Silver Fox tax-themed phishing campaign delivering ABCDoor and ValleyRAT

Campaign
Happening score: 39
1 unique source, 2 articles

Summary

Silver Fox is running a tax-themed phishing campaign that now targets India with Income Tax Department lures and delivers ValleyRAT (aka Winos 4.0). The campaign uses phishing emails, DLL hijacking, a ZIP/NSIS installer chain, and process injection into `explorer.exe` to install the malware and enable keylogging, credential harvesting, and defense evasion. The group is China-based and also uses related lure sites and installer infrastructure to track downloads and distribute ValleyRAT. The campaign matters because it shows a sustained, multi-stage delivery chain built for persistence and low-noise access.

Related Happenings

FakeWallet crypto wallet phishing campaign targeting users in China

Campaign
First: 21.04.2026 00:52 Last: 21.04.2026 00:52 Sources 1

About this happening: The **FakeWallet** campaign is actively distributing **26 malicious apps** that impersonate crypto wallets and steal **seed phrases**, putting **users in China** at immediate risk...

Latest development: 24.04.2026 14:48

Kaspersky said the FakeWallet campaign is gaining momentum with new tactics, including phishing apps published in the Apple App Store, cold wallet impersonation, and phishing notifications, and suspected it may be the work of threat actors linked to SparkKitty because some infected apps use OCR to steal wallet recovery phrases and the two campaigns share native Chinese-speaking operators and cryptocurrency targeting.

JanelaRAT malware activity targeting Latin American banks

Malware Activity
First: 13.04.2026 20:15 Last: 13.04.2026 20:15 Sources 1

About this happening: **JanelaRAT** continues targeting **Latin American banks and financial institutions**, with telemetry showing **14,739 attacks in Brazil** in **2025** and **11,695 in Mexico**, ra...

Augmented Marauder / Water Saci multi-pronged phishing campaign targeting Latin America and Europe

Campaign
First: 01.04.2026 15:36 Last: 01.04.2026 15:36 Sources 1

About this happening: **Water Saci** is actively evolving a **WhatsApp Web worm** in **Brazil** that uses **HTA** and **PDF** lures to deliver a **banking trojan**. The latest wave shifts from **PowerS...

Silver Fox South Asia phishing campaign

Campaign
First: 24.03.2026 18:00 Last: 24.03.2026 18:00 Sources 1

About this happening: The **Silver Fox** campaign now includes **BYOVD** abuse of a previously unknown **WatchDog Anti-malware** driver, **amsdk.sys (version 1.0.600)**, to disable security tools on co...

UNC1069 GhostCall cryptocurrency social-engineering campaign

Campaign
First: 11.02.2026 08:50 Last: 11.02.2026 08:50 Sources 1

About this happening: **UNC1069** is **actively targeting the cryptocurrency sector** with a **social-engineering campaign** designed to steal credentials and data for **financial theft**. The operatio...

Timeline

  1. 04.05.2026 14:57 3 articles · 23d ago

    Silver Fox tax-phishing campaign delivers ABCDoor and ValleyRAT

    Initial Disclosure

    Silver Fox is linked to a tax-themed phishing campaign targeting organizations in Russia and India, using fake Income Tax Department of India notices and archive lures to deliver a modified RustSL loader, ValleyRAT (aka Winos 4.0), and the previously undocumented Python-based backdoor ABCDoor; the operation spans December 2025 to early February 2026, with more than 1,600 phishing emails flagged and the highest attack volume seen in India, Russia, and Indonesia across industrial, consulting, retail, and transportation organizations.
