A new cyber espionage campaign attributed to the SilverFox APT group has been uncovered by Kaspersky Global Research & Analysis Team (GReAT), revealing a sophisticated phishing operation that leverages fake tax violation notices to infiltrate corporate systems and steal sensitive data.
According to researchers, the campaign—active since December 2025—targeted organizations across India, Indonesia, South Africa, and Russia, spanning industries such as manufacturing, consulting, trade, and transportation.
The attack begins with phishing emails disguised as official tax audit notifications. Victims are urged to download compressed files allegedly containing “tax violation lists,” which instead trigger a multi-stage malware infection once opened. Between January and February alone, more than 1,600 malicious emails were reportedly detected.
Once a victim opens the archive, the system is infected with a chain of malware tools, including a Python-based backdoor known as ABCDoor, alongside previously identified tools such as ValleyRAT and RustSL variants. These tools enable attackers to remotely control infected devices, exfiltrate data, access clipboards, stream victim screens in real time, and deploy updates to maintain persistence.
Security researchers highlighted that the campaign relies heavily on social engineering tactics, exploiting trust in official government communications—particularly tax-related notices—to increase the likelihood of user interaction.
Anton Kargin, senior security researcher at Kaspersky GReAT, noted that the attackers used multi-stage delivery techniques and rotating domains to evade detection and improve campaign longevity.
The SilverFox group has previously been linked to cyberattacks across telecommunications, energy, logistics, and financial sectors in Asia, indicating an ongoing expansion of its targeting scope and technical capabilities.
Kaspersky recommends that organizations strengthen their cybersecurity posture through employee awareness training, advanced email security systems, threat intelligence integration, and endpoint protection solutions to mitigate similar attacks.
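The lure traits the article describes (a tax-notice theme, a compressed attachment carrying the "violation list", and sender domains that rotate and are therefore only recently seen) are the kind of signals an email security layer can score before a user ever opens the archive. The following triage heuristic is an added example and is not Kaspersky's or any vendor's tooling; the mail records, the allowlisted tax-authority domain, and the dates are constructed placeholders, and the keyword list and 30-day "new domain" window are assumptions a team would tune to its own region and mail volume.

```python
"""Heuristic triage for tax-notice phishing lures (added example, constructed data).

Scores inbound mail metadata for the traits a tax-themed lure campaign shows:
a tax/audit-themed subject, a compressed attachment, a tax theme coming from a
domain that is not a known tax-authority sender, and a sender domain the
gateway has only recently observed (rotating infrastructure).
"""
from dataclasses import dataclass
from datetime import date

# Archive extensions a gateway should hold for inspection (assumed list).
ARCHIVE_EXTS = (".zip", ".rar", ".7z", ".gz", ".tar", ".iso")
# Subject keywords matching the lure theme; extend per language and region.
LURE_KEYWORDS = ("tax", "audit", "violation", "penalty", "notice")
# Placeholder allowlist of legitimate tax-authority sender domains.
KNOWN_TAX_SENDER_DOMAINS = {"tax-authority.example"}


@dataclass
class MailRecord:
    sender: str
    subject: str
    attachments: list
    first_seen: date  # first day the gateway observed the sender's domain


def sender_domain(addr: str) -> str:
    """Return the lower-cased domain part of an address."""
    return addr.rsplit("@", 1)[-1].lower()


def score(rec: MailRecord, today: date, new_domain_days: int = 30) -> list:
    """Return the list of lure indicators present in a single mail record."""
    reasons = []
    subject = rec.subject.lower()
    tax_themed = any(k in subject for k in LURE_KEYWORDS)
    if tax_themed:
        reasons.append("tax-themed subject")
    if any(a.lower().endswith(ARCHIVE_EXTS) for a in rec.attachments):
        reasons.append("compressed attachment")
    # A tax theme from a domain outside the authority allowlist is the core mismatch.
    if tax_themed and sender_domain(rec.sender) not in KNOWN_TAX_SENDER_DOMAINS:
        reasons.append("tax theme from non-authority domain")
    # Rotating campaign domains tend to be young from the gateway's point of view.
    if (today - rec.first_seen).days < new_domain_days:
        reasons.append("recently seen sender domain")
    return reasons


def triage(records: list, today: date, threshold: int = 3) -> list:
    """Return (sender, subject, reasons) for records meeting the indicator threshold."""
    flagged = []
    for rec in records:
        reasons = score(rec, today)
        if len(reasons) >= threshold:
            flagged.append((rec.sender, rec.subject, reasons))
    return flagged


# Constructed sample records: one lure, one legitimate authority notice, one
# unrelated archive from a partner. None of these values come from the article.
TODAY = date(2026, 2, 10)
SAMPLE_MAIL = [
    MailRecord("audit@tax-notice-2026.example",
               "Tax violation list - immediate action required",
               ["tax_violation_list.zip"], date(2026, 2, 3)),
    MailRecord("notices@tax-authority.example",
               "Annual tax filing reminder", ["reminder.pdf"], date(2019, 1, 10)),
    MailRecord("hr@partner-corp.example",
               "Q1 travel policy", ["policy.zip"], date(2021, 5, 2)),
]

if __name__ == "__main__":
    for sender, subject, reasons in triage(SAMPLE_MAIL, TODAY):
        print(f"HOLD {sender!r} {subject!r}: {', '.join(reasons)}")
```

Only the constructed lure crosses the threshold; the genuine authority reminder scores on the subject alone, and the partner's archive scores on the attachment alone, which is why the rule combines indicators rather than blocking every archive or every tax-themed subject. In practice the allowlist and the "first seen" data would come from the mail gateway's own reputation store rather than literals.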
The findings underscore the growing sophistication of APT campaigns, where malware delivery is increasingly paired with highly convincing social engineering to bypass traditional security defenses.