‘SilverFox’ Cyber Attack Targets Indians Through Fraudulent Income Tax Emails
Cybersecurity company Kaspersky has issued a warning about a highly advanced phishing operation being carried out by the hacker group known as “SilverFox.” The campaign specifically targets Indian users through fraudulent emails designed to look like official communications from the Income Tax Department. These deceptive emails are intended to persuade recipients to download infected files that secretly install malware capable of stealing confidential information and providing attackers with remote access to devices.
According to Kaspersky, the first wave of these suspicious emails was identified in December 2025 in India. The messages closely imitated genuine tax department notices, making them difficult for ordinary users to distinguish from legitimate communications. Shortly afterward, in January 2026, similar attacks were reportedly directed at organisations in Russia, and the campaign later expanded to Indonesia as well.
Security researchers have classified this operation as an Advanced Persistent Threat (APT) campaign due to its sophisticated execution and long-term malicious intent. The emails typically contain attachments or links claiming to relate to tax violations, audits, or compliance issues. Victims are encouraged to download an archive file allegedly containing a “list of tax violations” or other important tax-related documents.
Once the file is downloaded and opened, a modified Rust-based loader is executed. This loader, reportedly adapted from a publicly available repository, is then used to install the ValleyRAT malware, a dangerous backdoor tool that allows cybercriminals to remotely control infected systems and extract sensitive data.
During its investigation, Kaspersky also uncovered a newly identified component of the attack. Researchers found that the hackers were deploying an additional ValleyRAT plugin that acted as a delivery mechanism for another previously unknown Python-based backdoor. This newly discovered malware has been named “ABCDoor.”
Further analysis conducted by Kaspersky suggests that ABCDoor has been part of the SilverFox group’s cyber toolkit since late 2024. The malware has reportedly been used in active cyberattacks since the beginning of 2025 and continues to pose a significant threat to users and organisations across multiple countries.
Kaspersky has advised individuals and businesses to remain cautious while opening emails related to tax matters, especially those containing attachments, archive files, links, or urgent notices. Users are encouraged to verify communications only through official government portals and avoid downloading files from untrusted sources.
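For mail administrators who want to turn this advice into an automated check, the following added example (not from Kaspersky or the original article) flags tax-themed messages that arrive from a non-official sender domain, carry an archive attachment, or contain a link. The allow-listed domain, keyword list, extension list and sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: domains treated as official; replace with your own verified list.
OFFICIAL_DOMAINS = {"incometax.gov.in"}
TAX_TERMS = ("income tax", "tax violation", "tax audit", "tax notice", "tax compliance")
ARCHIVE_EXTS = (".zip", ".rar", ".7z", ".iso", ".tar", ".gz")


def triage(raw_bytes):
    """Return the reasons a raw message matches the tax-lure pattern (empty if none)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    text = (str(msg.get("Subject", "")) + " " + body).lower()
    if not any(term in text for term in TAX_TERMS):
        return reasons  # only tax-themed mail is in scope for this check
    # The From header is unauthenticated; pair this with SPF/DKIM/DMARC results.
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    if not any(domain == d or domain.endswith("." + d) for d in OFFICIAL_DOMAINS):
        reasons.append(f"tax-themed mail from non-official domain: {domain}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(ARCHIVE_EXTS):
            reasons.append(f"archive attachment: {name}")
    if "http://" in text or "https://" in text:
        reasons.append("contains link")
    return reasons


def build_sample(sender, attach):
    """Build a constructed test message; every value here is made up."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@corp.example"
    m["Subject"] = "Notice: list of tax violations"
    m.set_content("Urgent: review the attached list of tax violations.")
    if attach:
        m.add_attachment(b"PK\x03\x04", maintype="application",
                         subtype="zip", filename="tax_violations.zip")
    return m.as_bytes()


if __name__ == "__main__":
    for reason in triage(build_sample("notice@tax-dept.example", True)):
        print(reason)
```

A hit from this check is a reason to quarantine and review the message, not a verdict; matching mail should still be verified through the official portal as advised above.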
CA Sansaar
