
SilverFox targets users in India with fake IT department phishing attacks

Published On Sat, 09 May 2026
Asian Horizan Network
New Delhi, May 9 (AHN) Cybersecurity firm Kaspersky has attributed a global wave of phishing attacks that masquerade as tax-related files to the SilverFox threat group, and warned that the campaign now deploys a Python backdoor it has named ABCDoor.
Kaspersky said the campaign began in December 2025 with emails in India that closely mimicked notices from the Income Tax Department; in January the same group conducted phishing attacks in Russia, and attacks were subsequently reported in Indonesia, South Africa and other countries.
The company recorded more than 1,600 malicious emails between January and February, targeting firms in the industrial, consulting, trade and transportation sectors.
Kaspersky said the messages urged recipients to download an archive described as a “list of tax violations”. Opening it triggered a modified Rust-based loader pulled from a public repository, which then downloaded and executed the ValleyRAT backdoor.
The firm also observed ValleyRAT delivering a new plugin to victim devices that acts as a loader for a previously undocumented Python-based backdoor.
Through it, attackers can upload and download files and remotely control infected systems, streaming the screens of multiple victims simultaneously in near real time.
The firm urged smartphone users to improve their digital literacy, and asked organisations to strengthen email defences so that suspicious emails are blocked automatically, password-protected archives are scanned, and content disarm and reconstruction (CDR) technology is applied to attachments.
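The two gateway controls above, treating a password-protected archive as unscannable and refusing executables hidden inside an archive, can be expressed as a small triage routine. The following is an added example written for this article, not Kaspersky's tooling or anything SilverFox used; the lure phrases, the extension list and the allow/flag/quarantine/block policy are assumptions chosen to match the lure described in the report. The sample archives are constructed inline (the "encrypted" one only has the ZIP encryption flag bit set, which is all a listing-only check looks at).

```python
"""Mail-gateway style triage of a ZIP attachment. Added example, not the
article's or the vendor's code; policy and phrase list are assumptions."""
import io
import os
import struct
import zipfile
from dataclasses import dataclass

# Assumed policy data: lure phrases seen in the tax-themed campaign and
# extensions a gateway would treat as executable/script content.
LURE_PHRASES = ("tax violation", "income tax", "tax notice", "tax department")
RISKY_EXTENSIONS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1",
                    ".vbs", ".js", ".lnk", ".msi", ".hta"}


@dataclass
class Verdict:
    encrypted_entries: list
    risky_entries: list
    lure_hit: bool

    def action(self) -> str:
        # Executables inside an archive are blocked outright; an archive the
        # scanner cannot open is held rather than delivered; a lure-themed
        # subject with a benign attachment is only flagged for review.
        if self.risky_entries:
            return "block"
        if self.encrypted_entries:
            return "quarantine"
        if self.lure_hit:
            return "flag"
        return "allow"


def inspect_zip(data: bytes):
    """Return (encrypted entry names, risky entry names) from the central
    directory only. Bit 0 of the general-purpose flag marks encryption, so
    no password is needed to detect a password-protected archive."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return [], []
    encrypted, risky = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x0001:
                encrypted.append(info.filename)
            # splitext takes the last suffix, so "notice.pdf.exe" is caught.
            if os.path.splitext(info.filename)[1].lower() in RISKY_EXTENSIONS:
                risky.append(info.filename)
    return encrypted, risky


def triage(subject: str, attachment: bytes) -> Verdict:
    encrypted, risky = inspect_zip(attachment)
    lure = any(p in subject.lower() for p in LURE_PHRASES)
    return Verdict(encrypted, risky, lure)


# --- constructed samples (not real campaign artefacts) ---------------------

def _set_encryption_flag(data: bytes) -> bytes:
    """Set flag bit 0 on every local and central-directory header so the
    archive reads as password-protected. Sample content never contains a
    'PK' signature, so the plain signature scan is safe here."""
    buf = bytearray(data)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            flags = struct.unpack_from("<H", buf, pos + off)[0] | 0x0001
            struct.pack_into("<H", buf, pos + off, flags)
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def make_zip(entries: dict, encrypted: bool = False) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    data = buf.getvalue()
    return _set_encryption_flag(data) if encrypted else data


if __name__ == "__main__":
    lure = "Income Tax Department: list of tax violations"
    print(triage("Quarterly newsletter",
                 make_zip({"notice.pdf": b"%PDF-1.4 sample"})).action())
    print(triage(lure, make_zip({"violations.pdf": b"%PDF-1.4"},
                                encrypted=True)).action())
    print(triage(lure, make_zip({"violations.pdf.exe": b"MZ sample"})).action())
```

The check deliberately never attempts to open entries: listing the central directory is enough to see the encryption bit, and a gateway should not need the password that the phishing email conveniently supplies in its body.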
Another recent report said that credential theft and identity compromise have emerged as a primary entry point for large-scale cyberattacks against Indian IT firms, recording 265.52 million detections across more than 8 million endpoints.
Stolen login credentials, increasingly traded and weaponised on the dark web, are among the most effective entry points for such attacks, the report noted.
Trojans accounted for nearly 43 per cent of detections and often act as the primary payload for harvesting login information. Attackers combine phishing, malware and compromised applications to capture credentials, which are then circulated on dark-web marketplaces, the firm said.
The report warned that India’s IT firms are particularly exposed due to their extensive use of cloud platforms, remote access systems, and third-party integrations. A single compromised credential can provide access to multiple environments, significantly amplifying the potential impact.
—AHN