Fake Income Tax email alert! ‘SilverFox’ hackers target Indians with dangerous malware
By Suchitra Mandal, ET Online
Cyber fraud warning: Fake tax emails are scamming Indians
Cybersecurity company Kaspersky has warned about a dangerous phishing campaign targeting Indians through fake Income Tax Department emails. These emails look highly official and create panic by mentioning tax audits or violations. Victims are pushed to download suspicious files, which secretly install malware on their devices. The attack later spread to Indonesia, Russia, and South Africa, targeting businesses across multiple sectors.
What is the SilverFox hacker campaign?
Kaspersky identified this attack as an Advanced Persistent Threat (APT) campaign linked to the SilverFox hacker group. The attackers used emails designed to imitate official government notices. Many messages asked users to download a file claiming to contain a “list of tax violations.” Once opened, the file triggered a chain of malware infections, giving hackers access to sensitive company and personal data.
How the fake Income Tax email attack works
The scam starts with phishing emails that look almost identical to genuine Income Tax Department communication. Victims are asked to click and download an archive file. That file secretly installs a modified Rust-based malware loader, which then downloads ValleyRAT, a dangerous backdoor program. This allows attackers to remotely control infected devices without the victim realizing anything unusual.
ValleyRAT and ABCDoor: The dangerous malware combo
Kaspersky researchers discovered that the attackers used ValleyRAT to deliver another hidden malware tool called ABCDoor. This new Python-based backdoor program can upload and download files, monitor screens in real time, access clipboard data, and even update itself automatically. According to Kaspersky, ABCDoor has been active since late 2024 and has been used in cyberattacks throughout 2025 and 2026.
Why Indians became a major target
The campaign heavily targeted organisations in India across consulting, industrial, transport, and trade sectors. Between January and February 2026 alone, researchers detected over 1,600 malicious emails. Hackers used fear and urgency linked to tax notices to trick people into acting quickly. Experts say the attackers relied strongly on social engineering, exploiting the public’s trust in official government communication.
Why these phishing emails are difficult to detect
The fake emails looked highly convincing because they copied official formats, language, and branding used by tax authorities. SilverFox also used multiple email addresses, domains, and multi-stage malware delivery methods to avoid detection. This made it harder for cybersecurity systems to block the attack chain early. Experts warn that even experienced users could fall for these realistic-looking scam emails.
What hackers can do after infecting your device
Once a device is infected, hackers may gain remote access and steal confidential information. They can monitor multiple screens, access copied text from the clipboard, transfer files, and potentially spy on company systems. Such attacks can lead to financial losses, data theft, and serious operational disruptions. Businesses and individuals who handle sensitive financial data are especially vulnerable to these threats.
Simple steps Indians should follow to stay safe
Experts advise users to avoid downloading files from unexpected tax-related emails. Always verify official notices directly through the Income Tax Department website. Use trusted antivirus and cybersecurity tools that can scan suspicious files and block malicious emails. Improving digital awareness through cybersecurity training and staying updated about new online scams can also reduce the risk of falling victim.
