Fake Income Tax Emails Target Indian Users as Kaspersky Warns of SilverFox Cyberattack Campaign

Cybersecurity company Kaspersky has identified a phishing campaign targeting Indian users through fraudulent emails disguised as official notices from the Income Tax Department, as per The Economic Times report 

According to the company, the campaign has been linked to the SilverFox threat group, which is believed to be using malware-loaded attachments and fake tax-related documents to gain remote access to victim devices, the report added.

The attacks form part of a broader cyber campaign that has also affected organisations in several other countries across multiple sectors.

Kaspersky Detects Fake Income Tax Email Campaign

Kaspersky stated that it first detected the phishing campaign in December 2025, when malicious emails designed to resemble official communication from India’s Income Tax Department began circulating among users.

The emails reportedly included references to tax audits or alleged tax violations and encouraged recipients to download attached files or archives. Once downloaded, the files activated malware capable of compromising affected systems.

The cybersecurity firm categorised the activity as an Advanced Persistent Threat (APT) campaign due to its structured and targeted nature.

SilverFox Group Linked to the Attacks

According to Kaspersky’s investigation, the attacks have been attributed to the SilverFox threat group, the report added

Researchers noted that the phishing emails followed a consistent format across different countries, with attackers impersonating government or regulatory communication to increase the likelihood of user interaction, according to the report.

The same campaign structure was later identified in Russia in January 2026, before similar attacks were also observed in Indonesia.

Malware Used in the Campaign

Kaspersky reported that the phishing files used a modified Rust-based loader sourced from a public repository. Once activated, the loader downloaded and executed a malware programme known as ValleyRAT.

ValleyRAT functions as a backdoor, allowing attackers to remotely access infected systems and potentially extract sensitive information.

During the investigation, researchers also identified a previously undocumented Python-based backdoor, which they named ABCDoor. According to Kaspersky, the new malware component was delivered through a ValleyRAT plugin.

ABCDoor Malware Traced to Earlier Activity

Retrospective analysis conducted by Kaspersky suggested that ABCDoor has been part of the SilverFox malware toolkit since at least late 2024.

The cybersecurity company stated that the malware has reportedly been used in active cyberattacks since the first quarter of 2025.

Researchers indicated that the malware could allow attackers to maintain remote access, monitor compromised systems and potentially exfiltrate confidential data from infected devices.

Indian Organisations Among Key Targets

According to a press release issued by Kaspersky’s Global Research and Analysis Team (GReAT) on 5 May 2026, the campaign targeted organisations in India, Indonesia, South Africa and Russia.

The attacks reportedly affected companies operating in sectors such as:

• Industrial operations
• Consulting services
• Trade businesses
• Transportation services

The campaign’s use of fake tax notices indicates that attackers may be attempting to exploit trust associated with government communication and regulatory compliance processes.

How Users Can Stay Cautious

Cybersecurity experts generally advise users to exercise caution while opening unsolicited emails, especially those claiming to originate from government departments or financial authorities.

Users are encouraged to:

• Verify the sender’s email address
• Avoid downloading attachments from unknown sources
• Refrain from clicking suspicious links
• Use updated antivirus and cybersecurity software
• Cross-check tax-related communication through official government portals

Businesses and organisations may also consider strengthening email filtering systems and employee awareness training to reduce phishing-related risks.

Read More: Quantum AI Scam: Fake Investment Scheme Misuses Nirmala Sitharaman’s Name to Promise Unrealistic Returns.

Read stock market news in Hindi. Head to Angel One's share market news in Hindi for comprehensive coverage.

Conclusion

Kaspersky’s findings highlight the growing sophistication of phishing campaigns targeting users through fake government communication. The SilverFox-linked attacks demonstrate how cybercriminal groups are increasingly using malware and remote access tools to target organisations and individuals across sectors and countries. 

Disclaimer: This blog has been written exclusively for educational purposes. The securities mentioned are only examples and not recommendations. This does not constitute a personal recommendation or investment advice. It does not aim to influence any individual or entity to make investment decisions. Recipients should conduct their own research and assessments to form an independent opinion about investment decisions. 

Investments in the securities market are subject to market risks. Read all related documents carefully before investing.