Hacker group targeted companies in South Africa using fake SARS notifications
Hacker group SilverFox has been linked to a campaign in South Africa that used fake notifications from the South African Revenue Service (SARS) to breach company systems.
The group employed multiple email addresses and other methods in sophisticated attacks targeting local companies. Clicking links or downloading attachments could see systems completely taken over.
“The phishing emails were crafted to appear as official tax audit notifications or to prompt recipients to download an archive purportedly containing a ‘list of tax violations,'” said security group Kaspersky.
SilverFox aimed to exploit the perceived authority and urgency of communications from tax agencies across South Africa, India, Indonesia and Russia to breach companies across multiple sectors.
This included industrial, consulting, trade and transportation sectors between January and February 2026, with more than 1,600 malicious emails recorded by researchers at Kaspersky.
The main attack vector was a social engineering technique that persuaded recipients of the email to download a file, triggering the attack chain.
In one example of a phishing email attempt collected by SARS on 10 February 2026, the sender accused the recipient of failing to pay their outstanding tax debt for one or more years.
Attached to the email is a fake court summons with a button labelled “view legal document & case details here”, which downloads a 62.3KB file.
“Social engineering played a key role in this campaign,” said Anton Kargin, senior security researcher at Kaspersky’s global research and analysis team.
“At the same time, SilverFox employed a multi-stage delivery approach for the primary malicious payload and utilised multiple email addresses and domains.”
Lionel Dartnall, country manager SADC for international cybersecurity firm Check Point Software, also described the sophisticated techniques employed by SilverFox to breach companies.
“As part of the infection chain, the group employs a ‘bring your own vulnerable driver’ technique to terminate security product processes and reduce the chances of detection,” he told MyBroadband.
“Their techniques have become more sophisticated and more ‘APT-like’ (advanced persistent threat), blending espionage tactics with financially motivated attacks.”
SilverFox shifts attention to South Africa, India, Russia

During this campaign, SilverFox added a new Python-based backdoor called “ABCDoor.” This was an updated version of a backdoor called ValleyRat, which the group used extensively in Asia.
Specifically, it used this backdoor to target organisations in Taiwan and Japan. ABCDoor allowed the group to terminate security product processes and reduce the chances of detection.
The group was previously focused solely on the East Asian market, targeting enterprises in the telecommunications, energy, logistics, and finance sectors.
“Check Point has since seen many attacks instigated by this group globally, which deploys several social engineering, fake software, and stealthy malware delivery methods to breach organisations,” said Dartnall.
Kaspersky said that the backdoor, delivered through the downloaded file, allowed the threat actor to remotely control infected systems and upload and download files at will.
“In addition, a modified and previously undocumented version of RustSL was used to deliver ValleyRAT, first deployed by the threat actor in late December 2025,” it said.
SilverFox used a wide-ranging email campaign across multiple email addresses to minimise the likelihood of detection and disruption.
Dartnall recommended that companies in South Africa implement IOC (Indicator of Compromise) blocking and IPS (Intrusion Prevention System) enforcement.
Additionally, practices such as accelerated patching, updating, and running hotfixes should be prioritised, as well as the enforcement of multifactor authentication for employees.
Meanwhile, Kaspersky said that these attack chains can be stopped by regularly improving employees’ digital literacy and increasing phishing awareness.
Alternatively, using a solution that automatically blocks suspicious emails and scans password-protected archives could prevent threat actors like SilverFox from gaining access to company systems.