Attached to the email is a fake court summons with a button labelled “view legal document & case details here”, which downloads a 62.3KB file.<\/p>\n\n\n\n
“Social engineering played a key role in this campaign,” said Anton Kargin, senior security researcher at Kaspersky’s global research and analysis team.<\/p>\n\n\n\n
“At the same time, SilverFox employed a multi-stage delivery approach for the primary malicious payload and utilised multiple email addresses and domains.”<\/p>\n\n\n\n
Lionel Dartnall, country manager SADC for international cybersecurity firm Check Point Software, also described the sophisticated techniques employed by SilverFox to breach companies.<\/p>\n\n\n\n
“As part of the infection chain, the group employs a ‘bring your own vulnerable driver’ technique to terminate security product processes and reduce the chances of detection,” he told MyBroadband.<\/p>\n\n\n\n
“Their techniques have become more sophisticated and more ‘APT-like’ (advanced persistent threat), blending espionage tactics with financially motivated attacks.”<\/p>\n\n\n\n
SilverFox shifts attention to South Africa, India, Russia<\/h2>\n\n\n\n![\"\"](\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2026\/05\/Dartnall-Check-Point-1200x675.jpg\")
Lionel Dartnall, country manager SADC for Check Point Software<\/figcaption><\/figure>\n\n\n\nDuring this campaign, SilverFox added a new Python-based backdoor called “ABCDoor.” This was an updated version of a backdoor called ValleyRat, which the group used extensively in Asia.<\/p>\n\n\n\n
Specifically, it used this backdoor to target organisations in Taiwan and Japan. ABCDoor allowed the group to terminate security product processes and reduce the chances of detection.<\/p>\n\n\n\n
The group was previously focused solely on the East Asian market, targeting enterprises in the telecommunications, energy, logistics, and finance sectors.<\/p>\n\n\n\n
“Check Point has since seen many attacks instigated by this group globally, which deploys several social engineering, fake software, and stealthy malware delivery methods to breach organisations,” said Dartnall.<\/p>\n\n\n\n
Kaspersky said that the backdoor, delivered through the downloaded file, allowed the threat actor to remotely control infected systems and upload and download files at will.<\/p>\n\n\n\n
“In addition, a modified and previously undocumented version of RustSL was used to deliver ValleyRAT, first deployed by the threat actor in late December 2025,” it said.<\/p>\n\n\n\n
SilverFox used a wide-ranging email campaign across multiple email addresses to minimise the likelihood of detection and disruption.<\/p>\n\n\n\n
Dartnall recommended that companies in South Africa implement IOC (Indicator of Compromise) blocking and IPS (Intrusion Prevention System) enforcement.<\/p>\n\n\n\n
Additionally, practices such as accelerated patching, updating, and running hotfixes should be prioritised, as well as the enforcement of multifactor authentication for employees.<\/p>\n\n\n\n
Meanwhile, Kaspersky said that these attack chains can be stopped by regularly improving employees’ digital literacy and increasing phishing awareness.<\/p>\n\n\n\n
Alternatively, using a solution that automatically blocks suspicious emails and scans password-protected archives could prevent threat actors like SilverFox from gaining access to company systems.<\/p>\n","protected":false},"excerpt":{"rendered":"
Hacker group SilverFox spent January and February attempting to hack South African companies using fake SARS tax emails.<\/p>\n","protected":false},"author":341213,"featured_media":646154,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27],"tags":[105083,104783,15227,1595,105084,417,509,105082,4336,105086],"class_list":["post-646153","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-anton-kargin","tag-check-point-software","tag-cybersecurity","tag-kaspersky","tag-lionel-dartnall","tag-phishing","tag-sars","tag-silverfox","tag-south-african-revenue-service","tag-valleyrat"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/646153"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/341213"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=646153"}],"version-history":[{"count":3,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/646153\/revisions"}],"predecessor-version":[{"id":646193,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/646153\/revisions\/646193"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/646154"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=646153"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=646153"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=646153"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
During this campaign, SilverFox added a new Python-based backdoor called “ABCDoor.” This was an updated version of a backdoor called ValleyRat, which the group used extensively in Asia.<\/p>\n\n\n\n
Specifically, it used this backdoor to target organisations in Taiwan and Japan. ABCDoor allowed the group to terminate security product processes and reduce the chances of detection.<\/p>\n\n\n\n
The group was previously focused solely on the East Asian market, targeting enterprises in the telecommunications, energy, logistics, and finance sectors.<\/p>\n\n\n\n
“Check Point has since seen many attacks instigated by this group globally, which deploys several social engineering, fake software, and stealthy malware delivery methods to breach organisations,” said Dartnall.<\/p>\n\n\n\n
Kaspersky said that the backdoor, delivered through the downloaded file, allowed the threat actor to remotely control infected systems and upload and download files at will.<\/p>\n\n\n\n
“In addition, a modified and previously undocumented version of RustSL was used to deliver ValleyRAT, first deployed by the threat actor in late December 2025,” it said.<\/p>\n\n\n\n
SilverFox used a wide-ranging email campaign across multiple email addresses to minimise the likelihood of detection and disruption.<\/p>\n\n\n\n
Dartnall recommended that companies in South Africa implement IOC (Indicator of Compromise) blocking and IPS (Intrusion Prevention System) enforcement.<\/p>\n\n\n\n
Additionally, practices such as accelerated patching, updating, and running hotfixes should be prioritised, as well as the enforcement of multifactor authentication for employees.<\/p>\n\n\n\n
Meanwhile, Kaspersky said that these attack chains can be stopped by regularly improving employees’ digital literacy and increasing phishing awareness.<\/p>\n\n\n\n
Alternatively, using a solution that automatically blocks suspicious emails and scans password-protected archives could prevent threat actors like SilverFox from gaining access to company systems.<\/p>\n","protected":false},"excerpt":{"rendered":"
Hacker group SilverFox spent January and February attempting to hack South African companies using fake SARS tax emails.<\/p>\n","protected":false},"author":341213,"featured_media":646154,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27],"tags":[105083,104783,15227,1595,105084,417,509,105082,4336,105086],"class_list":["post-646153","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-anton-kargin","tag-check-point-software","tag-cybersecurity","tag-kaspersky","tag-lionel-dartnall","tag-phishing","tag-sars","tag-silverfox","tag-south-african-revenue-service","tag-valleyrat"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/646153"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/341213"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=646153"}],"version-history":[{"count":3,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/646153\/revisions"}],"predecessor-version":[{"id":646193,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/646153\/revisions\/646193"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/646154"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=646153"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=646153"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=646153"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}