Hacker Group Targeted Companies in South Africa Using Fake SARS Notifications

MyBroadband (South Africa), May 10, 2026

Why It Matters

The attack shows how a financially motivated group can borrow APT tradecraft and impersonate trusted government communications, raising the risk profile for enterprises in emerging markets and demanding stronger cyber hygiene.

Key Takeaways

  • SilverFox sent 1,600+ fake SARS phishing emails
  • New Python backdoor ABCDoor evades detection
  • Multi‑stage payload disables security processes
  • Campaign spanned South Africa, India, Indonesia, Russia
  • Experts urge IOCs, MFA, employee phishing training

Pulse Analysis

The recent SilverFox campaign illustrates how cybercriminals are weaponising trusted government communications to breach corporate networks. By masquerading as South African Revenue Service audit notices, the group dispatched more than 1,600 phishing emails between January and February 2026, targeting firms in industrial, consulting, trade and transportation sectors. The messages leveraged the urgency of tax compliance, prompting recipients to click malicious links or download forged court summons attachments. This social‑engineering playbook mirrors a global rise in tax‑related phishing, where attackers exploit the credibility of revenue agencies to increase click‑through rates.

Technically, SilverFox combined several APT‑like techniques to stay under the radar. The initial email delivered a compressed archive that, when opened, executed a Python‑based backdoor named ABCDoor, an evolution of the ValleyRAT family. ABCDoor can terminate security‑product processes using a ‘bring your own vulnerable driver’ (BYOVD) method: a legitimately signed but exploitable driver is loaded so that the kill happens from kernel mode, bypassing the user‑mode tamper protection that endpoint agents rely on. A modified RustSL loader then injects the ValleyRAT payload. This multi‑stage delivery chain, spread across dozens of domains and email addresses, complicates detection and enables persistent remote control, file exfiltration, and lateral movement within compromised networks.

The campaign’s cross‑regional scope underscores the need for proactive defenses in emerging markets. Security teams should ingest the disclosed IOCs, enforce intrusion‑prevention signatures, patch endpoints promptly and require multi‑factor authentication on mail and remote‑access accounts. Because the loader runs from an opened archive, MFA limits what stolen credentials buy but does not stop the backdoor itself; blocking execution from archive and temp paths and enforcing Microsoft’s vulnerable‑driver blocklist matter more against this particular chain. Equally critical is boosting employee digital literacy: automated attachment scanning and detonation can stop malicious archives before execution, and regular phishing simulations keep users alert to tax‑themed lures. As threat actors like SilverFox blend espionage tactics with financial motives, organisations must adopt a layered security model that combines threat intelligence, endpoint hardening, and continuous user education to mitigate future tax‑based phishing assaults.
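The lure described above (SARS branding on mail sent from lookalike domains, urgency wording, links off the real SARS domain, a compressed archive carrying the loader) and the IOC ingestion the analysis recommends can be turned into a first-pass mail triage rule. The script below is an added example, not code from MyBroadband or from the researchers who analysed the campaign. The `IOC_DOMAINS` entries, the `LEGIT_SARS_DOMAINS` set and both sample messages are constructed placeholders; a real deployment would load the published indicators and confirm SARS's sending domains from its own mail-flow records.

```python
"""Heuristic triage for SARS-themed phishing mail.

Added illustration, not code from MyBroadband or from the SilverFox
analysis.  The indicator list, the legitimate-sender set and both sample
messages below are constructed for this example.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Domains SARS actually mails from.  Assumption for this example: confirm
# against your own mail-flow records before relying on it.
LEGIT_SARS_DOMAINS = {"sars.gov.za"}

# Placeholder IOC feed.  A real deployment loads the disclosed indicators;
# these .example names are hypothetical.
IOC_DOMAINS = {"sars-efiling-notice.example", "tax-audit-alert.example"}

ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z", ".iso", ".img")
URGENCY_WORDS = ("audit", "summons", "final notice", "penalty", "court")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


@dataclass
class Verdict:
    score: int = 0
    reasons: list[str] = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)


def registered_domain(host: str) -> str:
    """Reduce a hostname to its registrable domain.

    Handles South African second-level zones (gov.za, co.za, ...) so that
    efiling.sars.gov.za and sars.gov.za compare equal.
    """
    parts = host.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-2] in {"gov", "co", "org", "ac", "net"}:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def sender_domain(from_header: str) -> str:
    m = re.search(r"@([A-Za-z0-9.\-]+)", from_header)
    return registered_domain(m.group(1)) if m else ""


def triage(from_header: str, subject: str, body: str,
           attachments: list[str]) -> Verdict:
    """Score one message; a higher score means more impersonation signals."""
    v = Verdict()
    sdom = sender_domain(from_header)
    claims_sars = "sars" in (from_header + " " + subject).lower()

    # Brand claim in the display name or subject, but the sending domain
    # is not one SARS uses: the core lookalike check.
    if claims_sars and sdom not in LEGIT_SARS_DOMAINS:
        v.add(40, f"claims SARS but sent from {sdom or 'unknown domain'}")
    if sdom in IOC_DOMAINS:
        v.add(50, f"sender domain {sdom} is a known indicator")

    # Links in the body: IOC hits, or off-domain links in SARS-themed mail.
    for url in URL_RE.findall(body):
        rdom = registered_domain(urlparse(url).hostname or "")
        if rdom in IOC_DOMAINS:
            v.add(50, f"link to known indicator {rdom}")
        elif claims_sars and rdom not in LEGIT_SARS_DOMAINS:
            v.add(20, f"SARS-themed mail links off-domain to {rdom}")

    # The campaign delivered its loader inside a compressed archive.
    for name in attachments:
        if name.lower().endswith(ARCHIVE_EXTENSIONS):
            v.add(30, f"compressed archive attachment {name}")

    # Tax-compliance urgency wording used as the lure.
    text = (subject + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        v.add(5 * len(hits), "urgency lure: " + ", ".join(hits))
    return v


# Constructed samples; not real messages from the campaign.
PHISH_SAMPLE = dict(
    from_header="SARS eFiling <notices@sars-efiling-notice.example>",
    subject="Final notice: tax audit summons",
    body=("Your company has been selected for audit. Download the court "
          "summons at https://sars-efiling-notice.example/summons/4471 "
          "within 48 hours to avoid a penalty."),
    attachments=["Summons_2026.zip"],
)
LEGIT_SAMPLE = dict(
    from_header="SARS eFiling <noreply@sars.gov.za>",
    subject="Your eFiling statement is available",
    body="Log in at https://efiling.sars.gov.za/ to view your statement.",
    attachments=[],
)


def run_samples() -> dict[str, int]:
    """Score both constructed samples; returns {'phish': 195, 'legit': 0}."""
    return {name: triage(**msg).score
            for name, msg in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE))}


if __name__ == "__main__":
    for name, msg in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        verdict = triage(**msg)
        print(name, verdict.score, verdict.reasons)
```

The scoring is deliberately additive so that an analyst can read the `reasons` list and see which signal fired; the brand-claim check is a plain substring match, so a sender such as "Sarsfield Ltd" would trip it and should be tuned out with an allowlist in production. Because `registered_domain` compares registrable domains rather than full hostnames, a lookalike like `sars.gov.za.example` still resolves to `za.example` and is flagged, while SARS's own subdomains are not.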
