Kaspersky Identified a New SilverFox Campaign Targeting Companies in SA
Why It Matters
The campaign demonstrates how sophisticated social engineering combined with advanced malware can jeopardize critical business data in South Africa, raising the urgency for stronger email security and threat‑intel collaboration.
Key Takeaways
- Over 1,600 tax‑audit phishing emails sent in Jan‑Feb 2026
- SilverFox introduced Python backdoor ABCDoor alongside ValleyRAT
- ABCDoor streams multiple screens, accesses clipboard, self‑updates
- Modified RustSL used to deliver ValleyRAT in late 2025
- Multi‑stage email delivery evades detection across the attack chain
Pulse Analysis
The SilverFox operation reflects a growing trend of tax‑related phishing attacks in South Africa, where fraudsters exploit the inherent trust businesses place in government communications. By masquerading as tax‑audit notices, attackers create a sense of urgency that compels recipients to open malicious attachments. This tactic aligns with a broader global shift toward credential‑driven social engineering, where threat actors weaponize regulatory processes to infiltrate corporate networks.
Technically, the campaign introduces ABCDoor, a Python‑based backdoor that augments the older ValleyRAT framework. ABCDoor enables real‑time screen streaming, clipboard harvesting, and autonomous updates, dramatically expanding an attacker’s foothold. Coupled with a newly observed RustSL variant delivering ValleyRAT, the malware stack evades traditional signature‑based defenses and complicates incident response. Security teams must pivot to behavior‑based detection, monitoring for unusual file transfers, screen‑capture activity, and rapid backdoor updates.
For South African enterprises, the implications are immediate. The convergence of social engineering and sophisticated payloads raises the risk of data exfiltration, ransomware deployment, and operational disruption. Organizations should reinforce email filtering, enforce multi‑factor authentication for privileged accounts, and conduct regular phishing simulations. Sharing indicators of compromise through industry ISACs will also help mitigate the spread of SilverFox’s evolving toolkit, protecting both the private sector and the broader digital economy.