A cybercriminal group known as SilverFox has been linked to a phishing campaign in South Africa that used fake South African Revenue Service notifications to breach company systems. The attacks relied on emails designed to look official, using the authority of SARS to pressure recipients into clicking links or downloading files.
According to researchers, the fake messages were dressed up as tax audit notices or warnings about alleged tax violations. In some cases, recipients were accused of failing to pay outstanding tax debt and were prompted to open what appeared to be legal documents or court summonses. That was the trap. Once the file was downloaded, the attack chain could begin.
Attackers used polished social engineering
Kaspersky said social engineering was central to the campaign. The group sent more than 1,600 malicious emails between January and February 2026, targeting sectors including industry, consulting, trade and transport. South Africa was among several countries affected, alongside India, Indonesia and Russia.
The goal was not just to get someone to open an email. The goal was to trick staff into taking the next step themselves. Researchers say SilverFox used multiple email addresses, domains and a layered delivery method to reduce the chances of detection and make the messages look convincing.
One fake SARS phishing email collected on 10 February included a button telling the recipient to view legal case details. Clicking it downloaded a small file that triggered the malicious process.
Malware could hand over full control
Security researchers say SilverFox used a Python-based backdoor called ABCDoor, an updated version of a backdoor known as ValleyRat. The malware could allow attackers to remotely control infected systems and upload or download files.
Check Point Software’s Lionel Dartnall said the group also used a “bring your own vulnerable driver” technique to shut down security tools and lower the chance of being caught. He described SilverFox’s methods as becoming more sophisticated and more like those used by advanced persistent threat groups.
Businesses urged to tighten defences
The campaign is another reminder that local companies remain exposed to phishing attacks built around urgency, fear and official branding. In this case, SARS was used as the bait, but the real weakness lay in how easily a trusted name can be turned into a weapon.
Researchers say companies should strengthen phishing awareness, improve patching, enforce multifactor authentication and use tools that can block suspicious emails before staff ever interact with them. The warning is simple: one fake tax notice can be enough to open the door to a much bigger breach.