
Kaspersky identified a new SilverFox campaign targeting companies in South Africa

Posted by Editorial on 05/05/2026 in IT SECURITY


Tax authority impersonation emails delivered a previously undocumented backdoor to companies in industrial, consulting and transport sectors between December 2025 and February 2026.

Kaspersky, a cybersecurity company whose Global Research and Analysis Team tracks threat actors and malware campaigns worldwide, has published findings on a new wave of attacks attributed to SilverFox, a group previously known for targeting enterprises across Asia. The latest campaign, observed since December 2025, expanded the group's geographic focus to include South Africa, India, Indonesia and Russia, with companies in industrial, consulting, trade and transportation sectors among those targeted.

The attack method relied on phishing emails designed to resemble official communications from tax authorities, either framing messages as formal audit notifications or prompting recipients to download a file described as a list of tax violations. Between January and February alone, Kaspersky recorded more than 1,600 malicious emails using this approach. The use of tax agency impersonation was deliberate: by mimicking the tone and perceived authority of government communications, the group increased the likelihood that recipients would open attachments and trigger the subsequent stages of the attack.

The campaign introduced new tooling alongside previously documented malware. SilverFox deployed ABCDoor, a Python-based backdoor not previously documented publicly, through ValleyRAT, a remote access tool the group had used in earlier operations. ABCDoor has been present in the group's arsenal since late 2024 and appeared in attacks throughout 2025. It allows attackers to upload and download files, stream multiple infected screens simultaneously in near real time, access clipboard contents and update itself remotely. A modified version of RustSL, also previously undocumented, was used to deliver ValleyRAT and was first observed in late December 2025.

Anton Kargin, senior security researcher at Kaspersky GReAT, described the structural factors that made the campaign harder to detect and disrupt: "Social engineering played a key role in this campaign. The group exploited users' tendency to trust communications from official agencies, such as tax authorities. At the same time, SilverFox employed a multi-stage delivery approach for the primary malicious payload and utilised multiple email addresses and domains. This increases the overall risk posed by such attacks, as it helps minimise the likelihood of detection and disruption across the attack chain."

Kaspersky recommends that organisations address this type of threat through a combination of employee awareness training, email security solutions capable of scanning password-protected archives and applying content disarm and reconstruction technology, access to threat intelligence services that track attacker techniques in real time, and endpoint protection platforms with investigation and response capabilities.
