The Kaspersky Global Research & Analysis Team (GReAT) analysed several new waves of cyberattacks conducted by the SilverFox group, which were observed since December 2025. The campaign targeted companies in South Africa, India, Indonesia, and Russia across the industrial, consulting, trade and transportation sectors.
The phishing emails were crafted to appear as official tax audit notifications or to prompt recipients to download an archive purportedly containing a “list of tax violations”. By leveraging the perceived authority and urgency of communications from tax agencies, the threat actor aimed to persuade victims to download the file and trigger the attack chain. Between January and February alone, more than 1600 malicious emails were recorded.
The threat actor expanded its toolkit by deploying a new Python-based backdoor, dubbed ABCDoor, via the previously known ValleyRAT backdoor used in earlier attacks. ABCDoor was present in the APT arsenal from the end of 2024 and was used in attacks throughout 2025. It enables attackers to upload and download files, and to remotely control infected systems by streaming multiple victim screens simultaneously in near real time, accessing the clipboard, and updating itself. In addition, a modified, previously undocumented version of RustSL was used to deliver ValleyRAT, which the threat actor first deployed in late December 2025.
“Social engineering played a key role in this campaign. The group exploited users’ tendency to trust communications from official agencies, such as tax authorities. At the same time, SilverFox employed a multi-stage delivery approach for the primary malicious payload and utilised multiple email addresses and domains. This increases the overall risk posed by such attacks, as it helps minimise the likelihood of detection and disruption across the attack chain,” says Anton Kargin, senior security researcher in Kaspersky GReAT.
Learn more at www.kaspersky.co.za.
© Technews Publishing (Pty) Ltd. | All Rights Reserved.
printer friendly version