As the banking trojan Grandoreiro expands geographically, it is now targeting South Africa while tax season is in full force.
It is putting millions of people and companies at risk, as the malicious e-mails purporting to be from the South African Revenue Service (SARS) flood inboxes.
Grandoreiro, which started in Brazil, employs sophisticated phishing campaigns to impersonate government entities, particularly tax agencies and law enforcement bodies, says Samantha Clarke, Mimecast senior threat research engineer.
“South African businesses are facing a growing threat as the Grandoreiro banking trojan spreads through convincing SARS-themed phishing e-mails this tax season,” says Jacqui Muller, researcher at Belgium Campus iTversity.
Scammers send messages from a fake SARS e-mail address containing a link to a fraudulent website, often changing a single character in the hyperlink, like replacing South Africa with ‘South Afrìca’, using a special character that looks similar to the original, says Southern African Fraud Prevention Service CEO Manie van Schalkwyk.
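The look-alike hyperlink trick described above works because a domain label may contain non-ASCII characters (sent on the wire as punycode) that render like their ASCII neighbours. The following added example, not part of the article or any vendor's tooling, shows a defender-side check: it decodes punycode, reports the scripts a hostname mixes, folds accents and a few common confusables into an ASCII "skeleton", and flags the name when that skeleton matches a trusted domain. The trusted-domain list and the confusable map are constructed for illustration.

```python
import unicodedata

# Constructed list of domains to protect (assumption for this example, not real SARS domains).
TRUSTED_DOMAINS = {"sars.example", "southafrica.example"}

# Hand-picked look-alikes that accent-stripping alone would not catch; the full list is
# Unicode's confusables.txt. Keys are mostly Cyrillic letters that render like Latin ones.
CONFUSABLES = {
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y",
    "і": "i", "ѕ": "s", "ӏ": "l", "ı": "i",
}

def skeleton(host: str) -> str:
    """Reduce a hostname to plain ASCII: fold confusables, then drop accents via NFKD."""
    out = []
    for ch in host.lower():
        ch = CONFUSABLES.get(ch, ch)
        # NFKD splits 'ì' into 'i' + combining grave accent; keep only the base letter
        for part in unicodedata.normalize("NFKD", ch):
            if not unicodedata.combining(part):
                out.append(part)
    return "".join(out)

def assess_host(host: str) -> dict:
    """Decode punycode, list scripts used, and flag a look-alike of a trusted domain."""
    host = host.lower()
    if host.startswith("xn--") or ".xn--" in host:
        # Browsers show the Unicode form; the wire form is what the mail gateway sees
        host = host.encode("ascii").decode("idna")
    non_ascii = [c for c in host if ord(c) > 127]
    # First word of the Unicode character name is the script, e.g. LATIN or CYRILLIC
    scripts = {unicodedata.name(c, "?").split()[0] for c in host if c.isalpha()}
    skel = skeleton(host)
    return {
        "decoded": host,
        "non_ascii": non_ascii,
        "scripts": scripts,
        "skeleton": skel,
        "lookalike_of_trusted": skel in TRUSTED_DOMAINS and host != skel,
    }
```

Mixed scripts or any non-ASCII character in a domain that should be pure ASCII is a strong signal on its own; the skeleton match tells you which brand is being imitated.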
Tax season is a peak period for opportunistic scams targeting individuals, and sophisticated fraud against financial institutions, says Sameer Kumandan, MD of data aggregation platform SearchWorks.
“SARS has ramped up its scam warnings, issuing multiple alerts in July alone, addressing attempts to mimic refund audits, letters of demand and auto-assessments, all of which use SARS branding and real phrasing to appear legitimate.”
Individual taxpayers have until 20 October 2025 to file their returns after SARS shortened the filing period. So far, 5.8 million of the 7.5 million registered individual taxpayers have been automatically assessed.
Geographical migration
After law enforcement started clamping down on Grandoreiro in Latin America, its operators started expanding globally, beginning with South Africa, said IBM in April.
Muller explains that the malware “has now reached local inboxes, capable of hijacking banking sessions, stealing credentials, and using infected Outlook accounts to phish clients and colleagues”.
Underscoring this surge in e-mail-borne threats, Kumandan points out that cyber security firm Kaspersky reports phishing accounted for 67% of cyber incidents among South African organisations over the past year, with a 29% increase recorded as tax season opened.
SARS previously told ITWeb that it “has the necessary internal processes that deal with the management of information received from anyone that interacts with the organisation on all matters within its purview”.
Mimecast has found that Grandoreiro can harvest far more than banking credentials, including credit card numbers, bank account details, transaction histories, e-mail logins for further phishing attacks, sensitive files, and private keys and wallet addresses for crypto-currency theft.
The trojan targets Windows users through phishing e-mails that disguise a malicious ZIP file as a PDF. The ZIP contains a script that downloads and installs the malware.
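The delivery chain above rests on two mismatches a mail gateway can check: an attachment whose name says PDF but whose content is a ZIP archive, and an archive whose members carry script or executable extensions. The following added example (not code from the article, IBM or Mimecast) builds a constructed sample archive in memory and runs a triage function over it; the member name and the extension list are assumptions for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions that Windows will execute when double-clicked (assumed watch-list, extend as needed)
SCRIPT_EXTS = {".vbs", ".js", ".jse", ".wsf", ".hta", ".bat", ".cmd", ".ps1",
               ".lnk", ".msi", ".exe", ".scr"}
ZIP_MAGIC = b"PK\x03\x04"   # local file header of a non-empty ZIP
PDF_MAGIC = b"%PDF-"

def triage_attachment(filename: str, data: bytes) -> dict:
    """Compare the claimed file type with the real one and inspect ZIP members."""
    findings = []
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    claims_pdf = ".pdf" in suffixes
    is_zip = data.startswith(ZIP_MAGIC)
    is_pdf = data.startswith(PDF_MAGIC)
    if claims_pdf and is_zip:
        findings.append("name suggests PDF but content is a ZIP archive")
    if len(suffixes) > 1:
        findings.append("double extension: " + "".join(suffixes))
    members = []
    if is_zip:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                members.append(info.filename)
                if PurePosixPath(info.filename).suffix.lower() in SCRIPT_EXTS:
                    findings.append("archive contains script/executable: " + info.filename)
    return {"claims_pdf": claims_pdf, "is_zip": is_zip, "is_pdf": is_pdf,
            "members": members, "findings": findings, "block": bool(findings)}

def build_sample() -> bytes:
    """Constructed sample: a ZIP holding one harmless text file with a script extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("SARS_eFiling_Statement.pdf.vbs", "' placeholder text, not a script\n")
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_attachment("SARS_eFiling_Statement.pdf.zip", build_sample()))
```

Real gateways also unpack nested archives and password-protected ZIPs listed in the e-mail body; this check covers only the first layer.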
[CAPTION] Grandoreiro's tactic includes a fake Adobe PDF reader complete with a CAPTCHA verification.
IBM says the latest variant now specifically targets more than 1 500 global banks, enabling attackers to commit banking fraud in over 60 countries.
Mimecast’s research shows Grandoreiro, active in one form or another since 2016, has already infiltrated several financial institutions in Argentina, including its tax authority, the Federal Administration of Public Income, and Spain’s police network.
Belgium Campus has noted a general rise in phishing attacks this year through its monitoring of publicly disclosed breaches. These include incidents at the South African Broadcasting Corporation, eNCA, South African Weather Service, National Treasury and platinum miner Eastern Platinum.
The real danger lies in the depth of access, says Muller. “Once inside, attackers can view e-mails, financial data, tax records, supplier details and use that intelligence to escalate attacks or commit fraud at scale.”
Clever impersonation
Phishing has become increasingly sophisticated and often looks genuine apart from the e-mail address, Muller warns. Hackers are now infiltrating Outlook servers to send phishing e-mails from legitimate accounts, she adds.
“We have also recently seen a social media campaign with hackers sending people messages on WhatsApp to enter a competition through voting for something, but then people are asked for a one-time-PIN for their Telegram.”
Muller explains that the hackers then hijack the victim’s Telegram account, enabling them to impersonate the victim and launch new phishing campaigns.
“There are small and medium enterprises that conduct professional conversations on platforms like Telegram and the risk of exposure to sensitive data for those organisations, through phishing attacks like these, can be detrimental to business operations.”
The cost of such attacks can run into hundreds of thousands of rands in recovery efforts, reputational damage, compliance fallout under the Protection of Personal Information Act and loss of customer trust, says Muller.
“For businesses, especially accountable institutions handling large data volumes and transactions, the risks are twofold: they may be targeted directly or indirectly impacted through compromised clients,” says Kumandan. “Ultimately, tax season is a pressure test, not only for compliance teams, but for the systems and habits that underpin them.”