In the mighty Savanna: Check Point Research reveals a 2-year campaign targeting large financial institutions in French-Speaking African countries


  • Dubbed ‘DangerousSavanna’- Check Point Research (CPR) uncovers a malicious campaign, targeting multiple major financial groups in French-speaking Africa, for the past two years
  • Attackers used Spear-phishing as initial infection, sending malicious attachment emails to employees in Ivory Coast, Morocco, Cameroon, Senegal, and Togo
  • The research provides overview of the infections chain and malicious infrastructure, urging organization to adopt email and endpoint security technologies to prevent sophisticated spear phishing attacks and malware infections.
  • Check Point Threat Emulation blocked this attack on A customer’ environments

The Savanna can be a dangerous playground

Recent studies show that more than 85% of financial institutions in Central and Western Africa have repeatedly been victimized in multiple, damaging cyberattacks. In a quarter of these cases, intrusions into network systems resulted in the worst possible outcomes for the financial and banking sector: information leaks, identity theft, money transfer fraud, and bank withdrawals on false checks.
Recently, CPR researchers analyzed a malicious campaign called DangerousSavanna, which has been targeting multiple major financial service groups in French-speaking Africa for the last two years. The threat actors behind this campaign use diversified spear-phishing as a means of initial infection, sending emails with various types of malicious attachments to the employees of financial institutions in at least five different French-speaking countries: Ivory Coast, Morocco, Cameroon, Senegal, and Togo. In the last few months, the campaign heavily focused on Ivory Coast.
Spear phishing is a highly targeted phishing attack. Like any phishing attack, it can be performed over a variety of different media – email, SMS, social media, etc. – but spear phishing emails are the most common.
As a type of phishing, spear phishing operates very similarly to other phishing attacks, but the process of crafting the phishing message is a bit different and is specific per each target of the attack. Also, the design of these attacks means that methods for blocking phishing emails may not be effective, requiring targeted spear phishing defenses.

Overview of the development in DangerousSavanna  infection chains, infrastructure and payloads

Infection Chains

The infection starts with spear-phishing emails written in French, usually sent to several employees of the targeted companies.. In the early stages of the campaign, the phishing emails were sent using Gmail and Hotmail services. To increase their credibility, the actors began to use lookalike domains, impersonating other financial institutions in Africa such as the Tunisian Foreign bank, Nedbank, and others. For the last year, the actors also used spoofed email addresses of a local insurance advisory company.

An example of a phishing email in which the actors used the name of an existing employee at the impersonated company

Malicious Attachments

Since 2021, the actors have been attaching malicious files to their phishing emails. These documents are either Word documents with macros, documents with a remote template (or, in some cases a few layers of external templates), or PDF documents, which lure the victim to download and then manually execute the next stage. All these documents, both MS Office or PDF, are written in  Frenchand share similar metadata such as the usernames digger, hooper davis, and HooperDEV.

 Overview of the lure documents used in the campaign.

In addition, the actors actively use PDF files to lure the user to download and manually execute the next stage. In 2022, the hackers also started using archive files like . ISO or . ZIP as part of the infection chains, in order to make the detection of the malicious files more challenging.


DangerousSavanna targets medium or large finance-related enterprises which operate across multiple African countries. The companies that belong to these financial groups provide a wide range of banking products and services, and include not only banks but also insurance companies, microfinancing companies, financial holding companies, financial management companies, financial advisory services, etc. Despite the relatively low complexity of their tools, we observed the signs that might point out that the attackers managed to infect some of their targets. This was most likely due to the actors’ persistent attempts at infiltration. If one infection chain didn’t work out, they changed the attachment and the lure and tried targeting the same company again and again trying to find an entry point. With social engineering via spear-phishing, all it takes is one incautious click by an unsuspecting user.

How to prevent Spear Phishing attacks

Spear phishing prevention is a key component of email security. A combination of security mechanism is often essential when it comes to prevention of sophisticated spear phishing attacks, that takes a more targeted and focused approach by specifically and tactically selecting victims, in opposed to a wider tactic of a “regular” phishing attack.

Powered by ThreatCloud, which is continuously enriched by advanced predictive intelligence engines, data from hundreds of millions of sensors, cutting-edge research from Check Point Research and external intelligence feeds, Threat Emulation technology is able to analyze the entire infection chain. Threat Emulation will analyze any dropper file actions. By utilizing a secure open connection to the internet, Threat Emulation will let the dropper download the second file, execute it and detect it as malicious – thus preventing the attack before it ever breaches the network. Threat Emulation protects networks against unknown threats in web downloads and e-mail attachments. The Threat Emulation engine picks up malware at the initial phase before it enters the network. The engine quickly quarantines and runs the files in a virtual sandbox environment, which imitates a standard operating system, to discover malicious behavior at the exploit phase, before hackers can apply evasion techniques to bypass. Through a combination of evasion-resistant Threat Emulation scanning engines, revolutionary AI engines, and Threat Extraction that pre-emptively sanitizes files arriving by email and web downloads.
Harmony Email & Collaboration detects and blocks the most advanced phishing attacks in real-time, before they reach end-users.
Leveraging Artificial Intelligence and machine learning, analysing over 300+ indicators of phishing and ingesting data from ThreatCloud, Harmony Email & Collaboration reduces phishing reaching the inbox by 99.2%.

In addition, complete endpoint protection is essential in preventing the most imminent threats to the endpoint, and is crucial to avoid security breaches and data compromise.

Some best practices to minimize the risks associated with spear phishing can be found here

For the full technical research visit