Phishing campaign uses Casbaneiro and Horabot to target Latin America and Europe

A multi-stage phishing campaign is targeting Spanish-speaking users at organizations across Latin America and Europe to deliver Windows banking trojans, including Casbaneiro and Horabot, according to a technical analysis from BlueVoyant published on Tuesday. The activity is tied to a Brazilian cybercrime group tracked as Augmented Marauder and Water Saci.

KEY FACTS

  • Targeting: Spanish-speaking users in Latin America and Europe
  • Initial lure: court summons-themed phishing emails with password-protected PDF attachments
  • Payloads: Casbaneiro, also known as Metamorfo, and Horabot
  • Delivery methods: email phishing, WhatsApp automation and ClickFix tactics
  • Function: Horabot is used to spread phishing emails from compromised Outlook accounts

The campaign begins with an email that urges recipients to open a PDF attachment. A link inside the document leads to a malicious download chain that runs HTA and VBS payloads before fetching later-stage files from remote servers.

Researchers said the VBS script performs anti-analysis checks, including a check for Avast antivirus software. The downloaded files include AutoIt-based loaders that unpack encrypted payloads and ultimately launch Casbaneiro and Horabot.

Casbaneiro acts as the main payload. Once installed, it contacts a command-and-control server and pulls a PowerShell script that uses Horabot to send phishing emails to contacts harvested from Microsoft Outlook. The report says the script asks a remote PHP API for a four-digit PIN and then receives a customized, password-protected PDF that impersonates a Spanish judicial summons.

A separate Horabot-related DLL is also used as a spam and account-hijacking tool against Yahoo, Live and Gmail accounts, with Outlook used to send the messages. The report says the group combines this email-based chain with WhatsApp automation and ClickFix-style social engineering to reach both consumer and enterprise targets.
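From a detection standpoint, the stage chain described above (PDF lure, HTA, VBS, AutoIt loader, then PowerShell driving Outlook) is the kind of process lineage an endpoint sensor can flag. The following is an added example, not code from the BlueVoyant report or from the malware; the process image names, event shape and sample events are assumptions constructed for the illustration.

```python
# Added example, not code from the BlueVoyant report: a process-lineage check
# for the stage chain the article describes (PDF -> HTA -> VBS -> AutoIt loader,
# then PowerShell driving Outlook). Image names and the event shape are
# assumptions; the events below are constructed sample data.

# Constructed process-creation events: (pid, parent_pid, image_name).
SAMPLE_EVENTS = [
    (100, 1, "explorer.exe"),
    (200, 100, "AcroRd32.exe"),    # user opens the PDF lure
    (300, 200, "mshta.exe"),       # HTA stage
    (400, 300, "wscript.exe"),     # VBS stage
    (500, 400, "AutoIt3.exe"),     # AutoIt loader
    (600, 500, "powershell.exe"),  # script pulled from the C2 server
    (700, 600, "outlook.exe"),     # Horabot mailing through Outlook
    (800, 100, "winword.exe"),     # unrelated, benign activity
    (900, 800, "powershell.exe"),
]

# Stage order from the article (root to leaf). A stage may be any ancestor of
# the next one, not only its direct parent, so helper processes do not break it.
STAGE_CHAIN = ["mshta.exe", "wscript.exe", "autoit3.exe",
               "powershell.exe", "outlook.exe"]

def lineage(events, pid):
    """Image names from the root process down to pid (lowercased)."""
    by_pid = {p: (pp, img) for p, pp, img in events}
    names, seen = [], set()
    while pid in by_pid and pid not in seen:   # seen guards against pid loops
        seen.add(pid)
        pid, img = by_pid[pid]                 # step to the parent
        names.append(img.lower())
    return list(reversed(names))

def stages_matched(names, stages=STAGE_CHAIN):
    """Length of the longest prefix of stages found, in order, within names."""
    i = 0
    for img in names:
        if i < len(stages) and img == stages[i]:
            i += 1
    return i

def find_suspicious(events, min_stages=3):
    """(pid, matched stages) for processes whose ancestry covers at least
    min_stages of the chain; three stages already mean HTA -> VBS -> AutoIt."""
    hits = []
    for pid, _, _ in events:
        n = stages_matched(lineage(events, pid))
        if n >= min_stages:
            hits.append((pid, n))
    return hits
```

Run against the constructed events, the three processes descending from the HTA stage are flagged and the benign Word-to-PowerShell branch is not.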

WHY IT MATTERS

The campaign shows how criminal groups can mix phishing, messaging apps and email theft to move malware through multiple channels at once. That approach can make detection harder and lets attackers reuse compromised accounts to spread new lures from trusted senders.