Horabot Malware Targets 6 Latin American Nations Using Invoice-Themed Phishing Emails



May 14, 2025 | Ravie Lakshmanan | Windows Security / Threat Intelligence


Cybersecurity researchers have discovered a new phishing campaign that is being used to distribute malware called Horabot, targeting Windows users in Latin American countries like Mexico, Guatemala, Colombia, Peru, Chile, and Argentina.

The campaign is “using crafted emails that impersonate invoices or financial documents to trick victims into opening malicious attachments and can steal email credentials, harvest contact lists, and install banking trojans,” Fortinet FortiGuard Labs researcher Cara Lin said.

The activity, observed by the network security company in April 2025, has primarily singled out Spanish-speaking users. The attacks have also been found to send phishing messages from victims’ mailboxes using Outlook COM automation, effectively propagating the malware laterally within corporate or personal networks.


In addition, the threat actors behind the campaign execute various VBScript, AutoIt, and PowerShell scripts to conduct system reconnaissance, steal credentials, and drop additional payloads.

Horabot was first documented by Cisco Talos in June 2023 as targeting Spanish-speaking users in Latin America since at least November 2020. It is assessed that the attacks are the work of a threat actor from Brazil.

Then last year, Trustwave SpiderLabs revealed details of another phishing campaign targeting the same region with malicious payloads that it said exhibit similarities with those of the Horabot malware.


The latest set of attacks starts with a phishing email that employs invoice-themed lures to entice users into opening a ZIP archive containing a PDF document. However, in reality, the attached ZIP file contains a malicious HTML file with Base64-encoded HTML data that is designed to reach out to a remote server and download the next-stage payload.

The payload is another ZIP archive that contains an HTML Application (HTA) file, which is responsible for loading a script hosted on a remote server. The script then injects an external Visual Basic Script (VBScript) that performs a series of checks that cause it to terminate if Avast antivirus is installed or it is running in a virtual environment.
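For mail-gateway or mailbox triage of the two delivery stages described above, the following check (an added example, not taken from the Fortinet report or this article) flags ZIP attachments whose members are HTML or HTA files, and HTML members carrying Base64 that decodes to more HTML. The extension list, the 80-character run threshold, the size cap, and the sample file names are assumptions; the samples are constructed and inert.

```python
import base64
import io
import re
import zipfile

SCRIPT_EXTS = (".html", ".htm", ".hta")
MAX_MEMBER = 5 * 1024 * 1024  # assumed cap so an oversized member is never inflated
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{80,}={0,2}")  # assumed minimum run length
HTML_HINT = re.compile(rb"<\s*(html|script|meta|body|iframe)\b", re.I)

def embedded_html(data):
    """Return decoded Base64 runs in data that themselves look like HTML."""
    hits = []
    for match in B64_RUN.finditer(data):
        run = match.group(0)
        try:
            # Decode whole 4-character groups only; drop any ragged tail.
            decoded = base64.b64decode(run[: len(run) // 4 * 4], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if HTML_HINT.search(decoded):
            hits.append(decoded)
    return hits

def triage_zip(blob):
    """Return (finding, member name) pairs for one ZIP attachment given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if not name.endswith(SCRIPT_EXTS):
                continue
            kind = "hta-in-zip" if name.endswith(".hta") else "html-in-zip"
            findings.append((kind, info.filename))
            if info.file_size <= MAX_MEMBER and embedded_html(zf.read(info)):
                findings.append(("base64-embedded-html", info.filename))
    return findings

def make_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used only for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed, inert sample (no real Horabot content).
INNER = b"<html><body><p>constructed inner page, no active content</p></body></html>"
OUTER = b'<html><body data-p="' + base64.b64encode(INNER) + b'"></body></html>'
LURE = make_zip({"factura.html": OUTER})
```

A ZIP that holds only a PDF produces no findings, so the check keys on the mismatch between the invoice lure and what the archive actually contains.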


The VBScript proceeds to collect basic system information, exfiltrate it to a remote server, and retrieve additional payloads, including an AutoIt script that unleashes the banking trojan by means of a malicious DLL and a PowerShell script that is tasked with spreading the phishing emails after building a list of target email addresses by scanning contact data within Outlook.

“The malware then proceeds to steal browser-related data from a range of targeted web browsers, including Brave, Yandex, Epic Privacy Browser, Comodo Dragon, Cent Browser, Opera, Microsoft Edge, and Google Chrome,” Lin said. “In addition to data theft, Horabot monitors the victim’s behavior and injects fake pop-up windows designed to capture sensitive user login credentials.”
