Cybersecurity researchers have found a brand new phishing marketing campaign that is getting used to distribute malware known as Horabot concentrating on Home windows customers in Latin American international locations like Mexico, Guatemala, Colombia, Peru, Chile, and Argentina.
The marketing campaign is “utilizing crafted emails that impersonate invoices or monetary paperwork to trick victims into opening malicious attachments and may steal e mail credentials, harvest contact lists, and set up banking trojans,” Fortinet FortiGuard Labs researcher Cara Lin mentioned.
The exercise, noticed by the community safety firm in April 2025, has primarily singled out Spanish-speaking customers. The assaults have additionally been discovered to ship phishing messages from victims’ mailboxes utilizing Outlook COM automation, successfully propagating the malware laterally inside company or private networks.
As well as, the risk actors behind the marketing campaign execute varied VBScript, AutoIt, and PowerShell scripts to conduct system reconnaissance, steal credentials, and drop extra payloads.
Horabot was first documented by Cisco Talos in June 2023 as concentrating on Spanish-speaking customers in Latin America since at the least November 2020. It is assessed that the assaults are the work of a risk actor from Brazil.
Then final yr, Trustwave SpiderLabs revealed particulars of one other phishing marketing campaign concentrating on the identical area with malicious payloads which it mentioned reveals similarities with that of Horabot malware.
The newest set of assaults begins with a phishing e mail that employs invoice-themed lures to entice customers into opening a ZIP archive containing a PDF doc. Nevertheless, in actuality, the hooked up ZIP file comprises a malicious HTML file with Base64-encoded HTML knowledge that is designed to succeed in out to a distant server and obtain the next-stage payload.
The payload is one other ZIP archive that comprises an HTML Utility (HTA) file, which is accountable for loading a script hosted on a distant server. The script then injects an exterior Visible Fundamental Script (VBScript) that performs a sequence of checks that trigger it to terminate if Avast antivirus is put in or it is operating in a digital setting.
The VBScript proceeds to gather fundamental system info, exfiltrate it to a distant server, and retrieves extra payloads, together with an AutoIt script that unleashes the banking trojan via a malicious DLL and a PowerShell script that is tasked with spreading the phishing emails after constructing an inventory of goal e mail addresses by scanning contact knowledge inside Outlook.
“The malware then proceeds to steal browser-related knowledge from a spread of focused net browsers, together with Courageous, Yandex, Epic Privateness Browser, Comodo Dragon, Cent Browser, Opera, Microsoft Edge, and Google Chrome,” Lin mentioned. “Along with knowledge theft, Horabot displays the sufferer’s conduct and injects pretend pop-up home windows designed to seize delicate consumer login credentials.”
