Casbaneiro Phishing targets Latin America and Europe using dynamic PDF lures


Ravi LakshmananApril 1, 2026Malware / Windows Security

A multi-pronged phishing campaign is targeting Spanish-speaking users at organizations in Latin America and Europe, delivering Windows banking trojans such as Casbaneiro (also known as Metamorfo) by way of another piece of malware called Horabot.

The activity is believed to be the work of a Brazilian cybercrime group tracked as Augmented Marauder and Water Saci. The e-crime group was first documented by Trend Micro in October 2025.

“This threat group employs a wide range of attack models, focusing on bespoke delivery and propagation mechanisms including WhatsApp, ClickFix technology, and email-centric phishing,” BlueVoyant security researchers Thomas Elkins and Joshua Green said in a technical analysis published Tuesday.

“We have discovered that these Brazil-based carriers are making extensive use of script-based WhatsApp automation to compromise retail and consumer users in Latin America, while simultaneously maintaining and deploying sophisticated email hijacking engines to penetrate local and European corporate boundaries.”

The campaign begins with a phishing email that uses a court subpoena-themed message to trick recipients into opening a password-protected PDF attachment. Clicking the link embedded in the document takes the victim to a malicious URL that triggers an automatic download of a ZIP archive, which leads to the execution of intermediate HTML Application (HTA) and VBS payloads.

The VBS script performs environment and anti-analysis checks similar to those found in Horabot artifacts (such as checking for Avast antivirus software) and retrieves the next-stage payload from a remote server. The downloaded files include an AutoIt-based loader that extracts and executes encrypted payload files with “.ia” or “.at” extensions, ultimately launching two malware families: Casbaneiro (“staticdata.dll”) and Horabot (“at.dll”).

Casbaneiro is the primary payload, while Horabot serves as the propagation mechanism. Casbaneiro’s Delphi DLL module connects to a command-and-control (C2) server and retrieves a PowerShell script that uses Horabot to distribute malware via phishing emails to contacts harvested from Microsoft Outlook.

“Rather than distributing static files or hardcoded links as seen in older Horabot campaigns, this script initiates an HTTP POST request to a remote PHP API (hxxps://tt.grupobedfs[.]com/…/gera_pdf.php) and hands over a randomly generated four-digit PIN,” BlueVoyant said.

“The server dynamically forges a custom password-protected PDF disguised as a Spanish judicial subpoena and sends it back to the infected host. The script then iterates through the filtered email list and leverages the compromised user’s own email account to send a customized phishing email with the newly generated PDF attached.”

Additionally, a secondary Horabot-related DLL (“at.dll”) used at the same time acts as a spam and account hijacking tool that targets Yahoo, Live, and Gmail accounts and sends phishing emails via Outlook. Horabot has been assessed to be used in attacks targeting Latin America since at least November 2020.
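A hunting sketch for the chain described above, added here as an example and not taken from BlueVoyant or the original article: it tags endpoint and proxy events with the stage they match (HTA/VBS script host, payload file drop, POST to `gera_pdf.php`) and rates a host higher when several stages co-occur. The event schema, host names, file paths, the `pin` field name and the `example.invalid` URL are assumptions constructed for illustration; the URL is matched on its path only because the page elides the rest.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath
from urllib.parse import parse_qsl, urlsplit

PAYLOAD_NAMES = {"staticdata.dll", "at.dll"}   # DLL names from the article
PAYLOAD_EXTS = {".ia", ".at"}                  # encrypted payload extensions
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}  # Windows HTA/VBS hosts
SCRIPT_ARG = re.compile(r"\.(hta|vbs)\b", re.I)

def classify(event):
    """Return the set of chain stages a single event matches."""
    hits = set()
    if event["type"] == "process":
        image = PureWindowsPath(event["image"]).name.lower()
        if image in SCRIPT_HOSTS and SCRIPT_ARG.search(event["cmdline"]):
            hits.add("script_stage")
    elif event["type"] == "file":
        path = PureWindowsPath(event["path"])
        if path.name.lower() in PAYLOAD_NAMES or path.suffix.lower() in PAYLOAD_EXTS:
            hits.add("payload_drop")
    elif event["type"] == "http":
        url_path = urlsplit(event["url"]).path.lower()
        if event["method"] == "POST" and url_path.endswith("/gera_pdf.php"):
            # Assumption: PIN field name unknown; any four-digit form value counts.
            values = [v for _, v in parse_qsl(event.get("body", ""))]
            has_pin = any(re.fullmatch(r"\d{4}", v) for v in values)
            hits.add("pdf_api_pin" if has_pin else "pdf_api")
    return hits

def hunt(events):
    """Group hits per host; two or more distinct stages rate 'high'."""
    stages = defaultdict(set)
    for event in events:
        stages[event["host"]] |= classify(event)
    return {host: ("high" if len(s) > 1 else "low", sorted(s))
            for host, s in stages.items() if s}

SAMPLE_EVENTS = [  # constructed for illustration, not real telemetry
    {"host": "WS-01", "type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\ana\Downloads\doc.hta"'},
    {"host": "WS-01", "type": "file", "path": r"C:\Users\ana\AppData\Roaming\k\staticdata.dll"},
    {"host": "WS-01", "type": "http", "method": "POST",
     "url": "https://lure.example.invalid/a/gera_pdf.php", "body": "pin=4821"},
    {"host": "WS-02", "type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe \\dc01\netlogon\map_drives.vbs"},
]

print(hunt(SAMPLE_EVENTS))
```

A single stage on its own, such as the logon script on WS-02 or an unrelated file ending in “.at”, is common in benign environments, which is why only co-occurring stages are rated high.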

Water Saci has a history of using WhatsApp Web as a distribution vector for spreading banking Trojans such as Maverick and Casbaneiro in a worm-like manner. However, recent campaigns highlighted by Kaspersky used ClickFix social engineering tactics to trick users into running malicious HTA files, with the ultimate goal of deploying Casbaneiro and Horabot spreaders.

“Taken together, the integration of ClickFix social engineering, along with dynamic PDF generation and WhatsApp automation, points to an agile attacker that continuously innovates and executes diverse attack paths to circumvent modern security controls,” the researchers conclude.

“This threat actor maintains a bifurcated, multi-pronged attack infrastructure, dynamically deploying a WhatsApp-centric Maverick chain and leveraging both ClickFix and email-based Horabot attack paths simultaneously.”

