Cybersecurity researchers have discovered a new phishing campaign that is used to distribute malware called Horabot, targeting Windows users in Latin American countries such as Mexico, Guatemala, Colombia, Peru, Chile and Argentina.
The campaign “uses crafted emails to “make up invoices or financial documents, treat victims, open malicious attachments, steal email credentials, harvest contact lists, and allow bank Trojans to be installed,” said Cara Lin, a researcher at Fortinet Fortiguard Labs.
The activity observed by network security companies in April 2025 was primarily selecting Spanish-speaking users. Attacks are also known to use Outlook Com automation to send phishing messages from victims’ mailboxes and effectively propagate malware horizontally within the company or personal network.
Additionally, the threat actors behind the campaign run various VBScript, car, and PowerShell scripts to conduct system reconnaissance, steal qualifications, and drop additional payloads.
Horabot was first documented in June 2023 by Cisco Talos as targeting Spanish-speaking users in Latin America since at least November 2020. Attacks are rated as the work of Brazilian threat actors.
Then last year, Trustwave SpiderLabs revealed details of another phishing campaign targeting the same region with malicious payloads that demonstrate similarity and similarity to Horabot malware.
The latest attack set starts with a phishing email that uses invoice-themed lures to tempt users to open a ZIP archive containing PDF documents. However, in reality, the attached ZIP file contains a malicious HTML file with Base64 encoded HTML data designed to reach out to a remote server and download the next stage payload.
A payload is another ZIP archive containing HTML application (HTA) files that are responsible for loading scripts hosted on a remote server. The script then inserts an external visual basic script (VBScript) that performs a series of checks that will be terminated if Avast Antivirus is installed or is running in a virtual environment.
VBScript goes to get additional payloads, such as car scripts that collect basic system information, extract it to remote servers, and unleash banking trojans by malicious DLLs, and PowerShell scripts that impose phishing emails spread after constructing a list of target email addresses that have scanned contact data within the scope of your vision.
“Malware steals browser-related data from a variety of target web browsers, including Brave, Yandex, Epic Privacy Browser, Comodo Dragon, Cent Browser, Opera, Microsoft Edge, Google Chrome, and more. “In addition to data theft, Horabot injects fake pop-up windows designed to monitor victim behavior and capture sensitive user login credentials.”
Source link
