Could 14, 2025Ravie LakshmananWindows Safety / Risk Intelligence
Cybersecurity researchers have found a brand new phishing marketing campaign that is getting used to distribute malware referred to as Horabot concentrating on Home windows customers in Latin American international locations like Mexico, Guatemala, Colombia, Peru, Chile, and Argentina.
The marketing campaign is “utilizing crafted emails that impersonate invoices or monetary paperwork to trick victims into opening malicious attachments and might steal electronic mail credentials, harvest contact lists, and set up banking trojans,” Fortinet FortiGuard Labs researcher Cara Lin mentioned.
The exercise, noticed by the community safety firm in April 2025, has primarily singled out Spanish-speaking customers. The assaults have additionally been discovered to ship phishing messages from victims’ mailboxes utilizing Outlook COM automation, successfully propagating the malware laterally inside company or private networks.
As well as, the menace actors behind the marketing campaign execute varied VBScript, AutoIt, and PowerShell scripts to conduct system reconnaissance, steal credentials, and drop further payloads.
Horabot was first documented by Cisco Talos in June 2023 as concentrating on Spanish-speaking customers in Latin America since at the least November 2020. It is assessed that the assaults are the work of a menace actor from Brazil.
Then final 12 months, Trustwave SpiderLabs revealed particulars of one other phishing marketing campaign concentrating on the identical area with malicious payloads which it mentioned reveals similarities with that of Horabot malware.
The newest set of assaults begins with a phishing electronic mail that employs invoice-themed lures to entice customers into opening a ZIP archive containing a PDF doc. Nevertheless, in actuality, the connected ZIP file accommodates a malicious HTML file with Base64-encoded HTML knowledge that is designed to achieve out to a distant server and obtain the next-stage payload.
The payload is one other ZIP archive that accommodates an HTML Utility (HTA) file, which is chargeable for loading a script hosted on a distant server. The script then injects an exterior Visible Fundamental Script (VBScript) that performs a sequence of checks that trigger it to terminate if Avast antivirus is put in or it is working in a digital atmosphere.
The VBScript proceeds to gather primary system info, exfiltrate it to a distant server, and retrieves further payloads, together with an AutoIt script that unleashes the banking trojan via a malicious DLL and a PowerShell script that is tasked with spreading the phishing emails after constructing an inventory of goal electronic mail addresses by scanning contact knowledge inside Outlook.
“The malware then proceeds to steal browser-related knowledge from a variety of focused internet browsers, together with Courageous, Yandex, Epic Privateness Browser, Comodo Dragon, Cent Browser, Opera, Microsoft Edge, and Google Chrome,” Lin mentioned. “Along with knowledge theft, Horabot displays the sufferer’s habits and injects faux pop-up home windows designed to seize delicate person login credentials.”
Discovered this text attention-grabbing? Observe us on Twitter and LinkedIn to learn extra unique content material we put up.
