A multi-method phishing campaign is targeting Spanish-speaking users at organizations in Latin America and Europe to deliver Windows trojans such as Casbaneiro (aka Metamorfo) along with another malware called Horabot.
The campaign is the work of a Brazilian cybercrime threat actor that goes by the names Augmented Marauder and Water Saci. The e-crime group was first documented by Trend Micro in October 2025.
“This group of threats uses a broad attack method that focuses on the delivery and distribution method that includes WhatsApp, ClickFix methods and email phishing,” BlueVoyant security researchers Thomas Elkins and Joshua Green said in a technical briefing published on Tuesday.

“It is clear that while these Brazilian users are using text-based WhatsApp automations to defraud retail users and consumers in Latin America, they are also maintaining and using a sophisticated email phishing engine to infiltrate commercial sites there and in Europe.”
The starting point of the campaign is a phishing email that uses subpoena-themed messages to trick recipients into opening a password-protected PDF attachment. Clicking on a link embedded in the document directs the victim to a malicious URL and automatically starts the download of a ZIP archive, which in turn leads to the execution of interim HTML Application (HTA) and VBS payloads.
The VBS script is designed to perform environment and anti-analysis checks similar to those found in Horabot artifacts, including checking for Avast antivirus software, and then proceeds to retrieve the next-stage payloads from a remote server. Among the downloaded files are AutoIt-based loaders, each of which extracts and runs encrypted payload files with “.ia” or “.at” extensions, ultimately delivering two malware families: Casbaneiro (“staticdata.dll”) and Horabot (“at.dll”).
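For defenders, the chain described above (script host running HTA/VBS, AutoIt loader, “.ia”/“.at” payload files, final DLLs) can be correlated per host in endpoint telemetry. The following is an added example, not code from BlueVoyant or the original report; the event schema, the time window, the sample paths and the assumption that the AutoIt interpreter keeps its default `AutoIt3` name are all illustrative.

```python
import ntpath
from collections import defaultdict

WINDOW = 900  # seconds; assumed correlation window, tune per environment
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
PAYLOAD_EXTS = (".ia", ".at")              # payload extensions named in the report
FINAL_DLLS = {"staticdata.dll", "at.dll"}  # DLL names named in the report

def stage_of(ev):
    """Map one event to a stage of the described chain, or None."""
    name = ntpath.basename(ev.get("image") or ev.get("path", "")).lower()
    if ev["type"] == "process":
        cmd = ev.get("cmdline", "").lower()
        if name in SCRIPT_HOSTS and (".hta" in cmd or ".vbs" in cmd):
            return "script_host"
        if name.startswith("autoit3"):  # assumption: interpreter not renamed
            return "autoit_loader"
    elif ev["type"] == "file":
        if name in FINAL_DLLS:
            return "final_dll"
        if name.endswith(PAYLOAD_EXTS):
            return "encrypted_payload"
    return None

def flag_hosts(events, min_stages=3):
    """Return {host: stages} for hosts showing >= min_stages distinct stages within WINDOW."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(ev)
        if stage:
            per_host[ev["host"]].append((ev["ts"], stage))
    flagged = {}
    for host, hits in per_host.items():
        for i, (start, _) in enumerate(hits):
            seen = {s for ts, s in hits[i:] if ts - start <= WINDOW}
            if len(seen) >= min_stages:
                flagged[host] = sorted(seen)
                break
    return flagged

# Constructed sample telemetry (simplified schema, not a real EDR export format).
SAMPLE = [
    {"host": "ws-01", "ts": 0, "type": "process", "image": r"C:\Windows\System32\mshta.exe", "cmdline": r"mshta.exe C:\Users\a\Downloads\doc.hta"},
    {"host": "ws-01", "ts": 60, "type": "process", "image": r"C:\Users\Public\AutoIt3.exe", "cmdline": "AutoIt3.exe loader.au3"},
    {"host": "ws-01", "ts": 65, "type": "file", "path": r"C:\Users\Public\blob.ia"},
    {"host": "ws-01", "ts": 90, "type": "file", "path": r"C:\Users\Public\staticdata.dll"},
    {"host": "ws-02", "ts": 10, "type": "process", "image": r"C:\Windows\System32\wscript.exe", "cmdline": "wscript.exe logon.vbs"},
]
if __name__ == "__main__":
    print(flag_hosts(SAMPLE))
```

A single script-host event, as on the constructed host `ws-02`, is not flagged; requiring several distinct stages inside the window keeps ordinary logon scripts from alerting.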
While Casbaneiro is the main payload, Horabot is used as the propagation mechanism. Casbaneiro’s Delphi DLL module connects to the command-and-control (C2) server to retrieve a PowerShell script that uses Horabot to distribute malware via phishing emails to contacts harvested from Microsoft Outlook.
“Instead of distributing a static file or hard link as seen in older Horabot campaigns, this script initiates an HTTP POST request to the remote PHP API (hxxps://tt.grupobedfs[.]com/…/gera_pdf.php), to transmit a randomly generated four-digit PIN,” BlueVoyant said.
“The server dynamically generates a password-protected PDF that automatically subpoenas Spain, which is sent back to the infected person. The script repeats itself to a filtered mailing list, using the compromised user’s email account to send a phishing email with the newly generated PDF.”
Also used in tandem is a second Horabot-related DLL (“at.dll”) that acts as a spam and account-hijacking tool, targeting Yahoo, Live, and Gmail accounts to send phishing emails through Outlook. Horabot is known to have been used in attacks targeting Latin America since at least November 2020.

Water Saci has a history of using WhatsApp Web as a delivery mechanism for spreading banking trojans like Maverick and Casbaneiro in a worm-like manner. However, recent campaigns highlighted by Kaspersky used the ClickFix social engineering strategy to trick users into running malicious HTA files, with the ultimate goal of deploying Casbaneiro and the Horabot spreader.
“Together, the combination of ClickFix’s social engineering, as well as powerful PDF creation and WhatsApp automation, shows a dynamic adversary that is constantly inventing and using different attack methods than modern security controls,” the researchers concluded.
“This adversary maintains a multi-layered attack process, using the WhatsApp-centric Maverick network while simultaneously using email-based ClickFix and Horabot attack methods.”