Casbaneiro Phishing Campaigns Escalate Across Latin America and Europe
A sophisticated phishing campaign is actively targeting Spanish-speaking users in organizations across Latin America and Europe, aiming to deploy Windows banking trojans such as Casbaneiro (also known as Metamorfo) through the intermediary malware Horabot. This operation has been linked to a Brazilian cybercriminal group identified as Augmented Marauder and Water Saci, first documented by Trend Micro in October 2025.
According to BlueVoyant security researchers Thomas Elkins and Joshua Green, this threat group employs a multifaceted attack strategy that includes WhatsApp automation, ClickFix techniques, and email-centric phishing. While initially focusing on compromising retail and consumer users in Latin America through WhatsApp automation, the group has expanded its tactics to penetrate enterprise networks in both Latin America and Europe using advanced email hijacking methods.
Attack Methodology
The campaign begins with phishing emails that use court summons-themed messages to deceive recipients into opening a password-protected PDF attachment. Within this document, an embedded link directs the victim to a malicious URL, triggering the automatic download of a ZIP archive. This archive contains interim HTML Application (HTA) and VBS payloads designed to execute the next stages of the attack.
The VBS script performs environment and anti-analysis checks, including the detection of Avast antivirus software. If the system passes these checks, the script retrieves additional payloads from a remote server. Among these are AutoIt-based loaders that extract and run encrypted payload files with .ia or .at extensions, ultimately launching two malware families: Casbaneiro (staticdata.dll) and Horabot (at.dll).
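The loader chain described above (HTA, then VBS, then an AutoIt-based loader fed a .ia or .at payload file, then the Casbaneiro or Horabot DLL) can be matched stage by stage in endpoint telemetry. The following Python is an added example written for this page, not code from BlueVoyant, Trend Micro or the malware itself; the event records are constructed to resemble simplified process-creation and image-load telemetry, and the field names, file paths and loader name `ldr.exe` are assumptions, not any vendor's schema or an observed artifact. Requiring more than one stage per host keeps a lone logon script run by wscript.exe from alerting.

```python
"""Multi-stage detection for the HTA -> VBS -> loader -> DLL chain (added example)."""
import re
from collections import defaultdict

# Constructed sample telemetry. HOST-A shows the chain described in the
# article; HOST-B shows an ordinary logon script for comparison.
SAMPLE_EVENTS = [
    {"host": "HOST-A", "type": "process", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\u\Downloads\citacion\notificacion.hta"'},
    {"host": "HOST-A", "type": "process", "parent": "mshta.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Local\Temp\upd.vbs"'},
    {"host": "HOST-A", "type": "process", "parent": "wscript.exe",
     "image": r"C:\Users\u\AppData\Roaming\ldr\ldr.exe",            # hypothetical loader name
     "cmdline": r"ldr.exe C:\Users\u\AppData\Roaming\ldr\data.ia"},  # .ia encrypted payload
    {"host": "HOST-A", "type": "imageload",
     "image": r"C:\Users\u\AppData\Roaming\ldr\ldr.exe",
     "loaded": r"C:\Users\u\AppData\Roaming\ldr\staticdata.dll"},    # Casbaneiro module
    {"host": "HOST-B", "type": "process", "parent": "userinit.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Scripts\logon.vbs"'},
]

# DLL names given in the article for the two payloads.
KNOWN_DLLS = {"staticdata.dll", "at.dll"}
# A command-line argument ending in .ia or .at (the encrypted payload files).
PAYLOAD_EXT = re.compile(r"\S+\.(ia|at)\b", re.IGNORECASE)


def _is_proc(event, name):
    """True if the event is a process start of the given executable name."""
    return event["type"] == "process" and event["image"].lower().endswith("\\" + name)


def ind_hta(event):
    """Stage 1: mshta.exe launched with an .hta file."""
    return _is_proc(event, "mshta.exe") and ".hta" in event["cmdline"].lower()


def ind_vbs_from_hta(event):
    """Stage 2: a script host running a .vbs whose parent is mshta.exe."""
    script_host = _is_proc(event, "wscript.exe") or _is_proc(event, "cscript.exe")
    return (script_host and ".vbs" in event["cmdline"].lower()
            and event.get("parent", "").lower() == "mshta.exe")


def ind_encrypted_payload(event):
    """Stage 3: any process given a .ia / .at payload file as an argument."""
    return event["type"] == "process" and PAYLOAD_EXT.search(event["cmdline"]) is not None


def ind_known_dll(event):
    """Stage 4: staticdata.dll (Casbaneiro) or at.dll (Horabot) loaded."""
    if event["type"] != "imageload":
        return False
    return event["loaded"].lower().rsplit("\\", 1)[-1] in KNOWN_DLLS


INDICATORS = {
    "hta_execution": ind_hta,
    "vbs_spawned_by_hta": ind_vbs_from_hta,
    "encrypted_payload_arg": ind_encrypted_payload,
    "known_dll_loaded": ind_known_dll,
}


def evaluate(events, min_indicators=2):
    """Return {host: sorted indicator names} for hosts showing at least
    min_indicators distinct stages of the chain."""
    hits = defaultdict(set)
    for event in events:
        for name, check in INDICATORS.items():
            if check(event):
                hits[event["host"]].add(name)
    return {host: sorted(names) for host, names in hits.items()
            if len(names) >= min_indicators}


if __name__ == "__main__":
    for host, names in evaluate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(names)}")
```

The stage checks are deliberately loose on the loader (any process handed a .ia/.at file) because the article does not name the loader executable; correlation across stages per host, rather than any single check, is what makes the rule usable.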
Casbaneiro serves as the primary payload, while Horabot functions as a propagation mechanism. The Casbaneiro Delphi DLL module contacts a command-and-control (C2) server to fetch a PowerShell script that utilizes Horabot to distribute the malware via phishing emails to contacts harvested from Microsoft Outlook.
Rather than distributing a static file or hardcoded link, this script initiates an HTTP POST request to a remote PHP API, passing a randomly generated four-digit PIN. The server dynamically generates a bespoke, password-protected PDF impersonating a Spanish judicial summons, which is returned to the infected host. The script then iterates over the filtered email list, using the compromised user’s own email account to send tailored phishing emails with the newly generated PDF attached.
Additionally, a secondary Horabot-related DLL (at.dll) functions as a spam and account hijacking tool targeting Yahoo, Live, and Gmail accounts to send phishing emails via Outlook. Horabot has been used in attacks targeting Latin America since at least November 2020.
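The propagation stage described above leaves a recognisable trace at the mail gateway: one internal account, within minutes, sends a burst of messages that each carry a password-protected PDF to many distinct contacts. The Python below is an added example for this page, not code from BlueVoyant or from the campaign; the log records are constructed, and the field names (including the gateway's `encrypted_attachment` flag) are an assumption about what a mail gateway exports, not any product's schema.

```python
"""Flag outbound bursts of password-protected PDFs from one sender (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed outbound mail-gateway records. alice@ shows the propagation
# pattern; bob@ sends two legitimate encrypted PDFs; carol@ sends many
# unencrypted reports and should not be flagged.
SAMPLE_LOG = [
    {"ts": "2025-10-14T09:00:10", "sender": "alice@corp.example", "recipient": f"contact{i}@partner.example",
     "subject": "Citación judicial - Expediente", "attachment": "Citacion_Judicial.pdf", "encrypted_attachment": True}
    for i in range(1, 7)
] + [
    {"ts": "2025-10-14T10:00:00", "sender": "bob@corp.example", "recipient": "dave@corp.example",
     "subject": "Contract draft", "attachment": "contract.pdf", "encrypted_attachment": True},
    {"ts": "2025-10-14T10:03:00", "sender": "bob@corp.example", "recipient": "erin@corp.example",
     "subject": "Contract draft", "attachment": "contract.pdf", "encrypted_attachment": True},
] + [
    {"ts": "2025-10-14T11:00:00", "sender": "carol@corp.example", "recipient": f"team{i}@corp.example",
     "subject": "Weekly report", "attachment": "report.pdf", "encrypted_attachment": False}
    for i in range(1, 8)
]
# Spread alice's messages over a few minutes so the sliding window is exercised.
for _offset, _rec in zip([10, 65, 160, 252, 350, 450], SAMPLE_LOG[:6]):
    _rec["ts"] = (datetime(2025, 10, 14, 9, 0, 0) + timedelta(seconds=_offset)).isoformat()


def _t(record):
    return datetime.fromisoformat(record["ts"])


def flag_propagation(records, window=timedelta(minutes=15), min_recipients=5):
    """Return {sender: {"recipients", "first", "last"}} for senders that, within
    `window`, delivered a password-protected PDF to at least `min_recipients`
    distinct recipients. The window with the most recipients is reported."""
    by_sender = defaultdict(list)
    for rec in records:
        if rec["encrypted_attachment"] and rec["attachment"].lower().endswith(".pdf"):
            by_sender[rec["sender"]].append(rec)

    flagged = {}
    for sender, msgs in by_sender.items():
        msgs.sort(key=_t)
        best, start = None, 0
        for end in range(len(msgs)):
            # Slide the window start forward until it spans at most `window`.
            while _t(msgs[end]) - _t(msgs[start]) > window:
                start += 1
            recipients = {m["recipient"] for m in msgs[start:end + 1]}
            if len(recipients) >= min_recipients and (best is None or len(recipients) > best["recipients"]):
                best = {"recipients": len(recipients), "first": msgs[start]["ts"], "last": msgs[end]["ts"]}
        if best is not None:
            flagged[sender] = best
    return flagged


if __name__ == "__main__":
    for sender, info in flag_propagation(SAMPLE_LOG).items():
        print(f"{sender}: {info['recipients']} recipients between {info['first']} and {info['last']}")
```

Thresholds belong to the environment: a legal or HR team may routinely send encrypted PDFs, so tune `min_recipients` and `window` against a baseline before alerting, and treat a hit as a trigger to check the sending account for compromise rather than as proof on its own.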
Evolution of Tactics
Water Saci has a history of using WhatsApp Web as a distribution vector for disseminating banking trojans like Maverick and Casbaneiro in a worm-like manner. However, recent campaigns have leveraged the ClickFix social engineering tactic to deceive users into running malicious HTA files, ultimately deploying Casbaneiro and the Horabot spreader.
The integration of ClickFix social engineering, dynamic PDF generation, and WhatsApp automation demonstrates an agile adversary continually innovating and executing diverse attack paths to bypass modern security controls. This adversary maintains a bifurcated, multi-pronged attack infrastructure, dynamically deploying the WhatsApp-centric Maverick chain while concurrently utilizing both ClickFix and email-based Horabot attack paths.
Implications and Recommendations
The evolving tactics of the Augmented Marauder and Water Saci groups underscore the need for heightened vigilance among organizations operating in Latin America and Europe. The use of dynamic PDF lures and advanced propagation mechanisms like Horabot highlights the sophistication of these campaigns.
Organizations are advised to implement comprehensive email filtering solutions, conduct regular security awareness training for employees, and maintain up-to-date antivirus and anti-malware software. Additionally, monitoring for unusual email activity and implementing multi-factor authentication can help mitigate the risks associated with these phishing campaigns.
As cybercriminals continue to refine their methods, staying informed about emerging threats and adapting security measures accordingly is crucial for protecting sensitive information and maintaining operational integrity.