Cybersecurity researchers have identified a sophisticated phishing campaign distributing the Horabot malware, primarily targeting Windows users in Latin American countries such as Mexico, Guatemala, Colombia, Peru, Chile, and Argentina. This campaign employs meticulously crafted emails that masquerade as invoices or financial documents to deceive recipients into opening malicious attachments. Once activated, the malware is capable of stealing email credentials, harvesting contact lists, and installing banking trojans.
The campaign, observed by Fortinet FortiGuard Labs in April 2025, predominantly targets Spanish-speaking users. Notably, the attackers utilize victims’ Outlook accounts to send phishing emails, facilitating the lateral spread of the malware within corporate or personal networks. The threat actors execute various scripts, including VBScript, AutoIt, and PowerShell, to conduct system reconnaissance, steal credentials, and deploy additional payloads.
Horabot was first documented by Cisco Talos in June 2023, with evidence of its activity dating back to at least November 2020. The attacks are believed to be orchestrated by a threat actor based in Brazil. Subsequent reports by Trustwave SpiderLabs in 2024 detailed similar phishing campaigns targeting the same region, exhibiting characteristics akin to the Horabot malware.
Attack Chain and Methodology:
The latest attacks commence with phishing emails that use invoice-themed lures to entice users into opening a ZIP archive containing a PDF document. In reality, the attached ZIP file contains a malicious HTML file with Base64-encoded data designed to contact a remote server and download the next-stage payload. This payload is another ZIP archive containing an HTML Application (HTA) file, which loads a script hosted on a remote server. The script injects an external Visual Basic Script (VBScript) that performs checks to terminate if Avast antivirus is installed or if it’s running in a virtual environment.
The VBScript collects basic system information, exfiltrates it to a remote server, and retrieves additional payloads, including an AutoIt script that deploys the banking trojan via a malicious DLL and a PowerShell script tasked with spreading phishing emails after compiling a list of target email addresses by scanning contact data within Outlook.
The malware proceeds to steal browser-related data from various web browsers, including Brave, Yandex, Epic Privacy Browser, Comodo Dragon, Cent Browser, Opera, Microsoft Edge, and Google Chrome. In addition to data theft, Horabot monitors the victim’s behavior and injects fake pop-up windows designed to capture sensitive user login credentials.
Recommendations:
To protect against the Horabot campaign and similar attacks, it is crucial to adhere to best security practices:
– Avoid opening suspicious attachments or links in unsolicited emails.
– Keep software and operating systems updated.
– Utilize reliable security solutions.
– Educate users about the risks of social engineering.
Organizations should also monitor for indicators of compromise (IoCs) associated with Horabot and implement measures to detect and mitigate potential infections.
