Cybersecurity researchers have discovered a new phishing campaign used to distribute the Horabot malware, targeting Windows users in Latin American countries such as Mexico, Guatemala, Colombia, Peru, Chile, and Argentina.
The campaign "uses crafted emails that impersonate invoices and financial documents to trick victims into opening malicious attachments and can steal email credentials, harvest contact lists, and install banking trojans," Fortinet FortiGuard Labs researcher Cara Lin said.
The activity, observed by the network security company in April 2025, has primarily singled out Spanish-speaking users. The attacks were also found to spread from victims' mailboxes using Outlook COM automation, effectively distributing the malware across corporate and personal networks.
In addition, the actors behind the campaign execute various VBScript, AutoIt, and PowerShell scripts for system reconnaissance, credential theft, and dropping additional payloads.
Horabot was first documented by Cisco Talos in June 2023 as targeting Spanish-speaking users in Latin America since November 2020. The attacks are assessed to be the work of an actor from Brazil.
Then last year, Trustwave SpiderLabs disclosed details of another phishing campaign aimed at the same region, with malicious payloads that it said show similarities to the Horabot malware.
The latest set of attacks begins with a phishing email that uses invoice-themed lures to entice users into opening a ZIP archive that purportedly contains a PDF document. In reality, the attached ZIP file contains a malicious HTML file with Base64-encoded HTML data designed to reach out to a remote server and download the next-stage payload.
The payload is another ZIP archive containing an HTML Application (HTA) file, which is responsible for loading a script hosted on a remote server. The script then injects an external Visual Basic Script (VBScript) that performs a series of checks and terminates if Avast antivirus is installed or if it is running in a virtual environment.
The VBScript then collects basic system information, exfiltrates it to a remote server, and retrieves additional payloads. These include an AutoIt script that unleashes the banking trojan by means of a malicious DLL, and a PowerShell script tasked with distributing the phishing emails after building a target address list by scanning the victim's contacts.
"The malware then proceeds to steal browser data from a range of targeted web browsers, including Brave, Yandex, Epic Privacy Browser, Comodo Dragon, Cent Browser, Opera, Microsoft Edge, and Google Chrome," Lin said. "In addition to data theft, Horabot monitors the victim's behavior and injects fake pop-up windows designed to capture sensitive login credentials."
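As an added illustration (not from the original article or from Fortinet), the following attachment triage check targets the delivery stage described above: it flags HTML/HTA members inside a ZIP attachment, Base64 runs that decode to markup, and nested ZIP archives. The function names, the 200-character Base64 threshold, the size limit, and the sample archive are assumptions constructed for this example.

```python
import base64
import io
import re
import zipfile

RISKY_EXT = (".html", ".htm", ".hta")  # script-capable types named in the article
B64_RUN = re.compile(rb"(?:[A-Za-z0-9+/]{4}){50,}")  # 200+ chars; threshold is an assumption
MARKUP = re.compile(rb"<\s*(html|script|iframe|body)\b", re.I)


def embedded_markup(blob: bytes) -> bool:
    """True if a long Base64 run in blob decodes to HTML-like markup."""
    for run in B64_RUN.findall(blob):
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:
            continue
        if MARKUP.search(decoded):
            return True
    return False


def triage_zip(data: bytes, depth: int = 0, max_member: int = 5_000_000) -> list:
    """Return findings for one ZIP attachment; recurses into nested ZIPs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if name.endswith(RISKY_EXT):
                findings.append(f"script-capable member: {info.filename}")
            if info.file_size > max_member:  # do not inflate huge members
                findings.append(f"oversized member skipped: {info.filename}")
                continue
            body = zf.read(info)
            if name.endswith(RISKY_EXT) and embedded_markup(body):
                findings.append(f"Base64-encoded markup in: {info.filename}")
            if name.endswith(".zip") and depth < 2:
                nested = triage_zip(body, depth + 1, max_member)
                findings += [f"{info.filename} -> {f}" for f in nested]
    return findings


def build_sample() -> bytes:
    """Constructed, harmless sample: a ZIP with an HTML file carrying Base64 markup."""
    inner = base64.b64encode(b"<html><body>" + b"placeholder " * 20 + b"</body></html>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.html", b'<script>var d="' + inner + b'";</script>')
    return buf.getvalue()
```

Calling `triage_zip(build_sample())` returns one finding for the HTML member and one for the Base64-encoded markup inside it; an archive with only plain-text members returns an empty list.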