

Ethical Hacking News

The Horabot Phishing Campaign: A Lateral Movement Malware Threat to Latin American Nations


The Horabot phishing campaign has been identified as a significant threat to Windows users in six Latin American nations. The malware uses invoice-themed phishing emails to trick victims into opening malicious attachments, thereby stealing email credentials, harvesting contact lists, and installing banking trojans.

  • The Horabot phishing campaign targets Windows users in six Latin American nations using invoice-themed phishing emails.
  • The malware steals email credentials, harvests contact lists, and installs banking trojans.
  • The threat actors use sophisticated tactics, including Outlook COM automation to propagate the malware laterally within corporate or personal networks.
  • The campaign uses Base64-encoded HTML data to download next-stage payloads, which can steal browser-related data and inject fake pop-up windows.
  • The threat actors behind the campaign are believed to be from Brazil and have been linked to previous phishing campaigns targeting Spanish-speaking users since at least November 2020.


    The cybersecurity landscape has witnessed a significant escalation in recent times, with various actors employing sophisticated tactics to compromise security systems. One such threat that has gained prominence recently is the Horabot phishing campaign, which targets Windows users in six Latin American nations. The malware, identified by Fortinet FortiGuard Labs researcher Cara Lin, uses invoice-themed phishing emails to trick victims into opening malicious attachments, thereby stealing email credentials, harvesting contact lists, and installing banking trojans.

    The attacks, primarily targeting Spanish-speaking users, have been observed to send phishing messages from victims' mailboxes using Outlook COM automation, effectively propagating the malware laterally within corporate or personal networks. This approach underscores the sophistication of the threat actors behind the Horabot campaign, who seem to be leveraging familiar email templates to evade detection.

    The latest set of attacks begins with a phishing email that employs invoice-themed lures to entice users into opening a ZIP archive containing a PDF document. However, in reality, the attached ZIP file contains a malicious HTML file with Base64-encoded HTML data that is designed to reach out to a remote server and download the next-stage payload. This payload is another ZIP archive that contains an HTML Application (HTA) file, which is responsible for loading a script hosted on a remote server.
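A mail-gateway style triage check for the delivery chain described above, written as an added example (it is not code from Fortinet or from the original article). The function names, the 40-character run threshold, the read cap, and the sample archives are assumptions constructed for illustration.

```python
import base64
import io
import re
import zipfile

MAX_MEMBER_BYTES = 5 * 1024 * 1024  # read cap per archive member (assumed limit)
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}")  # long Base64-looking runs
HTML_MARKERS = (b"<html", b"<script", b"<!doctype")

def embedded_html_blobs(data: bytes) -> int:
    """Count Base64 runs in data that decode to HTML-looking content."""
    hits = 0
    for run in B64_RUN.findall(data):
        run = run[: len(run) - len(run) % 4]  # trim to a decodable length
        try:
            decoded = base64.b64decode(run, validate=True).lower()
        except ValueError:
            continue
        hits += any(marker in decoded for marker in HTML_MARKERS)
    return hits

def triage_zip(zip_bytes: bytes) -> list[str]:
    """Flag archive members that match the delivery chain described above."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if name.endswith(".hta"):
                findings.append(f"{info.filename}: HTML Application in archive")
            elif name.endswith((".html", ".htm")):
                with zf.open(info) as fh:
                    blobs = embedded_html_blobs(fh.read(MAX_MEMBER_BYTES))
                if blobs:
                    findings.append(f"{info.filename}: {blobs} Base64 blob(s) decode to HTML")
    return findings

def build_zip(members: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed, inert samples built with build_zip (not real campaign artifacts).
INNER = base64.b64encode(b"<html><body>constructed inert sample</body></html>")
LURE = build_zip({"factura.html": b'<html><body data-x="' + INNER + b'"></body></html>'})
STAGE2 = build_zip({"doc.hta": b"constructed placeholder"})
CLEAN = build_zip({"factura.pdf": b"%PDF-1.4 constructed placeholder"})
print(triage_zip(LURE), triage_zip(STAGE2), triage_zip(CLEAN))
```

The check is a heuristic: it only inspects HTML and HTA members by extension, so findings are a reason to quarantine and review the attachment rather than a verdict.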

    The script then injects an external Visual Basic Script (VBScript) that performs a series of checks and terminates if Avast antivirus is installed or if it is running in a virtual environment. The VBScript proceeds to collect basic system information, exfiltrate it to a remote server, and retrieve additional payloads, including an AutoIt script that unleashes the banking trojan by means of a malicious DLL and a PowerShell script that is tasked with spreading the phishing emails after building a list of target email addresses by scanning contact data within Outlook.

    The malware then proceeds to steal browser-related data from a range of targeted web browsers, including Brave, Yandex, Epic Privacy Browser, Comodo Dragon, Cent Browser, Opera, Microsoft Edge, and Google Chrome. In addition to data theft, Horabot monitors the victim's behavior and injects fake pop-up windows designed to capture sensitive user login credentials.

    The threat actor behind the Horabot campaign is believed to be from Brazil and has been linked to previous phishing campaigns targeting Spanish-speaking users in Latin America since at least November 2020. The latest set of attacks exhibits similarities with another phishing campaign revealed by Trustwave SpiderLabs last year, highlighting the persistence and adaptability of these threat actors.

    The Horabot malware was first documented by Cisco Talos in June 2023 as targeting Spanish-speaking users in Latin America since at least November 2020. Since then, various security researchers have observed this malware campaign, with Fortinet FortiGuard Labs researcher Cara Lin providing detailed insights into the tactics employed by these threat actors.

    The phishing campaign uses crafted emails that impersonate invoices or financial documents to trick victims into opening malicious attachments, and it can steal email credentials, harvest contact lists, and install banking trojans. The activity, observed by the network security company in April 2025, has primarily singled out Spanish-speaking users. The attacks have also been found to send phishing messages from victims' mailboxes using Outlook COM automation, effectively propagating the malware laterally within corporate or personal networks.

    In addition, the threat actors behind the campaign execute various VBScript, AutoIt, and PowerShell scripts to conduct system reconnaissance, steal credentials, and drop additional payloads. This level of sophistication underscores the need for increased vigilance among users and organizations in Latin America, who must take steps to protect themselves against such threats.

    The spread of malware using invoice-themed phishing emails highlights the importance of robust cybersecurity measures, including regular software updates, strong password management, and awareness training for employees. As threat actors continue to evolve and adapt their tactics, it is essential that individuals and organizations remain vigilant and proactive in protecting themselves against such threats.

    Summary:
    The Horabot phishing campaign has been identified as a significant threat to Windows users in six Latin American nations. The malware uses invoice-themed phishing emails to trick victims into opening malicious attachments, thereby stealing email credentials, harvesting contact lists, and installing banking trojans. The threat actors behind the campaign have demonstrated a high level of sophistication, leveraging familiar email templates and exploiting vulnerabilities in software systems to conduct lateral movement attacks. It is essential for individuals and organizations to remain vigilant and take steps to protect themselves against such threats.






  • Published: Wed May 14 06:51:25 2025 by llama3.2 3B Q4_K_M












