Water Saci’s Casbaneiro–Horabot Phishing Campaign Targets Latin America and Europe

CyberSecureFox

A large-scale, multi-stage phishing campaign is targeting Spanish-speaking users in enterprises across Latin America and several European countries. The operation aims to quietly deploy Windows banking trojans, primarily Casbaneiro (also known as Metamorfo), with the Horabot malware family acting as an auxiliary spreading and spam module.

Water Saci / Augmented Marauder: Brazilian Banking Malware Operation

Analysts attribute this activity to a Brazilian cybercrime group tracked as Water Saci and Augmented Marauder. According to reporting referenced by the researchers, the group was first thoroughly profiled by Trend Micro in October 2025 and is known for banking trojans targeting financial institutions and retail users in Latin America.

Threat intelligence from vendors such as ESET, Kaspersky and Microsoft has repeatedly highlighted Brazil and neighboring countries as hotbeds of region-specific banking malware, including families like Casbaneiro, Grandoreiro and Guildma. Water Saci fits this pattern, but is notable for combining email phishing, social engineering and messaging apps into a single hybrid attack infrastructure.

In the current campaign, BlueVoyant researchers describe a hybrid infection model that blends WhatsApp-based lures, ClickFix-style social engineering and traditional email phishing. This allows attackers to hit both individual users and corporate environments, including organizations in Europe with Spanish-speaking staff or customers.

Multi‑Stage Phishing Chain: From Fake Court Summons to Banking Trojan

Initial Infection via Password-Protected “Court Summons” PDFs

The primary initial access vector is a targeted phishing email spoofing a government authority and notifying the recipient of a supposed court summons. To increase credibility, the message contains a password-protected PDF attachment, presented as a confidential legal document.

When the victim opens the PDF, instead of genuine legal content they are shown a link to an external site. Clicking this link triggers the automatic download of a ZIP archive from a malicious or compromised server.

ZIP Archive, HTA/VBS Scripts and Anti-Analysis Checks

The downloaded ZIP contains intermediate malware components, typically HTA (HTML Application) and VBS (VBScript) files. Once executed, these scripts initiate the next stages of the infection chain.

The VBS script runs a series of environment and anti-analysis checks: it searches for antivirus products such as Avast, and attempts to detect virtual machines or sandbox environments frequently used by security researchers. If no obstacles are identified, the script pulls additional payloads from a remote server, including loaders written in AutoIt.

Casbaneiro and Horabot: Modular Malware Toolkit

AutoIt Loaders, DLL Payloads and C2 Infrastructure

The AutoIt-based loaders unpack and execute encrypted files with .ia and .at extensions. These ultimately deploy two key components on the victim’s system: the Casbaneiro banking trojan (delivered as staticdata.dll) and the associated Horabot module (delivered as at.dll).

Casbaneiro acts as the core payload. Its Delphi-based DLL establishes a connection to a command‑and‑control (C2) server and downloads a PowerShell script. This script orchestrates both credential theft and lateral propagation, relying on Horabot as the engine for further phishing operations.

Dynamic PDF Generation and Self-Spreading via Outlook

Earlier Horabot campaigns typically used static attachments or fixed phishing URLs. In contrast, the current wave introduces dynamically generated PDFs. The infected host sends a POST request to a remote PHP script (gera_pdf.php) on a compromised domain, supplying a random four‑digit PIN. The server returns a unique, password-protected PDF in Spanish, again mimicking an official court summons.

The PowerShell component then parses the user’s Microsoft Outlook address book, filters relevant contacts and sends phishing emails directly from the victim’s own mailbox. Each message carries the freshly generated PDF as an attachment, significantly increasing trust and the likelihood of successful infection along the contact chain.

Account Takeover and Worm-Like Propagation

An additional Horabot DLL (at.dll) functions as a spammer and credential-harvesting tool. It targets webmail accounts such as Yahoo, Microsoft Live and Gmail, while continuing to coordinate bulk sending via Outlook. This architecture creates a worm‑like propagation pattern, with compromised accounts automatically seeding new phishing waves.

Beyond Email: WhatsApp Web and ClickFix Social Engineering

Water Saci is not limited to email channels. Previous research has documented the group’s use of WhatsApp Web to deliver links to banking trojans like Maverick and Casbaneiro. By abusing the victim’s WhatsApp contact list, attackers trigger a chain reaction where each newly infected user becomes a new distribution point.

In more recent activity, Kaspersky reported the use of the ClickFix technique: victims are urged to “fix an error” or “update a document,” and in doing so are tricked into launching malicious HTA files. These HTAs ultimately install Casbaneiro together with the Horabot spreading module, bypassing traditional attachment filtering and exploiting user trust in familiar interfaces.

Security Implications and Recommended Mitigations

The combination of ClickFix, dynamically generated PDFs, Outlook-based self-spreading and messaging-app abuse underscores a highly adaptive threat actor focused on evading modern defenses, including email security gateways, sandboxing and behavior-based detection.

For organizations in Latin America and Europe, effective mitigation requires a multi‑layered security strategy. Priority measures include:

• Enhanced email and web filtering: block HTA/VBS attachments, inspect encrypted archives where possible and aggressively filter links to newly registered or compromised domains.

• Strong authentication: enforce multi-factor authentication (MFA) for corporate email, cloud services and messaging apps to limit the impact of stolen credentials.

• Script and macro control: restrict execution of VBS, PowerShell and HTA files via application control, signed-script policies and endpoint hardening.

• User awareness training: regularly educate staff to recognize fake court summons, urgent legal notices and “fix this error” prompts, emphasizing that password-protected PDFs are not inherently safe.

• Outbound monitoring and anomaly detection: track unusual spikes in outgoing email volume, failed logins and atypical geographic access patterns that may indicate account compromise or worm-like spread.
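The last bullet is the one most specific to this campaign: a compromised mailbox suddenly sends many password-protected PDFs to many contacts within minutes. The following is an added illustration (not code from the article or from any vendor's product) of a sliding-window detector over constructed outbound-gateway log lines; the pipe-delimited log format, thresholds and addresses are assumptions chosen for the example and should be mapped to your own gateway's fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp|sender|recipient|attachment|pdf_encrypted"
SAMPLE_LOG = """\
2025-11-03T09:00:01|ana@corp.example|cliente1@ext.example|citacion_1234.pdf|yes
2025-11-03T09:00:04|ana@corp.example|cliente2@ext.example|citacion_5821.pdf|yes
2025-11-03T09:00:09|ana@corp.example|proveedor@ext.example|citacion_0042.pdf|yes
2025-11-03T09:00:15|ana@corp.example|socio@ext.example|citacion_7771.pdf|yes
2025-11-03T09:00:21|ana@corp.example|rrhh@corp.example|citacion_3310.pdf|yes
2025-11-03T09:30:00|luis@corp.example|cliente1@ext.example|informe_q3.pdf|no
2025-11-03T10:00:00|luis@corp.example|cliente2@ext.example|factura.pdf|yes
"""

def parse_log(text):
    """Parse the pipe-delimited log into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 5:
            continue
        ts, sender, rcpt, att, enc = parts
        events.append({"ts": datetime.fromisoformat(ts), "sender": sender.lower(),
                       "rcpt": rcpt.lower(),
                       "enc_pdf": enc == "yes" and att.lower().endswith(".pdf")})
    return events

def detect_self_spreading(events, window=timedelta(minutes=10), min_msgs=5, min_rcpts=4):
    """Flag senders pushing >= min_msgs password-protected PDFs to >= min_rcpts
    distinct recipients inside a sliding time window (the Outlook worm pattern).
    Returns a sorted list of (sender, message_count, distinct_recipients)."""
    by_sender = defaultdict(list)
    for e in events:
        if e["enc_pdf"]:           # only encrypted PDFs matter for this pattern
            by_sender[e["sender"]].append(e)
    alerts = []
    for sender, evs in by_sender.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # shrink window
                start += 1
            burst = evs[start:end + 1]
            rcpts = {e["rcpt"] for e in burst}
            if len(burst) >= min_msgs and len(rcpts) >= min_rcpts:
                alerts.append((sender, len(burst), len(rcpts)))
                break              # one alert per sender is enough
    return sorted(alerts)
```

Tune `window`, `min_msgs` and `min_rcpts` to each mailbox's normal baseline; a legitimate user who routinely mails encrypted PDFs in bulk (legal, HR) will otherwise generate noise.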

Sustained monitoring, rapid incident response and continuous security education are essential to reducing the effectiveness of the Casbaneiro–Horabot toolset and similar Latin American banking malware campaigns. Organizations that combine technical controls with informed users will be better positioned to disrupt phishing chains before they reach customers, partners and wider contact networks.
