Casbaneiro Phishing Targets Latin America and Europe Using Dynamic PDF Lures
Casbaneiro Phishing Targets Latin America and Europe Using Dynamic PDF Lures
https://thehackernews.com/2026/04/casbaneiro-phishing-targets-latin.html
Publish Date: 2026-04-01 08:36:00
Source Domain: thehackernews.com
A multi-pronged phishing campaign is targeting Spanish-speaking users in organizations across Latin America and Europe to deliver Windows banking trojans like Casbaneiro (aka Metamorfo) via another malware called Horabot.
The activity has been attributed to a Brazilian cybercrime threat actor tracked as Augmented Marauder and Water Saci. The e-crime group was first documented by Trend Micro in October 2025.
“This threat group employs a wider-ranging attack model focused on a bespoke delivery and propagation mechanism that includes WhatsApp, ClickFix techniques, and email-centric phishing,” BlueVoyant security researchers Thomas Elkins and Joshua Green said in a technical breakdown published Tuesday.
“It is now evident that while these Brazil-based operators heavily leverage script-based WhatsApp automation to compromise retail and consumer users in Latin America, they concurrently maintain and deploy an advanced, email-hijacking engine to penetrate enterprise perimeters there and Europe as well.”
The starting point of the campaign is a phishing email that employs court summons-themed messages to deceive recipients into opening a password-protected PDF attachment. Clicking on an embedded link in the document directs the victim to a malicious link and initiates an automatic download of a ZIP archive, which, in turn, leads to the execution of interim HTML Application (HTA) and VBS payloads.
The VBS script is designed to carry out environment and anti-analysis checks similar to those found in Horabot artifacts, including checks for Avast antivirus software, and proceeds to retrieve next-stage payloads from a remote server. Among the downloaded files are AutoIt-based loaders, each of which extracts and runs encrypted payload files with “.ia” or “.at” extensions to eventually launch two malware families: Casbaneiro (“staticdata.dll”) and Horabot (“at.dll”).
While Casbaneiro is the primary payload,…
