ACCORDING to The Hacker News, a multi-pronged phishing campaign is targeting Spanish-speaking users in organisations across Latin America and Europe to deliver Windows banking trojans such as Casbaneiro (aka Metamorfo) via another malware called Horabot. The activity has been attributed to a Brazilian cybercrime threat actor tracked as Augmented Marauder and Water Saci, first documented by Trend Micro in October 2025.
The campaign begins with a phishing email using court summons-themed messages that prompt recipients to open a password-protected PDF attachment, which then guides them to a malicious link and an automatic download of a ZIP archive, leading to interim HTA and VBS payloads.
The VBS script checks for Avast antivirus and retrieves next-stage payloads from a remote server, with loaded AutoIt-based loaders that eventually launch two families: Casbaneiro and Horabot, the latter serving as a propagation mechanism via Outlook-harvested contact lists. Casbaneiro acts as the primary payload, while Horabot and WhatsApp automation are used to distribute the malware, with the campaign also leveraging ClickFix techniques to dupe users into running malicious HTA files.
Water Saci is noted for using WhatsApp Web as a distribution vector, and the researchers describe a dynamic PDF generator that forges Spanish judicial summons to facilitate the attack.