Cybersecurity researchers have discovered a new phishing campaign that’s being used to distribute malware called Horabot targeting Windows users in Latin American countries like Mexico, Guatemala, Colombia, Peru, Chile, and Argentina.
The campaign is “using crafted emails that impersonate invoices or financial documents to trick victims into opening malicious attachments and can steal email credentials, harvest contact lists, and install banking trojans,” Fortinet FortiGuard Labs researcher Cara Lin said.
The activity, observed by the network security company in April 2025, has primarily singled out Spanish-speaking users. The attacks have also been found to send phishing messages from victims’ mailboxes using Outlook COM automation, effectively propagating the malware laterally within corporate or personal networks.
In addition, the threat actors behind the campaign execute various VBScript, AutoIt, and PowerShell scripts to conduct system reconnaissance, steal credentials, and drop additional payloads.
Horabot was first documented by Cisco Talos in June 2023 as targeting Spanish-speaking users in Latin America since at least November 2020. It’s assessed that the attacks are the work of a threat actor from Brazil.
Then last year, Trustwave SpiderLabs revealed details of another phishing campaign targeting the same region with malicious payloads which it said exhibits similarities with that of Horabot malware.
The latest set of attacks starts with a phishing email that employs invoice-themed lures to entice users into opening a ZIP archive containing a PDF document. However, in reality, the attached ZIP file contains a malicious HTML file with Base64-encoded HTML data that’s designed to reach out to a remote server and download the next-stage payload.
The payload is another ZIP archive that contains an HTML Application (HTA) file, which is responsible for loading a script hosted on a remote server. The script then injects an external Visual Basic Script (VBScript) that performs a series of checks that cause it to terminate if Avast antivirus is installed or it’s running in a virtual environment.
The VBScript proceeds to collect basic system information, exfiltrate it to a remote server, and retrieves additional payloads, including an AutoIt script that unleashes the banking trojan by means of a malicious DLL and a PowerShell script that’s tasked with spreading the phishing emails after building a list of target email addresses by scanning contact data within Outlook.
“The malware then proceeds to steal browser-related data from a range of targeted web browsers, including Brave, Yandex, Epic Privacy Browser, Comodo Dragon, Cent Browser, Opera, Microsoft Edge, and Google Chrome,” Lin said. “In addition to data theft, Horabot monitors the victim’s behavior and injects fake pop-up windows designed to capture sensitive user login credentials.”
