Horabot: Fake invoice, real theft
- Javier Conejo del Cerro
- 1 day ago

A recent wave of phishing attacks has drawn attention from cybersecurity researchers due to its use of familiar bait and growing regional reach. The malware in question is Horabot, a banking trojan that targets Windows users through invoice-themed emails. Originally observed in Latin America as early as 2020, Horabot has resurfaced with new distribution methods and an extended list of targets.
Targets in sight
The campaign primarily affects Spanish-speaking users across six Latin American countries: Mexico, Guatemala, Colombia, Peru, Chile, and Argentina. It targets individuals and businesses alike, with a particular focus on those using Outlook. Once a machine is infected, the malware can send phishing messages from the victim’s own email account using Outlook COM automation. This lateral spread within corporate or personal networks increases its efficiency and reach, especially in environments with weak segmentation or outdated defenses.
Poisoned Invoice
The infection chain begins with phishing emails disguised as invoice or financial document notifications. These emails contain ZIP archives, which, rather than housing legitimate PDFs, hide malicious HTML files encoded in Base64. When opened, these files contact a remote server to retrieve a second-stage ZIP archive.
This next archive contains an HTML Application (HTA) file. Once executed, it downloads a VBScript payload designed to evade antivirus detection (e.g., Avast) and terminate execution in sandboxed or virtual environments. If successful, the VBScript collects system information, sends it to a command-and-control server, and fetches further payloads.
These include:
• An AutoIt script that launches a banking trojan via malicious DLL injection.
• A PowerShell script that scans Outlook for email addresses and propagates phishing messages.
• A browser data-stealing module targeting Chrome, Edge, Opera, Brave, Yandex, Comodo Dragon, and others.
• Fake pop-ups designed to capture user credentials during login.
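The first stage described above (an "invoice" ZIP that carries an HTML file with a Base64-encoded payload instead of a PDF) is something a mail gateway or triage script can check for before the attachment ever reaches a user. The following is an added example written for this article, not code from the article or from any of the researchers it cites: it inspects a ZIP attachment in memory and flags script or markup members, double extensions such as `.pdf.html`, files claiming to be PDFs without the PDF header, and long Base64 blobs next to JavaScript decoding calls. The two archives it builds are constructed for the demonstration and are not real campaign artefacts.

```python
from __future__ import annotations

import base64
import io
import re
import zipfile

# File types that should never be inside an "invoice" archive: the campaign ships
# an HTML (and later an HTA) file where the recipient expects a PDF.
SCRIPT_EXTENSIONS = (".html", ".htm", ".hta", ".vbs", ".js")
DOCUMENT_EXTENSIONS = (".pdf", ".xml", ".docx")

# A long unbroken run of Base64 characters usually means an embedded payload.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")
# JavaScript decoding an embedded blob, the usual HTML-smuggling pattern.
DECODE_HINTS = (b"atob(", b"base64,", b"fromCharCode(")


def inspect_zip(zip_bytes: bytes) -> list[str]:
    """Return findings for one ZIP attachment; an empty list means nothing was flagged."""
    findings: list[str] = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["attachment is not a valid ZIP archive"]
    with archive:
        for info in archive.infolist():
            name = info.filename.lower()
            stem = name.rsplit("/", 1)[-1]
            parts = stem.split(".")
            data = archive.read(info)
            if name.endswith(SCRIPT_EXTENSIONS):
                findings.append(f"{info.filename}: script or markup file inside an invoice archive")
                if any(hint in data for hint in DECODE_HINTS):
                    findings.append(f"{info.filename}: decodes an embedded Base64 payload")
                if BASE64_RUN.search(data):
                    findings.append(f"{info.filename}: contains a long Base64 blob")
            # Double extension such as factura.pdf.html, masquerading as a document.
            if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
                findings.append(f"{info.filename}: double extension masquerading as a document")
            # A member that claims to be a PDF but lacks the PDF magic bytes.
            if name.endswith(".pdf") and not data.startswith(b"%PDF"):
                findings.append(f"{info.filename}: .pdf without a PDF header")
    return findings


def build_zip(members: dict[str, bytes]) -> bytes:
    """Helper that builds an in-memory archive for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed samples for the demonstration, not artefacts from the real campaign.
BENIGN_ZIP = build_zip({"invoice_0421.pdf": b"%PDF-1.4\n% minimal placeholder body\n"})
_SMUGGLED_HTML = (
    b"<html><body><script>var p='" + base64.b64encode(b"A" * 300) + b"';"
    b"document.write(atob(p));</script></body></html>"
)
SUSPICIOUS_ZIP = build_zip({"Factura_2024.pdf.html": _SMUGGLED_HTML})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_ZIP), ("suspicious", SUSPICIOUS_ZIP)):
        print(label, inspect_zip(blob) or "clean")
```

Run against the two constructed archives, the benign PDF produces no findings and the smuggled HTML produces four (markup member, decode call, Base64 blob, double extension). Thresholds such as the 200-character Base64 run are a tuning choice for this example; a gateway would pair a check like this with detonation of anything flagged rather than relying on static heuristics alone.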
No bills posted
To defend against Horabot:
• Avoid opening ZIP attachments from unknown or unexpected senders.
• Disable or restrict the use of HTA files and VBScript execution via group policies.
• Monitor Outlook for automated email-sending behavior.
• Apply advanced phishing and spam filters to inbound email.
• Inspect network traffic for outbound HTTP connections to unknown domains.
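Two of the defenses above (restricting HTA and VBScript, and watching for automated sending from Outlook) can also be expressed as detection logic over endpoint process telemetry, because the chain described in the article has a recognisable shape: `mshta.exe` running an HTA from a user-writable folder, spawning a script host, which in turn spawns PowerShell that instantiates Outlook through COM. The example below is added here and is not code from the article or from any vendor; the event records are constructed in a Sysmon-like shape, and the field names (`pid`, `ppid`, `image`, `parent_image`, `cmdline`) are an assumption of the example rather than a real schema. It flags each link in the chain and can rebuild the process lineage for any alerted PID.

```python
from __future__ import annotations

# Constructed process-creation events (field names are an assumption of this
# example). The first three mimic the chain described in the article; the last
# two are ordinary user activity that must not alert.
SAMPLE_EVENTS = [
    {"pid": 4101, "ppid": 3300, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta.exe C:\Users\ana\Downloads\Factura_2024.hta"},
    {"pid": 4155, "ppid": 4101, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"wscript.exe //B C:\Users\ana\AppData\Local\Temp\upd.vbs"},
    {"pid": 4190, "ppid": 4155,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": 'powershell.exe -w hidden -ep bypass -c "New-Object -ComObject Outlook.Application"'},
    {"pid": 5020, "ppid": 3300,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"WINWORD.EXE" C:\Users\ana\Documents\report.docx'},
    {"pid": 5044, "ppid": 3300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe Get-ChildItem C:\Users\ana\Documents"},
]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Folders a normal user can write to; an HTA launched from here is not an admin tool.
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\", "\\public\\")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: list[dict]) -> list[tuple[int, str]]:
    """Return (pid, reason) pairs for events matching a link in the HTA -> VBS -> PowerShell chain."""
    alerts: list[tuple[int, str]] = []
    for ev in events:
        image = basename(ev["image"])
        parent = basename(ev["parent_image"])
        cmd = ev["cmdline"].lower()
        # Stage 2: the downloaded HTA executed from a user-writable location.
        if image == "mshta.exe" and ".hta" in cmd and any(p in cmd for p in USER_WRITABLE):
            alerts.append((ev["pid"], "mshta.exe running an HTA from a user-writable path"))
        # Stage 3: the HTA pulling in and running the VBScript payload.
        if image in {"wscript.exe", "cscript.exe"} and parent == "mshta.exe":
            alerts.append((ev["pid"], "HTA host spawned a VBScript/JScript host"))
        # Stage 4: PowerShell under a script host; Outlook COM hints at self-propagation.
        if image in SHELLS and parent in SCRIPT_HOSTS:
            reason = "PowerShell launched by a script host"
            if "outlook.application" in cmd:
                reason += " and automating Outlook via COM (possible self-propagation)"
            alerts.append((ev["pid"], reason))
    return alerts


def lineage(events: list[dict], pid: int) -> list[str]:
    """Walk parent pointers and return the process chain root-first for one PID."""
    by_pid = {ev["pid"]: ev for ev in events}
    chain: list[str] = []
    seen: set[int] = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(pid, reason, "<-", " > ".join(lineage(SAMPLE_EVENTS, pid)))
```

On the constructed events the three malicious records alert and the Word and interactive PowerShell records stay quiet; the lineage for PID 4190 reads `mshta.exe > wscript.exe > powershell.exe`, which is the chain the article describes. Where the group-policy restriction on HTA and VBScript is in place, the first two rules should fire rarely enough to be worth a high-severity alert on their own.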
Infection is only one click away, and phishing techniques continue to evolve. Staying vigilant and enforcing a layered security approach remain the most reliable defenses against these deceptive attacks.
The Horabot campaign illustrates the persistent threat phishing poses, especially when combined with social engineering and script-based malware delivery. By disguising malicious intent behind familiar financial correspondence, attackers exploit user trust and routine workflows. For Spanish-speaking countries in Latin America, raising awareness and improving endpoint security protocols is essential to stemming the tide of these targeted malware attacks.