Casbaneiro Phishing Campaign Targets Latin America And Europe With Dynamic PDF Lures

A sophisticated phishing campaign has been identified targeting Spanish-speaking users in organizations across Latin America and Europe, delivering Windows banking trojans including Casbaneiro, also known as Metamorfo, through a secondary malware called Horabot. Security researchers have attributed the activity to a Brazilian cybercrime threat actor tracked under the names Augmented Marauder and Water Saci, first documented by Trend Micro in October 2025. The campaign demonstrates a multi-layered approach combining social engineering, dynamic content delivery, and automated propagation techniques to compromise both retail and enterprise systems.

According to BlueVoyant researchers Thomas Elkins and Joshua Green, the campaign employs a combination of WhatsApp automation, ClickFix social engineering, and email-based phishing to infiltrate targets. Initial access begins with court-summons-themed phishing emails carrying password-protected PDF attachments. Recipients who follow the embedded links are directed to malicious websites that automatically download ZIP archives containing HTML Application (HTA) and VBS scripts. The scripts perform anti-analysis checks, including scanning for Avast antivirus software, before retrieving further payloads such as AutoIt loaders. These loaders extract encrypted files that ultimately launch the primary Casbaneiro malware and the Horabot propagation tool.
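The lure described above (a judicial-summons email with a password-protected PDF and a link) is something a mail gateway can triage on structure alone, without needing the attacker's domains. The script below is an added example written for this article, not BlueVoyant's or the campaign's code; the message it inspects is constructed inline, and the keyword list and the `/Encrypt` trailer check are heuristics chosen here, not indicators published by the researchers.

```python
import re
from email.message import EmailMessage

# Heuristic Spanish judicial-summons vocabulary (an assumption, not a published IoC list).
JUDICIAL_TERMS = ("citación", "citacion", "juzgado", "demanda", "notificación judicial")


def is_encrypted_pdf(data: bytes) -> bool:
    """A PDF protected with the standard security handler carries an /Encrypt
    entry in its trailer (or cross-reference stream) dictionary."""
    return data.startswith(b"%PDF") and b"/Encrypt" in data


def triage(msg: EmailMessage) -> dict:
    """Return the reasons this message matches the lure pattern and a quarantine verdict.
    The verdict requires an encrypted PDF attachment plus at least one other signal."""
    text = msg["Subject"] or ""
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        text += "\n" + body.get_content()
    lowered = text.lower()

    reasons = []
    if any(term in lowered for term in JUDICIAL_TERMS):
        reasons.append("judicial-summons wording")
    if re.search(r"https?://", lowered):
        reasons.append("link in body")
    if "contraseña" in lowered or "clave" in lowered:
        reasons.append("attachment password supplied in body")

    encrypted_pdf = False
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(".pdf") and is_encrypted_pdf(payload):
            encrypted_pdf = True
            reasons.append(f"password-protected PDF attachment: {name}")

    return {"quarantine": encrypted_pdf and len(reasons) >= 2, "reasons": reasons}


def build_sample_message(lure: bool) -> EmailMessage:
    """Constructed test messages: one mimicking the lure shape, one benign invoice."""
    msg = EmailMessage()
    if lure:
        # Minimal constructed PDF skeleton whose trailer references an /Encrypt dictionary.
        pdf = (b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n"
               b"trailer << /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF\n")
        msg["Subject"] = "Citación judicial - Juzgado de Primera Instancia"
        msg.set_content("Adjuntamos la notificación judicial. Contraseña: 1234.\n"
                        "Consulte el expediente en http://example.invalid/expediente")
        msg.add_attachment(pdf, maintype="application", subtype="pdf",
                           filename="citacion_judicial.pdf")
    else:
        pdf = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
        msg["Subject"] = "Factura de marzo"
        msg.set_content("Adjunto la factura del mes. Saludos.")
        msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="factura.pdf")
    return msg


if __name__ == "__main__":
    for flag in (True, False):
        print(triage(build_sample_message(flag)))
```

The `/Encrypt` check is deliberately cheap and byte-level so it runs before any PDF parser touches the attachment; a real gateway would pair it with the sender's prior history and sandbox detonation of the linked ZIP rather than treat the heuristic alone as ground truth.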

Casbaneiro functions as the main payload, with its Delphi DLL module establishing communication with a command-and-control server to download a PowerShell script responsible for distributing Horabot. Unlike previous campaigns that relied on static files or hardcoded links, this operation dynamically generates password-protected PDFs through a remote PHP API, impersonating Spanish judicial summons. The infected system then iterates over contacts harvested from Microsoft Outlook, sending tailored phishing emails with newly forged PDFs attached. A secondary Horabot DLL also hijacks Yahoo, Live, and Gmail accounts to facilitate further distribution of malicious emails, maintaining the campaign’s reach across enterprise environments.
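The execution chain the two paragraphs above describe (a VBS or HTA script run from the extracted ZIP, an AutoIt loader dropped beside it, then a PowerShell stage that pulls Horabot) leaves a distinctive parent-child pattern in endpoint process telemetry. The detector below is an added example for this article, not code from BlueVoyant or from the malware; the events are constructed to mirror that chain, the user-writable path list is an assumption, and the image names are the generic Windows script hosts rather than any hash or path from the campaign.

```python
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
FOLLOW_ON = {"powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe"}
# Directories an unprivileged user can write to (assumed list for this example).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\appdata\\roaming\\", "\\public\\")


def image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def from_user_writable(text: str) -> bool:
    lowered = text.replace("/", "\\").lower()
    return any(marker in lowered for marker in USER_WRITABLE)


def find_suspicious_chains(events: list[dict]) -> list[list[int]]:
    """For every process that is either a follow-on living-off-the-land binary or an
    executable launched from a user-writable directory, walk its ancestry; report the
    chain when an ancestor is a script host that ran a script from a user-writable path."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        name = image_name(e["image"])
        if name not in FOLLOW_ON and not from_user_writable(e["image"]):
            continue
        chain = [e["pid"]]
        parent = by_pid.get(e["ppid"])
        while parent is not None:
            chain.append(parent["pid"])
            if image_name(parent["image"]) in SCRIPT_HOSTS and from_user_writable(parent["cmdline"]):
                hits.append(list(reversed(chain)))  # oldest ancestor first
                break
            parent = by_pid.get(parent["ppid"])
    return hits


# Constructed process-creation events shaped like the chain in the article.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # script host launching the VBS dropped from the downloaded ZIP
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\ana\AppData\Local\Temp\citacion\notificacion.vbs"'},
    # loader executable written next to the script (stands in for the AutoIt loader)
    {"pid": 300, "ppid": 200, "image": r"C:\Users\ana\AppData\Local\Temp\citacion\loader.exe",
     "cmdline": "loader.exe"},
    # follow-on PowerShell stage spawned by the loader
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -c <constructed stage placeholder>"},
    # benign contrast: a vendor logon script under Program Files that also runs PowerShell
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Program Files\Vendor\logon.vbs"'},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File inventory.ps1"},
]


if __name__ == "__main__":
    for chain in find_suspicious_chains(SAMPLE_EVENTS):
        print(" -> ".join(image_name(next(e["image"] for e in SAMPLE_EVENTS if e["pid"] == p))
                          for p in chain))
```

The rule keys on where the script came from rather than on which script host ran it, which is what separates the malicious chain from the vendor logon script in the sample: both use `wscript.exe` and both end in PowerShell, but only one started from a file the user could have just extracted into `Temp`.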

Researchers note that Water Saci has historically leveraged WhatsApp Web to propagate banking trojans like Maverick and Casbaneiro, operating in a worm-like fashion. Recent campaigns highlight the integration of ClickFix tactics to trick users into executing malicious HTA files, facilitating the deployment of both Casbaneiro and Horabot. BlueVoyant emphasizes that the combination of dynamic PDF generation, email hijacking, and WhatsApp automation demonstrates an agile adversary capable of innovating multiple attack vectors to bypass modern security defenses. By maintaining parallel attack infrastructures, the group continues to target Latin American retail users while simultaneously penetrating European enterprise networks through sophisticated phishing and malware distribution mechanisms.

Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem. 
