CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Casbaneiro banking trojan distribution via dynamic PDF lures and Horabot propagation

First reported
Last updated
1 unique sources, 1 articles

Summary

Hide ▲

A phishing campaign attributed to the Brazilian cybercrime group Augmented Marauder (Water Saci) is actively targeting Spanish-speaking users in Latin America and Europe to deliver the Casbaneiro (Metamorfo) Windows banking trojan and the Horabot malware family. The campaign leverages court summons-themed phishing emails with password-protected PDF attachments that redirect to malicious downloads, initiating a multi-stage infection chain involving HTA, VBS, AutoIt loaders, and dynamic PDF generation for further propagation. The attack infrastructure combines WhatsApp automation, ClickFix social engineering, and enterprise email hijacking to distribute Casbaneiro as the primary payload while Horabot acts as a propagation mechanism targeting Outlook contacts and email accounts.

Timeline

  1. 01.04.2026 15:36 1 articles · 2h ago

    Casbaneiro and Horabot phishing campaign expands to Europe with dynamic PDF lures and Outlook hijacking

    A Brazilian cybercrime group tracked as Augmented Marauder (Water Saci) is distributing Casbaneiro and Horabot malware via court summons-themed phishing emails containing password-protected PDF attachments. The infection chain involves malicious ZIP downloads leading to HTA/VBS execution, AutoIt loaders, and dynamic generation of PDF lures via a remote PHP API. Horabot is used to propagate malware through compromised Outlook contacts and hijacked email accounts (Yahoo, Live, Gmail), expanding beyond prior Latin America-focused operations into Europe.

    Show sources
    Open in new tab

Information Snippets