Casbaneiro Phishing Targets Latin America and Europe Using Dynamic PDF Lures

Ravie Lakshmanan | April 01, 2026 | Malware / Windows Security

A phishing campaign has targeted Spanish-speaking users at organizations across Latin America and Europe to deliver Windows banking trojans like Casbaneiro (aka Metamorfo) alongside another malware called Horabot.

The campaign is said to be the work of a cybercriminal threat actor known as Augmented Marauder and Water Saci. The e-crime group was first documented by Trend Micro in October 2025.

“This threat group uses a broad attack model focused on targeted delivery and distribution that includes WhatsApp, ClickFix techniques, and email phishing,” BlueVoyant security researchers Thomas Elkins and Joshua Green said in a statement published Tuesday.

“It is now clear that while these Brazilian operatives are using WhatsApp automation extensively to compromise retail users and consumers in Latin America, at the same time they are maintaining and deploying an advanced, email-stealing engine to infiltrate businesses there and in Europe as well.”

The campaign begins with a phishing email that uses subpoena-themed messages to trick recipients into opening password-protected PDF attachments. Clicking the link embedded in the document takes the victim to a malicious URL and starts an automatic download of a ZIP archive, which in turn leads to the execution of a temporary HTML Application (HTA) and a VBS script.

The VBS script is designed to perform environment and anti-analysis checks similar to those found in Horabot artifacts, including checking for Avast antivirus software, and then retrieves the next-stage payload from a remote server. Among the downloaded files are AutoIt-based downloaders, each of which extracts and executes encrypted payload files with “.ia” or “.at” extensions to ultimately launch two malware families: Casbaneiro (“staticdata.dll”) and Horabot (“at.dll”).

While Casbaneiro is the primary payload, Horabot is used as a means of spreading malware. Casbaneiro’s Delphi DLL module contacts the command and control server (C2) to download a PowerShell script that uses Horabot to distribute the malware via phishing emails to harvested contacts in Microsoft Outlook.

“Instead of distributing a static file or hard-coded link as seen in older Horabot campaigns, this script initiates an HTTP POST request to the PHP API (hxxps://tt.grupobedfs[.]com/…/gera_pdf.php) and transmits a randomized four-digit PIN,” BlueVoyant said.

“The server generates an unauthorized, password-protected PDF masquerading as a Spanish legal subpoena, which is sent back to the infected host. The script then replicates a filtered email list, using the user’s compromised email account to send a phishing email with the newly generated PDF attached.”

Also used in tandem is a second Horabot-related DLL (“at.dll”) that acts as a spam and hijacking tool, targeting Yahoo, Live, and Gmail accounts to send phishing emails through Outlook. Horabot has been put to use in attacks targeting Latin America since at least November 2020.
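As an added illustration (not code from BlueVoyant or from the original article), the sketch below correlates the artifacts named above in endpoint telemetry: the HTA-to-VBS handoff, the “.ia”/“.at” payload files, the two DLL names, and a POST to gera_pdf.php carrying a four-digit value. The event schema, the mshta.exe-to-script-host pairing, and every sample record are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Artifact names come from the article. The event schema is an assumption, as is
# the mshta.exe -> script-host parent/child pairing used to spot the HTA-to-VBS step.
PAYLOAD_EXTS = (".ia", ".at")
DLL_NAMES = {"staticdata.dll", "at.dll"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
PIN_RE = re.compile(r"(?<!\d)\d{4}(?!\d)")  # a standalone four-digit value

def classify(event):
    """Return the chain stage an event matches, or None."""
    kind = event["kind"]
    if kind == "process":
        if event["parent"].lower() == "mshta.exe" and event["image"].lower() in SCRIPT_HOSTS:
            return "hta_to_vbs"
    elif kind == "file":
        name = event["path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in DLL_NAMES:
            return "payload_dll"
        if name.endswith(PAYLOAD_EXTS):
            return "encrypted_payload"
    elif kind == "http":
        path = urlsplit(event["url"]).path.lower()
        if (event["method"] == "POST" and path.endswith("/gera_pdf.php")
                and PIN_RE.search(event.get("body", ""))):
            return "pdf_lure_request"
    return None

def triage(events, min_stages=2):
    """Group matched stages per host; report hosts showing several distinct stages."""
    stages = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            stages[ev["host"]].add(stage)
    return {h: sorted(s) for h, s in stages.items() if len(s) >= min_stages}

# Constructed sample telemetry (hosts, paths, URL and the "pin" field are made up).
SAMPLE = [
    {"host": "ws-01", "kind": "process", "parent": "mshta.exe", "image": "wscript.exe"},
    {"host": "ws-01", "kind": "file", "path": r"C:\Users\Public\x\blob.ia"},
    {"host": "ws-01", "kind": "file", "path": r"C:\Users\Public\x\staticdata.dll"},
    {"host": "ws-01", "kind": "http", "method": "POST",
     "url": "https://c2.invalid/api/gera_pdf.php", "body": "pin=4821"},
    {"host": "ws-02", "kind": "file", "path": r"D:\share\report.at"},  # lone weak hit
]
print(triage(SAMPLE))
```

Requiring at least two distinct stages per host keeps a single generic match, such as an unrelated file that happens to end in “.at”, from raising an alert on its own.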

Water Saci has a history of using WhatsApp Web as a distribution vector to spread banking trojans such as Maverick and Casbaneiro in a worm-like manner. However, recent campaigns highlighted by Kaspersky used the ClickFix social engineering tactic to trick users into running malicious HTA files, with the ultimate goal of deploying Casbaneiro and the Horabot spreader.

“Taken together, the combination of ClickFix’s social engineering, as well as flexible PDF generation and WhatsApp automation, shows an increasingly agile adversary that is constantly inventing new attack methods to bypass modern security controls,” the researchers concluded.

“This adversary maintains a two-pronged, multi-pronged attack infrastructure, using the WhatsApp-centric Maverick chain and simultaneously using the ClickFix and Horabot email attack methods.”