{"id":463,"date":"2026-04-01T15:51:52","date_gmt":"2026-04-01T15:51:52","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=463"},"modified":"2026-04-01T15:51:52","modified_gmt":"2026-04-01T15:51:52","slug":"casbaneiro-phishing-targets-latin-america-and-europe-using-dynamic-pdf-lures","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=463","title":{"rendered":"Casbaneiro Phishing Targets Latin America and Europe Using Dynamic PDF Lures"},"content":{"rendered":"
\n

\ue804<\/i>Ravie Lakshmanan<\/span>\ue802<\/i>Apr 01, 2026<\/span><\/span>Malware \/ Windows Security<\/span><\/p>\n<\/div>\n

\n
<\/a><\/div>\n

A multi-pronged phishing campaign is targeting Spanish-speaking users in organizations across Latin America and Europe to deliver Windows banking trojans like Casbaneiro (aka Metamorfo) via another malware called Horabot.<\/p>\n

The activity has been attributed to a Brazilian cybercrime threat actor tracked as Augmented Marauder and Water Saci. The e-crime group was first documented by Trend Micro in October 2025.<\/p>\n

\u00abThis threat group employs a wider-ranging attack model focused on a bespoke delivery and propagation mechanism that includes WhatsApp, ClickFix techniques, and email-centric phishing,\u00bb BlueVoyant security researchers Thomas Elkins and Joshua Green said<\/a> in a technical breakdown published Tuesday.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

\u00abIt is now evident that while these Brazil-based operators heavily leverage script-based WhatsApp automation to compromise retail and consumer users in Latin America, they concurrently maintain and deploy an advanced, email-hijacking engine to penetrate enterprise perimeters there and Europe as well.\u00bb<\/p>\n

The starting point of the campaign is a phishing email that employs court summons-themed messages to deceive recipients into opening a password-protected PDF attachment. Clicking on an embedded link in the document directs the victim to a malicious link and initiates an automatic download of a ZIP archive, which, in turn, leads to the execution of interim HTML Application (HTA) and VBS payloads.<\/p>\n

The VBS script is designed to carry out environment and anti-analysis checks similar to those found in Horabot artifacts, including checks for Avast antivirus software, and proceeds to retrieve next-stage payloads from a remote server. Among the downloaded files are AutoIt-based loaders, each of which extracts and runs encrypted payload files with \u00ab.ia\u00bb or \u00ab.at\u00bb extensions to eventually launch two malware families: Casbaneiro (\u00abstaticdata.dll\u00bb) and Horabot (\u00abat.dll\u00bb).<\/p>\n

While Casbaneiro is the primary payload, Horabot is used as a propagation mechanism for the malware. Casbaneiro’s Delphi DLL module contacts a command-and-control (C2) server to fetch a PowerShell script that employs Horabot to distribute the malware via phishing emails to harvested contacts from Microsoft Outlook.<\/p>\n

\u00abRather than distributing a static file or hardcoded link as seen in older Horabot campaigns, this script initiates an HTTP POST request to a remote PHP API (hxxps:\/\/tt.grupobedfs[.]com\/…\/gera_pdf.php), passing a randomly generated four-digit PIN,\u00bb BlueVoyant said.<\/p>\n

\u00abThe server dynamically forges a bespoke, password-protected PDF impersonating a Spanish judicial summons, which is returned to the infected host. The script then iterates over the filtered email list, utilizing the compromised user’s own email account to send a tailored phishing email with the newly generated PDF attached.\u00bb<\/p>\n

Also used in tandem is a secondary Horabot-related DLL (\u00abat.dll\u00bb) that functions as a spam and account hijacking tool targeting Yahoo, Live, and Gmail accounts to send phishing emails via Outlook. Horabot is assessed to be put to use in attacks targeting Latin America since at least November 2020.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

Water Saci has a history of using WhatsApp Web as a distribution vector for disseminating banking trojans like Maverick and Casbaneiro in a worm-like manner. However, recent campaigns highlighted by Kaspersky have leveraged<\/a> the ClickFix social engineering tactic to dupe users into running malicious HTA files with the end goal of deploying Casbaneiro and the Horabot spreader.<\/p>\n

\u00abTaken together, the integration of ClickFix social engineering, alongside dynamic PDF generation and WhatsApp automation, demonstrates an agile adversary that is continually innovating and executing diverse attack paths to bypass modern security controls,\u00bb the researchers concluded.<\/p>\n

\u00abThis adversary is maintaining a bifurcated, multi-pronged attack infrastructure, dynamically deploying the WhatsApp-centric Maverick chain and concurrently utilizing both ClickFix and email-based Horabot attack paths.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

\ue804Ravie Lakshmanan\ue802Apr 01, 2026Malware \/ Windows Security A multi-pronged phishing campaign is targeting Spanish-speaking users in organizations across Latin America and Europe to deliver Windows banking trojans like Casbaneiro (aka…<\/p>\n","protected":false},"author":1,"featured_media":464,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[1018,1016,1020,1019,1017,1022,1021,390,78],"class_list":["post-463","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-america","tag-casbaneiro","tag-dynamic","tag-europe","tag-latin","tag-lures","tag-pdf","tag-phishing","tag-targets"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/463","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=463"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/463\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/464"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=463"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=463"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=463"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}