Horabot’s Sneaky Phishing Campaign
Horabot malware targets Windows users in six Latin American countries, including Mexico and Colombia. Attackers send phishing emails disguised as invoices to trick users into opening malicious attachments. The campaign, active in April 2025, aims to steal credentials and spread banking trojans.
How the Attack Begins
The attack starts with Spanish-language emails mimicking financial documents. The emails carry ZIP files containing malicious HTML. When opened, the HTML connects to a remote server and downloads a second ZIP holding an HTML Application (HTA) file, which advances the attack.
Complex Infection Chain
The HTA file triggers a remote script that checks for antivirus software such as Avast. If none is found, it deploys VBScript, AutoIt, and PowerShell scripts. These scripts collect system data and steal browser credentials, and they let the malware spread through victims’ Outlook accounts.
Data Theft and Propagation
Horabot steals data from browsers such as Edge, Chrome, and Opera. It monitors user actions and displays fake login pop-ups. It also scans Outlook contacts and sends phishing emails to new targets. This self-spreading tactic amplifies the campaign’s reach within networks.
History and Origins
First identified in 2020, Horabot likely originates from a Brazilian threat actor. Previous campaigns showed similar tactics, and a report notes its evolution into a sophisticated threat. Its return in 2025 therefore poses significant risks to Latin American users.
Why It’s Hard to Detect
Horabot avoids detection by terminating itself when it runs in a virtual environment. Its use of encoded HTML and legitimate scripting tools adds stealth, so users may not notice the infection until data is stolen. This makes early prevention critical.
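The infection chain described above (HTA file launching VBScript, AutoIt and PowerShell) and the stealth that comes from using legitimate scripting hosts both leave one telemetry trace a defender can hunt for: a script host whose parent chain runs through mshta.exe. The following is an added example, not code from the original article or from any vendor; the process-creation events are constructed for illustration, and the executable names (mshta.exe, wscript.exe, AutoIt3.exe, OUTLOOK.EXE) are assumed typical installation paths rather than values taken from the campaign.

```python
# Constructed sample process-creation events (not real telemetry): a mail
# client opens an attachment, mshta.exe runs the HTA, and the HTA launches
# the scripting engines named in the article.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\wscript.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe"},  # benign control
]

# Legitimate scripting hosts abused as stages in the chain (assumed binary names).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "autoit3.exe"}
# Processes in which a user typically opens a mailed attachment.
MAIL_CLIENTS = {"outlook.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(events, pid):
    """Image basenames from pid up to the root; cycle-safe for malformed logs."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(_basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def find_hta_chains(events):
    """Flag script hosts whose ancestry passes through mshta.exe.

    Returns one record per hit with the root-to-child chain and whether the
    chain began in a mail client (stronger signal of a mailed HTA stager).
    """
    hits = []
    for e in events:
        if _basename(e["image"]) not in SCRIPT_HOSTS:
            continue
        chain = ancestry(events, e["pid"])
        if "mshta.exe" in chain[1:]:  # any ancestor, not just the direct parent
            hits.append({"pid": e["pid"], "chain": list(reversed(chain)),
                         "from_mail_client": any(c in MAIL_CLIENTS for c in chain)})
    return hits


if __name__ == "__main__":
    for hit in find_hta_chains(SAMPLE_EVENTS):
        print(hit["pid"], " -> ".join(hit["chain"]), "mail_client" if hit["from_mail_client"] else "")
```

On real Sysmon Event ID 1 or EDR data the same logic applies after mapping ProcessId/ParentProcessId/Image onto the event fields.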
Preventing Horabot Malware Attacks
To stop Horabot, avoid opening email attachments from unknown sources and verify sender addresses before acting on a message. Install and update antivirus software so it can detect malicious scripts. Enable two-factor authentication and train users to recognize phishing. These steps protect against data theft and further malware spread.
Sleep well, we got you covered.