Augmented Marauder
Augmented Marauder is a Brazilian cybercrime threat actor also tracked as Water Saci. Reported activity links the group to phishing campaigns targeting Spanish-speaking users in organizations across Latin America and Europe to deliver banking malware including Casbaneiro and Horabot. The group uses a multi-pronged delivery model involving email-based phishing, ClickFix techniques, and WhatsApp-based lures.

Observed campaigns begin with phishing emails themed as court summons messages and containing password-protected PDF attachments. The PDFs direct victims to malicious links that download ZIP archives, leading to execution of HTA and VBS payloads. These scripts perform environment and anti-analysis checks (including checks for Avast in one reported chain), retrieve additional payloads from remote servers, and can lead to AutoIt-based loaders that extract and run encrypted components.

Reported payload chains ultimately deploy Casbaneiro, with Horabot used as a propagation and account-abuse mechanism. Horabot is described as harvesting contacts from Microsoft Outlook and using compromised email accounts to send phishing emails with dynamically generated, password-protected judicial-themed PDF attachments. A related Horabot DLL has been described as a spam and account-hijacking tool targeting Yahoo, Live, and Gmail accounts via Outlook.

Supporting reporting also states that Water Saci has previously used WhatsApp Web as a distribution vector for banking trojans such as Maverick and Casbaneiro, and that recent campaigns used ClickFix social engineering to trick users into running malicious HTA files. BlueVoyant assessed the operation as maintaining bifurcated infrastructure combining a WhatsApp-centric Maverick chain with ClickFix- and email-based Horabot attack paths.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they're from
Attributed origin per open-source reporting.
- BR
Tradecraft
20 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
2 malware families attributed to this actor across reporting.
Observables
2 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Conducting a multi-pronged phishing campaign targeting Spanish-speaking users in organizations across Latin America and Europe to deliver the banking trojans Casbaneiro and Horabot.
Brazilian cybercrime group conducting multi-pronged phishing campaigns against Spanish-speaking users in Latin America and Europe to deliver banking trojans, using email phishing, WhatsApp-based propagation, ClickFix social engineering, and email hijacking for malware distribution.