Horabot
Horabot is a Windows banking malware family and botnet first identified in June 2023, though the reporting cited on this page assesses that it has been used in attacks against Latin America since at least November 2020. It has been described both as a banking trojan and as a propagation/spreader component used alongside Casbaneiro/Metamorfo in multi-stage phishing campaigns. High-confidence reporting links recent activity to the Brazilian cybercrime group Augmented Marauder, also tracked as Water Saci.
The malware has primarily targeted Spanish-speaking users in Latin America, including Mexico, Guatemala, Colombia, Peru, Chile, and Argentina, with additional campaigns aimed at Spanish-speaking users in Spain or elsewhere in Europe. Mexico was heavily affected in one 2025 campaign, in which researchers observed 5,384 infected machines, about 93% of them in Mexico. Targeting is financially motivated, with lures themed as judicial summonses, invoices, or confidential business documents.
Observed infection chains rely on phishing and social engineering rather than software exploitation. Delivery methods described in the cited reporting include phishing emails with password-protected PDF attachments, links to malicious ZIP archives, fake CAPTCHA pages that instruct victims to run mshta, and follow-on HTA, JavaScript, VBScript, PowerShell, and AutoIt stages. The chain performs environment and anti-analysis checks (including checks for Avast and VM artifacts), retrieves additional payloads from remote servers, and establishes persistence via an LNK shortcut in the Startup folder.
Horabot’s defining behavior is self-propagation through compromised email accounts. It abuses the victim’s mailbox, harvests contacts via Outlook/MAPI, filters the addresses, and sends phishing emails from the victim’s own account, which increases recipient trust and reduces the likelihood of detection by email security controls. Campaigns described in the cited reporting generate tailored, password-protected PDF lures dynamically through a remote PHP API using a random PIN, then distribute them to the harvested contacts. Reporting also states that Horabot-related components targeted Yahoo, Live, and Gmail accounts and functioned as spam and account-hijacking tools.
In the broader attack ecosystem, Casbaneiro is repeatedly described as the primary banking trojan payload, while Horabot is used as the delivery and propagation mechanism. In another detailed 2025 campaign, Horabot is described as a bundle consisting of a Delphi banking trojan plus a PowerShell-driven email worm. The banking trojan component uses fake banking overlays to steal credentials during active banking sessions, and reporting associates the overall operation with targeting banks and financial platforms such as Santander, Banco do Brasil, and Binance.
Technical indicators and infrastructure directly mentioned in the cited reporting include HTA/VBS/AutoIt loaders; encrypted payload files with .ia and .at extensions; deployment of Casbaneiro as staticdata.dll and Horabot as at.dll in one campaign; dynamic PDF generation via hxxps://tt.grupobedfs[.]com/.../gera_pdf.php; fake CAPTCHA and staging infrastructure at evs.grupotuis[.]buzz and pdj.gruposhac[.]lat; configuration retrieval from cgf.facturastbs[.]shop; and socket C2 infrastructure including lifenews[.]pro:49569 and 64.177.80[.]44. One report notes that the malware’s custom TCP protocol frames each message between double ## markers, which the researchers identified as a reliable IDS/Suricata detection opportunity.
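The ## framing heuristic above, as an added example that is not code from the page or from any vendor report: a small Python triage routine that splits constructed TCP payloads into complete ##...## frames, keeps any trailing partial frame for the next segment, and renders the same match as a Suricata/Snort rule. The frame contents, the rule text and the SID are assumptions for illustration; the reporting only states that messages sit between double ## markers.

```python
import re
from typing import List, Tuple

# Constructed sample TCP payloads for this example; not captured Horabot traffic.
SAMPLE_PAYLOADS = [
    b"##HELLO##",                                     # single complete frame
    b"##INFO|host=WIN-LAB|user=demo####ACK##",        # two back-to-back frames
    b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",  # benign, no framing
    b"##PART",                                        # frame cut by segmentation
]

# A frame is whatever sits between one "##" marker and the next one.
FRAME = re.compile(rb"##(.*?)##", re.DOTALL)


def extract_frames(payload: bytes) -> Tuple[List[bytes], bytes]:
    """Split a payload into complete ##...## frames.

    Returns (frames, remainder); the remainder is any trailing bytes that do
    not form a complete frame, so a caller can prepend them to the next
    segment of the same TCP stream instead of losing a split message.
    """
    frames, end = [], 0
    for m in FRAME.finditer(payload):
        frames.append(m.group(1))
        end = m.end()
    return frames, payload[end:]


def is_hh_framed(payload: bytes) -> bool:
    """Heuristic from the reporting: payload opens with "##" and carries at
    least one complete frame. Benign text that merely contains "##" inside
    does not match because it does not start with the marker."""
    return payload.startswith(b"##") and bool(extract_frames(payload)[0])


def triage(payloads: List[bytes]) -> List[int]:
    """Indices of payloads that match the framing heuristic."""
    return [i for i, p in enumerate(payloads) if is_hh_framed(p)]


def suricata_rule(sid: int) -> str:
    """Equivalent content match as a Suricata/Snort rule (sid is a placeholder)."""
    return (
        'alert tcp any any -> any any (msg:"Possible Horabot ## framed C2"; '
        'flow:established,to_server; content:"##"; depth:2; '
        f'content:"##"; distance:0; sid:{sid}; rev:1;)'
    )


if __name__ == "__main__":
    print("flagged payload indices:", triage(SAMPLE_PAYLOADS))  # [0, 1]
    print(suricata_rule(1000001))
```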
Groups observed using it
2 distinct threat actors attributed by public researchers.
One of the scripts deployed later in the attack chain — a tool called Horabot — is designed to exploit the victim's email account, with the goal of self-propagation.
Techniques & procedures
29 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance (1 technique)
Initial Access (4 techniques)
The script then iterates over the filtered email list, utilizing the compromised user's own email account to send a tailored phishing email with the newly generated PDF attached.
Threat actors typically rely on traditional initial access methods, such as phishing via email, SMS, and WhatsApp messages, impersonating financial institutions, and requesting invoices or payments.
The malicious file attached to the phishing email is password-protected, lending an air of legitimacy to the document and possibly helping it escape scrutiny from secure email gateways (SEGs). That zip file name is randomized for each victim — an obstacle for signature-based detection tools.
Execution (7 techniques)
This threat group employs a wider-ranging attack model focused on a bespoke delivery and propagation mechanism that includes WhatsApp, ClickFix techniques, and email-centric phishing.
Casbaneiro's Delphi DLL module contacts a command-and-control (C2) server to fetch a PowerShell script that employs Horabot to distribute the malware via phishing emails to harvested contacts from Microsoft Outlook.
...leading to the execution of interim HTML Application (HTA) and VBS payloads. These scripts perform environment checks and retrieve further payloads from a remote server...
it opens a blank window, then immediately pulls and runs an external JavaScript payload hosted on the attacker’s domain.
Upon opening the PDF, users are directed to a malicious link that downloads a ZIP archive, leading to the execution of interim HTML Application (HTA) and VBS payloads.
Persistence (3 techniques)
Privilege Escalation (3 techniques)
Stealth (6 techniques)
The script is obfuscated and employs a custom string encoding routine... Heavy obfuscation: the script uses multiple layers of obfuscation to obscure its behavior.
Cleanup routines: removes temporary files and terminates selected processes.
The script then iterates over the filtered email list, utilizing the compromised user's own email account to send a tailored phishing email with the newly generated PDF attached.
Clicking on an embedded link in the document directs the victim to a malicious link and initiates an automatic download of a ZIP archive, which, in turn, leads to the execution of interim HTML Application (HTA) and VBS payloads.
Discovery (6 techniques)
Cleanup routines: removes temporary files and terminates selected processes.
Information gathering and exfiltration: collects the host IP, hostname, username, and OS version, then sends this data to a C2 server.
Collection (4 techniques)
One of the scripts deployed later in the attack chain — a tool called Horabot — is designed to exploit the victim's email account, with the goal of self-propagation. It grabs their contacts, filters them, then blasts a new round of phishing emails to any number of new potential targets.
...distribute the malware via phishing emails to harvested contacts from Microsoft Outlook.
Command and Control (1 technique)
IOCs tracked for this family
36 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains and DNS infrastructure, file hashes (MD5, SHA-1, SHA-256), and other indicator types from public reporting.
Recent activity
9 sources tracked across advisories, community write-ups, and news.
A Windows banking trojan that also functions as a propagation tool by abusing compromised email accounts to send phishing emails with dynamically generated PDF attachments to harvested contacts.
A self-propagating tool used in the attack chain to compromise a victim's email account, harvest and filter contacts, and send further phishing emails with modified malicious attachments to new targets.
A malware family and botnet using invoice-themed phishing emails to gain initial access, targeting Spanish-speaking users in multiple LAC countries.
Malware used as a propagation mechanism for Casbaneiro. It harvests contacts from Microsoft Outlook and helps distribute phishing emails; a related DLL also functions as a spam and account hijacking tool targeting Yahoo, Live, and Gmail accounts via Outlook.