Casbaneiro and Horabot Phishing Campaign Hits Latin America and Europe
A Brazilian cybercrime group tracked as Augmented Marauder and Water Saci is targeting Spanish-speaking users at organizations across Latin America and Europe with a multi-stage phishing campaign that delivers the Casbaneiro banking trojan and uses Horabot for delivery and propagation. The operation begins with court summons-themed phishing emails carrying password-protected PDF lures that direct victims to malicious links and ZIP archives, leading to execution of HTA and VBS payloads, followed by AutoIt loaders and encrypted malware components.
Researchers said the malware chain includes anti-analysis checks, retrieval of additional payloads from remote servers, and dynamically generated judicial-themed PDF attachments created through a remote PHP API using random PINs. Horabot helps expand the campaign by harvesting Outlook contacts, abusing compromised email accounts, and sending new phishing messages, while the broader operation also incorporates ClickFix social engineering and WhatsApp-based distribution to evade defenses and widen infections.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Researchers detail Horabot's role in propagation and dynamic PDF lures
Analysis of the campaign revealed that Horabot was being used both to deliver malware and to propagate the operation by harvesting Outlook contacts, abusing compromised email accounts, and sending phishing emails with dynamically generated judicial-themed PDF attachments. Researchers also found the malware performed anti-analysis checks, retrieved additional payloads from remote servers, and incorporated ClickFix and WhatsApp-based social engineering to expand infections.
Augmented Marauder launches Casbaneiro phishing campaign
A Brazilian cybercrime group tracked as Augmented Marauder, also known as Water Saci, began targeting Spanish-speaking users at organizations across Latin America and Europe with phishing emails delivering the Casbaneiro banking trojan. The campaign used court summons-themed lures, password-protected PDFs, malicious links, ZIP archives, and HTA/VBS payloads in a multi-stage infection chain.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Eternidade Stealer Banking Trojan Propagated via WhatsApp Worm in Brazil
Cybersecurity researchers have identified a new campaign targeting Brazilian users in which the Eternidade Stealer, a Delphi-based banking trojan, is distributed through a WhatsApp worm. The attack leverages social engineering and WhatsApp hijacking, with the threat actor deploying a Python script—marking a shift from previous PowerShell-based methods—to hijack WhatsApp Web sessions and spread malicious attachments. The campaign uses an obfuscated Visual Basic Script as the initial infection vector, which then drops a batch script responsible for delivering two payloads, including the Python-based worm. The malware utilizes the Internet Message Access Protocol (IMAP) to dynamically retrieve command-and-control (C2) addresses, allowing the attacker to update C2 infrastructure as needed. This activity is part of a broader trend in Brazil, where WhatsApp's ubiquity makes it a favored vector for distributing banking trojans and information stealers. The use of Delphi for malware development remains prevalent in Latin America due to its technical efficiency and regional familiarity. Researchers note that this campaign represents an evolution in tactics, building on previous attacks such as Water Saci, and highlights the increasing sophistication of social engineering and malware propagation techniques in the region's cybercrime ecosystem.
Mar 21, 2026
JanelaRAT Banking Trojan Expands Attacks on Latin American Financial Users
Researchers reported that **JanelaRAT**, a Latin America-focused banking trojan derived from **BX RAT**, is actively targeting online banking and cryptocurrency users, with the heaviest activity in **Brazil** and **Mexico** and additional campaigns observed in **Chile** and **Colombia**. Kaspersky said it recorded **14,739 detections in Brazil** and **11,695 in Mexico** during 2025, as the malware continued to evolve from earlier VBScript-and-ZIP delivery chains to newer phishing-led infections using **MSI droppers**, **DLL sideloading**, obfuscated **.NET** payloads, and persistence through **Startup-folder LNK files**. Recent activity also included deployment of a malicious Chromium extension disguised as legitimate software. Once installed, JanelaRAT monitors browser and window titles for hard-coded banking and financial targets, then opens interactive **TCP** and **HTTP** command-and-control channels to support screenshots, keylogging, input injection, cursor control, remote command execution, and session hijacking. The malware uses encrypted strings, anti-analysis checks, daily rotating dynamic DNS infrastructure, and user inactivity monitoring to evade detection and help operators time fraudulent transactions. A notable feature is its overlay system, which displays fake banking prompts and Windows update screens to steal credentials and **MFA** tokens while suppressing user interaction.
Apr 22, 2026
Grandoreiro Banking Trojan Resurfaces Against Portuguese Banks and Latin American Firms
The **Grandoreiro** banking trojan has re-emerged in campaigns targeting Portuguese banks and organizations across Spain, Mexico, and Latin America, showing that the malware remains active despite earlier law-enforcement disruption. Researchers reported phishing-led delivery chains using ZIP archives, loaders disguised as PDFs, **DLL side-loading**, and malicious **VBS** scripts hosted through abused legitimate services. In earlier observed activity, the operators impersonated government entities such as the Attorney General's Office of Mexico City and Spain's Public Ministry to lure employees at manufacturing, automotive, machinery, and chemicals companies into opening malicious attachments. The latest variants use stronger evasion and persistence techniques, including binary padding to roughly **400MB**, CAPTCHA-based execution, Windows Registry persistence, geofencing, and anti-analysis checks. Once installed, Grandoreiro can steal credentials, log keystrokes, monitor the clipboard, enumerate antivirus products, cryptocurrency wallets, and e-banking applications, and display fake banking overlays, while blending command-and-control traffic through trusted cloud services including **Google Cloud**, **Microsoft Azure**, and **Amazon**. Brazilian police previously arrested suspects tied to Grandoreiro operations, but the renewed campaigns indicate the financially motivated group continues to operate across multiple countries.
Jun 2, 2026