Bank Trojan 'Casbaneiro' Worms Through Latin America

CYBERATTACKS & DATA BREACHES THREAT INTELLIGENCE CYBER RISK ENDPOINT SECURITY NEWS Breaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa and the Asia Pacific Bank Trojan 'Casbaneiro' Worms Through Latin America Augmented Marauder's multipronged banking-Trojan cyber campaigns are targeting Spanish speakers, evading detection, and replicating rapidly. Nate Nelson,Contributing Writer April 2, 2026 4 Min Read SOURCE: HUGO OLIVEIRA VIA ALAMY STOCK PHOTO Brazilian threat actors are aiming to steal banking credentials across Spanish-speaking countries, using highly wormable and slightly elusive infection techniques. As much as North Korea is known for large-scale cryptocurrency hacks and Israel dominates the spyware market, Brazil has become notorious as the banking malware capital of the world. Hackers there churn out money-stealing Trojans at a rate that challenges analysts' ability to come up with explanations. The cybercrime operation known as Water Saci, or Augmented Marauder, has been near the heart of this movement for some years now. In more recent months, it has been splitting its time between two financially motivated cyberattack campaigns. One of them has been waged over WhatsApp, focused in Brazil, and tracked by researchers since last year. BlueVoyant has now identified a parallel, in some ways similar, campaign, but it's being carried out via email, and might well spread through Latin America and Spain. This latest iteration on Water Saci's playbook is characterized by self-propagating malware, email security bypass, and financial information theft. Related:Chinese Police Use ChatGPT to Smear Japan PM Takaichi "This threat group seems as if they have a campaign that they try to launch [roughly] every quarter, and they keep changing it, so it's pretty clear whoever this is [is] very active [and] their end goal is to get access to users' bank accounts within the Latin American region," says Thomas Elkins, SOC security analyst for BlueVoyant. "To me, it's clear that they're going to keep ramping up." A Wormable Banking Attack LOADING... On first impression, an Augmented Marauder attack is rather unexceptional. All victims receive the same notice in their inbox of some vague upcoming judicial summons. Victims who fall for the bait land on a site where they end up downloading a malicious zip file. Behind each step in this chain of events, though, is a trick that either modestly helps the attack evade detection, or significantly helps it spread to new targets. The malicious file attached to the phishing email is password-protected, lending an air of legitimacy to the document and possibly helping it escape scrutiny from secure email gateways (SEGs). That zip file name is randomized for each victim — an obstacle for signature-based detection tools. Most significant of all, though, is how victims end up with that judicial summons email in the first place. One of the scripts deployed later in the attack chain — a tool called Horabot — is designed to exploit the victim's email account, with the goal of self-propagation. It grabs their contacts, filters them, then blasts a new round of phishing emails to any number of new potential targets, with a modified version of the judicial summons file locked with a new password. Related:Singapore & Its 4 Major Telcos Fend Off Chinese Hackers Besides spreading fast and far, this worming element carries a few other distinct advantages. First, because new targets receive their phishing emails from trusted contacts, they might be more likely to click on those malicious attachments. It also means those emails are less likely to be flagged by email security solutions. "And it's pretty smart because it makes it harder to identify where the attack actually originated from," Elkins points out. Between the wormable emails, and the wormable WhatsApp messages in their concurrent campaign in Brazil, "they're finding new ways to automate their attack chains to not just rely on an attacker-based account," which makes identifying attacker-controlled infrastructure more challenging for cybersecurity defenders. Brazil's Banking Trojans Don't Impress The point of all this is to drop Casbaneiro, a classic banking Trojan that triggers when victims visit their cryptocurrency or financial service providers online. Its list of targets is extensive, covering major banks in Central and South America — like Santander and Banco do Brasil — plus payment and cryptocurrency platforms like Binance. Per tradition, it uses an overlay to trick users into thinking they're logging into a legitimate site, and logs their keystrokes in order to capture their credentials. Related:Senegalese Data Breaches Expose Lack of Security Maturity For Elkins, the phenomenon of Brazilian banking Trojans is a mystery. "It's interesting that they're still hung up on banking Trojans, because a lot of time these newer threat actors are focusing on: How do we gain access to this customer's network? How do we start infiltrating exfiltrating data? How can we use ransomware to get paid?" he says. Banking Trojans are a more direct way to steal money with malware, and they apparently work often enough to keep this sector of cybercrime chugging along, but "I don't think most of the banking Trojans succeed at this point, in today's environment, because they're so easy to attack now," Elkins says. With competent, modern cybersecurity protections, he says, "they're getting caught more easily. I mean, Windows Defender itself has so many different rule sets for catching AutoIT executables [like those used by Water Saci] and stopping that behavior. That's why, a lot of the time in my research, we don't see it get all the way to the end in the customer's environment. It's usually stopped at the email stage." Read more about: DR Global Latin America About the Author Nate Nelson Contributing Writer Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports Frost Radar™: Non-human Identity Solutions 2026 CISO AI Risk Report Cybersecurity Forecast 2026 The ROI of AI in Security ThreatLabz 2025 Ransomware Report Access More Research Webinars Building a Robust SOC in a Post-AI World Retail Security: Protecting Customer Data and Payment Systems Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need Securing Remote and Hybrid Work Forecast: Beyond the VPN AI-Powered Threat Detection: Beyond Traditional Security Models More Webinars You May Also Like CYBERATTACKS & DATA BREACHES Cyberattackers Target LastPass, Top Password Managers by Nate Nelson, Contributing Writer OCT 16, 2025 CYBERATTACKS & DATA BREACHES After Pahalgam Attack, Hacktivists Unite Under #OpIndia by Nate Nelson, Contributing Writer MAY 09, 2025 CYBERATTACKS & DATA BREACHES Despite Arrests, Scattered Spider Continues High-Profile Hacking by Rob Wright MAY 02, 2025 CYBERATTACKS & DATA BREACHES DeepSeek Breach Opens Floodgates to Dark Web by Emma Zaballos APR 22, 2025 Editor's Choice CYBERSECURITY OPERATIONS Why Stryker's Outage Is a Disaster Recovery Wake-Up Call byJai Vijayan MAR 12, 2026 5 MIN READ CYBER RISK What Orgs Can Learn From Olympics, World Cup IR Plans byTara Seals MAR 12, 2026 THREAT INTELLIGENCE Commercial Spyware Opponents Fear US Policy Shifting byRob Wright MAR 12, 2026 9 MIN READ Want more Dark Reading stories in your Google search results? 2026 Security Trends & Outlooks THREAT INTELLIGENCE Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats JAN 2, 2026 CYBER RISK Navigating Privacy and Cybersecurity Laws in 2026 Will Prove Difficult JAN 12, 2026 ENDPOINT SECURITY CISOs Face a Tighter Insurance Market in 2026 JAN 5, 2026 THREAT INTELLIGENCE 2026: The Year Agentic AI Becomes the Attack-Surface Poster Child JAN 30, 2026 Download the Collection Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars Building a Robust SOC in a Post-AI World THURS, MARCH 19, 2026 AT 1PM EST Retail Security: Protecting Customer Data and Payment Systems THURS, APRIL 2, 2026 AT 1PM EST Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need WED, APRIL 1, 2026 AT 1PM EST Securing Remote and Hybrid Work Forecast: Beyond the VPN TUES, MARCH 10, 2026 AT 1PM EST AI-Powered Threat Detection: Beyond Traditional Security Models WED, MARCH 25, 2026 AT 1PM EST More Webinars White Papers Autonomous Pentesting at Machine Speed, Without False Positives Fixing Organizations' Identity Security Posture Best practices for incident response planning Industry Report: AI, SOC, and Modernizing Cybersecurity The Threat Prevention Buyer's Guide: Find the best AI-driven threat protection solution to stop file-based attacks. Explore More White Papers BLACK HAT ASIA | MARINA BAY SANDS, SINGAPORE Experience cutting-edge cybersecurity insights in this four-day event featuring expert Briefings on the latest research, Arsenal tool demos, a vibrant Business Hall, networking opportunities, and more. Use code DARKREADING for a Free Business Pass or $200 off a Briefings Pass. GET YOUR PASS GISEC GLOBAL 2026 GISEC GLOBAL is the most influential and the largest cybersecurity gathering in the Middle East & Africa, uniting global CISOs, government leaders, technology buyers, and ethical hackers for three power-packed days of innovation, strategy, and live cyber drills. 📌 BOOK YOUR SPACE