Global Cyber Threat Escalates as Horabot Campaign Deploys Dynamic Phishing, Fileless Malware, and Banking Trojan Infrastructure

Cybercriminal campaigns continue to evolve in complexity, blending social engineering with multi-stage malware delivery to bypass modern defenses. A recent campaign analyzed by researchers highlights how attackers are refining both psychological manipulation and technical evasion to achieve higher infection success rates.

The attack begins with a carefully crafted phishing email subject line: “Citación judicial pendiente – actuación obligatoria comparecencia el No. 20260226-124145.” This translates to a pending judicial summons requiring mandatory court appearance. The wording is intentionally alarming, designed to trigger urgency and fear. Victims are more likely to act quickly when legal consequences are implied, reducing their likelihood of scrutinizing the message.

The email includes a password-protected PDF attachment, presented as an official legal document. This tactic serves two purposes. First, it prevents automated email security systems from scanning the file contents. Second, it enhances credibility by suggesting the document contains sensitive legal information. Inside the PDF, users are instructed to click a link to access further case details, initiating the next stage of the attack.

PDF attachment contents containing the link to download the ZIP archive. Source: BlueVoyant

Once the victim clicks the embedded link, their browser is redirected to an attacker-controlled URL. The page automatically downloads a ZIP archive without requiring user interaction. Unlike traditional malware campaigns that rely on static filenames, this variant generates a unique filename using a Version 4 UUID combined with a variable suffix. This dynamic naming approach effectively bypasses hash-based detection and enables attackers to track individual victim interactions.

Inside the ZIP archive resides an HTA file, also named using a UUID-based convention. When executed, the HTA file leverages mshta.exe to retrieve and run remote code from:

  • hxxps://ge.factu.it[.]com/GZSPEGIJ/YFSBNPQK

HTA file content. Source: BlueVoyant

The script includes obfuscation techniques such as junk HTML padding and uses JavaScript functions like moveTo() to hide execution windows from the user. These methods are consistent with earlier Horabot campaigns but demonstrate incremental improvements in stealth and delivery.

Execution of the HTA file triggers a multi-stage infection chain. The first stage downloads a lightweight JavaScript payload from:

  • hxxps://104.21.19[.]50/GZSPEGIJ/YFSBNPQK

This script dynamically injects a second-stage VBScript from:

  • hxxps://ge.factu.it[.]com/g1/ld1/

The VBScript payload is heavily obfuscated using a custom string decryption routine. Instead of storing readable strings, encoded values are decrypted in memory at runtime using a per-string key derived from ASCII manipulation. This technique significantly complicates static analysis and signature-based detection.

Before proceeding, the malware performs anti-analysis checks. It looks for indicators of sandbox environments, such as Avast directories or known virtual machine artifacts. Notably, this campaign expands its blocklist to include usernames like IT-Admin, WALKER, and TIM-XG178L01X6, indicating ongoing reconnaissance of modern analysis environments. If any checks are triggered, execution is halted immediately.

If the environment is deemed safe, the malware creates a working directory at:

  • C:\Users\Public\LAPTOP-0QF0NEUP32

It then downloads additional payloads from:

  • hxxps://ge.factu.it[.]com/g1/

Among these are renamed AutoIt tools used to compile and execute further payloads. Persistence is achieved via Windows Startup folder shortcuts and file attribute manipulation.

The AutoIt scripts act as loaders, searching for encrypted files with extensions like .ia and .at. These files contain AES-encrypted payloads decrypted using a hardcoded seed: 99521487. Once decrypted, the payloads are loaded directly into memory, avoiding disk-based detection.
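As an added example (not part of the original report or of BlueVoyant's analysis), the following Python detection logic turns two of the observations above into rules and runs them over constructed telemetry: mshta.exe launching an HTA whose name is a version-4 UUID, and a shortcut dropped into the user's Startup folder by something other than explorer.exe. The event layout is a simplified stand-in for Sysmon-style process- and file-creation logs; the user name, file names and sample events are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Version-4 UUID: 8-4-4-4-12 hex groups, "4" leading the third group and
# 8/9/a/b leading the fourth. Matches the dynamic ZIP/HTA naming described above.
UUID4_RE = re.compile(
    r"\b[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}\b", re.I
)
# A .lnk created directly under the per-user Startup folder runs at next logon.
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)

@dataclass
class Event:
    kind: str               # "process" (creation) or "file" (creation)
    image: str              # image path of the acting process
    command_line: str = ""  # process events only
    target: str = ""        # file events only: path of the created file

def detect(ev: Event) -> list[str]:
    """Return the names of the rules this single event triggers."""
    hits = []
    if ev.kind == "process" and ev.image.lower().endswith("\\mshta.exe"):
        cl = ev.command_line
        if ".hta" in cl.lower() and UUID4_RE.search(cl):
            hits.append("mshta_uuid4_hta")
    if ev.kind == "file" and STARTUP_LNK_RE.search(ev.target):
        # Assumption: explorer.exe writing here is a user pinning a shortcut;
        # any other writer (scripts, renamed interpreters) is worth alerting on.
        if not ev.image.lower().endswith("\\explorer.exe"):
            hits.append("startup_lnk_persistence")
    return hits

def scan(events: list[Event]) -> list[tuple[int, str]]:
    """Run every event through detect(); returns (event index, rule) pairs."""
    return [(i, r) for i, ev in enumerate(events) for r in detect(ev)]

# Constructed sample telemetry (hypothetical paths and names, not campaign data).
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\mshta.exe",
          command_line=r'"C:\Windows\System32\mshta.exe" "C:\Users\victim\Downloads'
                       r'\3f2a9c1e-8b4d-4e7f-9a2b-6c1d0e5f7a88-01'
                       r'\3f2a9c1e-8b4d-4e7f-9a2b-6c1d0e5f7a88.hta"'),
    Event("process", r"C:\Windows\System32\mshta.exe",          # benign installer HTA
          command_line=r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\setup.hta"'),
    Event("file", r"C:\Users\Public\LAPTOP-0QF0NEUP32\x.exe",   # working dir from the report
          target=r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"),
    Event("file", r"C:\Windows\explorer.exe",                   # user-created shortcut
          target=r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notes.lnk"),
]
```

Running `scan(SAMPLE_EVENTS)` flags only the first and third events; the benign HTA and the explorer-created shortcut pass untouched.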

Two primary malware components are deployed:

Casbaneiro Banking Trojan (staticdata.dll)
This payload targets financial institutions, particularly in Latin America and Spain. It includes extensive banking string tables and relies on OpenSSL libraries for cryptographic operations. Communication with its command-and-control (C2) server results in additional instructions, including PowerShell scripts that download further payloads.

Horabot Spreader
A PowerShell-based propagation module leverages Outlook COM objects to harvest contacts and send phishing emails from the victim’s account. A notable innovation in this campaign is dynamic lure generation. Instead of reusing static attachments, the malware sends a POST request to:

  • hxxps://tt.grupobedfs[.]com/…/gera_pdf.php

This generates a unique, password-protected PDF for each victim, drastically reducing detection rates by email security systems.

Horabot Webmail Hijacker (at.dll)
This module targets Gmail, Yahoo, and Outlook accounts. It retrieves encrypted configuration commands from:

  • hxxps://cgf.facturastbs[.]shop/a/08/150822/au

These commands dynamically enable or disable features such as SMTP abuse, PDF delivery, and automated account hijacking. This modular design allows attackers to adapt their operations in real time without redeploying malware.

The campaign also demonstrates strong ties to a broader malware ecosystem. The consistent use of AutoIt loaders, shared cryptographic methods, and overlapping infrastructure strongly suggests attribution to the Augmented Marauder (Water Saci) threat group. Their operations blend multiple attack vectors, including email phishing and WhatsApp-based malware delivery, all unified by a common execution framework.

This entire attack chain demonstrates a mature adversary capable of blending social engineering, fileless execution, and modular malware deployment into a cohesive and highly evasive operation.

Our Opinion on This Campaign

What stands out most in this campaign is not just the technical sophistication, but the strategic mindset behind it. The attackers are no longer relying on a single method of compromise. Instead, they are building adaptive ecosystems that evolve in real time. The use of dynamic PDF generation, UUID-based payload delivery, and modular configuration signals a shift toward highly personalized and scalable attacks.

From a defensive perspective, this creates a serious challenge. Traditional security mechanisms—especially those dependent on signatures, hashes, or static indicators—are becoming increasingly ineffective. Each victim effectively receives a unique version of the attack, making pattern detection significantly harder.

Equally concerning is the heavy reliance on legitimate tools and “living off the land” techniques. By abusing native Windows utilities like PowerShell and mshta.exe, attackers blend seamlessly into normal system activity. This reduces the likelihood of triggering alarms and increases dwell time within compromised environments.

Perhaps the most alarming aspect is the integration of propagation mechanisms that weaponize trust. By hijacking legitimate email accounts and generating tailored lures, attackers bypass one of the strongest defenses organizations rely on: user skepticism.

In our view, this campaign reflects a broader trend where cybercrime operations are beginning to resemble enterprise-grade software development. Continuous improvement, modular architecture, and real-time adaptability are no longer exclusive to defenders—they are now core capabilities of modern threat actors.