Horabot Malware Exploits Invoice-Themed Phishing Campaigns Across Six Latin American Countries
Cybersecurity researchers have identified a sophisticated phishing campaign distributing a malware variant known as Horabot, specifically targeting Windows users across various Latin American countries, including Mexico, Guatemala, Colombia, Peru, Chile, and Argentina.
This campaign leverages carefully crafted emails that mimic invoices or financial documents to deceive victims into opening malicious attachments. The malware is designed to steal email credentials, harvest contact lists, and deploy banking trojans. Observations by Fortinet FortiGuard Labs indicate that this activity, first noted in April 2025, predominantly affects Spanish-speaking users. Notably, the attackers have also been observed sending phishing messages from compromised mailboxes using Outlook COM automation, facilitating the lateral spread of the malware within both corporate and personal networks.
In addition to phishing attempts, the threat actors utilize a variety of scripts, including VBScript, AutoIt, and PowerShell, to conduct system reconnaissance, pilfer credentials, and deliver further malicious payloads. Horabot was initially documented by Cisco Talos in June 2023, having targeted Spanish-speaking users in Latin America since at least November 2020. Analysis suggests a connection to threat actors operating out of Brazil.
Additionally, last year, Trustwave SpiderLabs reported on another phishing campaign also aimed at the Latin American region, which demonstrated similarities to the Horabot malware campaign.
The current wave of attacks begins with a phishing email deploying an invoice-themed lure, prompting users to open a ZIP file that ostensibly contains a PDF document. In reality, this ZIP archive houses a malicious HTML file encoded in Base64, intended to connect with a remote server and retrieve a subsequent malicious payload.
This payload is delivered in another ZIP archive that contains an HTML Application (HTA) file, which fetches and executes a remotely hosted script. This script injects an external Visual Basic Script (VBScript) designed to perform checks that lead to its termination if it detects the presence of Avast antivirus or if it operates within a virtualized environment.
The VBScript performs several tasks, including gathering basic system information, exfiltrating this data to a remote server, and downloading additional payloads. Among these payloads is an AutoIt script responsible for deploying a banking trojan via a malicious DLL and a PowerShell script meant to disseminate phishing emails by compiling a list of target addresses from Outlook’s contact data.
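The chain described above starts with a ZIP that claims to hold a PDF but actually carries an HTML file with a Base64-embedded stage. As an added example (not code from Fortinet, Cisco Talos, or the campaign itself), the following Python triage routine flags the traits a mail gateway could check for: a non-PDF member in a "PDF" archive, script-capable file types, and long Base64 runs that decode to active content. File names, markers, and the sample archives are constructed assumptions for illustration.

```python
import base64
import io
import re
import zipfile

# Member types the described chain hides inside an "invoice PDF" ZIP (HTML smuggling, HTA, VBScript, AutoIt, PowerShell).
SCRIPT_LIKE = {".html", ".htm", ".hta", ".vbs", ".js", ".ps1", ".au3"}
# A long unbroken Base64 run inside a member is the usual footprint of a smuggled payload.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")
# If the decoded run contains these, it is active content, not an invoice (assumed marker list).
ACTIVE_MARKERS = (b"<script", b"<html", b"ActiveXObject", b"WScript", b"mshta")

def triage_zip(zip_bytes: bytes, claims_pdf: bool = True) -> list:
    """Return a list of findings for a ZIP attachment; an empty list means nothing was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            ext = name[name.rfind("."):] if "." in name else ""
            if claims_pdf and ext != ".pdf":
                findings.append(f"{info.filename}: lure promised a PDF but member is '{ext}'")
            if ext in SCRIPT_LIKE:
                findings.append(f"{info.filename}: script-capable file inside archive")
            for run in B64_RUN.findall(zf.read(info)):
                try:
                    decoded = base64.b64decode(run, validate=True)
                except ValueError:  # binascii.Error is a ValueError subclass; skip non-decodable runs
                    continue
                if any(marker in decoded for marker in ACTIVE_MARKERS):
                    findings.append(f"{info.filename}: Base64 blob decodes to active content")
                    break
    return findings

def _zip_with(name: str, payload: bytes) -> bytes:
    """Build an in-memory ZIP with a single member (constructed test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

def build_smuggling_sample() -> bytes:
    """Constructed stand-in for the campaign's ZIP: an HTML member carrying a Base64 blob."""
    inner = b"<html><body><script>/* constructed placeholder stage */</script></body></html>" * 4
    html = b"<html><script>var p='" + base64.b64encode(inner) + b"';</script></html>"
    return _zip_with("Factura_0001.pdf.html", html)

def build_benign_sample() -> bytes:
    """Constructed ordinary invoice ZIP that should produce no findings."""
    return _zip_with("Factura_0001.pdf", b"%PDF-1.4\n% constructed minimal stand-in, no smuggled content\n")
```

Running `triage_zip(build_smuggling_sample())` yields three findings (wrong extension, script-capable member, active Base64 content), while the benign sample yields none.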
The Horabot malware systematically targets and collects browser-related data from a wide range of web browsers, including Brave, Yandex, Epic Privacy Browser, Comodo Dragon, Cent Browser, Opera, Microsoft Edge, and Google Chrome. In addition to data extraction, Horabot actively monitors user behavior, injecting deceptive pop-up windows aimed at capturing sensitive login credentials.