
Casbaneiro Banking Trojan Campaign Targets Latin America and Europe with Sophisticated PDF Phishing Lures


A sophisticated and multi-pronged phishing campaign is actively targeting Spanish-speaking users within corporate environments across Latin America and Europe. The campaign's ultimate goal is to deploy the Casbaneiro banking trojan, also known as Metamorfo, onto victim systems. Security researchers have identified a complex infection chain where the initial phishing emails deliver a malicious Microsoft Word document. This document, in turn, downloads a secondary payload: a loader for another piece of malware called Horabot. It is this Horabot malware that acts as the final delivery mechanism for the Casbaneiro banking trojan, creating a layered and evasive attack strategy designed to bypass traditional security defenses.

The campaign employs highly convincing phishing lures, primarily using dynamic PDF attachments. These PDFs are crafted to appear as legitimate notifications from major financial institutions, shipping companies, or government tax authorities, all written in fluent Spanish. A key technical hallmark of this operation is the use of geolocation filtering. The malicious infrastructure checks the IP address of the recipient. If the connection originates from outside the campaign's target countries—which include Mexico, Spain, Peru, and Portugal—the PDF either displays an error message or benign content, effectively hiding the malicious payload from security researchers and non-targeted regions. This technique improves the campaign's stealth and longevity.

This malicious activity has been attributed by cybersecurity firm Trend Micro to a financially motivated Brazilian cybercrime threat actor tracked under the aliases **Augmented Marauder** and **Water Saci**. The group was first documented by Trend Micro in 2022 and has a known history of targeting Latin American financial institutions. Their tools, including Casbaneiro, are specifically designed to steal online banking credentials and facilitate fraudulent transactions. The trojan employs sophisticated web-injection techniques to modify the content of legitimate banking websites in real time, tricking users into entering sensitive information directly into the attacker-controlled interface.

The combination of geo-targeting, multi-stage payload delivery, and the use of Horabot as an intermediate loader represents a significant escalation in the tactics of this threat group. Organizations, especially those with operations in Spanish- and Portuguese-speaking regions, are urged to enhance user awareness training regarding phishing attempts, particularly those involving PDF and Word document attachments. Security teams should implement advanced email filtering, monitor for network traffic to suspicious domains associated with new malware loaders, and ensure endpoint detection systems are updated to recognize the signatures and behaviors of both Horabot and the Casbaneiro banking trojan.
