Casbaneiro Phishing Targets Latin America and Europe

Basically, hackers are tricking people into opening fake court documents to steal their banking info.
A new phishing campaign is targeting Spanish-speaking users in Latin America and Europe, delivering banking trojans via dynamic PDFs. This sophisticated attack employs social engineering tactics to compromise victims. Users should remain vigilant and take precautions against such threats.
What Happened
A multi-pronged phishing campaign has emerged, targeting Spanish-speaking users in organizations across Latin America and Europe. This campaign aims to deliver Windows banking trojans, specifically Casbaneiro (also known as Metamorfo), through another piece of malware called Horabot. The Brazilian cybercrime group behind this operation is tracked under the aliases Augmented Marauder and Water Saci. They have been active since at least October 2025, employing various tactics to compromise users.
The attack begins with a phishing email that uses court-summons-themed messages to lure victims into opening a password-protected PDF attachment. The PDF contains a link that directs users to a malicious site, triggering the download of a ZIP archive. This archive executes interim HTML Application (HTA) and VBS payloads designed to check the victim's environment for security software and download further malicious components.
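A mail-gateway triage check for the lure described above (court-summons wording plus a password-protected PDF attachment), as an added example that is not part of the original report. The keyword list, the sample message and the verdict names are assumptions constructed for illustration, not indicators from this campaign.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed Spanish legal-lure terms; constructed for this example, not IoCs from the report.
LURE_TERMS = ("citación", "citacion", "juzgado", "demanda judicial")

def pdf_is_encrypted(data: bytes) -> bool:
    """Heuristic: a PDF whose trailer or xref-stream dictionary has an /Encrypt entry."""
    return b"%PDF-" in data[:1024] and b"/Encrypt" in data

def triage(raw: bytes) -> dict:
    """Score one RFC 5322 message for the encrypted-PDF summons lure."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = f"{msg['Subject'] or ''} {body.get_content() if body else ''}".lower()
    locked = [
        part.get_filename() or "(unnamed)"
        for part in msg.iter_attachments()
        if pdf_is_encrypted(part.get_payload(decode=True) or b"")
    ]
    themed = any(term in text for term in LURE_TERMS)
    # An encrypted PDF alone is worth a look; combined with legal wording, quarantine.
    verdict = "quarantine" if locked and themed else "review" if locked else "pass"
    return {"verdict": verdict, "encrypted_pdfs": locked, "legal_theme": themed}

def build_sample(encrypted: bool) -> bytes:
    """Constructed test message with a minimal (non-renderable) PDF skeleton."""
    trailer = b"trailer\n<< /Root 1 0 R" + (b" /Encrypt 2 0 R" if encrypted else b"") + b" >>\n"
    pdf = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n" + trailer + b"%%EOF\n"
    msg = EmailMessage()
    msg["From"] = "notificaciones@example.com"
    msg["To"] = "usuario@example.org"
    msg["Subject"] = "Citación judicial pendiente"
    msg.set_content("Adjuntamos la citación del juzgado. Revise el documento.")
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="citacion.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    for flag in (True, False):
        print(triage(build_sample(flag)))
```

Because scanners cannot read the contents of an encrypted PDF, the check keys on the presence of encryption itself rather than on the link inside the document.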
Who's Being Targeted
The primary targets of this campaign are Spanish-speaking users across various organizations in Latin America and Europe. The attackers leverage WhatsApp and email as their primary delivery mechanisms. By using script-based WhatsApp automation, they can effectively compromise retail and consumer users while also targeting enterprise environments through sophisticated email hijacking techniques.
This dual approach allows the attackers to maximize their reach and effectiveness. The use of dynamic PDF generation and ClickFix social engineering tactics demonstrates their adaptability and innovation in bypassing modern security measures.
Signs of Infection
Victims may notice several signs indicating a potential infection. These include receiving unexpected emails with court summons attachments, unusual activity in their email accounts, or the presence of unknown files on their systems. The VBS script used in this campaign performs checks for antivirus software, which can indicate a more sophisticated threat.
Additionally, the malware can propagate itself by sending phishing emails from compromised accounts, making it harder for victims to recognize the threat. Users should be vigilant about any suspicious emails or attachments, especially those that seem to come from trusted contacts.
How to Protect Yourself
To safeguard against this phishing campaign, users should take several proactive measures:
- Do not open unexpected email attachments, especially those that are password-protected.
- Verify the sender's email address before clicking on any links or downloading files.
- Use updated antivirus software to help detect and block malware.
- Educate yourself and your team about phishing tactics and how to recognize suspicious communications.
By implementing these strategies, individuals and organizations can significantly reduce their risk of falling victim to this evolving threat. The integration of multiple attack vectors by the Augmented Marauder group highlights the importance of staying informed and vigilant in cybersecurity practices.