Horabot Banking Trojan Resurfaces in Mexico with Phishing Tactics
Basically, a sneaky piece of malware is tricking people in Mexico into infecting themselves so it can steal their bank info.
The Horabot banking trojan is back, targeting users in Mexico with clever phishing tactics. Infected machines become phishing relays, increasing the threat. Awareness and proactive measures are essential to combat this layered attack.
What Happened
A notorious banking trojan, Horabot, has re-emerged in Mexico, launching a sophisticated campaign that combines multi-stage infection techniques with an email worm. This malware not only targets users but also turns infected machines into phishing relays, amplifying its reach. The attack begins deceptively with a fake CAPTCHA page, prompting users to execute a malicious command that triggers the infection chain. By using social engineering instead of exploiting software flaws, the attackers turn victims into unwitting accomplices.
Securelist analysts uncovered this campaign after detecting unusual mshta execution alerts within a monitored environment. Their investigation revealed a fake CAPTCHA page linked to an extensive attack chain. They discovered that 5,384 machines had been compromised, with an overwhelming 93% located in Mexico, indicating a focused regional attack. This campaign has been active since at least May 2025, showcasing the attackers' persistence and planning.
Who's Being Targeted
The primary targets of this campaign are users in Mexico, particularly those who may be susceptible to phishing attacks. The phishing emails crafted by the worm masquerade as fake invoices or confidential business documents, specifically designed to deceive Mexican recipients. The trojan, also known as Casbaneiro, Ponteiro, and Metamorfo, employs fake bank overlays to steal sensitive login credentials during banking sessions.
The attackers demonstrate a clear connection to Brazil, as evidenced by comments in the PowerShell code written in Brazilian Portuguese. This regional targeting, coupled with the language used in the phishing emails, suggests a well-planned operation tailored to Mexican victims.
Signs of Infection
Signs of a Horabot infection can be subtle but alarming. Victims may notice unusual activities, such as unexpected emails being sent from their accounts or strange pop-ups during online banking sessions. The trojan employs a multi-stage infection mechanism, where each phase obscures the malware’s true intent. After the initial execution of a malicious HTA file, a JavaScript loader is fetched from an attacker-controlled domain, leading to further obfuscation and the eventual deployment of the banking trojan.
Security teams should remain vigilant for suspicious mshta activities and monitor for any unauthorized access to user accounts. The trojan's ability to harvest contacts from the victim's inbox and send out phishing emails significantly increases the risk of wider infection.
How to Protect Yourself
To safeguard against the Horabot banking trojan, users and organizations should implement several proactive measures. Blocking the execution of HTA files from untrusted sources is crucial, as is monitoring for suspicious activities linked to mshta. Deploying YARA rules for both the Horabot trojan and its AutoIT loader can help detect infections early.
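The mshta-centred detection mentioned here and under "Signs of Infection" can be expressed as a small rule over process-creation telemetry. The following Python is an added example, not code from Securelist or the article; the event records are constructed Sysmon-style samples, the domain is a placeholder, and it assumes the user-executed command invokes mshta against a remote URL or a downloaded HTA.

```python
import os
import re

# Constructed Sysmon-style process-creation records (Event ID 1); not real telemetry.
SAMPLE_EVENTS = [
    # 1. Fake-CAPTCHA pattern: user-run command makes mshta pull a remote HTA.
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://captcha-check.example/verify.hta"},   # placeholder domain
    # 2. HTA attachment opened from the mail client and staged under Temp.
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\ana\AppData\Local\Temp\factura_4521.hta"},
    # 3. Internally deployed HTA run from Program Files: treated as benign here.
    {"parent": r"C:\Program Files\InternalTools\launcher.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\InternalTools\dashboard.hta"},
    # 4. Unrelated process, must not be flagged.
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --profile-directory=Default"},
]

REMOTE_RE = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Downloads|Temp|Public)\\", re.IGNORECASE)
DOC_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "acrord32.exe",
               "chrome.exe", "msedge.exe", "firefox.exe"}

def basename(path):
    # Normalise Windows separators so the rule also runs on a non-Windows SIEM host.
    return os.path.basename(path.replace("\\", "/")).lower()

def classify(event):
    # Return the reasons an mshta launch looks like the Horabot chain (empty if none).
    reasons = []
    if basename(event["image"]) != "mshta.exe":
        return reasons
    parent, cmd = basename(event["parent"]), event["cmdline"]
    if REMOTE_RE.search(cmd):
        reasons.append("mshta given a remote URL (fake-CAPTCHA command pattern)")
    if USER_WRITABLE_RE.search(cmd):
        reasons.append("HTA run from a user-writable staging directory")
    if parent in DOC_PARENTS:
        reasons.append(f"mshta spawned by {parent} (attachment or browser launch)")
    return reasons

def scan(events):
    # Map event index to its reasons for every event that should raise an alert.
    return {i: r for i, e in enumerate(events) if (r := classify(e))}
```

Calling `scan(SAMPLE_EVENTS)` flags events 1 and 2 and leaves the local HTA and the browser launch alone; tune `USER_WRITABLE_RE` and `DOC_PARENTS` to the paths and parents seen in your own environment.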
Additionally, users should receive training on recognizing fake CAPTCHA lures and the dangers of malicious PDF attachments. Keeping software up to date and using robust endpoint protection can also mitigate risks. Lastly, organizations should maintain a network blocklist of known attacker-controlled domains to prevent further infections.