The Reveal Platform
Intel Name: Horabot unleashed: a stealthy phishing threat
Date of Scan: May 13, 2025
Impact: High
Summary: A threat actor has been using phishing emails with malicious HTML attachments to distribute Horabot malware, primarily targeting Spanish-speaking users. The campaign impersonates invoices to steal email credentials and spread banking trojans across Latin America. Horabot uses Outlook COM automation to send phishing emails from compromised inboxes, aiding lateral movement. It also executes VBScript, AutoIt, and PowerShell for reconnaissance, credential theft, and deploying additional payloads. These attacks target users in Latin America, including Mexico, Guatemala, Colombia, Peru, Chile, and Argentina.
