Kaspersky Managed Detection and Response (MDR) experts have uncovered a targeted campaign involving Horabot, a Brazilian-origin threat that bundles a banking trojan, an email spreader, and a notably complex attack chain. A webpage exposed by the threat actor was found to contain a database dating back to May 2025, listing a total of 5,384 victims, 93% of them recorded in Mexico.
The initial lure is a fake CAPTCHA page that instructs the victim to open the Run dialog, paste a malicious command into it, and execute it. This action initiates a complex, multi-layered infection chain. The threat uses multiple layers of obfuscation to conceal its behavior, can remove temporary files and terminate selected processes, and leverages tools such as PowerShell and VBScript.
The malware gathers information and exfiltrates it to its own database, which lists its victims. The collected data includes IP addresses, operating system information, and location. The malware also contains a Delphi banking trojan, which can display fake pop-ups, stored as encrypted resources, that abuse well-known bank brands to prompt victims to enter their banking credentials.
Using PowerShell, the threat actor exfiltrates unique email addresses to the C2 and mass-sends phishing emails with malicious PDF attachments to the filtered addresses on behalf of selected, already infected users. The emails ask new victims to click a button in the document to access a “confidential file” or an “invoice”, which eventually triggers the infection.

Examples of Horabot malicious attachments used in the campaign. All of them were edited in Spanish.
“Although Horabot has been detected by the cybersecurity community for several years, the threat remains highly active in 2026. Moreover, the malware continues to evolve and acquire new features, including updates to its encryption and protocol-handling logic. Therefore, it is crucial to keep security solutions up to date in order to stay protected,” says Mateus Salgado, SOC Team Lead at Kaspersky.