Casbaneiro Phishing Targets Latin America and Europe Using Dynamic PDF Lures
TL;DR
A Brazilian cybercrime group known as Augmented Marauder (or Water Saci) is deploying a sophisticated multi-pronged phishing campaign. By utilizing an "email-hijacking engine" and dynamic PDF generation, the group is spreading the Casbaneiro banking trojan and Horabot malware across Latin America and Europe, specifically targeting Spanish-speaking users through judicial-themed social engineering.
Overview of the "Augmented Marauder" Threat
Recent technical analysis from BlueVoyant highlights the evolution of a Brazilian e-crime group tracked as Augmented Marauder (also known as Water Saci). First documented by Trend Micro in October 2025, this group has transitioned from simple retail fraud to a highly coordinated infrastructure capable of penetrating enterprise perimeters.
The group employs a bifurcated attack model:
- Consumer Targeting: Leveraging script-based WhatsApp automation to spread malware in a worm-like fashion.
- Enterprise Targeting: Utilizing advanced email hijacking and "ClickFix" social engineering tactics to compromise organizations in Latin America and Europe.
The Attack Lifecycle: From Phishing to Payload
The campaign begins with a phishing email featuring a sense of urgency—typically a Spanish court summons. To bypass initial security filters, the attackers include a password-protected PDF attachment.
1. Initial Infection Vector
Once a victim opens the PDF and clicks the embedded link, a sequence of events is triggered:
- A ZIP archive is automatically downloaded.
- The archive contains an HTML Application (HTA) and VBS payloads.
- The VBS script performs anti-analysis environment checks, specifically looking for security software like Avast antivirus.
2. Multi-Stage Loading
If the environment checks pass, the script retrieves next-stage payloads from a remote server. These payloads include AutoIt-based loaders, which extract and execute encrypted files (using .ia or .at extensions). This process ultimately launches two distinct malware families:
- Casbaneiro (aka Metamorfo): A Delphi-based Windows banking trojan (launched as staticdata.dll).
- Horabot: A propagation and account-hijacking tool (launched as at.dll).
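The chain above (HTA and VBS dropped from an archive, a script host spawning an AutoIt loader, and encrypted stages with .ia or .at extensions) is visible in ordinary process-creation telemetry. The following is an added detection example, not code from the article or from BlueVoyant: it runs a few hunting rules over constructed sample events in a hypothetical key=value log format and reports which hosts show more than one link of the chain. The field names, the staging-directory list and the rule names are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample process-creation events (not real telemetry). The
# key=value layout is a hypothetical format, not any vendor's schema.
SAMPLE_EVENTS = [
    'ts=2025-10-02T09:14:03Z host=ws01 user=ana parent=userinit.exe image=C:\\Windows\\explorer.exe cmdline="explorer.exe"',
    'ts=2025-10-02T09:15:10Z host=ws01 user=ana parent=explorer.exe image=C:\\Windows\\System32\\mshta.exe cmdline="mshta.exe C:\\Users\\ana\\AppData\\Local\\Temp\\Temp1_citacion.zip\\citacion.hta"',
    'ts=2025-10-02T09:15:12Z host=ws01 user=ana parent=mshta.exe image=C:\\Windows\\System32\\wscript.exe cmdline="wscript.exe //B C:\\Users\\ana\\AppData\\Local\\Temp\\loader.vbs"',
    'ts=2025-10-02T09:15:30Z host=ws01 user=ana parent=wscript.exe image=C:\\Users\\Public\\autoit3.exe cmdline="autoit3.exe C:\\Users\\Public\\run.a3x C:\\Users\\Public\\payload.ia"',
    # Benign: a logon script run by wscript from an admin-managed path.
    'ts=2025-10-02T10:01:00Z host=ws02 user=luis parent=explorer.exe image=C:\\Windows\\System32\\wscript.exe cmdline="wscript.exe C:\\Scripts\\logon.vbs"',
]

# Windows script hosts that the article's HTA/VBS stages run under.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}

# key=value pairs, where the value is either "quoted" or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Directories where archive extraction and downloads usually land (assumed list).
STAGING_DIR_RE = re.compile(r"\\(?:temp|downloads|inetcache)\\", re.IGNORECASE)
# The encrypted next-stage extensions named in the article (.ia / .at).
ENCRYPTED_STAGE_RE = re.compile(r'\.(?:ia|at)(?=\s|"|$)', re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict (quoted or bare values)."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Last path component, lower-cased, for Windows or POSIX separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of every hunting rule the event matches."""
    image = basename(event.get("image", ""))
    parent = basename(event.get("parent", ""))
    cmdline = event.get("cmdline", "")
    low = cmdline.lower()
    hits: List[str] = []
    # Rule 1: a script host executing an .hta/.vbs from a staging directory.
    if image in SCRIPT_HOSTS and STAGING_DIR_RE.search(cmdline) and (".hta" in low or ".vbs" in low):
        hits.append("script_host_from_staging_dir")
    # Rule 2: one script host spawning another (HTA -> VBS hand-off).
    if image in SCRIPT_HOSTS and parent in SCRIPT_HOSTS:
        hits.append("script_host_chain")
    # Rule 3: a script host launching an AutoIt interpreter.
    if parent in SCRIPT_HOSTS and image.startswith("autoit"):
        hits.append("autoit_from_script_host")
    # Rule 4: an encrypted stage with the .ia or .at extension on the command line.
    if ENCRYPTED_STAGE_RE.search(cmdline):
        hits.append("encrypted_stage_extension")
    return hits


def hunt(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run every rule over every line; yield (host, timestamp, rule) findings."""
    findings: List[Tuple[str, str, str]] = []
    for line in lines:
        event = parse_event(line)
        for rule in evaluate(event):
            findings.append((event.get("host", "?"), event.get("ts", "?"), rule))
    return findings


def hosts_with_chain(findings: List[Tuple[str, str, str]], min_rules: int = 2) -> List[str]:
    """Hosts on which at least `min_rules` distinct rules fired: a single
    wscript launch is noise, several links of the chain on one host is not."""
    by_host: Dict[str, set] = {}
    for host, _, rule in findings:
        by_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in by_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for host, ts, rule in results:
        print(f"{ts} {host} {rule}")
    print("hosts showing the loader chain:", hosts_with_chain(results))
```

The per-host aggregation is the important design choice: each rule on its own (wscript.exe running a .vbs, a file with an odd extension) will fire on legitimate administration, but a script host reading from an extracted-archive path, then spawning another script host, then spawning an AutoIt interpreter with a .ia argument on the same machine within seconds is the sequence the article describes and is worth an alert.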
Dynamic Propagation: The Horabot Engine
What sets this campaign apart is the sophisticated use of the Horabot malware. Rather than being a passive payload, Horabot serves as a propagation engine:
- Email Hijacking: Horabot harvests contact lists from Microsoft Outlook and targets accounts from Yahoo, Live, and Gmail.
- Dynamic PDF Generation: Casbaneiro contacts a Command-and-Control (C2) server to fetch a PowerShell script. This script sends a POST request to a remote PHP API, which dynamically generates a bespoke password-protected PDF for each new target.
- The "ClickFix" Tactic: In some variations, the group utilizes "ClickFix" social engineering—duping users into executing malicious code under the guise of fixing browser or document display errors.
Ongoing Innovation in the Threat Landscape
The Brazilian operators have demonstrated significant agility. By maintaining a dual-path infrastructure—using WhatsApp for retail targets and an email-centric engine for enterprises—they are able to bypass modern security controls.
"The integration of ClickFix social engineering, alongside dynamic PDF generation and WhatsApp automation, demonstrates an agile adversary that is continually innovating," noted BlueVoyant researchers Thomas Elkins and Joshua Green.
Conclusion
The Augmented Marauder campaign proves that regional banking trojans are no longer "simple" threats. By combining dynamic document generation with automated propagation via WhatsApp and Outlook, this group has built a resilient and dangerous delivery mechanism. Organizations with Spanish-speaking staff in Latin America and Europe should remain highly vigilant against judicial-themed phishing and unusual HTA executions.
Source: The Hacker News - Casbaneiro Phishing Targets Latin America and Europe Using Dynamic PDF Lures