In April 2025, FortiGuard Labs observed a threat actor using phishing emails with malicious HTML files to spread Horabot, malware that primarily targets Spanish-speaking users. Horabot is known for using crafted emails that impersonate invoices or financial documents to trick victims into opening malicious attachments. It can steal email credentials, harvest contact lists, and install banking trojans.
Horabot leverages Outlook COM automation to send phishing messages from the victim’s mailbox, enabling it to propagate laterally within corporate or personal networks. The threat actor also used a combination of VBScript, AutoIt, and PowerShell to perform system reconnaissance, steal credentials, and install additional payloads. Based on the telemetry gathered by FortiGuard Labs, these attacks target users in Latin America, including Mexico, Guatemala, Colombia, Peru, Chile, and Argentina.
Link to full report: IR-25-133-001_Horabot.pdf