
In a recent investigation, FortiGuard Labs has exposed a sophisticated phishing campaign distributing the Horabot malware family, a deceptive and potent threat targeting Spanish-speaking users across Latin America. Exploiting familiar business communication—fake invoice emails in Spanish—Horabot blends social engineering with layered scripting techniques to achieve persistence, credential theft, and automated lateral propagation.
According to Fortinet, Horabot “primarily targets Spanish-speaking users” by sending phishing emails that “impersonate invoices or financial documents to trick victims into opening malicious attachments.” These emails, often crafted to look like legitimate correspondence from Mexican businesses, carry a ZIP attachment containing a malicious HTML file. The HTML file embeds Base64-encoded data; once decoded and run, it kicks off a multi-stage infection chain that pulls later stages from remote servers.
The infection chain combines VBScript, AutoIt, and PowerShell to evade detection and deliver payloads. The VBScript stage performs anti-analysis checks, exiting if Avast antivirus is installed or if the host looks like a virtual machine. It then performs reconnaissance, collecting system and network details, and sends them in POST requests to attacker-controlled infrastructure.
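As an added illustration of how such an attachment can be triaged at the mail gateway or by an analyst (example code written for this article, not FortiGuard's tooling and not Horabot code), the Python below unpacks a ZIP in memory, pulls every long Base64 run out of each HTML member, strictly decodes it, and reports decoded content that carries script markers or a URL. The ZIP it inspects is constructed inline around a harmless placeholder that names only a reserved `.invalid` host; the marker list and the 64-character run threshold are assumptions chosen for the example.

```python
"""Triage a ZIP attachment for an HTML file that smuggles a Base64-encoded stage.

Added example for this article, not FortiGuard's tooling and not Horabot code.
The ZIP it inspects is constructed in memory with a harmless placeholder payload.
"""
from __future__ import annotations

import base64
import io
import re
import zipfile

# A run of 64+ Base64 characters is treated as a candidate embedded payload
# (assumption: threshold chosen to skip short tokens such as nonces or hashes).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
URL = re.compile(rb"https?://[^\s'\"<>]+")
# Strings whose presence in decoded data suggests a script stage (assumption:
# a starter list; WScript/CreateObject for VBScript, powershell and AutoIt3 for
# the later stages the report names). Matched against lower-cased data.
SCRIPT_MARKERS = (b"<script", b"wscript", b"createobject", b"powershell", b"autoit3")


def extract_b64_payloads(html: str) -> list[bytes]:
    """Decode every long Base64 run in the HTML; skip runs that fail strict decoding."""
    payloads = []
    for match in B64_RUN.finditer(html):
        try:
            payloads.append(base64.b64decode(match.group(0), validate=True))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return payloads


def triage_zip(zip_bytes: bytes) -> list[dict]:
    """Return one finding per HTML member whose decoded Base64 looks like a dropper."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".html", ".htm")):
                continue
            html = zf.read(info).decode("utf-8", errors="replace")
            for blob in extract_b64_payloads(html):
                lowered = blob.lower()
                urls = [u.decode(errors="replace") for u in URL.findall(blob)]
                markers = [m.decode() for m in SCRIPT_MARKERS if m in lowered]
                if urls or markers:
                    findings.append({"file": info.filename, "bytes": len(blob),
                                     "urls": urls, "markers": markers})
    return findings


def build_sample_zip() -> bytes:
    """Constructed attachment: an invoice-themed HTML page wrapping a Base64 blob.

    The blob decodes to an inert snippet that only names a reserved .invalid host.
    """
    inner = b"<script>var u='http://example.invalid/stage2';/* WScript stand-in */</script>"
    html = ("<html><body><p>Factura adjunta</p>"
            f"<div id='d'>{base64.b64encode(inner).decode()}</div></body></html>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("factura.html", html)
        zf.writestr("readme.txt", "no payload here")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding)
```

In production the same logic would run on the raw attachment bytes pulled from the gateway; strict decoding (`validate=True`) matters because HTML smuggling pages often split or pad the blob to defeat naive decoders, and a run that fails to decode is still worth surfacing as a separate, lower-confidence signal.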

AutoIt scripting plays a central role in decrypting and executing payloads. The malware downloads the legitimate AutoIt interpreter and compiler, AutoIt3.exe and Aut2Exe.exe, alongside obfuscated payloads. Using a hard-coded key (99521487), it decrypts a malicious DLL and executes it through AutoIt, and it marks the dropped files so that “the attributes of these critical files [are] hidden, system, and read-only.” Files carrying that combination do not appear in a default Explorer view or a plain `dir` listing, so responders hunting for them should use `dir /a` or `Get-ChildItem -Force`.
Once active, Horabot’s decrypted DLL exfiltrates valuable information, including operating system details, installed antivirus products, and sensitive browser data from Chromium-based browsers such as Chrome, Edge, Brave, and Opera. The malware can also display fake pop-up windows that phish for login credentials; these overlays are embedded as resources in the DLL’s RCData section, so the phishing UI ships inside the already-loaded DLL and needs no further download to appear.
What makes Horabot particularly dangerous is its ability to propagate through the victim’s Outlook client. Fortinet explains that Horabot “leverages Outlook COM automation to send phishing messages from the victim’s mailbox,” allowing it to spread to the victim’s corporate and personal contacts. Because the messages leave through the real client and the victim’s own account, they carry a trusted sender and pass the sender-authentication checks (SPF, DKIM) that would stop a spoofed copy.
This email automation filters out domains such as Gmail, Hotmail, and .edu, skipping consumer accounts and academic institutions and focusing on enterprise contacts. It builds the phishing emails from pre-written Spanish-language templates and attaches the same malicious invoice ZIP, preserving the look of routine business correspondence.
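Because the malware sends from the victim’s own mailbox, gateway and mail-server logs are the place to catch it. The Python below is an added example (not Fortinet’s detection content): it parses constructed outbound-mail log lines, keeps only messages that fit the described lure (Spanish invoice subject, ZIP attachment, recipient outside Gmail, Hotmail and .edu), and alerts on any sender whose matching mail reached three or more distinct recipient domains within ten minutes. The log format, sample lines, domain names, keyword list, window and threshold are all assumptions made for the example.

```python
"""Flag a mailbox that is mass-mailing invoice lures, the propagation pattern described above.

Added example for this article, not Fortinet's detection content. The log format,
the sample lines and the thresholds are assumptions made for the illustration.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# One outbound message per line (assumed gateway format, constructed for the example).
LINE = re.compile(
    r'(?P<ts>\S+) sender=(?P<sender>\S+) rcpt=(?P<rcpt>\S+) '
    r'subj="(?P<subj>[^"]*)" att=(?P<att>\S*)'
)
# Recipients the report says Horabot skips: consumer webmail and academic domains.
SKIPPED_DOMAINS = {"gmail.com", "hotmail.com"}
SKIPPED_SUFFIXES = (".edu",)
# Spanish invoice / payment words used in the lures (assumption: starter list, extend per tenant).
LURE_WORDS = re.compile(r"\b(factura|comprobante|pago)\b", re.IGNORECASE)

# Constructed sample: one mailbox fans a ZIP "factura" out to four contacts within
# seconds, another user sends ordinary mail. Domains use the reserved .example TLD.
SAMPLE_LOG = """\
2024-05-06T09:00:01 sender=ana@empresa-a.example rcpt=compras@proveedor-b.example subj="Factura pendiente de pago" att=factura.zip
2024-05-06T09:00:03 sender=ana@empresa-a.example rcpt=pagos@cliente-c.example subj="Factura pendiente de pago" att=factura.zip
2024-05-06T09:00:04 sender=ana@empresa-a.example rcpt=juan@gmail.com subj="Factura pendiente de pago" att=factura.zip
2024-05-06T09:00:06 sender=ana@empresa-a.example rcpt=facturacion@socio-d.example subj="Factura pendiente de pago" att=factura.zip
2024-05-06T09:30:00 sender=luis@empresa-a.example rcpt=compras@proveedor-b.example subj="Factura de mayo" att=factura.pdf
2024-05-06T09:31:00 sender=luis@empresa-a.example rcpt=ventas@otro-e.example subj="Reunion del jueves" att=
"""


@dataclass
class Msg:
    ts: datetime
    sender: str
    rcpt: str
    subj: str
    att: str

    @property
    def rcpt_domain(self) -> str:
        return self.rcpt.rsplit("@", 1)[-1].lower()


def parse(lines: str) -> list[Msg]:
    """Parse log lines; silently skip lines that do not match the assumed format."""
    msgs = []
    for line in lines.splitlines():
        m = LINE.match(line.strip())
        if m:
            msgs.append(Msg(datetime.fromisoformat(m["ts"]), m["sender"],
                            m["rcpt"], m["subj"], m["att"]))
    return msgs


def matches_lure(msg: Msg) -> bool:
    """Invoice-themed subject, ZIP attachment, recipient outside the domains Horabot avoids."""
    d = msg.rcpt_domain
    if d in SKIPPED_DOMAINS or d.endswith(SKIPPED_SUFFIXES):
        return False
    return msg.att.lower().endswith(".zip") and bool(LURE_WORDS.search(msg.subj))


def detect_bursts(lines: str, window: timedelta = timedelta(minutes=10),
                  min_domains: int = 3) -> dict[str, int]:
    """Map sender -> largest number of distinct recipient domains hit by lure-like
    mail inside any span of length `window`; only senders reaching `min_domains`
    are returned."""
    by_sender: dict[str, list[Msg]] = defaultdict(list)
    for msg in parse(lines):
        if matches_lure(msg):
            by_sender[msg.sender].append(msg)
    alerts: dict[str, int] = {}
    for sender, msgs in by_sender.items():
        msgs.sort(key=lambda m: m.ts)
        start = 0
        for end in range(len(msgs)):  # sliding window over time-ordered messages
            while msgs[end].ts - msgs[start].ts > window:
                start += 1
            domains = {m.rcpt_domain for m in msgs[start:end + 1]}
            if len(domains) >= min_domains:
                alerts[sender] = max(alerts.get(sender, 0), len(domains))
    return alerts


if __name__ == "__main__":
    print(detect_bursts(SAMPLE_LOG))
```

The filter deliberately mirrors the malware’s own targeting (consumer and academic recipients are dropped before counting) so the alert fires on the fingerprint the report describes rather than on a finance clerk who legitimately mails invoices to a few customers; tune the window and domain threshold to the sending volume normal for the tenant.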
After delivering its payload and sending the phishing emails, Horabot removes traces of its presence: the script “a6” cleans up artifacts and deletes the dropped payloads, leaving minimal forensic evidence behind, a hallmark of professional malware operations. Responders should therefore rely on centrally collected telemetry (EDR process events, mail-server and gateway logs) rather than on what remains on the host’s disk.
Organizations should tighten email filtering, in particular quarantining ZIP attachments that contain HTML files; monitor script execution behavior, such as wscript.exe or powershell.exe launched from user-writable directories and the presence of AutoIt3.exe on endpoints that have no reason to run it; watch for unexpected processes automating Outlook; and train employees to be skeptical of unexpected attachments, even those that appear to come from trusted senders.