
Kaspersky uncovers a new Horabot campaign targeting victims in Mexico

18 March 2026

Kaspersky Managed Detection and Response (MDR) experts have uncovered a targeted campaign involving Horabot, a Brazilian-origin threat that bundles a banking trojan, an email spreader, and a notably complex attack chain. The experts found a webpage exposed by the threat actor that contains a database dating back to May 2025 and shows a total of 5,384 victims, with 93% of them recorded in Mexico.

The initial lure is a fake CAPTCHA page that instructs the victim to open the Run dialog, paste a malicious command into it, and execute it. This action initiates a complex, multi-layered infection chain. The threat uses multiple layers of obfuscation to conceal its behavior, can remove temporary files and terminate selected processes, and leverages tools such as PowerShell and VBScript.

The malware gathers and exfiltrates information, sending the collected data to its own database that lists its victims. The collected data includes IP addresses, operating system information, and location. The malware also contains the Delphi banking trojan, which can display fake pop-ups stored as encrypted resources, prompting victims to enter their banking credentials by abusing well-known bank brands.

Using PowerShell, the threat actor exfiltrates unique email addresses to the C2 and mass-spreads phishing emails with malicious PDF attachments to the filtered addresses on behalf of selected already infected users. The emails ask new victims to click a button in the document to access a “confidential file” or an “invoice”, which eventually triggers the infection.


Examples of Horabot malicious attachments used in the campaign. All of them were edited in Spanish.

“Although Horabot has been detected by the cybersecurity community for several years, the threat remains highly active in 2026. Moreover, the malware continues to evolve and acquire new features, including updates to its encryption and protocol-handling logic. Therefore, it is crucial to keep security solutions up to date in order to stay protected,” says Mateus Salgado, SOC Team Lead at Kaspersky.

Read the full report on Securelist.com to learn more about the new campaign's technical details and IoCs.

To mitigate the risk of threats such as Horabot, Kaspersky recommends that business owners:

  • Augment your existing security controls with human-led detection and global threat intelligence through solutions like Kaspersky Managed Detection and Response (MDR), which cover the entire incident management cycle – from threat identification to continuous protection and remediation.
  • Protect your business from any kind of cybersecurity threat by establishing your own Security Operations Center. Kaspersky has developed a range of consulting services to help you build an SOC from scratch or improve your existing security operations.

Kaspersky experts provided the following recommendations to users:

  • Cybercriminals often distribute fake email messages mimicking notifications from an online store or a bank to lure users into clicking a malicious link and thereby distribute malware. With that in mind, fine-tune your antispam settings and never open attachments sent by an unknown sender.
  • Use a strong security solution on all computers and mobile devices, such as Kaspersky Premium.
  • Look for urgency or threats. Phishing attempts frequently try to create a sense of urgency or fear. Be cautious of emails demanding immediate action, such as changing your password or providing personal information.
  • Be cautious when opening or downloading files received via messengers or emails, as they may be able to execute malware.


About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect individuals, businesses, critical infrastructure, and governments around the globe. The company’s comprehensive security portfolio includes leading digital life protection for personal devices, specialized security products and services for companies, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help millions of individuals and nearly 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
