Date: 05/13/2025
Severity: Critical
Summary
A threat actor is distributing the Horabot malware through phishing emails that carry malicious HTML attachments, primarily targeting Spanish-speaking users. The emails pose as invoices; the campaign steals email credentials and spreads banking trojans across Latin America. Horabot uses Outlook COM automation to send further phishing emails from the compromised inbox, which helps it propagate to new victims. It also runs VBScript, AutoIt, and PowerShell for reconnaissance, credential theft, and deployment of additional payloads. Observed targets are located in Mexico, Guatemala, Colombia, Peru, Chile, and Argentina.
Indicators of Compromise (IOC) List

Domains / URLs:
  t4.contactswebaccion.store
  f5.contactswebaccion.space
  labodeguitaup.space
  d1.webcorreio.pics
  updatec.lat

IP addresses:
  209.74.71.168
  93.127.200.211

SHA-256 hashes:
  523d7e9005b2e431068130989caf4a96062a029b50a5455d37a2b88e6d04f83d
  84d77737196ea5a8cb0efd8fc3ea61a878d1e1851cc63bcb1e0868019c71996f
  a885b89bb145dde56f6b63fcbf3560fb7179df43df5d212217ca583405beceb8
  13a5c60a799c104a7bb1ff1489b82031c2ea1ed10712ca019e996fc0e37e9dfa
  2ba471519bed0a5503408fee0593bc13547c88cfb10872a9739c2b1eaa5a287c
  25be06643204fc7386db3af84b200d362c3287b30c7491b666c4fe821a8c6eb4
  5368f9f0994b28295aaf7d7af586d78827a95c6eb359a3921ebaa8d2fe1c98a9
  f7140c28921dcf9ac542965a37b5473432f39b34f00161b6f0c0f8af7c9551a5
  265a11951f6ac1fd1f150d2711e0158a59416dd709759b39904470f44c83272a
  370ccca7392282056f20b45829d0cac92acacfc07ab9699c54b3695649713854
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

Domains / URLs:
  domainname like "labodeguitaup.space" or url like "labodeguitaup.space" or siteurl like "labodeguitaup.space" or
  domainname like "t4.contactswebaccion.store" or url like "t4.contactswebaccion.store" or siteurl like "t4.contactswebaccion.store" or
  domainname like "updatec.lat" or url like "updatec.lat" or siteurl like "updatec.lat" or
  domainname like "f5.contactswebaccion.space" or url like "f5.contactswebaccion.space" or siteurl like "f5.contactswebaccion.space" or
  domainname like "d1.webcorreio.pics" or url like "d1.webcorreio.pics" or siteurl like "d1.webcorreio.pics"

IP addresses:
  dstipaddress IN ("209.74.71.168","93.127.200.211") or srcipaddress IN ("209.74.71.168","93.127.200.211")

SHA-256 hashes:
  sha256hash IN ("84d77737196ea5a8cb0efd8fc3ea61a878d1e1851cc63bcb1e0868019c71996f","a885b89bb145dde56f6b63fcbf3560fb7179df43df5d212217ca583405beceb8","523d7e9005b2e431068130989caf4a96062a029b50a5455d37a2b88e6d04f83d","13a5c60a799c104a7bb1ff1489b82031c2ea1ed10712ca019e996fc0e37e9dfa","2ba471519bed0a5503408fee0593bc13547c88cfb10872a9739c2b1eaa5a287c","25be06643204fc7386db3af84b200d362c3287b30c7491b666c4fe821a8c6eb4","5368f9f0994b28295aaf7d7af586d78827a95c6eb359a3921ebaa8d2fe1c98a9","f7140c28921dcf9ac542965a37b5473432f39b34f00161b6f0c0f8af7c9551a5","265a11951f6ac1fd1f150d2711e0158a59416dd709759b39904470f44c83272a","370ccca7392282056f20b45829d0cac92acacfc07ab9699c54b3695649713854")
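Added illustration, not part of this advisory and not Gurucul's query engine: a Python script that applies the same three IOC checks (domain, IP address, SHA-256) to constructed sample log lines. It assumes a simple space-separated key=value log format and the field names used in the queries above (domainname, url, siteurl, srcipaddress, dstipaddress, sha256hash). Domains are matched on a label boundary, so subdomains of a listed domain hit while an unrelated host that merely contains the string does not, and hashes are compared case-insensitively.

```python
from urllib.parse import urlparse

# IOC values copied from the advisory above.
IOC_DOMAINS = {
    "t4.contactswebaccion.store",
    "f5.contactswebaccion.space",
    "labodeguitaup.space",
    "d1.webcorreio.pics",
    "updatec.lat",
}
IOC_IPS = {"209.74.71.168", "93.127.200.211"}
IOC_SHA256 = {
    "84d77737196ea5a8cb0efd8fc3ea61a878d1e1851cc63bcb1e0868019c71996f",
    "a885b89bb145dde56f6b63fcbf3560fb7179df43df5d212217ca583405beceb8",
    "523d7e9005b2e431068130989caf4a96062a029b50a5455d37a2b88e6d04f83d",
    "13a5c60a799c104a7bb1ff1489b82031c2ea1ed10712ca019e996fc0e37e9dfa",
    "2ba471519bed0a5503408fee0593bc13547c88cfb10872a9739c2b1eaa5a287c",
    "25be06643204fc7386db3af84b200d362c3287b30c7491b666c4fe821a8c6eb4",
    "5368f9f0994b28295aaf7d7af586d78827a95c6eb359a3921ebaa8d2fe1c98a9",
    "f7140c28921dcf9ac542965a37b5473432f39b34f00161b6f0c0f8af7c9551a5",
    "265a11951f6ac1fd1f150d2711e0158a59416dd709759b39904470f44c83272a",
    "370ccca7392282056f20b45829d0cac92acacfc07ab9699c54b3695649713854",
}

# Constructed sample telemetry (key=value format assumed for this example).
# Internal 10.0.0.0/8 and 203.0.113.0/24 addresses are placeholders.
SAMPLE_LOG_LINES = [
    "srcipaddress=10.0.0.15 dstipaddress=93.127.200.211 url=http://93.127.200.211/",
    "domainname=mail.example.com srcipaddress=10.0.0.20 dstipaddress=203.0.113.7",
    "url=https://updatec.lat/ srcipaddress=10.0.0.31 dstipaddress=203.0.113.9",
    "sha256hash=523D7E9005B2E431068130989CAF4A96062A029B50A5455D37A2B88E6D04F83D domainname=host42",
    "domainname=cdn.d1.webcorreio.pics srcipaddress=10.0.0.44",
]


def parse_kv_line(line):
    """Parse one 'key=value key=value' log line into a dict."""
    event = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            event[key] = value
    return event


def host_of(value):
    """Return the lower-cased host from a bare domain or a full URL."""
    value = value.strip().lower()
    if "://" in value:
        return urlparse(value).hostname or ""
    return value.split("/")[0]


def domain_matches(value):
    """True if the host equals an IOC domain or is a subdomain of one.

    Matching on a label boundary means 'cdn.d1.webcorreio.pics' hits but a
    look-alike such as 'notlabodeguitaup.space' does not.
    """
    host = host_of(value)
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def match_event(event):
    """Return the IOC categories hit by one parsed event (empty list = clean)."""
    hits = []
    for field in ("domainname", "url", "siteurl"):
        value = event.get(field)
        if value and domain_matches(value):
            hits.append("domain:" + field)
            break  # one domain hit per event is enough to alert
    for field in ("srcipaddress", "dstipaddress"):
        if event.get(field) in IOC_IPS:
            hits.append("ip:" + field)
    digest = event.get("sha256hash")
    if digest and digest.lower() in IOC_SHA256:
        hits.append("hash")
    return hits


def scan_lines(lines):
    """Return [(line_index, hits)] for every line that matches an IOC."""
    results = []
    for index, line in enumerate(lines):
        hits = match_event(parse_kv_line(line))
        if hits:
            results.append((index, hits))
    return results


if __name__ == "__main__":
    for index, hits in scan_lines(SAMPLE_LOG_LINES):
        print(f"line {index}: {', '.join(hits)} -> {SAMPLE_LOG_LINES[index]}")
```

Running the script prints the four sample lines that match; to use it on real data, replace SAMPLE_LOG_LINES with the exported events and keep parse_kv_line in step with the actual log format. Indicator matches of this kind are point-in-time: the domains and addresses above can be rotated, so they complement rather than replace detections based on the behaviour described in the summary.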
Reference:
https://www.fortinet.com/blog/threat-research/horabot-unleashed-a-stealthy-phishing-threat