Kaspersky SOC uncovered and analyzed a complex Horabot campaign in Mexico. In this article we share insights into how it is unleashed and how to hunt for this threat.

Securelist is a cybersecurity blog and research platform operated by Kaspersky Lab. It offers insights, analysis, and reports on cybersecurity threats, vulnerabilities, and malware campaigns. Developers can learn about emerging cyber threats, security best practices, and mitigation strategies to protect their applications and systems. Additionally, Securelist provides insights into cybersecurity trends, threat intelligence, and industry developments, offering resources for cybersecurity professionals.

Securelist

Kaspersky's MDR team uncovered an active Horabot campaign targeting Mexico, with over 5,000 victims identified. The attack chain begins with a fake CAPTCHA page using a ClickFix-style lure, progresses through multiple polymorphic VBScript and HTA stages, and ultimately deploys a Delphi banking Trojan (Casbaneiro/Ponteiro) via AutoIt. The Trojan uses a stateful XOR-subtraction cipher for C2 communication, displays fake banking overlays to steal credentials, and includes a PowerShell-based email spreader that harvests MAPI contacts and mass-distributes phishing emails. The post details the full kill chain, decryption routines in Python, a Suricata network detection rule, YARA rules for the AutoIt loader and Delphi DLL, and VirusTotal/URLScan hunting queries.

How we uncovered a Horabot campaign and how you can detect this malware

Detection engineering and threat hunting opportunities