How to uncover a Horabot campaign and detect this malware

Published 18/03/2026 11:15 · Modified 18/03/2026 16:52

Essential information

Published
18/03/2026 11:15
Modified
18/03/2026 16:52
Tags
2026-03-18 autoit banking trojan brazil casbaneiro delphi email spreader horabot metamorfo mexico multi-stage attack ponteiro powershell zusy
Related entities
22 observables, 1 intrusion sets (apt), 19 techniques (mitre), 5 malware, 12 others

Description

This report details the discovery and analysis of a malware campaign primarily targeting Mexican users. The attack chain begins with a fake CAPTCHA page that leads through multiple stages of obfuscated scripts, ultimately delivering an loader and a -based . The malware employs sophisticated encryption techniques, anti-VM checks, and a custom protocol for C2 communication. It also includes a spreader component written in that harvests and exfiltrates email addresses in order to distribute phishing emails. The analysis finds Brazilian Portuguese comments in the code, suggesting the threat actor's origin. The report provides detection opportunities, including YARA rules and hunting queries, to identify this threat.

External references