What do you do when the file you expect to carry an invoice or a contract instead carries a banking trojan? For organizations and users across Latin America and parts of Europe, that is not a hypothetical anymore. A concerted phishing campaign is using carefully crafted PDF lures to hand off a loader called Horabot, which in turn delivers the Casbaneiro (aka Metamorfo) banking trojan — a malware family long associated with financially motivated e-crime originating in Brazil.
Background: actors, tools and provenance
Security reporting ties the campaign to a Brazilian cybercrime cluster tracked under names such as Augmented Marauder and Water Saci. The group, described as an e-crime actor, was first documented by Trend Micro. Public reporting on the current activity was summarized by The Hacker News, which details a multi-pronged phishing effort focused on Spanish-language recipients in organizations across Latin America and Europe.
Casbaneiro (Metamorfo) is a well-known banking trojan that has appeared in regional campaigns before; it is built to steal credentials and interfere with web sessions to support fraud. Horabot — described in the reporting as a separate piece of malware used in the delivery chain — acts as the intermediary, enabling the final payload to reach targeted Windows systems.
The attack chain: dynamic PDFs, Horabot and the hand-off to Casbaneiro
What sets this campaign apart is its use of “dynamic PDF” lures. Unlike static documents, dynamic PDFs can change content per recipient, include embedded scripts, or contain links that trigger additional downloads. In this campaign, the PDFs serve as the initial social-engineering vector: they appear legitimate to Spanish-speaking audiences and prompt actions that lead to Horabot’s installation. Once Horabot is on a victim machine, it retrieves and executes Casbaneiro, completing the commodity finance-fraud pipeline.
The operational pattern is classic e-crime layering: phishing to gain an initial foothold; a lightweight loader to evade perimeter controls and download the primary trojan; and a banking-oriented payload that performs credential theft and session tampering. The targeting of Spanish-language users across national borders underscores the group’s regional focus and operational reach.
Why this matters: risk, response and the international angle
For technologists, the campaign is a reminder that attackers keep innovating at the edges of trust. PDFs are a near-universal business format, and so abuse of that trust yields high return on investment for criminal groups. The use of an intermediary loader also complicates detection: defenders must identify not one malicious binary, but a chain of small, often ephemeral components.
For policymakers and law enforcement, the episode highlights cross-border challenges. The actors are linked to Brazil, the victims span Latin America and Europe, and the infrastructure often uses rented or compromised cloud and hosting services. Coordinated international investigations and rapid information sharing are essential to disrupt such campaigns and to hold infrastructure providers to account.
For everyday users and corporate employees, the campaign reinforces two simple truths: vigilance about unsolicited documents remains necessary, and multi-layered defenses materially reduce risk. Banking trojans like Casbaneiro directly threaten financial assets and sensitive credentials; they also increase transaction friction for affected institutions and customers.
Practical steps: what defenders and users should do
- Harden email and gateway defenses: apply PDF scanning, block suspicious attachments, and use URL rewriting to inspect links before delivery.
- Limit PDF attack surface: disable JavaScript in PDF readers by policy where feasible, and restrict automatic external content retrieval.
- Layer endpoint protections: deploy behavior-based EDR, enforce least privilege, and maintain timely patching and application control for document viewers and browsers.
- Authentication and transaction controls: require multi-factor authentication for financial systems and monitor for unusual account behavior and rapid funds movement.
- User awareness and reporting: train staff to treat unexpected invoices or legal notices with caution and establish simple reporting paths for suspected phishing.
This campaign is not a singular curiosity; it is an instructive pattern. Criminal groups will continue to weaponize everyday business tools, test international boundaries, and refine chains that hide the real payload behind legitimate-looking intermediaries. If defenders hope to stay ahead, they must treat trust — and the erosion of it — as the primary battlefield. Who, then, will be trusted next?
https://thehackernews.com/2026/04/casbaneiro-phishing-targets-latin.html




