A new wave of sophisticated phishing campaigns targeting Spanish-speaking users in Latin America has emerged, leveraging weaponized HTML files to deploy the Horabot malware.
First identified in April 2025 by Fortinet’s FortiGuard Labs, Horabot combines credential theft, email automation, and banking Trojan capabilities to compromise both corporate and personal networks.
The malware spreads via phishing emails disguised as financial invoices, often titled “Factura Adjunta” (Attached Invoice), and uses a multi-stage payload delivery system involving HTML, VBScript, and PowerShell.
.png
)
The attack begins with a ZIP attachment containing a malicious HTML file (Figure 3). When opened, the HTML decodes a Base64-embedded URL (hxxps://t4.contactswebaccion.store/0704/) that redirects to a JavaScript-driven download page.
.webp)
This script automatically fetches a second ZIP archive, ADJUNTOS_23042025.zip, which deploys a heavily obfuscated HTA file.
Horabot then uses Outlook COM objects to hijack the victim’s email client, sending phishing messages to contacts and propagating laterally.
Fortinet researchers noted that the malware’s ability to blend with legitimate Windows processes-such as leveraging AutoIt scripts and PowerShell for payload decryption-makes it particularly challenging to detect.
Stealthy Execution and Evasion Techniques
A critical component of Horabot’s success lies in its evasion mechanisms, orchestrated through a custom VBScript.
.webp)
The script employs mathematical transformations to decode hidden strings, such as command-and-control (C2) server URLs and PowerShell commands, which are dynamically reconstructed during execution.
The function detRBFJ_11 processes pairs of characters from an encoded string, subtracting ASCII values and reconstructing payloads.
This technique allows Horabot to evade static analysis tools that rely on signature-based detection.
The malware further avoids execution in sandboxed environments by checking for virtualization artifacts. It queries BIOS and system model strings via Windows Management Instrumentation (WMI) for keywords like “VirtualBox,” “VMware,” or “Hyper-V”.
If detected, the script terminates. Similarly, it checks for the presence of Avast Antivirus by verifying the folder C:\Program Files\Avast Software and halts if found.
To establish persistence, Horabot creates hidden files in C:\Users\Public\LAPTOPOQFONEUP, modifies file attributes to “hidden, system, and read-only,” and schedules tasks via PowerShell.
One notable tactic involves converting an AutoIt script (winupdate_version_758.gif) into a compiled .a3x file to decrypt an encrypted payload (winupdate_version_535.ia).
.webp)
The final stage injects a banking Trojan designed to overlay fake login forms on legitimate banking sites, capturing credentials.
Horabot exemplifies the escalating sophistication of phishing campaigns in 2025, blending social engineering with technical obfuscation.
.webp)
Its reliance on trusted tools like Outlook and PowerShell complicates detection, underscoring the need for proactive defense strategies.
Fortinet’s protections, including signatures like HTML/Phishing.683A!tr and Autolt/Agent.HA!tr, already block these threats.
However, organizations must prioritize user education and monitor for anomalous HTML or script executions to mitigate risks effectively.
How SOC Teams Save Time and Effort with ANY.RUN - Live webinar for SOC teams and managers
