A new wave of sophisticated phishing campaigns targeting Spanish-speaking users in Latin America has emerged, leveraging weaponized HTML files to deploy the Horabot malware. First identified in April 2025 by Fortinet’s FortiGuard Labs, Horabot combines credential theft, email automation, and banking Trojan capabilities to compromise both corporate and personal networks.

The malware spreads via phishing emails disguised as financial invoices, often titled “Factura Adjunta” (Attached Invoice), and uses a multi-stage payload delivery system involving HTML, VBScript, and PowerShell. The script employs mathematical transformations to decode hidden strings, such as command-and-control (C2) server URLs and PowerShell commands, which are dynamically reconstructed during execution. Fortinet researchers noted that the malware’s ability to blend with legitimate Windows processes, such as leveraging AutoIt scripts and PowerShell for payload decryption, makes it particularly challenging to detect. It queries BIOS and system model strings via Windows Management Instrumentation (WMI) for keywords like “VirtualBox,” “VMware,” or “Hyper-V”.

To establish persistence, Horabot creates hidden files in C:\Users\Public\LAPTOPOQFONEUP, modifies file attributes to “hidden, system, and read-only,” and schedules tasks via PowerShell. Horabot then uses Outlook COM objects to hijack the victim’s email client, sending phishing messages to contacts and propagating laterally.
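The persistence artifacts above (the hidden staging directory, files flagged hidden/system/read-only, and PowerShell-created scheduled tasks) are the pieces a responder can check for directly. The following read-only hunting script is an added example, not code from the article or from Fortinet; the directory path comes from the article, while the matching rules for scheduled tasks (actions that launch powershell.exe or reference the Public profile) are an assumption, since the report does not publish task names.

```powershell
# Added example (not from the article or Fortinet): read-only hunt for the Horabot
# persistence artifacts described in the report. Nothing on the host is modified.

$SuspectDir = 'C:\Users\Public\LAPTOPOQFONEUP'   # staging path named in the article
$Findings   = New-Object System.Collections.Generic.List[string]

# 1. Staging directory and files carrying all three attributes the malware sets.
#    -Force is required so Get-ChildItem returns hidden and system files.
if (Test-Path -LiteralPath $SuspectDir) {
    $Findings.Add("Staging directory present: $SuspectDir")
    Get-ChildItem -LiteralPath $SuspectDir -Force -File -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
            $_.Attributes.HasFlag([IO.FileAttributes]::System) -and
            $_.Attributes.HasFlag([IO.FileAttributes]::ReadOnly)
        } |
        ForEach-Object {
            $Findings.Add(("Hidden/system/read-only file: {0} ({1} bytes, {2})" -f
                $_.FullName, $_.Length, $_.Attributes))
        }
}

# 2. Scheduled tasks whose action launches PowerShell or points into C:\Users\Public.
#    Assumption: the article says tasks are scheduled via PowerShell but gives no task
#    names, so we match on the action command line instead of a fixed name list.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # COM-handler actions have no Execute/Arguments; the join yields an empty string.
        $cmd = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
        if ($cmd -match 'powershell(\.exe)?(\s|$)' -or $cmd -match '\\Users\\Public\\') {
            $Findings.Add(("Scheduled task '{0}{1}' runs: {2}" -f
                $task.TaskPath, $task.TaskName, $cmd))
        }
    }
}

# 3. Report findings for analyst review; legitimate admin tasks may also run PowerShell,
#    so every hit should be confirmed against the task's author and creation time.
if ($Findings.Count -eq 0) {
    Write-Output 'No Horabot persistence indicators found.'
} else {
    Write-Output 'Review the following findings:'
    $Findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it from an elevated PowerShell session so Get-ScheduledTask can enumerate tasks in every folder; the scheduled-task matcher is intentionally broad and will surface benign administrative jobs alongside anything suspicious, which is why the output is a review list rather than a verdict.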
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 15 May 2025 12:09:58 +0000