Casbaneiro Phishing Hits Latin America & Europe
Michael Miller

A sophisticated phishing campaign uses dynamic PDFs to target Spanish-speaking organizations in Latin America & Europe, deploying the Casbaneiro banking trojan via Horabot malware. Linked to the Brazilian Augmented Marauder group.
Let's talk about a phishing campaign that's got security teams on high alert. It's not your average spam email. This one's sophisticated, targeted, and it's causing real headaches for Spanish-speaking organizations across two continents.
We're seeing a multi-pronged attack that's cleverly designed to slip past traditional defenses. The goal? To deliver nasty Windows banking trojans, primarily one called Casbaneiro. You might also hear it referred to as Metamorfo in some circles.
Here's the tricky part. They're not delivering Casbaneiro directly. Instead, they're using another piece of malware as a delivery vehicle. That malware is called Horabot. Think of it like a Trojan horse within a Trojan horse. It's a layered approach that makes detection much harder.
### Who's Behind This Campaign?
The activity has been firmly attributed to a Brazilian cybercrime threat actor. They're tracked under two names in the security community: Augmented Marauder and Water Saci. This isn't some random script kiddie operation. This is an organized e-crime group with a clear methodology.
They were first documented by security researchers, and their tactics have evolved since then. They understand their targets, and they're patient. That's what makes them dangerous.

### How Does This Phishing Campaign Work?
The initial lure is often a dynamic PDF file. Now, most people see a PDF and think it's safe. That's the psychological trick they're playing. The PDF looks legitimate: it might mimic an invoice, a shipping notice, or an official document from a trusted organization.
Once opened, the PDF contains malicious code or a link that triggers the download of Horabot. From there, Horabot works to establish a foothold and then pulls down the final payload: the Casbaneiro banking trojan.
- The attack starts with a targeted email to Spanish-speaking employees.
- The email contains a link to or an attachment of a dynamic PDF.
- The PDF exploits a vulnerability or tricks the user into enabling content.
- Horabot malware is downloaded and installed silently.
- Horabot then downloads and executes Casbaneiro.
The final stage is where the real financial damage happens. Casbaneiro is designed to steal banking credentials and financial data. It can log keystrokes, hijack banking sessions, and even initiate fraudulent transactions directly from the infected machine.
### Why Should You Care?
If you're operating in or with organizations in Latin America or Europe, this is a direct threat. The attackers are focusing on businesses, not just individuals. They're after bigger payouts. The cost of a single successful breach can run into the tens of thousands of dollars, not to mention the reputational damage.
It's a reminder that our digital defenses need to be multi-layered too. Relying on just an antivirus or a spam filter isn't enough anymore. User training is critical. Teaching teams to be skeptical of unexpected attachments, even PDFs, is a first line of defense.
As one seasoned security analyst put it, 'The most expensive security tool is the one you don't use properly. Awareness is free, and it's often the most effective shield.' We need to build a culture where verifying the source of a document is second nature.
### What Can You Do Right Now?
First, don't panic. Awareness is the first step. Make sure your IT and security teams are aware of this specific campaign's indicators. Update your email filtering rules to be extra cautious with PDF attachments from external sources, especially those targeting Spanish-language departments.
Ensure all systems are patched. Many PDF exploits rely on known vulnerabilities in software like Adobe Reader or web browsers. A simple patch can close the door. Finally, communicate with your team. A quick, clear warning about this specific threat can prevent a costly mistake.
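One way to apply the PDF filtering advice above, as an added example that is not part of the original article: a triage function that flags link and active-content markers in an attachment's raw bytes before delivery. The marker list, verdict names and sample byte strings are assumptions constructed for illustration, not indicators from this campaign.

```python
import re

# Name tokens from the PDF specification that mark links or active content.
MARKERS = ("/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch",
           "/EmbeddedFile", "/XFA", "/URI")
ACTIVE = ("/JavaScript", "/JS", "/Launch", "/EmbeddedFile")
NAME_RE = re.compile(rb"/[^\x00\s/<>\[\](){}%]+")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def normalize_names(data: bytes) -> bytes:
    """Undo #xx escapes inside names, so /J#61vaScript counts as /JavaScript."""
    unhex = lambda m: bytes([int(m.group(1), 16)])
    return NAME_RE.sub(lambda n: HEX_RE.sub(unhex, n.group(0)), data)


def triage_pdf(data: bytes) -> dict:
    """Count marker tokens and list link targets in raw PDF bytes."""
    # Limitation: compressed object streams are not inflated, so markers
    # inside them are missed. A "pass" means no finding, not a clean file.
    if b"%PDF-" not in data[:1024]:
        return {"verdict": "not-pdf", "markers": {}, "uris": []}
    text = normalize_names(data)
    counts = {}
    for marker in MARKERS:
        pattern = re.escape(marker.encode()) + rb"(?![A-Za-z0-9])"
        hits = len(re.findall(pattern, text))
        if hits:
            counts[marker] = hits
    uris = [u.decode("latin-1") for u in URI_RE.findall(data)]
    if any(m in counts for m in ACTIVE):
        verdict = "quarantine"   # script, launch action or embedded file
    elif counts:
        verdict = "review"       # links or auto-run triggers only
    else:
        verdict = "pass"
    return {"verdict": verdict, "markers": counts, "uris": uris}


# Constructed samples (not from the campaign): fragments of PDF syntax.
SAMPLE_LINK = (b"%PDF-1.7\n1 0 obj << /Type /Annot /A << /S /URI "
               b"/URI (https://files.example.test/factura) >> >> endobj\n")
SAMPLE_JS = (b"%PDF-1.7\n1 0 obj << /OpenAction << /S /J#61vaScript "
             b"/JS (placeholder) >> >> endobj\n")
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"

if __name__ == "__main__":
    for blob in (SAMPLE_LINK, SAMPLE_JS, SAMPLE_PLAIN):
        print(triage_pdf(blob))
```

Links are common in legitimate invoices, so the "review" verdict is best combined with sender reputation and a check of the extracted URLs rather than used as a block rule on its own.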
The digital landscape is always changing, and so are the threats. Staying informed, staying patched, and fostering a cautious culture are the best ways to navigate it safely.