A new phishing campaign is targeting Spanish-speaking users in Latin America. Cybercriminals are using harmful HTML files to deliver a malware strain known as Horabot.
Security experts at Fortinet’s FortiGuard Labs first identified Horabot in April 2025. The malware combines features for stealing credentials, sending automated emails, and acting as a banking Trojan. It can affect both business and personal devices.
How the Attack Works
The malware spreads through phishing emails disguised as financial invoices. These emails are usually titled “Factura Adjunta” (Attached Invoice) and carry a ZIP file attachment containing a malicious HTML file.
When opened, the HTML file decodes a hidden Base64 URL that redirects the user to a JavaScript-based download page. This script automatically downloads a second ZIP file named ADJUNTOS_23042025.zip, which contains a heavily disguised HTA file.
Once activated, Horabot uses Microsoft Outlook tools to take control of the victim’s email client. It then sends similar phishing emails to the victim’s contacts, helping the malware spread further.
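The lure chain above (an HTML attachment that hides a Base64-encoded URL and decodes it in the browser before fetching a ZIP) is something a mail gateway or analyst can check for statically. The following Python triage script is an added example written for this page, not code from Fortinet or from the campaign: it builds a constructed sample attachment around a placeholder URL (example.invalid, not an indicator from the article), finds Base64-looking tokens, decodes them, and scores the file on the indicators described above. The rule names and the scoring thresholds are this example's own choices.

```python
import base64
import re

# Placeholder download URL for the constructed sample; not an indicator from the article.
PLACEHOLDER_URL = "https://example.invalid/download/ADJUNTOS_23042025.zip"

# Constructed sample attachment: a lure page that hides its download URL in Base64
# and decodes it client-side, the pattern described for the "Factura Adjunta" mails.
SAMPLE_HTML = """<html><body>
<p>Factura Adjunta</p>
<script>
var u = atob("%s");
window.location = u;
</script>
</body></html>""" % base64.b64encode(PLACEHOLDER_URL.encode()).decode()

B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")   # candidate Base64 tokens
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
PAYLOAD_EXTENSIONS = (".zip", ".hta", ".vbs", ".js")


def decode_embedded_base64(html: str) -> list:
    """Return every Base64-looking token in `html` that decodes to printable ASCII."""
    decoded = []
    for match in B64_RUN.finditer(html):
        token = match.group(0)
        token += "=" * (-len(token) % 4)          # repair missing padding
        try:
            text = base64.b64decode(token, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):  # not Base64, or not text
            continue
        if text.isprintable():
            decoded.append(text)
    return decoded


def triage_html_attachment(html: str) -> dict:
    """Score an HTML attachment on the indicators the campaign's lure pages share."""
    decoded = decode_embedded_base64(html)
    urls = [u for text in decoded for u in URL_RE.findall(text)]
    hidden_text = " ".join(decoded).lower()
    extensions = sorted(e for e in PAYLOAD_EXTENSIONS if e in hidden_text)

    indicators = []
    if urls:
        indicators.append("base64_encoded_url")
    if "atob(" in html:
        indicators.append("client_side_base64_decode")
    if extensions:
        indicators.append("payload_extension_in_hidden_text")

    # Two independent indicators are enough to hold the attachment for review.
    if len(indicators) >= 2:
        verdict = "suspicious"
    elif indicators:
        verdict = "review"
    else:
        verdict = "clean"
    return {"decoded_urls": urls, "payload_extensions": extensions,
            "indicators": indicators, "verdict": verdict}


if __name__ == "__main__":
    print(triage_html_attachment(SAMPLE_HTML))
```

Run it on a real attachment by passing the file's text to triage_html_attachment. The decode step deliberately keeps only printable ASCII, so binary blobs and random-looking tokens drop out, and a decoded string that contains a URL or a payload extension is reported without ever being fetched.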
Advanced Evasion Techniques
Horabot hides its presence using custom VBScript code. This script performs complex calculations to decode hidden strings, including command-and-control (C2) server addresses and PowerShell commands. These strings are only revealed while the malware is running.
A key function in the script, called detRBFJ_11, rebuilds malicious code by working through encoded text character by character. Because the real strings exist only in memory at run time, signature-based scanners that inspect the file on disk never see them, which helps the malware avoid detection.
The malware also checks for signs of virtual machines like VirtualBox, VMware, or Hyper-V. If it detects a virtual environment, it stops running. Similarly, if Avast Antivirus is installed, it exits to avoid being blocked.
Persistence and Payload
To stay on the infected system, Horabot creates hidden files in the directory C:\Users\Public\LAPTOPOQFONEUP. It changes file properties to make them hidden and read-only, and it schedules tasks through PowerShell to keep running after reboot.
One notable trick is the use of an AutoIt script named winupdate_version_758.gif, which is converted into a compiled file to unlock another encrypted payload, winupdate_version_535.ia.
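The persistence behaviour just described (hidden, read-only files staged under C:\Users\Public, an image-named AutoIt script dropped by a shell, and a scheduled task registered through PowerShell) maps naturally onto endpoint detection rules. The script below is an added example for this page, not Fortinet's detection logic: it runs a handful of rules over constructed telemetry in a made-up pipe-separated format (not a real EDR export). The directory and file names are the ones the article reports; the user name, task name, benign events, rule names and the verdict logic are this example's own.

```python
# Constructed endpoint telemetry (not a real EDR export). One event per line:
#   event_kind|process|detail|attrs=<comma-separated file attributes>
# The directory and file names are the ones reported for Horabot; the user name,
# task name and the benign events are made up for this example.
SAMPLE_EVENTS = """\
file_create|cmd.exe|C:\\Users\\Public\\LAPTOPOQFONEUP\\winupdate_version_758.gif|attrs=HIDDEN,READONLY
file_create|cmd.exe|C:\\Users\\Public\\LAPTOPOQFONEUP\\winupdate_version_535.ia|attrs=HIDDEN,READONLY
process_start|powershell.exe|powershell.exe -NoProfile -Command Register-ScheduledTask -TaskName WinUpdateCheck|attrs=
file_create|winword.exe|C:\\Users\\alice\\Documents\\factura.docx|attrs=ARCHIVE
process_start|explorer.exe|C:\\Windows\\System32\\notepad.exe|attrs=
"""

PUBLIC_PREFIX = "c:\\users\\public\\"
KNOWN_DIRECTORY = "\\laptopoqfoneup\\"          # directory name reported in the article
SHELLS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")
TASK_KEYWORDS = ("register-scheduledtask", "new-scheduledtask", "schtasks")
IMAGE_EXTENSIONS = (".gif", ".jpg", ".png")     # an image should not be written by a shell


def parse_event(line: str) -> dict:
    """Split one telemetry line into its fields; attributes become a set."""
    kind, process, detail, attrs = line.split("|", 3)
    attr_set = {a for a in attrs.removeprefix("attrs=").split(",") if a}
    return {"kind": kind, "process": process.lower(), "detail": detail, "attrs": attr_set}


def rules_for(event: dict) -> list:
    """Rule names that fire for one event; each mirrors a behaviour described above."""
    hits = []
    detail = event["detail"].lower()
    if event["kind"] == "file_create" and detail.startswith(PUBLIC_PREFIX):
        if {"HIDDEN", "READONLY"} <= event["attrs"]:
            hits.append("hidden_readonly_file_in_public")
        if detail.endswith(IMAGE_EXTENSIONS) and event["process"] in SHELLS:
            hits.append("image_extension_written_by_shell")
    if KNOWN_DIRECTORY in detail:
        hits.append("known_horabot_directory")
    if event["process"] == "powershell.exe" and any(k in detail for k in TASK_KEYWORDS):
        hits.append("scheduled_task_via_powershell")
    return hits


def analyze_telemetry(text: str) -> dict:
    """Run the rules over every line and combine them into a host-level verdict."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        hits = rules_for(event)
        if hits:
            findings.append({"detail": event["detail"], "rules": hits})
    fired = {rule for finding in findings for rule in finding["rules"]}
    file_rules = {"hidden_readonly_file_in_public", "image_extension_written_by_shell",
                  "known_horabot_directory"}
    # Staged files plus a reboot-survival mechanism on the same host is the
    # combination worth escalating; either alone only earns a review.
    if "scheduled_task_via_powershell" in fired and fired & file_rules:
        verdict = "persistence_suspected"
    elif fired:
        verdict = "review"
    else:
        verdict = "clean"
    return {"findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for finding in analyze_telemetry(SAMPLE_EVENTS)["findings"]:
        print(finding["rules"], finding["detail"])
    print(analyze_telemetry(SAMPLE_EVENTS)["verdict"])
```

The known-directory rule is the only one tied to this specific sample and will stop matching as soon as the name changes; the other three describe the technique rather than the artefact, which is why the verdict requires a file-staging rule and the scheduled-task rule to fire together rather than any single hit.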
The final stage of the attack installs a banking Trojan. This Trojan shows fake login pages on top of real banking sites to steal user credentials.
Growing Phishing Threat in 2025
Horabot highlights how phishing attacks are becoming more advanced in 2025. Because it abuses trusted, legitimately installed software such as Outlook and PowerShell, its activity blends in with normal use and is harder to detect.
Fortinet has already added protections, including signatures such as HTML/Phishing.683A!tr and AutoIt/Agent.HA!tr, to block these threats. But experts warn that technology alone is not enough.
Organizations are advised to educate users about phishing tactics and to monitor for suspicious HTML files or script activity on their networks.