Augmented Marauders Target Latin America and Europe with Multi-Pronged Banking Trojan Campaign
A sophisticated phishing campaign is targeting Spanish-speaking users across Latin America and Europe, combining several delivery techniques to install Windows banking trojans. The campaign, attributed to the Brazilian cybercrime group tracked as **Augmented Marauder** and **Water Saci**, uses phishing emails, WhatsApp automation, and ClickFix techniques to compromise both retail and enterprise users.

### A Complex Attack Chain
The group tracked as **Augmented Marauder** and **Water Saci**, first documented by **Trend Micro** in October 2025, distributes banking trojans such as **Casbaneiro** (aka Metamorfo) and **Horabot** through email-centric phishing, WhatsApp automation, and **ClickFix** techniques.

"This threat group employs a wider-ranging attack model focused on a bespoke delivery and propagation mechanism that includes WhatsApp, ClickFix techniques, and email-centric phishing," **BlueVoyant** security researchers Thomas Elkins and Joshua Green stated in their report.
### Phishing Lures and Malicious Payloads
The attack begins with phishing emails disguised as court summons that entice recipients to open password-protected PDF attachments. Clicking the link embedded in the PDF downloads a ZIP archive containing HTML Application (HTA) and VBS payloads.

The VBS script performs environment and anti-analysis checks, including a check for **Avast** antivirus, before retrieving further payloads from a remote server. These payloads include AutoIt-based loaders that extract and execute encrypted files, ultimately deploying **Casbaneiro** and **Horabot**.
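
One way to hunt for the delivery chain described above in process-creation telemetry, as an added example that is not from the BlueVoyant report or the original article: it flags a script host running an HTA or VBS file directly out of an opened ZIP, and any AutoIt or PowerShell process that descends from a script host. The event fields, file names and process tree are constructed, and the exact binaries involved are assumptions.

```python
import ntpath
import re

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
LOADERS = {"autoit3.exe", "powershell.exe"}
# Explorer unpacks a file opened inside a ZIP to %TEMP%\Temp1_<archive>.zip\ first.
FROM_ZIP = re.compile(r'\\Temp\d+_[^\\]+\.zip\\[^"]+\.(hta|vbs)', re.I)

# Constructed process-creation events (Sysmon Event ID 1 style); all names are made up.
SYS = "C:\\Windows\\System32\\"
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": SYS + "mshta.exe",
     "cmd": r'mshta.exe "C:\Users\ana\AppData\Local\Temp\Temp1_citacion.zip\citacion.hta"'},
    {"pid": 210, "ppid": 200, "image": SYS + "wscript.exe",
     "cmd": r'wscript.exe "C:\Users\ana\AppData\Local\Temp\stage.vbs"'},
    {"pid": 220, "ppid": 210, "image": r"C:\Users\Public\ld\AutoIt3.exe", "cmd": "AutoIt3.exe run.a3x"},
    {"pid": 230, "ppid": 220, "image": SYS + r"WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -File mail.ps1"},
    {"pid": 300, "ppid": 100, "image": SYS + "wscript.exe", "cmd": r'wscript.exe "C:\IT\logon.vbs"'},
]

def name(event):
    return ntpath.basename(event["image"]).lower()

def ancestors(event, by_pid):
    """Yield parent events from nearest to farthest, guarding against PID loops."""
    seen = {event["pid"]}
    parent = by_pid.get(event["ppid"])
    while parent and parent["pid"] not in seen:
        seen.add(parent["pid"])
        yield parent
        parent = by_pid.get(parent["ppid"])

def detect(events):
    """Return {pid: [reasons]} for processes that match the delivery chain."""
    by_pid = {e["pid"]: e for e in events}
    alerts = {}
    for e in events:
        reasons = []
        if name(e) in SCRIPT_HOSTS and FROM_ZIP.search(e["cmd"]):
            reasons.append("script host ran HTA/VBS straight from a ZIP")
        if name(e) in LOADERS:
            hosts = [name(a) for a in ancestors(e, by_pid) if name(a) in SCRIPT_HOSTS]
            if hosts:
                reasons.append("loader descends from " + " <- ".join(hosts))
        if reasons:
            alerts[e["pid"]] = reasons
    return alerts
```

On real telemetry, key the parent lookup on Sysmon's `ProcessGuid` and `ParentProcessGuid` rather than the PID, since PIDs are reused.
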
### Casbaneiro and Horabot: A Dangerous Duo
**Casbaneiro** serves as the primary payload, while **Horabot** acts as the propagation mechanism. The **Casbaneiro** Delphi DLL module communicates with a command-and-control (C2) server to obtain a PowerShell script. This script uses **Horabot** to distribute malware via phishing emails to contacts harvested from **Microsoft Outlook**.

Rather than attaching a static file, the script sends an HTTP POST request to a remote PHP API, which dynamically creates a tailored, password-protected PDF impersonating a Spanish judicial summons. That PDF is then sent to the infected host's email contacts.
### Account Hijacking and Spam
A secondary **Horabot**-related DLL functions as a spam and account hijacking tool, targeting **Yahoo**, **Live**, and **Gmail** accounts to send phishing emails through **Outlook**. **Horabot** has been active in attacks targeting Latin America since at least November 2020.
### Evolving Tactics
**Water Saci** has previously used WhatsApp Web to spread banking trojans like Maverick and **Casbaneiro**. More recent campaigns have incorporated the **ClickFix** social engineering tactic to trick users into running malicious HTA files, ultimately deploying **Casbaneiro** and **Horabot**.
"Taken together, the integration of ClickFix social engineering, alongside dynamic PDF generation and WhatsApp automation, demonstrates an agile adversary that is continually innovating and executing diverse attack paths to bypass modern security controls," the **BlueVoyant** researchers concluded.

"This adversary is maintaining a bifurcated, multi-pronged attack infrastructure, dynamically deploying the WhatsApp-centric Maverick chain and concurrently utilizing both ClickFix and email-based Horabot attack paths."