Pulse Detail — Threat Intelligence

PULSE NAME

How to uncover a Horabot campaign and detect this malware

WHITE Horabot AlienVault 2026-03-18 Modified: 2026-03-18

IOCs

MEDIUM VOLUME

This report details the discovery and analysis of a Horabot malware campaign targeting primarily Mexican users. The attack chain begins with a fake CAPTCHA page leading to multiple stages of obfuscated scripts, ultimately delivering an AutoIT loader and a Delphi-based banking Trojan. The malware employs sophisticated encryption techniques, anti-VM checks, and a custom protocol for C2 communication. It also includes a spreader component written in PowerShell that harvests and exfiltrates email addresses to distribute phishing emails. The analysis reveals Brazilian Portuguese comments in the code, suggesting the threat actor's origin. The report provides detection opportunities including YARA rules and hunting queries to identify this threat.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1132.001 T1056.001 T1114.001 T1204.002 T1082 T1140 T1059.001 T1547.001 T1027 T1573.002 T1095 T1012 T1518.001 T1564.003 T1059.003 T1070.004 T1071.001 T1059.005 T1584.004

MALWARE FAMILIES

Horabot Metamorfo - S0455 Casbaneiro Ponteiro Metamorfo - S0455 Casbaneiro Zusy

Indicators of Compromise (37)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	4caa797130b5f7116f11c0b48013e430	—	2026-03-18
FileHash-MD5	6272ef6ac1de8fb4bdd4a760be7ba5ed	—	2026-03-18
FileHash-MD5	c882d948d44a65019df54b0b2996677f	—	2026-03-18
FileHash-SHA1	b6144f80b32b37393b2da565326cd5085c6842e1	—	2026-03-18
FileHash-SHA256	474b25badb40f524a7b2fe089e51eb7dbafd2e3e03a9f6750f72055d05b13d76	—	2026-03-18
URL	http://evs.grupotuis.buzz/0capcha17/DMEENLIGGB.hta	—	2026-03-18
URL	https://aufal.filevexcasv.buzz/on7/index15.php	—	2026-03-18
URL	https://aufal.filevexcasv.buzz/on7all/index15.php	—	2026-03-18
URL	https://cfg.brasilinst.site/a/br/logs/index.php?CHLG	—	2026-03-18
URL	https://cgf.facturastbs.shop/0725/a/home	—	2026-03-18
URL	https://cgf.facturastbs.shop/a/08/150822/au/app	—	2026-03-18
URL	https://cgf.facturastbs.shop/a/08/150822/au/at.html	—	2026-03-18
URL	https://cgf.facturastbs.shop/a/08/150822/au/gerapdf/blqs1	—	2026-03-18
URL	https://cgf.facturastbs.shop/a/08/150822/au/gerauto.php	—	2026-03-18
URL	https://cgf.midasx.site/a/08/150822/au/au	—	2026-03-18
URL	https://evs.grupotuis.buzz/0capcha17/	—	2026-03-18
URL	https://evs.grupotuis.buzz/0capcha17/DMEENLIGGB.hta	—	2026-03-18
URL	https://evs.grupotuis.buzz/0capcha17/DMEENLIGGB/GRXUOIWCEKVX	—	2026-03-18
URL	https://labodeguitaup.space/a/08/150822/au/au	—	2026-03-18
URL	https://pdj.gruposhac.lat/g1/	—	2026-03-18
URL	https://pdj.gruposhac.lat/g1/auxld1	—	2026-03-18
URL	https://pdj.gruposhac.lat/g1/ctld/	—	2026-03-18
URL	https://pdj.gruposhac.lat/g1/gerador.php	—	2026-03-18
URL	https://pdj.gruposhac.lat/g1/ld1/	—	2026-03-18
URL	https://thea.gruposhac.space/0out0408	—	2026-03-18
URL	https://upstar.pics/a/08/150822/up/up	—	2026-03-18
FileHash-SHA1	e6a6e282a94c7724f5d9ac54d60d8cbd0e3ce892	—	2026-03-18
domain	labodeguitaup.space	—	2026-03-18
domain	lifenews.pro	—	2026-03-18
domain	upstar.pics	—	2026-03-18
hostname	aufal.filevexcasv.buzz	—	2026-03-18
hostname	cfg.brasilinst.site	—	2026-03-18
hostname	cgf.facturastbs.shop	—	2026-03-18
hostname	cgf.midasx.site	—	2026-03-18
hostname	evs.grupotuis.buzz	—	2026-03-18
hostname	pdj.gruposhac.lat	—	2026-03-18
hostname	thea.gruposhac.space	—	2026-03-18

References (1)

↗ https://securelist.com/horabot-campaign/119033/