Pulse Detail — Threat Intelligence

PULSE NAME

How to uncover a Horabot campaign and detect this malware

WHITE Horabot Tr1sa111 2026-03-18 Modified: 2026-03-18

IOCs

MEDIUM VOLUME

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1132.001 T1056.001 T1114.001 T1204.002 T1082 T1140 T1059.001 T1547.001 T1027 T1573.002 T1095 T1012 T1518.001 T1564.003 T1059.003 T1070.004 T1071.001 T1059.005 T1584.004

MALWARE FAMILIES

Horabot Metamorfo - S0455 Casbaneiro Ponteiro Metamorfo - S0455 Casbaneiro Zusy

Indicators of Compromise (37)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	4caa797130b5f7116f11c0b48013e430	—	2026-03-18
FileHash-MD5	6272ef6ac1de8fb4bdd4a760be7ba5ed	—	2026-03-18
FileHash-MD5	c882d948d44a65019df54b0b2996677f	—	2026-03-18
FileHash-SHA1	b6144f80b32b37393b2da565326cd5085c6842e1	—	2026-03-18
FileHash-SHA256	474b25badb40f524a7b2fe089e51eb7dbafd2e3e03a9f6750f72055d05b13d76	—	2026-03-18
URL	http://evs.grupotuis.buzz/0capcha17/DMEENLIGGB.hta	—	2026-03-18
URL	https://aufal.filevexcasv.buzz/on7/index15.php	—	2026-03-18
URL	https://aufal.filevexcasv.buzz/on7all/index15.php	—	2026-03-18
URL	https://cfg.brasilinst.site/a/br/logs/index.php?CHLG	—	2026-03-18
URL	https://cgf.facturastbs.shop/0725/a/home	—	2026-03-18
URL	https://cgf.facturastbs.shop/a/08/150822/au/app	—	2026-03-18
URL	https://cgf.facturastbs.shop/a/08/150822/au/at.html	—	2026-03-18
URL	https://cgf.facturastbs.shop/a/08/150822/au/gerapdf/blqs1	—	2026-03-18
URL	https://cgf.facturastbs.shop/a/08/150822/au/gerauto.php	—	2026-03-18
URL	https://cgf.midasx.site/a/08/150822/au/au	—	2026-03-18
URL	https://evs.grupotuis.buzz/0capcha17/	—	2026-03-18
URL	https://evs.grupotuis.buzz/0capcha17/DMEENLIGGB.hta	—	2026-03-18
URL	https://evs.grupotuis.buzz/0capcha17/DMEENLIGGB/GRXUOIWCEKVX	—	2026-03-18
URL	https://labodeguitaup.space/a/08/150822/au/au	—	2026-03-18
URL	https://pdj.gruposhac.lat/g1/	—	2026-03-18
URL	https://pdj.gruposhac.lat/g1/auxld1	—	2026-03-18
URL	https://pdj.gruposhac.lat/g1/ctld/	—	2026-03-18
URL	https://pdj.gruposhac.lat/g1/gerador.php	—	2026-03-18
URL	https://pdj.gruposhac.lat/g1/ld1/	—	2026-03-18
URL	https://thea.gruposhac.space/0out0408	—	2026-03-18
URL	https://upstar.pics/a/08/150822/up/up	—	2026-03-18
FileHash-SHA1	e6a6e282a94c7724f5d9ac54d60d8cbd0e3ce892	—	2026-03-18
domain	labodeguitaup.space	—	2026-03-18
domain	lifenews.pro	—	2026-03-18
domain	upstar.pics	—	2026-03-18
hostname	aufal.filevexcasv.buzz	—	2026-03-18
hostname	cfg.brasilinst.site	—	2026-03-18
hostname	cgf.facturastbs.shop	—	2026-03-18
hostname	cgf.midasx.site	—	2026-03-18
hostname	evs.grupotuis.buzz	—	2026-03-18
hostname	pdj.gruposhac.lat	—	2026-03-18
hostname	thea.gruposhac.space	—	2026-03-18

References (1)

↗ https://securelist.com/horabot-campaign/119033/