IOC - Unpacking Augmented Marauder’s Multi-Pronged Casbaneiro Campaigns
BlueVoyant researchers have uncovered a broad, multi-pronged phishing campaign targeting Spanish-speaking users in organizations across Latin America and now Europe as well. While recent industry intelligence has heavily documented attacks that use WhatsApp to deliver banking trojans under the umbrella of the Brazil-based eCrime group Augmented Marauder (a.k.a. Water Saci), the BlueVoyant Threat Fusion Cell (TFC) identified concurrent, ongoing attack activity showing that this threat group employs a wider-ranging attack model focused on a bespoke delivery and propagation mechanism that includes WhatsApp, ClickFix techniques and email-centric phishing. This in-depth analysis shows how Augmented Marauder is simultaneously deploying Horabot to deliver the Casbaneiro (a.k.a. Metamorfo) banking trojan through a comprehensive phishing operation targeting Latin America that has also extended its attacks to users in Spain.
Indicators of Compromise (20)