{ "type": "URL", "indicator": "https://evs.grupotuis.buzz/0capcha17/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://evs.grupotuis.buzz/0capcha17/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4271632109, "indicator": "https://evs.grupotuis.buzz/0capcha17/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "69ba893ac080b945c5abb563", "name": "How to uncover a Horabot campaign and detect this malware", "description": "This report details the discovery and analysis of a Horabot malware campaign targeting primarily Mexican users. The attack chain begins with a fake CAPTCHA page leading to multiple stages of obfuscated scripts, ultimately delivering an AutoIT loader and a Delphi-based banking Trojan. The malware employs sophisticated encryption techniques, anti-VM checks, and a custom protocol for C2 communication. It also includes a spreader component written in PowerShell that harvests and exfiltrates email addresses to distribute phishing emails. The analysis reveals Brazilian Portuguese comments in the code, suggesting the threat actor's origin. The report provides detection opportunities including YARA rules and hunting queries to identify this threat.", "modified": "2026-03-18T16:32:26.051000", "created": "2026-03-18T11:15:06.119000", "tags": [ "ponteiro", "delphi", "brazil", "zusy", "metamorfo", "multi-stage attack", "email spreader", "horabot", "casbaneiro", "powershell", "autoit", "mexico", "banking trojan" ], "references": [ "https://securelist.com/horabot-campaign/119033/" ], "public": 1, "adversary": "Horabot", "targeted_countries": [ "Mexico" ], "malware_families": [ { "id": "Horabot", "display_name": "Horabot", "target": null }, { "id": "Metamorfo - S0455", "display_name": "Metamorfo - S0455", "target": null }, { "id": "Casbaneiro", "display_name": "Casbaneiro", "target": null }, { "id": "Ponteiro", "display_name": "Ponteiro", "target": null }, { "id": "Metamorfo - S0455", "display_name": "Metamorfo - S0455", "target": null }, { "id": "Casbaneiro", "display_name": "Casbaneiro", "target": null }, { "id": "Zusy", "display_name": "Zusy", "target": null } ], "attack_ids": [ { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1114.001", "name": "Local Email Collection", "display_name": "T1114.001 - Local Email Collection" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1564.003", "name": "Hidden Window", "display_name": "T1564.003 - Hidden Window" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" } ], "industries": [ "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 2, "FileHash-SHA256": 1, "URL": 21, "domain": 3, "hostname": 7 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 386875, "modified_text": "75 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bbbb60a8390fc9a5e0e715", "name": "EbeeMar2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-18T08:06:12.483000", "created": "2026-03-19T09:01:20.593000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "email", "xdsfeerdfbn", "chlg url" ], "references": [ "IOCs.2026.4.csv" ], "public": 1, "adversary": "Operation GhostMail, CastleRAT, UNK_NightOwl, Fake Shipment Tracking Scams in MEA, Fake Claude Code ", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 77, "FileHash-MD5": 122, "FileHash-SHA1": 103, "FileHash-SHA256": 164, "CVE": 25, "URL": 58, "domain": 107, "email": 30 }, "indicator_count": 686, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "45 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bb26196eae1616acf9b1a8", "name": "How to uncover a Horabot campaign and detect this malware", "description": "", "modified": "2026-03-18T22:24:25.139000", "created": "2026-03-18T22:24:25.139000", "tags": [ "ponteiro", "delphi", "brazil", "zusy", "metamorfo", "multi-stage attack", "email spreader", "horabot", "casbaneiro", "powershell", "autoit", "mexico", "banking trojan" ], "references": [ "https://securelist.com/horabot-campaign/119033/" ], "public": 1, "adversary": "Horabot", "targeted_countries": [ "Mexico" ], "malware_families": [ { "id": "Horabot", "display_name": "Horabot", "target": null }, { "id": "Metamorfo - S0455", "display_name": "Metamorfo - S0455", "target": null }, { "id": "Casbaneiro", "display_name": "Casbaneiro", "target": null }, { "id": "Ponteiro", "display_name": "Ponteiro", "target": null }, { "id": "Metamorfo - S0455", "display_name": "Metamorfo - S0455", "target": null }, { "id": "Casbaneiro", "display_name": "Casbaneiro", "target": null }, { "id": "Zusy", "display_name": "Zusy", "target": null } ], "attack_ids": [ { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1114.001", "name": "Local Email Collection", "display_name": "T1114.001 - Local Email Collection" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1564.003", "name": "Hidden Window", "display_name": "T1564.003 - Hidden Window" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" } ], "industries": [ "Finance" ], "TLP": "white", "cloned_from": "69ba893ac080b945c5abb563", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 2, "FileHash-SHA256": 1, "URL": 21, "domain": 3, "hostname": 7 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "75 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "IOCs.2026.4.csv", "https://securelist.com/horabot-campaign/119033/" ], "related": { "alienvault": { "adversary": [ "Horabot" ], "malware_families": [ "Horabot", "Metamorfo - s0455", "Casbaneiro", "Ponteiro", "Zusy" ], "industries": [ "Finance" ], "unique_indicators": 37 }, "other": { "adversary": [ "Horabot", "Operation GhostMail, CastleRAT, UNK_NightOwl, Fake Shipment Tracking Scams in MEA, Fake Claude Code " ], "malware_families": [ "Horabot", "Metamorfo - s0455", "Casbaneiro", "Ponteiro", "Zusy" ], "industries": [ "Finance" ], "unique_indicators": 798 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/grupotuis.buzz", "whois": "http://whois.domaintools.com/grupotuis.buzz", "domain": "grupotuis.buzz", "hostname": "evs.grupotuis.buzz" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "69ba893ac080b945c5abb563", "name": "How to uncover a Horabot campaign and detect this malware", "description": "This report details the discovery and analysis of a Horabot malware campaign targeting primarily Mexican users. The attack chain begins with a fake CAPTCHA page leading to multiple stages of obfuscated scripts, ultimately delivering an AutoIT loader and a Delphi-based banking Trojan. The malware employs sophisticated encryption techniques, anti-VM checks, and a custom protocol for C2 communication. It also includes a spreader component written in PowerShell that harvests and exfiltrates email addresses to distribute phishing emails. The analysis reveals Brazilian Portuguese comments in the code, suggesting the threat actor's origin. The report provides detection opportunities including YARA rules and hunting queries to identify this threat.", "modified": "2026-03-18T16:32:26.051000", "created": "2026-03-18T11:15:06.119000", "tags": [ "ponteiro", "delphi", "brazil", "zusy", "metamorfo", "multi-stage attack", "email spreader", "horabot", "casbaneiro", "powershell", "autoit", "mexico", "banking trojan" ], "references": [ "https://securelist.com/horabot-campaign/119033/" ], "public": 1, "adversary": "Horabot", "targeted_countries": [ "Mexico" ], "malware_families": [ { "id": "Horabot", "display_name": "Horabot", "target": null }, { "id": "Metamorfo - S0455", "display_name": "Metamorfo - S0455", "target": null }, { "id": "Casbaneiro", "display_name": "Casbaneiro", "target": null }, { "id": "Ponteiro", "display_name": "Ponteiro", "target": null }, { "id": "Metamorfo - S0455", "display_name": "Metamorfo - S0455", "target": null }, { "id": "Casbaneiro", "display_name": "Casbaneiro", "target": null }, { "id": "Zusy", "display_name": "Zusy", "target": null } ], "attack_ids": [ { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1114.001", "name": "Local Email Collection", "display_name": "T1114.001 - Local Email Collection" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1564.003", "name": "Hidden Window", "display_name": "T1564.003 - Hidden Window" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" } ], "industries": [ "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 2, "FileHash-SHA256": 1, "URL": 21, "domain": 3, "hostname": 7 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 386875, "modified_text": "75 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bbbb60a8390fc9a5e0e715", "name": "EbeeMar2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-18T08:06:12.483000", "created": "2026-03-19T09:01:20.593000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "email", "xdsfeerdfbn", "chlg url" ], "references": [ "IOCs.2026.4.csv" ], "public": 1, "adversary": "Operation GhostMail, CastleRAT, UNK_NightOwl, Fake Shipment Tracking Scams in MEA, Fake Claude Code ", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 77, "FileHash-MD5": 122, "FileHash-SHA1": 103, "FileHash-SHA256": 164, "CVE": 25, "URL": 58, "domain": 107, "email": 30 }, "indicator_count": 686, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "45 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bb26196eae1616acf9b1a8", "name": "How to uncover a Horabot campaign and detect this malware", "description": "", "modified": "2026-03-18T22:24:25.139000", "created": "2026-03-18T22:24:25.139000", "tags": [ "ponteiro", "delphi", "brazil", "zusy", "metamorfo", "multi-stage attack", "email spreader", "horabot", "casbaneiro", "powershell", "autoit", "mexico", "banking trojan" ], "references": [ "https://securelist.com/horabot-campaign/119033/" ], "public": 1, "adversary": "Horabot", "targeted_countries": [ "Mexico" ], "malware_families": [ { "id": "Horabot", "display_name": "Horabot", "target": null }, { "id": "Metamorfo - S0455", "display_name": "Metamorfo - S0455", "target": null }, { "id": "Casbaneiro", "display_name": "Casbaneiro", "target": null }, { "id": "Ponteiro", "display_name": "Ponteiro", "target": null }, { "id": "Metamorfo - S0455", "display_name": "Metamorfo - S0455", "target": null }, { "id": "Casbaneiro", "display_name": "Casbaneiro", "target": null }, { "id": "Zusy", "display_name": "Zusy", "target": null } ], "attack_ids": [ { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1114.001", "name": "Local Email Collection", "display_name": "T1114.001 - Local Email Collection" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1564.003", "name": "Hidden Window", "display_name": "T1564.003 - Hidden Window" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" } ], "industries": [ "Finance" ], "TLP": "white", "cloned_from": "69ba893ac080b945c5abb563", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 2, "FileHash-SHA256": 1, "URL": 21, "domain": 3, "hostname": 7 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "75 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://evs.grupotuis.buzz/0capcha17/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://evs.grupotuis.buzz/0capcha17/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780403456.357005 }