Casbaneiro Phishing Targets Latin America and Europe Using Dynamic PDF Lures

The Hacker News, Apr 1, 2026

Why It Matters

This attack chain combines dynamic document generation, email hijacking, and social‑media automation, making detection harder and exposing financial institutions to credential theft and fraud. Organizations in the targeted regions must strengthen PDF inspection, email security, and endpoint monitoring to mitigate the threat.

Key Takeaways

  • Brazilian group Augmented Marauder targets Spanish‑speaking enterprises
  • Phishing emails use court‑summons PDFs with password protection
  • Dynamic PDF generation enables automated email propagation via Outlook
  • Horobot spreads Casbaneiro and hijacks Yahoo, Live, Gmail accounts
  • WhatsApp automation complements email attacks for Latin America

Pulse Analysis

The latest wave of phishing activity traced to the Brazilian threat actor Augmented Marauder—catalogued by Trend Micro as Water Saci—highlights a shift toward highly personalized, document‑based lures. By crafting password‑protected PDFs that imitate Spanish judicial summonses, the group exploits a trust gap in both Latin American and European enterprises. Unlike static attachments, these PDFs are generated on the fly through a remote PHP API, allowing the attackers to vary content, language, and PIN codes for each victim. This dynamic approach evades traditional signature‑based filters and forces defenders to rely on behavioral analytics.

The infection chain begins when a recipient clicks the link inside the forged PDF, triggering a download of a ZIP archive that drops an HTA file and a VBS script. at* extensions. The primary payload, Casbaneiro, establishes a PowerShell‑driven C2 channel, while the secondary Horobot DLL hijacks Outlook contacts and compromised email accounts to launch further phishing blasts. The inclusion of WhatsApp Web automation and ClickFix social‑engineering tactics adds a mobile vector, complicating detection across multiple platforms. For organizations, the campaign underscores the need for layered defenses that go beyond perimeter filters.

Email security gateways should enforce sandboxing of PDF attachments and block password‑protected documents from unknown senders. Endpoint solutions must monitor for HTA and VBS execution, as well as AutoIt activity, and flag anomalous PowerShell calls to unfamiliar domains. Finally, user education should cover the emerging threat of WhatsApp‑based malware distribution, reinforcing verification of unsolicited legal notices. By integrating threat‑intel feeds that flag Augmented Marauder indicators, enterprises can reduce the attack surface before the malware reaches critical systems.
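The endpoint signals named above (HTA and VBS execution, AutoIt activity, PowerShell calls to unfamiliar domains) can be written as rules over process-creation events. The following is an added example, not code from the original article; the event field names (`image`, `cmdline`), the domain allowlist, and the sample events are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumption: domains PowerShell is expected to contact in this environment.
KNOWN_DOMAINS = {"intranet.example.test", "packages.example.test"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
USER_PATH = re.compile(r"\\(temp|downloads|appdata)\\", re.I)
SCRIPT_EXT = re.compile(r"\.(hta|vbs)\b", re.I)
URL = re.compile(r"https?://[^\s'\"]+", re.I)

def findings(event):
    """Return the names of the rules that one process-creation event matches."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"]
    hits = []
    # HTA/VBS run by a Windows script host from a user-writable location.
    if image in SCRIPT_HOSTS and SCRIPT_EXT.search(cmd) and USER_PATH.search(cmd):
        hits.append("script-host-from-user-path")
    # AutoIt interpreter or an AutoIt script on the command line.
    if image.startswith("autoit") or re.search(r"\.au3\b", cmd, re.I):
        hits.append("autoit-activity")
    # PowerShell command line that names a host outside the allowlist.
    if image in {"powershell.exe", "pwsh.exe"}:
        for url in URL.findall(cmd):
            host = (urlparse(url).hostname or "").lower()
            if host not in KNOWN_DOMAINS:
                hits.append("powershell-unfamiliar-domain:" + host)
    return hits

def scan(events):
    """Return (index, hits) for every event that matched at least one rule."""
    return [(i, h) for i, e in enumerate(events) if (h := findings(e))]

# Constructed sample events (hypothetical field names, paths and domains).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\ana\AppData\Local\Temp\notice\doc.hta"'},
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\ana\Downloads\run.vbs"},
    {"image": r"C:\Users\ana\AppData\Roaming\AutoIt3.exe", "cmdline": "AutoIt3.exe task.au3"},
    {"image": PS, "cmdline": "powershell -c iwr https://cdn.unknown.example.test/a"},
    {"image": PS, "cmdline": "powershell -c iwr https://packages.example.test/m.zip"},
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Windows\System32\slmgr.vbs"},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

The last two sample events are benign controls: an allowlisted download and a system script run from outside user-writable paths, neither of which should alert.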
