A sophisticated phishing campaign is targeting Spanish-speaking users in organizations across Latin America and Europe to deploy the Casbaneiro banking trojan, also known as Metamorfo. The threat actors use dynamic PDF lures as part of a multi-stage attack chain that delivers the malware through another piece of malicious software called Horabot.
The campaign has been attributed to a Brazilian cybercrime threat actor tracked under multiple aliases including Augmented Marauder and Water Saci. Security researchers at Trend Micro first documented this e-crime group's activities, noting their focus on financial institutions and organizations in Spanish-speaking regions.