Latin America under siege from cybercriminals using advanced phishing tactics


Phishing Campaign Targets Latin American Windows Users

A new phishing campaign is targeting the Latin American region, aiming to deliver malicious payloads to Windows systems. Trustwave SpiderLabs researcher Karla Agregado stated that the phishing email contains a ZIP file attachment that, when extracted, reveals an HTML file leading to a malicious file download disguised as an invoice.

The phishing email originates from an address using the domain “temporary[.]link” and lists Roundcube Webmail as the User-Agent string. The HTML file contains a link (“facturasmex[.]cloud”) that shows an error message when accessed from certain locations but, when visited from an IP address geolocated in Mexico, loads a CAPTCHA page using Cloudflare Turnstile.

This process eventually leads to the download of a malicious RAR file containing a PowerShell script that gathers system information and checks for the presence of antivirus software. The campaign also uses Base64-encoded strings to run PHP scripts that determine the user’s country and retrieve suspicious files from Dropbox.
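For mail triage, the first stage described above (a ZIP attachment holding an HTML file that links out) can be checked at the gateway. The following Python sketch is an added example, not Trustwave's tooling: the function names, the 1 MB size limit, and the sample message (addresses, file names, URL path) are constructed for illustration, and only the two watchlist domains come from the article.

```python
import io, re, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Domains named in the article, refanged for matching.
WATCHLIST = {"temporary.link", "facturasmex.cloud"}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

def on_watchlist(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)

def triage(raw):
    """Return findings for one raw RFC 5322 message (bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    sender_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2]
    if on_watchlist(sender_domain):
        findings.append("sender domain on watchlist")
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename.lower()
                if not name.endswith((".html", ".htm")) or info.file_size > 1_000_000:
                    continue  # only inspect modest-size HTML members
                html = zf.read(info).decode("utf-8", "replace")
                for host in sorted(set(URL_RE.findall(html))):
                    tag = "watchlisted" if on_watchlist(host) else "external"
                    findings.append(f"{info.filename}: {tag} link to {host}")
    return findings

def sample_message():
    """Constructed message: ZIP attachment holding one HTML file with a link."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("factura.html",
                    '<a href="https://facturasmex.cloud/constructed-path">Ver</a>')
    msg = EmailMessage()
    msg["From"] = "Cobranza <aviso@temporary.link>"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Factura"
    msg.set_content("Adjunto factura.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="factura.zip")
    return msg.as_bytes()
```

Any HTML-in-ZIP attachment with an outbound link is reported as "external" even when the domain is unknown, which matters because the article notes the actors rotate newly created domains.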

This phishing campaign bears similarities to previous Horabot malware campaigns that targeted Spanish-speaking users in Latin America. The researchers emphasized that threat actors constantly evolve their tactics to avoid detection by cloaking malicious activities and using newly created domains accessible only in specific countries.

Meanwhile, Malwarebytes uncovered a malvertising campaign targeting Microsoft Bing search users with fake NordVPN ads, distributing a remote access trojan dubbed SectopRAT via a phony website. Security researcher Jérôme Segura highlighted the ease with which threat actors can deploy malware under the guise of legitimate software downloads, emphasizing the importance of robust cybersecurity measures in today’s digital landscape.
