A complex phishing scheme is going after people who speak Spanish. The goal of the operation is to use a second piece of malware called Horabot to spread Windows banking Trojans.
Trend Micro first found a group in October 2025 that is linked to the Brazilian cybercriminals known as Augmented Marauder and Water Saci. BlueVoyant security researchers went into detail about the group's methods, which included attacks on WhatsApp, ClickFix techniques, and phishing campaigns that focused on email. The researchers concluded that this adversary is creative and adaptable, always changing its attack plans to get around modern security measures. The attackers now use a more advanced attack model that includes script-driven WhatsApp automation aimed at retail and consumer users in Latin America, as well as an advanced email-hijacking engine that can get into enterprise networks in both regions.
The campaign starts with a phishing email that looks like a court summons and tricks people into opening a password-protected PDF file. When the recipient clicks on it, a link in the document opens, and a ZIP file is automatically downloaded. The ZIP file then runs intermediate HTML Application (HTA) and VBScript (VBS) payloads.
It then gets payloads for the next stage from a remote server. Some of the downloaded files are AutoIt-based loaders that extract and run encrypted payload files with extensions like ".ia" or ".at". These files then launch two types of malware: Casbaneiro ("staticdata.dll") and Horabot ("at.dll"). Casbaneiro is the main payload, and Horabot is the malware's way of spreading.
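
One way to hunt for the chain described above, added here as an example and not taken from Trend Micro or BlueVoyant: it classifies host events into the HTA/VBS stage, an AutoIt process reading ".ia"/".at" files, and loads of "staticdata.dll" or "at.dll", then reports hosts showing at least two distinct stages, since a single match such as a DLL named "at.dll" is weak on its own. The event schema, host names, paths and the assumption that the interpreter's file name contains "autoit" are constructed for illustration.

```python
import ntpath

# File names and extensions come from the article; the event schema is constructed.
SCRIPT_HOSTS = {"mshta.exe": ".hta", "wscript.exe": ".vbs", "cscript.exe": ".vbs"}
PAYLOAD_EXTS = {".ia", ".at"}
DLL_NAMES = {"staticdata.dll": "Casbaneiro", "at.dll": "Horabot"}

def classify(event):
    """Return the chain stage an event matches, or None."""
    image = ntpath.basename(event.get("image", "")).lower()
    target = event.get("target", "").lower()
    ext = ntpath.splitext(target)[1]
    # Windows script host launched on a matching script type.
    if event["type"] == "process" and SCRIPT_HOSTS.get(image) == ext:
        return "script_stage"
    # Assumption: the AutoIt interpreter keeps "autoit" in its file name.
    if event["type"] == "file_read" and "autoit" in image and ext in PAYLOAD_EXTS:
        return "autoit_loader"
    if event["type"] == "image_load" and ntpath.basename(target) in DLL_NAMES:
        return "final_payload"
    return None

def hosts_with_chain(events, min_stages=2):
    """Map host -> matched stages, keeping hosts with >= min_stages distinct stages."""
    seen = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            seen.setdefault(ev["host"], []).append(stage)
    return {h: s for h, s in seen.items() if len(set(s)) >= min_stages}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": 1, "host": "ws-01", "type": "process",
     "image": r"C:\Windows\System32\mshta.exe", "target": r"C:\Temp\doc\summons.hta"},
    {"ts": 2, "host": "ws-01", "type": "file_read",
     "image": r"C:\Users\Public\AutoIt3.exe", "target": r"C:\Users\Public\data.ia"},
    {"ts": 3, "host": "ws-01", "type": "image_load",
     "image": r"C:\Users\Public\AutoIt3.exe", "target": r"C:\Users\Public\staticdata.dll"},
    {"ts": 4, "host": "ws-02", "type": "process",
     "image": r"C:\Windows\System32\wscript.exe", "target": r"C:\IT\logon.vbs"},
    {"ts": 5, "host": "ws-03", "type": "image_load",
     "image": r"C:\App\tool.exe", "target": r"C:\App\at.dll"},
]

if __name__ == "__main__":
    for host, stages in hosts_with_chain(SAMPLE_EVENTS).items():
        print(host, "->", " > ".join(stages))
```
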










