Skip to content
Tech News
← Back to articles

Bank Trojan 'Casbaneiro' Worms Through Latin America

2026-04-02 | original
read original get Cybersecurity Anti-Malware Software → more articles
Why This Matters

The rise of sophisticated banking malware campaigns like 'Casbaneiro' highlights the increasing threat of financial cyberattacks in Latin America and Spain. These wormable, elusive malware campaigns pose significant risks to consumers and financial institutions, emphasizing the need for enhanced cybersecurity measures. As threat actors adapt their tactics, awareness and proactive defenses become crucial to protect sensitive financial data.

Key Takeaways

Brazilian threat actors are aiming to steal banking credentials across Spanish-speaking countries, using highly wormable and slightly elusive infection techniques.

As much as North Korea is known for large-scale cryptocurrency hacks and Israel dominates the spyware market, Brazil has become notorious as the banking malware capital of the world. Hackers there churn out money-stealing Trojans at a rate that challenges analysts' ability to come up with explanations.

The cybercrime operation known as Water Saci, or Augmented Marauder, has been near the heart of this movement for some years now. In more recent months, it has been splitting its time between two financially motivated cyberattack campaigns. One of them has been waged over WhatsApp, focused in Brazil, and tracked by researchers since last year.

BlueVoyant has now identified a parallel, in some ways similar, campaign, but it's being carried out via email, and might well spread through Latin America and Spain. This latest iteration on Water Saci's playbook is characterized by self-propagating malware, email security bypass, and financial information theft.

Related:Chinese Police Use ChatGPT to Smear Japan PM Takaichi

"This threat group seems as if they have a campaign that they try to launch [roughly] every quarter, and they keep changing it, so it's pretty clear whoever this is [is] very active [and] their end goal is to get access to users' bank accounts within the Latin American region," says Thomas Elkins, SOC security analyst for BlueVoyant. "To me, it's clear that they're going to keep ramping up."

A Wormable Banking Attack

On first impression, an Augmented Marauder attack is rather unexceptional. All victims receive the same notice in their inbox of some vague upcoming judicial summons. Victims who fall for the bait land on a site where they end up downloading a malicious zip file. Behind each step in this chain of events, though, is a trick that either modestly helps the attack evade detection, or significantly helps it spread to new targets.

The malicious file attached to the phishing email is password-protected, lending an air of legitimacy to the document and possibly helping it escape scrutiny from secure email gateways (SEGs). That zip file name is randomized for each victim — an obstacle for signature-based detection tools.

Most significant of all, though, is how victims end up with that judicial summons email in the first place. One of the scripts deployed later in the attack chain — a tool called Horabot — is designed to exploit the victim's email account, with the goal of self-propagation. It grabs their contacts, filters them, then blasts a new round of phishing emails to any number of new potential targets, with a modified version of the judicial summons file locked with a new password.

... continue reading

Explore topics: casbaneiro water saci bluevoyant whatsapp brazil
Related:
Meta alerts iPhone users who downloaded spyware-laced version of WhatsApp
WhatsApp notifies hundreds of users who installed a fake app that was actually government spyware
WhatsApp notifies hundreds of users who installed a fake app made by government spyware maker
Meta’s new Ray-Ban glasses aim to replace your regular prescription frames
This messaging app wins on every front, except the one that matters

© 2026 GoKawiil

About | Editorial Policy | Contact