Windows Users Beware: Phishing Threat Hits Latin America

According to Trustwave SpiderLabs, Latin America has been hit by a new phishing campaign that infects Windows systems through emails.

The attack begins with the distribution of emails carrying a ZIP file attachment. When the archive is unpacked and the HTML file inside it is opened, the page redirects the user to download a fraudulent file masquerading as an invoice. The sender address used the domain “temporary[.]link”, and Roundcube Webmail is listed as the mail agent.
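As an added example (not code from Trustwave's report), the following Python check is one a mail gateway could run on ZIP attachments to flag the pattern described above: an HTML file inside the archive that redirects on open to an external download, combined with the reported sender domain. The redirect regexes, the watchlist and the sample archive are assumptions constructed for the example.

```python
import io
import re
import zipfile
from urllib.parse import urlparse

# Sender domain named in the report (written defanged there as temporary[.]link).
WATCHLIST_DOMAINS = {"temporary.link"}

# Redirect patterns that HTML lures use to send the victim on without a click:
# a meta refresh and a JavaScript location assignment (assumed patterns).
META_REFRESH = re.compile(r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+url=([^"\'>\s]+)', re.I)
JS_LOCATION = re.compile(r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)

def sender_domain_flagged(from_addr: str) -> bool:
    """True if the sender's domain is (or is a subdomain of) a watchlisted domain."""
    domain = from_addr.rsplit("@", 1)[-1].lower()
    return any(domain == d or domain.endswith("." + d) for d in WATCHLIST_DOMAINS)

def extract_redirects(html: str) -> list:
    """Return the absolute http(s) URLs an HTML document redirects to on load."""
    urls = META_REFRESH.findall(html) + JS_LOCATION.findall(html)
    return [u for u in urls if urlparse(u).scheme in ("http", "https")]

def inspect_zip_attachment(data: bytes) -> dict:
    """Summarise a ZIP attachment: its HTML members and the URLs they redirect to."""
    findings = {"html_members": [], "redirects": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".html", ".htm")):
                continue
            findings["html_members"].append(info.filename)
            html = zf.read(info).decode("utf-8", errors="replace")
            findings["redirects"].extend(extract_redirects(html))
    # An archived HTML page whose job is to bounce the user to an external download is the lure pattern.
    findings["suspicious"] = bool(findings["redirects"])
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample: a ZIP holding an HTML lure that meta-refreshes to an external 'invoice'."""
    lure = ('<html><head><meta http-equiv="refresh" '
            'content="0; url=https://example.invalid/factura.rar"></head>'
            '<body>Cargando factura...</body></html>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("factura.html", lure)
    return buf.getvalue()

if __name__ == "__main__":
    print(sender_domain_flagged("facturas@temporary.link"), inspect_zip_attachment(build_sample_zip()))
```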

A distinctive feature of the HTML file is a link to a page that displays an account-suspension message whenever the connection does not originate from Mexico. When accessed from a Mexican IP address, however, the page instead presents a Cloudflare Turnstile CAPTCHA, which gates the download of a malicious RAR archive. This archive contains a PowerShell script that gathers system information and checks for antivirus software on the infected computer.

The archive includes strings encoded in Base64, intended for executing PHP scripts that determine the user’s country and download a ZIP file from Dropbox containing “a multitude of suspicious files.” Trustwave experts note that this campaign shares similarities with the previous Horabot botnet campaign aimed at Spanish-speaking users in Latin America.

Specialists highlighted that using newly created domains and making them reachable only from certain countries is another evasion method, particularly when the domain serves different content depending on the visitor's country, since analysts outside the targeted region see only the benign page.