Security researchers have discovered a new phishing campaign spreading the Horabot malware to Windows users in Argentina, Chile, Colombia, Guatemala, Peru, and Mexico. The campaign appears to target only Spanish-speaking users.
Researchers from Fortinet FortiGuard Labs documented the campaign after it was spotted in April 2025. Their report adds that threat actors are using maliciously crafted emails that impersonate invoices or financial documents attached to the email body.
The email’s content points the victim towards a ZIP attachment containing a PDF document — a malicious HTML file with Base64-encoded HTML data saved within a PDF. Additionally, the campaign uses Outlook COM automation to send messages from the victim’s inbox, spreading the infection within corporate or personal networks.
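A defender can triage this delivery pattern at the mail gateway by opening ZIP attachments and flagging HTML members that carry a Base64 blob which itself decodes to HTML. The following is an added example, not code from Fortinet's report; the length threshold, size cap, marker list and sample file names are assumptions.

```python
import base64
import io
import re
import zipfile

# Assumed thresholds: tune for your own mail flow.
MIN_B64_LEN = 200                    # shortest Base64 run worth decoding
MAX_MEMBER_SIZE = 5 * 1024 * 1024    # skip oversize members (zip-bomb guard)
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_B64_LEN)
HTML_MARKERS = (b"<html", b"<script", b"<!doctype", b"<iframe", b"<meta")


def embedded_html_blobs(data: bytes) -> list[bytes]:
    """Return decoded Base64 runs in `data` that themselves look like HTML."""
    found = []
    for match in B64_RUN.finditer(data):
        run = match.group(0).rstrip(b"=")
        run = run[: len(run) - len(run) % 4]  # whole quads only; may drop a trailing byte or two
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if any(marker in decoded[:4096].lower() for marker in HTML_MARKERS):
            found.append(decoded)
    return found


def scan_zip(zip_bytes: bytes) -> dict[str, int]:
    """Map each HTML member of a ZIP attachment to its count of embedded HTML blobs."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            is_html = info.filename.lower().endswith((".html", ".htm"))
            if not is_html or info.file_size > MAX_MEMBER_SIZE:
                continue
            count = len(embedded_html_blobs(archive.read(info)))
            if count:
                hits[info.filename] = count
    return hits


def constructed_sample() -> bytes:
    """Build a constructed ZIP: one HTML file with a Base64-wrapped page, one plain."""
    inner = b"<html><body>" + b"<p>constructed inner page</p>" * 10 + b"</body></html>"
    outer = b'<html><script>var d="' + base64.b64encode(inner) + b'";</script></html>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("invoice.html", outer)
        archive.writestr("readme.html", b"<html><body>plain page</body></html>")
    return buf.getvalue()
```

A hit is a reason to quarantine and inspect the attachment, not proof of this campaign, since legitimate pages also embed Base64 data.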

Once the victim opens the malicious attachments, the file reaches out to a remote server and downloads the malicious payload, which can steal email and other sensitive credentials by showing fake pop-ups, harvest contact lists, and install banking trojans. The malware also steals browser data from multiple web browsers, including Brave, Cent Browser, Comodo Dragon, Epic Privacy Browser, Google Chrome, Microsoft Edge, Opera, and Yandex.
The threat actors also execute a combination of VBScript, AutoIt, and PowerShell scripts to conduct system recon and install additional payloads if required. The VBScript collects basic system information and sends it back to the attackers. The AutoIt script includes the banking trojan, and the PowerShell script forwards the original phishing email after scanning the victim’s Outlook contact list.
However, no malicious activity is carried out before checking for security measures. The payload checks for an antivirus, specifically Avast, and whether or not the system has already been infected. It also checks whether or not the system is a virtual machine and stops the attack if one is detected. Finally, if the machine name is “JOHN-PC”, the attack doesn’t go through.