The SOC Files: Time to “Sapecar”. Unpacking a new Horabot campaign in Mexico
ID: 4f6c9aa7-676c-5116-bae5-73d34c321bfc
STIX ID: report--4f6c9aa7-676c-5116-bae5-73d34c321bfc
Feed Name: Securelist by Kaspersky
This report analyzes an active Horabot criminal campaign. The infection chain uses social-engineered fake CAPTCHA pages to execute polymorphic HTA/VBScript loaders, an AutoIt-based loader that decrypts and loads an in-memory Delphi banking Trojan (Casbaneiro family), and a PowerShell email spreader that harvests email addresses and mass-mails further victims. The report includes detailed reverse engineering of the obfuscation and custom C2 protocols, evidence of thousands of victims (predominantly in Mexico), and ready-to-use detection artifacts (YARA, Suricata, hunting queries).
