New Horabot operation hijacks victims” Gmail and Outlook accounts (19th June 2023)

Ref# AL2023_48 | Date: Jun 19th 2023


Horabot allows a threat actor to take control of the victim”s Outlook mailbox, steal contacts” email addresses, and send phishing emails with malicious HTML attachments to all addresses in the victim”s mailbox. The botnet malware also includes a Windows-based financial trojan and a spam tool for harvesting online banking credentials and compromising Gmail, Outlook, and Yahoo! webmail accounts in order to send spam emails. 


The attacks first begin with phishing emails with tax-themed baits that encourage recipients to click an HTML attachment, which then embeds a link to a RAR archive. When the attachment is opened, it executes a PowerShell downloader script, which is responsible for rebooting the machine and retrieving a ZIP file from a remote server. The ZIP file contains the primary payloads for the Horabot malware which are then extracted. The system restart works as a launchpad for the banking malware and spam tool, allowing the threat actor to steal data, log keystrokes, collect screenshots, and send more phishing emails to the victim”s contacts. 

This attack employs a multi-stage attack chain that begins with a phishing email and progresses to payload distribution via PowerShell downloader script execution and sideloading to legal executables. The banking trojan is a 32-bit Windows DLL built in Delphi that bears similarities with other Brazilian malware families such as Mekotio and Casbaneiro. Horabot, for its part, is a PowerShell-based Outlook phishing botnet capable of sending phishing emails to all email addresses in the victim”s mailbox in order to spread the infection. It is also a conscious endeavor to keep the threat actor”s phishing infrastructure hidden. 

Indicators of compromises for New Horabot Malware: Horabot IOCS 


To protect yourself from Horabot attacks, specifically phishing emails, we recommend being skeptical of strange emails and any attachments attached. To launch the infection in this scenario, the attackers employ a malicious LNK file disguised as a PDF document, thus it is always advisable to examine email attachments and discard any attachments that appear suspicious.  

If you have been infected with a malware such as Horabot, here are some immediate recommendations:   

  • When an infected device is discovered, immediately unplug the affected device from the network to prevent any malicious activities from occurring.        

  • Launch the device in safe mode and have a reputable anti-virus installed.  

  • Run a comprehensive scan on the device and remove any threats detected.   

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary. 

PDF Download: New Horabot operation hijacks victims Gmail and Outlook accounts.pdf