
Unpacking Augmented Marauder’s Multi-Pronged Casbaneiro Campaigns

Severity: Medium
Published: Wed Apr 01 2026 (04/01/2026, 13:27:02 UTC)
Source: AlienVault OTX General

Description

BlueVoyant researchers have uncovered a broad, multi-pronged phishing campaign targeting Spanish-speaking users in organizations across Latin America and now Europe as well. While recent industry intelligence heavily documented attacks utilizing WhatsApp to deliver banking trojans under the umbrella of the Brazil-based eCrime group Augmented Marauder (a.k.a. Water Saci)

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 04/01/2026, 15:40:55 UTC

Technical Analysis

Researchers at BlueVoyant have uncovered a broad, multi-pronged phishing campaign orchestrated by the Brazil-based eCrime group Augmented Marauder (also known as Water Saci). This campaign targets Spanish-speaking users in organizations across Latin America and has recently expanded into Europe. The attackers use phishing messages, including those delivered via WhatsApp, to distribute the Casbaneiro banking trojan, a malware family designed to steal banking credentials and perform fraudulent transactions. The campaign employs multiple vectors and malicious domains such as facturastbs.shop and grupobedfs.com to host payloads and phishing pages. The malware is delivered through social engineering tactics that trick users into clicking malicious links or opening infected attachments. The campaign's multi-pronged nature increases its reach and effectiveness, targeting a wide range of organizations with Spanish-speaking personnel. Although there are no known CVEs or public exploits associated with this campaign, the presence of numerous malware hashes and URLs provides actionable indicators of compromise. The campaign reflects a continuation of Augmented Marauder's focus on financial crime, leveraging phishing and trojan malware to compromise victims. The threat intelligence is shared under TLP: White, allowing broad dissemination for defensive purposes.

Potential Impact

This campaign poses a significant risk to organizations with Spanish-speaking employees, especially financial institutions and enterprises in Latin America and Europe. Successful infections can lead to credential theft, unauthorized access to banking accounts, and financial fraud, resulting in direct monetary losses. Beyond financial damage, compromised systems may be used for further lateral movement or data exfiltration, impacting confidentiality and integrity. The use of WhatsApp and other messaging platforms as delivery vectors increases the likelihood of user interaction and infection. Organizations lacking robust phishing defenses or user awareness training are particularly vulnerable. The campaign's expansion into Europe indicates a growing geographic scope, potentially affecting multinational companies and financial services providers. While the campaign is rated medium severity, the financial and reputational damage from successful intrusions can be substantial. The lack of known exploits in the wild suggests the threat is still emerging, offering a window for proactive defense.

Mitigation Recommendations

1. Implement targeted phishing awareness training focused on recognizing the social engineering tactics used in this campaign, including suspicious WhatsApp messages and email links.
2. Deploy advanced email and messaging security solutions capable of detecting and blocking phishing URLs and malicious attachments, including sandboxing suspicious files.
3. Block known malicious domains and URLs associated with the campaign (e.g., facturastbs.shop, grupobedfs.com) at the network perimeter and DNS levels.
4. Monitor network traffic for connections to identified malicious IPs and domains and investigate any anomalies.
5. Enforce multi-factor authentication (MFA) on all financial and critical systems to reduce impact if credentials are compromised.
6. Regularly update endpoint protection platforms with the latest threat intelligence and malware signatures.
7. Conduct incident response exercises simulating phishing attacks to improve detection and containment capabilities.
8. Encourage users to verify unexpected financial or invoice-related communications through independent channels before taking action.
9. Collaborate with regional cybersecurity organizations to share intelligence and stay updated on evolving tactics used by Augmented Marauder.
10. Review and harden WhatsApp and other messaging platform usage policies to limit exposure to unsolicited messages from unknown contacts.
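Recommendations 3 and 4 in practice: the script below is an added example (not BlueVoyant's or AlienVault's code) that scans DNS query logs for the two domains in this advisory's indicator table, matching subdomains as well, while refusing look-alike names. The log line format is a constructed, simplified one and is an assumption of the example.

```python
# Added example (not BlueVoyant's or AlienVault's code): flag DNS queries for the
# domains in this advisory's indicator table. Log format is a constructed,
# simplified one: "<timestamp> <client-ip> <qname> <qtype>".
import re
from typing import Iterable, List, Optional, Tuple

# From the advisory. Subdomains (e.g. cgf.facturastbs.shop, tt.grupobedfs.com)
# must match too, since the campaign hosts payloads and phishing pages on them.
BLOCKED_DOMAINS = ("facturastbs.shop", "grupobedfs.com")

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def normalize(name: str) -> str:
    """Lowercase and drop the trailing dot that DNS logs often include."""
    return name.lower().rstrip(".")


def matches_blocklist(qname: str, blocklist: Iterable[str] = BLOCKED_DOMAINS) -> Optional[str]:
    """Return the blocklist entry that qname equals or is a subdomain of, else None.

    The suffix test is anchored on a label boundary, so look-alikes such as
    notfacturastbs.shop or facturastbs.shop.example.com are not flagged.
    """
    q = normalize(qname)
    for blocked in blocklist:
        b = normalize(blocked)
        if q == b or q.endswith("." + b):
            return b
    return None


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, qname) for each query that hits the blocklist."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        if matches_blocklist(m["qname"]):
            hits.append((m["ts"], m["client"], normalize(m["qname"])))
    return hits


# Constructed sample log: two real hits, one look-alike, one benign query.
SAMPLE_LOG = [
    "2026-04-01T13:27:02Z 10.0.0.15 cgf.facturastbs.shop. A",
    "2026-04-01T13:27:05Z 10.0.0.15 notfacturastbs.shop. A",
    "2026-04-01T13:28:11Z 10.0.0.22 TT.GRUPOBEDFS.COM A",
    "2026-04-01T13:29:00Z 10.0.0.22 www.example.com A",
]
```

Running `scan_dns_log(SAMPLE_LOG)` returns only the first and third lines; feeding it a real resolver log requires adapting `LOG_RE` to that log's field order.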


Technical Details

Author: AlienVault
TLP: white
References: https://www.bluevoyant.com/blog/augmented-marauders-multi-pronged-casbaneiro-campaigns
Adversary: Augmented Marauder
Pulse ID: 69cd1d262a834decd25abb14
Threat Score: null

Indicators of Compromise


Url

- https://cgf.facturastbs.shop/a/08/150822/au
- https://tt.grupobedfs.com/.../gera_pdf.php

Domain

- facturastbs.shop
- grupobedfs.com
- cgf.facturastbs.shop
- tt.grupobedfs.com

Threat ID: 69cd3864e6bfc5ba1ddc2cfa

Added to database: 4/1/2026, 3:23:16 PM

Last enriched: 4/1/2026, 3:40:55 PM

Last updated: 4/6/2026, 9:31:15 AM

