Threat · Other

LATAM banking-trojan lure using a court-summons / tax-debt narrative: Spanish or Brazilian Portuguese phrasing ("citación judicial", "notificación judicial", "intimação judicial", "mandado", "auto de infração") paired with a password-protected PDF/ZIP attachment whose password is revealed inline in the body ("contraseña: ...", "senha: ..."). Delivers the Casbaneiro / Metamorfo and Horabot banking trojans, which target Santander, Banco do Brasil, Caixa, Sicredi, Bradesco, Itaú, BBVA, Banamex, and Mercado Pago. Sources: The Hacker News (Apr 2026), SC Media (Apr 2026), Cybereason, DarkReading, Trend Micro (Water Saci / Augmented Marauder actor).

casbaneiro-latam-court-summons-password-pdf-lure

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

The signal matches an email in Spanish or Brazilian Portuguese that claims to be a court summons, judicial notification, or tax-debt summons ("citación judicial", "notificación judicial", "intimação judicial", "mandado", "auto de infração", "multa de trânsito") and carries a password-protected PDF or ZIP attachment. The password is revealed in the body ("contraseña: 1234", "senha: abc123", "clave de acceso: ...").

The password-protected attachment bypasses most mail-filter content scanners; when the victim opens it, it drops the Casbaneiro (aka Metamorfo) or Horabot banking trojans. These trojans overlay fake login screens on Brazilian and Latin American bank sites (Santander, Banco do Brasil, Caixa, Sicredi, Bradesco, Itaú, BBVA, Banamex, Mercado Pago, Scotiabank) and harvest credentials and second-factor tokens.

The Hacker News covered the April 2026 campaign ("Casbaneiro Phishing Targets Latin America and Europe Using Dynamic PDF Lures"). SC Media, Cybereason, and DarkReading all tracked the same Water Saci / Augmented Marauder actor cluster that Trend Micro flagged in October 2025. A December 2025 variant spread via a WhatsApp worm and RelayNFC NFC-relay fraud.

This signal is distinct from generic password-protected attachment heuristics because the combination of LATAM-language legal phrasing, an inline password reveal, and a PDF/ZIP attachment is uniquely diagnostic: legitimate attorneys in Spain or Brazil thread legal correspondence (In-Reply-To set) and typically do not send unsolicited password-protected PDFs with the password in the same email.
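One way to combine the four indicators described above (added example, not Gorganizer's own code). The function names, the password regex and the sample messages are assumptions constructed here; the attachment check looks at the file extension only and does not verify that the file is encrypted.

```python
import re
import unicodedata
from email.message import EmailMessage

# Lure phrases quoted on this page (Spanish / Brazilian Portuguese).
LEGAL_PHRASES = ("citación judicial", "notificación judicial", "intimação judicial",
                 "mandado", "auto de infração", "multa de trânsito")
# Password label followed by a separator and a short token, e.g. "senha: abc123".
PASSWORD_RE = re.compile(r"\b(contraseña|senha|clave de acceso)\s*[:=]\s*\S{3,}")
LURE_EXTENSIONS = (".pdf", ".zip")

def _norm(text):
    # NFC + casefold so accented phrases match however the sender encoded them.
    return unicodedata.normalize("NFC", text).casefold()

def lure_signals(msg):
    """Return the four indicators from the page as independent booleans."""
    part = msg.get_body(preferencelist=("plain", "html"))
    text = _norm(f"{msg.get('Subject', '')}\n{part.get_content() if part else ''}")
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    return {
        "legal_phrase": any(p in text for p in LEGAL_PHRASES),
        "inline_password": bool(PASSWORD_RE.search(text)),
        # Assumption: extension only; encryption of the file is not verified here.
        "pdf_or_zip": any(n.endswith(LURE_EXTENSIONS) for n in names),
        "unthreaded": msg.get("In-Reply-To") is None,
    }

def is_court_summons_lure(msg):
    # The page treats the combination as diagnostic, so require every indicator.
    return all(lure_signals(msg).values())

def build_sample(subject, body, filename, in_reply_to=None):
    """Constructed message for the demo; not a captured sample."""
    msg = EmailMessage()
    msg["Subject"] = subject
    if in_reply_to:
        msg["In-Reply-To"] = in_reply_to
    msg.set_content(body)
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg

if __name__ == "__main__":
    lure = build_sample("Notificación judicial", "Ver adjunto. Contraseña: 1234", "citacion.zip")
    reply = build_sample("Re: Notificación judicial", "Senha: abc123", "doc.pdf",
                         in_reply_to="<thread-1@example.com>")
    for m in (lure, reply):
        print(m["Subject"], lure_signals(m), is_court_summons_lure(m))
```

Returning the indicators separately lets each one feed a score on its own, while the combined check fires only when all four agree.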

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
