Analysis of Ongoing Ousaban Attacks Targeting the Iberian Peninsula
In May 2026, an attack campaign targeting banking users in Spain and Portugal was identified involving the Ousaban banking Trojan. The malware, previously active in Brazil, spreads through phishing PDFs that redirect victims to malicious webpages performing environment checks to ensure targets are located in Spain or Portugal. The attack chain involves VBS scripts downloading steganographic images containing the payload, which is then dropped and executed on victims' systems. Ousaban establishes persistence, monitors banking activity across multiple financial institutions, and uses daily-changing DDNS domains to resolve C2 server addresses. The malware employs screenshot capture, keylogging, clipboard injection, and remote control capabilities to steal banking credentials. It utilizes custom encryption algorithms and geofencing techniques to evade detection and limit exposure to intended targets.
AI Analysis
Technical Summary
In May 2026, a targeted attack campaign involving the Ousaban banking Trojan was identified affecting users in Spain and Portugal. The malware spreads via phishing PDFs that redirect victims to malicious sites which verify the victim's location before proceeding. The infection chain includes VBS scripts that download payloads hidden in steganographic images. Once executed, Ousaban establishes persistence, monitors multiple financial institutions for banking activity, and uses daily-changing DDNS domains to communicate with its command and control servers. It incorporates multiple credential theft techniques including screenshot capture, keylogging, clipboard injection, and remote control. The malware also uses custom encryption and geofencing to limit exposure and evade detection.
Potential Impact
Ousaban enables attackers to steal banking credentials from victims in Spain and Portugal by monitoring banking activity and capturing sensitive input through keylogging, clipboard injection, and screenshots. The malware's persistence and remote control capabilities allow ongoing unauthorized access to victim systems. Its use of geofencing and custom encryption reduces detection likelihood and restricts the attack to intended geographic targets, increasing the risk to affected users' financial assets.
Mitigation Recommendations
No official patch or remediation is available for this malware campaign. Mitigation should focus on user awareness of phishing PDFs and suspicious links, especially among banking users in Spain and Portugal. Network defenses should monitor for unusual DNS activity related to daily-changing DDNS domains. Endpoint detection solutions should look for behaviors consistent with VBS script execution, steganographic payloads, and the credential theft techniques described above. Incident response teams should isolate infected systems and reset credentials for affected banking accounts.
Affected Countries
Spain, Portugal
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.fortinet.com/blog/threat-research/analysis-of-ongoing-ousaban-attacks-targeting-the-iberian-peninsula
- Adversary: null
- Pulse Id: 6a45880f3df872860c77a553
- Threat Score: null
Threat ID: 6a460e0327e9c7971954d7a1
Added to database: 07/02/2026, 07:06:43 UTC
Last enriched: 07/02/2026, 07:21:24 UTC
Last updated: 07/03/2026, 03:25:23 UTC