
Analysis of Ongoing Ousaban Attacks Targeting the Iberian Peninsula

Medium
Published: 07/01/2026 (07/01/2026, 21:35:11 UTC)
Source: AlienVault OTX General

Description

In May 2026, an attack campaign targeting banking users in Spain and Portugal was identified involving the Ousaban banking Trojan. The malware, previously active in Brazil, spreads through phishing PDFs that redirect victims to malicious webpages performing environment checks to ensure targets are located in Spain or Portugal. The attack chain involves VBS scripts downloading steganographic images containing the payload, which is then dropped and executed on victims' systems. Ousaban establishes persistence, monitors banking activity across multiple financial institutions, and uses daily-changing DDNS domains to resolve C2 server addresses. The malware employs screenshot capture, keylogging, clipboard injection, and remote control capabilities to steal banking credentials. It utilizes custom encryption algorithms and geofencing techniques to evade detection and limit exposure to intended targets.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 07/02/2026, 07:21:24 UTC

Technical Analysis

In May 2026, a targeted attack campaign involving the Ousaban banking Trojan was identified affecting users in Spain and Portugal. The malware spreads via phishing PDFs that redirect victims to malicious sites which verify the victim's location before proceeding. The infection chain includes VBS scripts that download payloads hidden in steganographic images. Once executed, Ousaban establishes persistence, monitors multiple financial institutions for banking activity, and uses daily-changing DDNS domains to communicate with its command and control servers. It incorporates multiple credential theft techniques including screenshot capture, keylogging, clipboard injection, and remote control. The malware also uses custom encryption and geofencing to limit exposure and evade detection.

Potential Impact

Ousaban enables attackers to steal banking credentials from victims in Spain and Portugal by monitoring banking activity and capturing sensitive input through keylogging, clipboard injection, and screenshots. The malware's persistence and remote control capabilities allow ongoing unauthorized access to victim systems. Its use of geofencing and custom encryption reduces detection likelihood and restricts the attack to intended geographic targets, increasing the risk to affected users' financial assets.

Mitigation Recommendations

No official patch or remediation is available for this malware campaign. Mitigation should focus on user awareness of phishing PDFs and suspicious links, especially among banking users in Spain and Portugal. Network defenses should monitor for unusual DNS activity related to daily-changing DDNS domains. Endpoint detection solutions should look for behaviors consistent with VBS script execution, steganographic payloads, and the credential theft techniques described above. Incident response teams should isolate infected systems and perform credential resets for affected banking accounts.

Affected Countries

Spain, Portugal

Technical Details

Author: AlienVault
TLP: white
References: https://www.fortinet.com/blog/threat-research/analysis-of-ongoing-ousaban-attacks-targeting-the-iberian-peninsula
Adversary: null
Pulse Id: 6a45880f3df872860c77a553
Threat Score: null

Indicators of Compromise

IP

162.33.179.46
91.92.240.140
78.40.209.32
213.159.64.191

Hash

Domain

controlfacturas.site
faturanova.xyz
facture-arsys.duckdns.org
faturanova.duckdns.org

Threat ID: 6a460e0327e9c7971954d7a1

Added to database: 07/02/2026, 07:06:43 UTC

Last enriched: 07/02/2026, 07:21:24 UTC

Last updated: 07/03/2026, 03:25:23 UTC
