Ousaban Banking Trojan Evolves: A Stealthy Cyber Threat Now Targeting Spain and Portugal with Advanced Evasion Techniques + Video

Listen to this Post

Featured ImageIntroduction: A New Generation of Banking Malware Raises the Stakes

Cybercriminals continue to refine their tactics, making modern banking malware more intelligent, stealthier, and significantly harder to detect. What was once considered a regional financial threat has now evolved into a sophisticated cyber espionage platform capable of bypassing traditional security controls through multiple layers of deception.

Security researchers at FortiGuard Labs recently uncovered an advanced campaign involving the Ousaban Banking Trojan, a malware family previously associated with attacks against Brazilian financial institutions. The latest operation demonstrates a major leap in sophistication by specifically targeting victims in Spain and Portugal using geofencing, steganography, dynamic infrastructure, and custom encryption techniques. The campaign illustrates how modern malware developers continuously adapt to defensive technologies while exploiting user trust through convincing phishing attacks.

Campaign Overview: Ousaban Expands Beyond Brazil

Originally developed to steal online banking credentials from Brazilian victims, Ousaban has now expanded its operational scope into Europe.

Researchers discovered that threat actors launched a carefully orchestrated campaign throughout May 2026 targeting Spanish and Portuguese users with customized phishing emails. Rather than relying on mass distribution, the attackers focused on precision targeting, ensuring that only intended victims could continue through the infection process.

This selective approach significantly reduces exposure while making analysis considerably more difficult for cybersecurity researchers.

Unlike many commodity banking Trojans, Ousaban demonstrates clear signs of ongoing development, indicating that its operators actively invest in improving its capabilities.

The Infection Chain Begins with a Fake Corrupted PDF

The attack starts with a seemingly harmless phishing email containing what appears to be a damaged or corrupted PDF document.

Victims attempting to open the file are presented with an embedded “Update” button, creating the illusion that a document viewer update is required.

Clicking this button redirects users to a malicious webpage where the real infection process begins.

Instead of immediately downloading malware, the attackers first evaluate whether the visitor matches their intended victim profile.

This additional validation stage dramatically increases operational security for the attackers while reducing accidental infections.

Geofencing Prevents Researchers from Seeing the Full Attack

One of the

Every visitor accessing the malicious webpage undergoes several environmental checks before malware delivery.

The server evaluates:

Public IP address

Geographic location

Time zone

Browser language

VPN usage

If any condition suggests the visitor is not located in Spain or Portugal, or appears to be using anonymization services such as a VPN, the server immediately responds with an “Access Denied” PDF instead of malware.

Because all filtering occurs on the

This represents a growing trend among modern cybercriminal operations.

Steganography Conceals the Malware Inside an Innocent-Looking Image

Victims who successfully pass the validation stage receive a malicious VBScript.

The script downloads what appears to be a normal PDF icon image.

However, the image is far from harmless.

Using steganography techniques, attackers embed a hidden ZIP archive inside the image itself.

The VBScript silently extracts the concealed archive before executing the next stage of the attack.

This method allows malicious payloads to bypass security solutions that only inspect visible file structures.

Steganography continues to gain popularity among advanced malware campaigns because it effectively disguises malicious content within legitimate-looking files.

DLL Side-Loading Launches the Final Ousaban Payload

Once extracted, the hidden archive deploys the primary Ousaban malware.

Instead of executing directly, the attackers abuse DLL side-loading, a technique that forces legitimate applications to load malicious libraries during startup.

Since trusted applications initiate the malicious code, many endpoint protection systems struggle to recognize abnormal behavior.

This tactic allows attackers to inherit the reputation of legitimate software while avoiding many traditional detection mechanisms.

Persistence Ensures Long-Term Access

After installation, Ousaban immediately establishes persistence.

The malware creates a Windows Registry Run key named Financeiro, allowing it to automatically execute every time Windows starts.

With persistence established, the Trojan quietly monitors browser activity while searching for predefined online banking websites.

Whenever victims access targeted financial institutions, Ousaban prepares to intercept sensitive information including credentials, authentication tokens, and potentially banking sessions.

Dynamic Command-and-Control Infrastructure Changes Every Day

Perhaps the

Instead of communicating with hardcoded IP addresses or permanent domains, Ousaban generates a completely new Dynamic DNS (DDNS) hostname every single day.

According to Fortinet researchers, the malware retrieves the current date from a Google Automated Queries page.

It then combines:

Current date

Hardcoded text string

The combined value is processed using an MD5 hash.

Finally, Ousaban creates a hostname beginning with “aki” followed by the first eight characters of the generated hash.

Because the destination changes daily, defenders cannot rely solely on traditional blocklists or domain blacklisting.

By the time security teams identify one malicious domain, attackers have already moved to another.

Decoy Infrastructure Misleads Threat Hunters

The operators went even further by publishing a fake Pastebin entry containing a private IP address.

This deliberate decoy serves one purpose:

Waste

Threat hunters investigating the malware may initially follow false infrastructure, delaying discovery of the real command-and-control servers.

Such deception demonstrates increasing operational maturity among financially motivated cybercriminal groups.

Custom XOR Encryption Hides Network Communications

Even if defenders capture

Instead of using standard encryption libraries, the malware implements its own customized XOR encryption algorithm featuring rotating offsets.

When encryption produces values below the current offset threshold, mathematical adjustments involving 0xFF are introduced.

Additional randomization ensures that identical heartbeat packets never appear identical across multiple sessions.

Consequently:

Network signatures become unreliable.

Pattern-based detection weakens.

Automated sandbox analysis becomes less effective.

Traffic correlation becomes increasingly difficult.

These design choices reveal an emphasis on defeating behavioral detection rather than simply hiding malware binaries.

Indicators of Compromise (IOCs)

Security teams identified several infrastructure indicators associated with the campaign.

IOC Type Indicator

Domain faturanova[.]xyz

Domain facture-in[.]pages[.]dev

Domain facture-arsys[.]duckdns[.]org

These indicators remain intentionally defanged using [.] notation to prevent accidental access. Security professionals should only restore these domains inside controlled threat intelligence platforms, malware analysis environments, SIEM solutions, or forensic laboratories.

Security Recommendations for Organizations

Organizations should strengthen multiple security layers to reduce exposure against campaigns similar to Ousaban.

Recommended defensive practices include:

Deploy advanced email filtering capable of detecting phishing attachments.

Block execution of unauthorized VBScript files.

Monitor abnormal Registry Run key creation.

Inspect outbound DNS requests for suspicious Dynamic DNS activity.

Detect DLL side-loading behavior through endpoint monitoring.

Educate employees to avoid clicking “Update” buttons embedded inside suspicious documents.

Implement behavioral endpoint detection capable of identifying process injection and persistence techniques.

Use threat intelligence feeds to continuously monitor newly generated malicious domains.

Because attackers increasingly rely on social engineering rather than software vulnerabilities, employee awareness remains one of the strongest defensive controls.

Deep Analysis: Hunting Ousaban Using Linux and Windows Security Commands

Cybersecurity analysts investigating possible Ousaban infections can leverage several native tools to identify suspicious behavior across enterprise environments.

Linux Threat Hunting

grep -Ri "duckdns" /var/log/
journalctl | grep VBScript
tcpdump -nn port 53
sudo ss -tunap
sudo lsof -i
find /tmp -type f -mtime -1
sha256sum suspicious_file.exe
strings suspicious_file.exe
file suspicious_file.exe
hexdump -C suspicious_image.png | head
binwalk suspicious_image.png
foremost suspicious_image.png
exiftool suspicious_image.png
curl -I suspicious-domain.example
dig suspicious-domain.example
whois suspicious-domain.example
python3 -m http.server
clamscan -r .
yara malware_rules.yar suspicious_file.exe
suricata -r capture.pcap
zeek -r capture.pcap

Windows Investigation

Get-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Run
tasklist
netstat -ano
Get-Process
Get-ScheduledTask
Get-Service
wmic startup get caption,command
Get-FileHash suspicious.dll
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
dir AppData /s
Get-WinEvent -LogName Security
Get-ChildItem Env:
Resolve-DnsName suspicious-domain
nslookup suspicious-domain
ipconfig /displaydns
Get-NetTCPConnection
Get-MpThreatDetection
Get-ComputerInfo
Get-CimInstance Win32_Process
schtasks /query /fo LIST /v
What Undercode Say:

The newest Ousaban campaign reflects a broader transformation occurring across the cybercrime ecosystem. Malware developers are no longer relying solely on malicious code; they are investing heavily in operational security, infrastructure resilience, and deception techniques that rival those used by advanced persistent threat groups.

One of the

The adoption of geofencing demonstrates that cybercriminals increasingly value precision over volume. Infecting fewer, carefully selected victims reduces operational noise and lowers the chance of triggering global security responses.

Steganography also deserves attention. While hiding malware inside images is not a new concept, combining it with staged delivery and DLL side-loading creates multiple opportunities to evade endpoint security products that rely on conventional scanning.

Another remarkable innovation is the dynamically generated command-and-control infrastructure. Daily hostname generation weakens one of the industry’s most common defensive techniques: static blocklists. Modern defenders must shift toward behavioral detection instead of depending solely on indicators of compromise.

The custom XOR implementation further illustrates the

The fake Pastebin infrastructure is equally significant because it targets researchers rather than victims. This psychological layer of defense reflects an increasingly mature criminal ecosystem where slowing investigators is almost as valuable as stealing credentials.

Organizations should recognize that phishing remains the initial entry point. Technical controls alone cannot eliminate this risk without consistent employee education and realistic phishing simulations.

The campaign also reinforces the growing importance of DNS monitoring. Since malware infrastructure now changes rapidly, unusual DNS behavior often becomes one of the earliest indicators of compromise.

Endpoint Detection and Response (EDR) platforms capable of correlating Registry modifications, script execution, DNS anomalies, and browser monitoring will likely outperform traditional antivirus solutions against threats like Ousaban.

From a strategic perspective, Ousaban is no longer just another banking Trojan. It has evolved into a modular financial attack platform built around adaptability, stealth, and operational longevity.

Its developers appear focused on remaining invisible rather than spreading quickly, a philosophy increasingly common among financially motivated malware operations.

Security teams should expect future variants to incorporate AI-assisted phishing, stronger cryptography, and even more sophisticated anti-analysis techniques.

Ultimately, this campaign serves as another reminder that cybersecurity is an ongoing contest of adaptation, where defenders must evolve as rapidly as the adversaries they face.

✅ Confirmed: FortiGuard Labs publicly documented a May 2026 campaign in which the Ousaban banking Trojan targeted users in Spain and Portugal using phishing, geofencing, and staged malware delivery.

✅ Confirmed: The reported techniques—including VBScript execution, steganography, DLL side-loading, registry persistence, and dynamically generated DDNS hostnames—are consistent with the technical analysis published by the researchers.

✅ Context: While the indicators of compromise listed are accurate for this observed campaign, threat actors frequently rotate domains and infrastructure. Organizations should treat IOCs as temporary detection aids and prioritize behavioral monitoring alongside threat intelligence.

Prediction

(+1) Ousaban will likely continue expanding beyond the Iberian Peninsula, targeting additional European financial institutions while adopting even more advanced evasion methods such as AI-generated phishing content, cloud-hosted infrastructure, and faster domain rotation.

(-1) If organizations continue relying primarily on signature-based antivirus and static blocklists without investing in behavioral detection, endpoint monitoring, and employee awareness, future Ousaban variants could achieve higher success rates while remaining undetected for longer periods.

▶️ Related Video (74% Match):

🕵️‍📝Let’s dive deep and fact‑check.

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

References:

Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.digitaltrends.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube