A targeted campaign that delivers the Ousaban banking Trojan to users in Spain and Portugal using sophisticated server-side geofencing and multi-stage delivery.
The adversary begins with a socially engineered phishing PDF that impersonates a corrupted document and coerces victims into visiting a malicious webpage through an “Atualizar” (Update) prompt.
The PDF’s JavaScript is hex-escaped to evade detection and triggers the same landing page while presenting an error box that lures users into clicking. If the victim follows the link, the webpage performs an extensive environment check before proceeding.
Unlike client-side checks that expose logic to analysts, the actor moved these controls to the server. The landing page impersonates legitimate tax or installer pages and collects IP, language, time zone, organization metadata and device characteristics such as screen resolution, font enumeration, and browser rendering fingerprint.
The server-side checks explicitly deny access to non-targets by returning a Spanish-language “Access denied. Service not available from your country” PDF if the request does not appear to originate from Spain or Portugal.
The page also filters VPN-linked IPs by inspecting organization strings for keywords like “vpn,” and evaluates browser capabilities to block sandboxes or crawlers.

This server-side gating both reduces collateral infection and hides the exact geofencing criteria from defenders.
The VBS then deletes the image, ZIP and script to minimize forensic traces. Earlier Ousaban campaigns in Brazil spread via an MSI installer with a Rust-based downloader; this campaign reuses that installer style and the same final payload family.
An appended ZIP from the image, retrieves the MSI/EXE payload inside, and drops the final executable to C:SysMain_5874288 before executing it.
In May 2026, FortiGuard Labs identified an attack targeting users in Spain and Portugal involving the banking Trojan Ousaban. This malware has been active in Brazil and is spread through an MSI downloader.
Once active, Ousaban ensures persistence by creating a “Financeiro” Run registry value and writes a timestamp file maisum.dat. The malware decrypts an embedded list of bank-targeting strings using a custom byte-offset XOR algorithm familiar from Latin American banking trojans such as Casbaneiro.
Ousaban Banking Trojan
A random initial byte produces variable ciphertexts for identical plaintexts, complicating static analysis. Ousaban monitors browser activity and triggers on visits to specific banking services, then resolves a daily-changing C2 hostname.
When the environment check passes, the server delivers a VBS downloader. That VBS contains benign-appearing helper calls while performing a stealthy sequence: it downloads a steganographic image disguised as a PDF icon.

The hostname generation concatenates a hard-coded string with the current date, computes an MD5 hash, and constructs a DDNS subdomain starting with “aki” plus the first eight hash characters; the malware obtains the current date by querying Google’s Automated Queries page to avoid local clock tampering.
Communication with C2 uses the same custom encryption and a lightweight command set: #Convite# (collect info), #Handle# (assign victim ID), #ON-LINE# (heartbeat), #xyScree# (screen resolution), #Iniciar# (start screenshots and remote control).
#Iniciar# enables screenshot capture, remote mouse/keyboard control, clipboard injection and keylogging to enable both credential capture and live fraud.

A Pastebin link discovered in the sample appears to be a decoy that contains a private IP address; Ousaban variants used similar posts in late 2025, making this artifact useful for hunting despite not being the primary C2 resolution method.
Analysts should track the DDNS domains, Pastebin references and the MSI downloader fingerprints, and look for creation of the Financeiro Run key and the maisum.dat timestamp file as host indicators.
This campaign highlights the operator’s operational discipline: deliberate geo-restriction via server-side checks, steganographic retrieval of payloads, and resilient C2 resolution.
Security teams in Spain and Portugal should prioritize email filtering for PDF-based phishes, detection rules for VBS downloaders and steganographic image+ZIP patterns, and monitoring for Ousaban’s persistence artifacts and DDNS resolution behavior.
IOCs
| Type | Value |
|---|---|
| Domain | faturanova.xyz |
| Domain | facture-in.pages.dev |
| Domain | facture-arsys.duckdns.org |
| Domain | faturanova.duckdns.org |
| Domain | controlfacturas.site |
| IP | 213.159.64.191 |
| IP | 162.33.179.46 |
| IP | 91.92.240.140 |
| IP | 78.40.209.32 |
| PDF (SHA‑256) | 6bc2e11b0917f47d0557288c4f0cb20bd7589185943b989a969fdc6d3704ee73 |
| PDF (SHA‑256) | 540ee1936e61d2344b5ebc93485589a351ec2f113a9b4940ae16f3baa4807392 |
| PDF (SHA‑256) | e2f0c2d4c1552cd81fa012043e4a5ac832582b639b7b6b7eccc0c4802d7a8ad8 |
| PDF (SHA‑256) | 9d07a83cf89685651ea8992047ae694c24f6ddef193044357debd15ce07a64fe |
| PDF (SHA‑256) | 4c9fdc2823da505ef339d43c6ad38499b7e3447736733e42b5ab6b1afcfd42aa |
| PDF (SHA‑256) | 5e06af187b45476ade0d953e834fced6197d0a33ac60c2575877660e26ab15e8 |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.

