Ousaban Banking Heists in Spain and Portugal

Amber | Attack
Download Now
Ousaban Banking Trojan Targets Spain and Portugal (TA2026185) — Phishing PDF, VBS Downloader & Daily-Rotating C2

Threat Advisory • Attack Report • TA2026185

Ousaban Banking Heists in Spain and Portugal

A May 2026 Ousaban banking trojan campaign is targeting Windows users across Spain and Portugal with a phishing PDF disguised as a corrupted file. Once the victim clicks "Update," the Ousaban trojan quietly waits for a banking session and hands full remote control to the attacker.

SEVERITY: AMBER ADMIRALTY: A1 BANKING TROJAN FIRST SEEN: MAY 2026 PLATFORM: WINDOWS SESSION HIJACKING
TA Number
TA2026185
Published
July 03, 2026
Admiralty Code
A1
First Seen
May 2026
Malware
Ousaban (aka Javali)
Targeted Platform
Microsoft Windows
Targeted Regions
Spain, Portugal (Iberian Peninsula)
Targeted Industries
Banking, Financial Services
Targeted Products
Banco Santander, BBVA, CaixaBank, Bankinter, Caixa Geral de Depósitos, +20 more banking web services

Summary

A May 2026 Ousaban banking trojan campaign is actively targeting Windows users in Spain and Portugal, first seen in May 2026 and delivered through a phishing PDF disguised as a corrupted file. The lure pushes the victim to click an "Update" button, after which Ousaban quietly waits for the victim to open a monitored banking session before handing full remote control to the attacker.

Targeted products span more than 20 Spanish and Portuguese banking web services, including Banco Santander, BBVA, CaixaBank, Bankinter, and Caixa Geral de Depósitos. Ousaban, also tracked under the alias Javali, is a long-running Brazilian banking trojan family that has evolved its delivery chain — from a Rust-based MSI downloader to a ClickFix-style Run-dialog trick, and now a VBS downloader served by a fingerprinting webpage.


Attack Details

#1 — Phishing PDF and Fingerprinted VBS Delivery

In May 2026, a new Ousaban banking trojan campaign surfaced against Windows users in Spain and Portugal. The attack begins with a phishing PDF made to look like a broken file. A prompt inside pushes the victim to click an "Atualizar" (Update) button, and hex-escaped JavaScript embedded in the PDF can open the same malicious webpage on its own. Before serving a VBS downloader, the page screens each visitor server-side by checking IP address, language, time zone, VPN use, screen resolution, browser rendering, and installed fonts.

#2 — Banking Session Hijack and Prior Delivery Variants

Once active, Ousaban watches for banking sessions, captures screenshots and keystrokes, tampers with the clipboard, shows fake dialogs, and hands remote control to the attacker. Earlier variants of this Ousaban operation used the same lure to deliver a Rust-based MSI downloader, and in late 2025 the operators added a ClickFix twist that tricked the victim into pasting a malicious command into the Windows Run dialog under the pretense of fixing an error.

#3 — Ousaban (Javali) Internals and Daily-Rotating C2

Ousaban itself, also tracked as Javali, is a long-running Brazilian banking trojan. On execution, it decrypts a list of more than two dozen Spanish and Portuguese banks using a custom XOR-plus-offset algorithm also seen in the Casbaneiro malware family. After installation, Ousaban stays quiet until the victim opens one of the monitored banking sites. Instead of using the Pastebin dead-drop resolver seen in earlier variants, Ousaban now generates its command-and-control hostname daily, giving the operator full hijack of a live banking session to watch, tamper with, and impersonate the user in real time in order to move funds or capture credentials for a later takeover.


Recommendations

01

Alert on the Ousaban Run Key and Drop Path

Deploy endpoint detections that flag any new value under HKCU or HKLM\Software\Microsoft\Windows\CurrentVersion\Run named Financeiro, and any file activity under C:\SysMain_5874288, both distinctive host-based indicators of an installed Ousaban implant.

02

Hunt for the DDNS DGA Pattern

Query DNS logs for lookups matching the pattern aki<8-hex-chars>.<ddns-domain> across DuckDNS and similar free DDNS providers, since Ousaban derives its daily C2 hostname from an "aki" prefix plus the first eight characters of an MD5 hash — blocking a single hostname will not survive to the next day.

03

Restrict VBS Execution

Change the default handler for .vbs files from wscript.exe to a viewer such as Notepad via Group Policy, or block VBS execution outright with AppLocker or WDAC, since the VBS stage is the single choke point between the malicious webpage download and the Ousaban binary drop.

04

Enable Transaction-Level MFA and Session Anomaly Detection at Iberian Banks

Recommend that customer-facing Spanish and Portuguese banks, including the named Ousaban targets Santander, BBVA, CaixaBank, Bankinter, and Caixa Geral de Depósitos, enforce out-of-band step-up authentication on transfers and monitor for behavioral anomalies such as mouse jitter, clipboard-driven paste of destination IBANs, and screenshot API calls indicating an active Ousaban session.


Potential MITRE ATT&CK TTPs

T1566.001
Initial Access
Phishing: Spearphishing Attachment
T1204.002
Initial Access
User Execution: Malicious File
T1059.005
Execution
Command and Scripting Interpreter: Visual Basic
T1218.007
Execution
System Binary Proxy Execution: Msiexec
T1547.001
Persistence
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1027.003
Defense Evasion
Obfuscated Files or Information: Steganography
T1027.010
Defense Evasion
Obfuscated Files or Information: Command Obfuscation
T1574.001
Defense Evasion
Hijack Execution Flow: DLL
T1140
Defense Evasion
Deobfuscate/Decode Files or Information
T1070.004
Defense Evasion
Indicator Removal: File Deletion
T1480
Defense Evasion
Execution Guardrails
T1497.001
Defense Evasion
Virtualization/Sandbox Evasion: System Checks
T1082
Discovery
System Information Discovery
T1010
Discovery
Application Window Discovery
T1113
Collection
Screen Capture
T1056.001
Collection
Input Capture: Keylogging
T1115
Collection
Clipboard Data
T1568.002
Command and Control
Dynamic Resolution: Domain Generation Algorithms
T1102.001
Command and Control
Web Service: Dead Drop Resolver
T1071.001
Command and Control
Application Layer Protocol: Web Protocols
T1573.001
Command and Control
Encrypted Channel: Symmetric Cryptography
T1185
Impact
Browser Session Hijacking

Indicators of Compromise (IoCs)

Type Value
File Path C:\SysMain_5874288
maisum.dat
Registry Key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Financeiro
SHA256 6bc2e11b0917f47d0557288c4f0cb20bd7589185943b989a969fdc6d3704ee73
540ee1936e61d2344b5ebc93485589a351ec2f113a9b4940ae16f3baa4807392
e2f0c2d4c1552cd81fa012043e4a5ac832582b639b7b6b7eccc0c4802d7a8ad8
9d07a83cf89685651ea8992047ae694c24f6ddef193044357debd15ce07a64fe
4c9fdc2823da505ef339d43c6ad38499b7e3447736733e42b5ab6b1afcfd42aa
5e06af187b45476ade0d953e834fced6197d0a33ac60c2575877660e26ab15e8
65c1a998bac48e02b52b1c850cd500e9fb87521e21755c3a4a491243f5f9a700
9e81ade09cc18f0fc09d73e72d2e0bffad02f52fdcc26553e473cee8cabc1567
1e77992666acbbfa0d01fcefa9cc8fbdac291e0681b35745be27c6dfb159a375
fadbb8061715128bebecf7bc59132b6bb04fe8cc39b965aa5b8722dffe28d7e7
5a2ed557c357ba8f96f2d55a8a00695987806b5df766cd1dfdab0cbed111774a
19ac18a50abb48dc0ea9524850acfaec49359e6b3bcc67c6193c2d56da812c71
48723a33bab89f174750576f9a62da35b3b9e5ac31a5a8f1ce9859a1b35bf8b8
21b24f7ee1f6bdbbb670f0394d66009ee0daa8ced57048298da715e88f7a7cdd
d4eb4ff02df659fdeec17d36b77084627469623bb3c7d16383d257404b52d1c3
ffb9eb47cc0cb2f43e04a10dc84df13d04bca1ebacbe47fad0b669728de2f59c
18fd38988d58dd930f5992d448cc09a9400c1eafba76b820b9a83239ac48cf4e
4ca2c863d740bb7022776dccabd8ae34bb9998768928042d76ebcf08984eefcb
5837e47198a20877e1b04b270c36d9194206ee38d4f32fe3151b3c3b396c4f0d
e6e78eb2e9bd41a4bc62f7ad54d095ea9813864bebe37172ae30a1afa631fe14
Domains faturanova[.]xyz
facture-in[.]pages[.]dev
facture-arsys[.]duckdns[.]org
faturanova[.]duckdns[.]org
controlfacturas[.]site
IPv4 213[.]159[.]64[.]191
162[.]33[.]179[.]46
91[.]92[.]240[.]140
78[.]40[.]209[.]32

References & Patch Links