
Threat Advisory • Attack Report • TA2026185
A May 2026 Ousaban banking trojan campaign is targeting Windows users across Spain and Portugal with a phishing PDF disguised as a corrupted file. Once the victim clicks "Update," the Ousaban trojan quietly waits for a banking session and hands full remote control to the attacker.
Javali)Section 01
A May 2026 Ousaban banking trojan campaign is actively targeting Windows users in Spain and Portugal, first seen in May 2026 and delivered through a phishing PDF disguised as a corrupted file. The lure pushes the victim to click an "Update" button, after which Ousaban quietly waits for the victim to open a monitored banking session before handing full remote control to the attacker.
Targeted products span more than 20 Spanish and Portuguese banking web services, including Banco Santander, BBVA, CaixaBank, Bankinter, and Caixa Geral de Depósitos. Ousaban, also tracked under the alias Javali, is a long-running Brazilian banking trojan family that has evolved its delivery chain — from a Rust-based MSI downloader to a ClickFix-style Run-dialog trick, and now a VBS downloader served by a fingerprinting webpage.
Section 02
In May 2026, a new Ousaban banking trojan campaign surfaced against Windows users in Spain and Portugal. The attack begins with a phishing PDF made to look like a broken file. A prompt inside pushes the victim to click an "Atualizar" (Update) button, and hex-escaped JavaScript embedded in the PDF can open the same malicious webpage on its own. Before serving a VBS downloader, the page screens each visitor server-side by checking IP address, language, time zone, VPN use, screen resolution, browser rendering, and installed fonts.
Once active, Ousaban watches for banking sessions, captures screenshots and keystrokes, tampers with the clipboard, shows fake dialogs, and hands remote control to the attacker. Earlier variants of this Ousaban operation used the same lure to deliver a Rust-based MSI downloader, and in late 2025 the operators added a ClickFix twist that tricked the victim into pasting a malicious command into the Windows Run dialog under the pretense of fixing an error.
Ousaban itself, also tracked as Javali, is a long-running Brazilian banking trojan. On execution, it decrypts a list of more than two dozen Spanish and Portuguese banks using a custom XOR-plus-offset algorithm also seen in the Casbaneiro malware family. After installation, Ousaban stays quiet until the victim opens one of the monitored banking sites. Instead of using the Pastebin dead-drop resolver seen in earlier variants, Ousaban now generates its command-and-control hostname daily, giving the operator full hijack of a live banking session to watch, tamper with, and impersonate the user in real time in order to move funds or capture credentials for a later takeover.
Section 03
Alert on the Ousaban Run Key and Drop Path
Deploy endpoint detections that flag any new value under HKCU or HKLM\Software\Microsoft\Windows\CurrentVersion\Run named Financeiro, and any file activity under C:\SysMain_5874288, both distinctive host-based indicators of an installed Ousaban implant.
Hunt for the DDNS DGA Pattern
Query DNS logs for lookups matching the pattern aki<8-hex-chars>.<ddns-domain> across DuckDNS and similar free DDNS providers, since Ousaban derives its daily C2 hostname from an "aki" prefix plus the first eight characters of an MD5 hash — blocking a single hostname will not survive to the next day.
Restrict VBS Execution
Change the default handler for .vbs files from wscript.exe to a viewer such as Notepad via Group Policy, or block VBS execution outright with AppLocker or WDAC, since the VBS stage is the single choke point between the malicious webpage download and the Ousaban binary drop.
Enable Transaction-Level MFA and Session Anomaly Detection at Iberian Banks
Recommend that customer-facing Spanish and Portuguese banks, including the named Ousaban targets Santander, BBVA, CaixaBank, Bankinter, and Caixa Geral de Depósitos, enforce out-of-band step-up authentication on transfers and monitor for behavioral anomalies such as mouse jitter, clipboard-driven paste of destination IBANs, and screenshot API calls indicating an active Ousaban session.
Section 04
Section 05
| Type | Value |
|---|---|
| File Path | C:\SysMain_5874288maisum.dat |
| Registry Key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Financeiro |
| SHA256 |
6bc2e11b0917f47d0557288c4f0cb20bd7589185943b989a969fdc6d3704ee73540ee1936e61d2344b5ebc93485589a351ec2f113a9b4940ae16f3baa4807392e2f0c2d4c1552cd81fa012043e4a5ac832582b639b7b6b7eccc0c4802d7a8ad89d07a83cf89685651ea8992047ae694c24f6ddef193044357debd15ce07a64fe4c9fdc2823da505ef339d43c6ad38499b7e3447736733e42b5ab6b1afcfd42aa5e06af187b45476ade0d953e834fced6197d0a33ac60c2575877660e26ab15e865c1a998bac48e02b52b1c850cd500e9fb87521e21755c3a4a491243f5f9a7009e81ade09cc18f0fc09d73e72d2e0bffad02f52fdcc26553e473cee8cabc15671e77992666acbbfa0d01fcefa9cc8fbdac291e0681b35745be27c6dfb159a375fadbb8061715128bebecf7bc59132b6bb04fe8cc39b965aa5b8722dffe28d7e75a2ed557c357ba8f96f2d55a8a00695987806b5df766cd1dfdab0cbed111774a19ac18a50abb48dc0ea9524850acfaec49359e6b3bcc67c6193c2d56da812c7148723a33bab89f174750576f9a62da35b3b9e5ac31a5a8f1ce9859a1b35bf8b821b24f7ee1f6bdbbb670f0394d66009ee0daa8ced57048298da715e88f7a7cddd4eb4ff02df659fdeec17d36b77084627469623bb3c7d16383d257404b52d1c3ffb9eb47cc0cb2f43e04a10dc84df13d04bca1ebacbe47fad0b669728de2f59c18fd38988d58dd930f5992d448cc09a9400c1eafba76b820b9a83239ac48cf4e4ca2c863d740bb7022776dccabd8ae34bb9998768928042d76ebcf08984eefcb5837e47198a20877e1b04b270c36d9194206ee38d4f32fe3151b3c3b396c4f0de6e78eb2e9bd41a4bc62f7ad54d095ea9813864bebe37172ae30a1afa631fe14
|
| Domains |
faturanova[.]xyzfacture-in[.]pages[.]devfacture-arsys[.]duckdns[.]orgfaturanova[.]duckdns[.]orgcontrolfacturas[.]site
|
| IPv4 |
213[.]159[.]64[.]191162[.]33[.]179[.]4691[.]92[.]240[.]14078[.]40[.]209[.]32
|
Section 06