Analysis of Ongoing Ousaban Attacks Targeting the Iberian Peninsula
Essential information
- Published: 01/07/2026 23:35
- Modified: —
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: banking trojan, casbaneiro, credential theft, geofencing, iberian peninsula, ousaban, phishing, portugal, spain
- Related entities: 28 indicators, 8 observables, 20 techniques (mitre), 3 malware
Description
In May 2026, an attack campaign involving the Ousaban banking Trojan was identified targeting banking users in Spain and Portugal. The malware, previously active in Brazil, spreads through phishing PDFs that redirect victims to malicious webpages, which perform environment checks to ensure targets are located in Spain or Portugal. In the attack chain, VBS scripts download steganographic images containing the payload, which is then dropped and executed on victims' systems. Ousaban establishes persistence, monitors banking activity across multiple financial institutions, and uses daily-changing DDNS domains to resolve C2 server addresses. It steals banking credentials through screenshot capture, keylogging, clipboard injection, and remote control capabilities. It uses custom encryption algorithms and geofencing techniques to evade detection and limit exposure to intended targets.