Analysis of Ongoing Ousaban Attacks Targeting the Iberian Peninsula

Published 01/07/2026 23:35

Essential information

Published
01/07/2026 23:35
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
banking trojan casbaneiro credential theft geofencing iberian peninsula ousaban phishing portugal spain
Related entities
28 indicators, 8 observables, 20 techniques (mitre), 3 malware

Description

In May 2026, an attack campaign targeting banking users in Spain and Portugal was identified involving the Ousaban banking trojan. The malware, previously active in Brazil, spreads through PDFs that redirect victims to malicious webpages, which perform environment checks to ensure targets are located in Spain or Portugal. The attack chain involves VBS scripts that download steganographic images containing the payload, which is then dropped and executed on victims' systems. Ousaban establishes persistence, monitors banking activity across multiple financial institutions, and uses daily-changing DDNS domains to resolve C2 server addresses. The malware employs screenshot capture, keylogging, clipboard injection, and remote control capabilities to steal banking credentials. It uses custom encryption algorithms and geofencing techniques to evade detection and limit exposure to intended targets.

External references