Hackers Use Geofenced Webpages to Deliver Ousaban Banking Trojan in Spain and Portugal
ID: 6bc41a39-ea27-5cda-a5ab-73604315f2d4
STIX ID: report--6bc41a39-ea27-5cda-a5ab-73604315f2d4
Feed Name: GBHackers
A targeted phishing campaign is distributing the Ousaban banking Trojan to users in Spain and Portugal via a malicious PDF that leads to a geofenced webpage; the actor uses server-side environment checks, steganographic images with appended ZIPs, a VBS downloader, and DLL side-loading to deliver a feature-rich banking Trojan that supports keylogging, remote control, and adaptive C2 resolution. The report includes multiple IOCs (domains, IPs, PDF SHA256s), details on persistence (Run key Financeiro, C:\SysMain_* staging), and recommendations to monitor these artifacts.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
