logo

Hackers Use Geofenced Webpages to Deliver Ousaban Banking Trojan in Spain and Portugal

ID: 6bc41a39-ea27-5cda-a5ab-73604315f2d4

STIX ID: report--6bc41a39-ea27-5cda-a5ab-73604315f2d4

Feed Name: GBHackers

Threat Score
75/100

Date Published: 2026-07-02

Date Updated: 2026-07-02

Author: Mayura Kathir

...
...

A targeted phishing campaign is distributing the Ousaban banking Trojan to users in Spain and Portugal via a malicious PDF that leads to a geofenced webpage; the actor uses server-side environment checks, steganographic images with appended ZIPs, a VBS downloader, and DLL side-loading to deliver a feature-rich banking Trojan that supports keylogging, remote control, and adaptive C2 resolution. The report includes multiple IOCs (domains, IPs, PDF SHA256s), details on persistence (Run key Financeiro, C:\SysMain_* staging), and recommendations to monitor these artifacts.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.