SHIELD: ACTIVE // NETWORK SECURE

2026-07-06 - Evasive Ousaban Banking Trojan RETOOLS to Target Spain and Portugal

Evasive Evolution: Retooled Ousaban Banking Trojan Targets Europe with Daily-Changing C2 Infrastructure

Executive Summary

The notorious Brazilian banking trojan Ousaban (also tracked as Javali) has undergone a major strategic upgrade, expanding its operations out of Latin America to target financial institutions across Spain and Portugal. Uncovered by researchers at FortiGuard Labs, the latest campaign leverages a highly evasive attack chain involving geofenced phishing portals, steganography, and an advanced Command and Control (C2) domain generation scheme that changes daily. Once established, Ousaban monitors browser sessions to target over 50 major European financial services—including BBVA, Santander, CaixaBank, and Revolut—using custom-tailored overlay windows to hijack credentials and take over user accounts.

Technical Deep-Dive and Phishing Chain

Ousaban is a highly active, Delphi-developed banking trojan from the same Latin American malware family as Guildma, Casbaneiro, and Grandoreiro. Historically focused on Brazil, the malware has been extensively retooled to target the Iberian Peninsula.

The Phishing and Evasion Pipeline

1. The Phishing PDF Lure: Victims receive an email containing a phishing PDF disguised as a corrupted or encrypted official tax document, prompting the user to click an "Update" button.

2. Server-Side Geofencing: Clicking the link redirects the user to a malicious webpage disguised as a government tax portal. This server-side check profiles the visitor, evaluating their IP address, system language, time zone, and browser environment. If the visitor is using a VPN or is located outside Spain or Portugal, the site displays a dead-end page, hiding the attack chain from global analysts.

3. Steganography Delivery: Visitors who pass the geofence receive a script that downloads a ZIP archive disguised as a standard image file (resembling a PDF icon). The archive uses steganography to conceal the appended Ousaban payload.

4. DLL Side-Loading: The script extracts the archive, which contains a legitimate, trusted executable and an encrypted Ousaban DLL file. The Trojan is decrypted and executed in memory via DLL side-loading.

The Daily-Changing C2 Mechanism

Ousaban avoids the use of fixed C2 IP addresses or static domains, which are easily blocked by traditional security appliances. Instead, the malware's C2 infrastructure uses daily-changing Dynamic DNS (DDNS) domains:

* Generation Logic: The C2 domains are generated dynamically on a daily cadence, derived from a hash of the current date pulled from a Google error page, while a decoy Pastebin link points analysts to a dead-end private IP.

* C2 Configuration Retrieval: The trojan communicates with cloud-hosted platforms (such as Pastebin or Google Docs) via Webhooks or API calls to fetch its active, daily C2 configuration.

Threat Summary

Attribute

Details

Malware Family

Ousaban (a.k.a. Javali)

Delivery Vector

Phishing PDFs, Steganography, MSI downloaders

Downstream Target Scope

Over 50 financial institutions across Spain and Portugal

Platform Affected

Microsoft Windows

Industry Impact and Threat Landscape

Ousaban represents the growing sophistication of banking trojans in 2026. Rather than relying on simple automated credential harvesting, modern trojans operate as multi-stage tools that facilitate complete account takeovers.

Once active on a victim's machine, Ousaban monitors browser sessions. When a target banking site is accessed, the trojan launches an injection-overlay window crafted to match the bank's login portal, capturing credentials, session cookies, and multi-factor authentication codes in real time. Because these actions are selectively triggered by human operators observing the session, they are exceptionally difficult for automated endpoint detection systems to identify.

Recommendations and Mitigations

Organizations and financial consumers can protect themselves from Ousaban attacks by adopting the following security postures:

1. Deploy Robust Email Security Filters: Implement advanced email security tools that scan inbound PDFs for malicious redirection URLs and block known phishing templates.

2. Implement Strong Endpoint Protection (EDR): Utilize EDR agents that monitor system processes for DLL side-loading behaviors and anomalous executable execution initiated by VBS scripts.

3. Establish DNS Threat Intelligence: Enforce strict DNS filtering that blocks newly registered or dynamic DDNS domains, specifically analyzing outbound connections to daily-changing hosts.

4. Train Staff in Phishing Awareness: Educate employees to never open attached PDFs claiming to be "corrupted tax documents" or click external update links from untrusted sources.

Category: Cyber Security Intelligence