Ousaban Banking Trojan Targets Spain and Portugal
A July 2026 Ousaban campaign uses phishing PDFs, geofencing, VBS, MSI, DLL side-loading, and process injection against Windows users in Spain and Portugal.

FortiGuard Labs reported a high-severity Ousaban banking Trojan campaign targeting Windows users in Spain and Portugal. The campaign starts with a phishing PDF, filters victims by geography and environment, launches a VBS downloader, installs a Rust-based MSI loader, and executes Ousaban through DLL side-loading or process injection.
The important defensive lesson is not limited to one malware family. Geofencing, environmental checks, daily-changing command-and-control domains, steganography, and living-off-the-land scripts can make a campaign nearly invisible to researchers outside the intended region. Security teams need behavioral detections that survive those infrastructure changes.
Ousaban campaign summary
Ousaban is a Windows banking Trojan associated with credential theft, screen capture, keylogging, clipboard manipulation, and remote control. FortiGuard observed the current campaign in May 2026 and published its technical analysis on July 1, 2026. The company rates the campaign High severity and identifies users in Spain and Portugal as its primary targets.
- Target platforms: Microsoft Windows endpoints
- Primary delivery: phishing PDFs that redirect to a malicious webpage
- Execution chain: webpage to VBS script to MSI downloader to Ousaban payload
- Evasion: country filtering, environmental checks, daily-changing domains, decoy infrastructure, and encrypted C2 traffic
- Impact: stolen credentials, screenshots, keystrokes, clipboard data, and interactive control
FortiGuard published file hashes, domains, and IP addresses with its report. Those indicators are useful for retrospective hunting, but defenders should pair them with process and network behavior because the infrastructure is designed to change.
How the 2026 Ousaban attack chain works
1. A phishing PDF creates the first click
The victim receives a PDF that directs them to an attacker-controlled webpage. A PDF is useful to the attacker because it can pass through controls that focus narrowly on executable attachments, while the visible document supplies a plausible business reason to click. The report does not identify one universal lure, so defenders should avoid assuming the campaign uses only invoices or only one language.
This stage maps to MITRE ATT&CK T1566.002, Spearphishing Link. The protective controls are familiar but still valuable: detonate PDFs and URLs, rewrite and inspect links at click time, block newly registered domains, and teach users to treat document-driven downloads as executable delivery.
2. The landing page filters the victim
The malicious site checks the visitor before releasing the next stage. FortiGuard found geographic restrictions focused on Spain and Portugal as well as environmental checks intended to reduce exposure to automated sandboxes and researchers. A visitor outside the target profile may see nothing malicious, making a conventional security review produce a false negative.
For defenders, this changes how a suspicious URL should be tested. A single request from a United States-based cloud sandbox is not enough to declare it clean. Preserve the original redirect chain, user agent, referrer, DNS history, and endpoint telemetry. If policy permits, reproduce the request from an isolated environment that matches the victim’s geography and browser profile.
3. VBS and MSI bridge the browser-to-endpoint boundary
A qualifying visitor receives a Visual Basic Script file. The VBS stage retrieves an MSI installer, which contains a Rust-based downloader. This layered design gives the attacker several chances to change one component without rebuilding the entire chain. It also splits the malicious behavior across script execution, installer activity, network retrieval, and a final executable.
Monitor for script hosts such as wscript.exe or cscript.exe launching after a browser, PDF reader, archive tool, or user download. Correlate those events with msiexec.exe making external network connections or installing content from user-writable directories. None of those behaviors is automatically malicious, but the sequence is unusual enough to investigate.
4. The payload uses side-loading or injection
FortiGuard observed Ousaban delivered as an executable payload that can run through DLL side-loading or process injection. DLL side-loading places a malicious library beside a legitimate executable that searches its local directory before trusted system paths. Process injection moves malicious code into another process to blend execution with a trusted image.
Detection should focus on a trusted executable loading an unsigned or newly created DLL from Downloads, AppData, Temp, or another user-writable path. For injection, correlate suspicious cross-process handle access, memory allocation, memory writes, and remote thread creation. Endpoint products expose these behaviors differently, so validate the exact telemetry in your EDR.
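The image-load rule described above, written out as an added example for this article (not FortiGuard's or Protego's code). The `ImageLoad` record is a constructed, simplified schema for what EDR image-load telemetry typically carries, the sample events are constructed, and the one-hour "newly created" threshold is an assumption to tune.

```python
"""Flag image-load events that match the side-loading pattern described above.

Added illustration for this article, not FortiGuard's or Protego's code. The
ImageLoad record is a constructed, simplified schema for EDR image-load
telemetry (host process path and signature verdict, loaded DLL path, signature
verdict and age); the sample events are constructed too.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Directories an unprivileged user can normally write to (lower-case substrings).
USER_WRITABLE_MARKERS = (
    "\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\", "\\programdata\\",
)
# Protected locations where a DLL load by a signed process is expected.
SYSTEM_PATH_MARKERS = (
    "\\windows\\system32\\", "\\windows\\syswow64\\",
    "\\program files\\", "\\program files (x86)\\",
)
# Assumed threshold for "newly created": DLL written to disk within the last hour.
NEW_DLL_THRESHOLD_MINUTES = 60


@dataclass(frozen=True)
class ImageLoad:
    device: str
    process_path: str
    process_signed: bool   # host image carries a trusted signature (EDR verdict)
    dll_path: str
    dll_signed: bool       # loaded DLL carries a trusted signature
    dll_age_minutes: int   # minutes between the DLL's creation time and this load


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def is_system_path(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in SYSTEM_PATH_MARKERS)


def side_load_reasons(ev: ImageLoad) -> list[str]:
    """Return why this load looks like side-loading; an empty list means no match.

    The rule fires only for a *signed* host loading an unsigned or newly created
    DLL from a user-writable path, which is the combination called out above.
    """
    if not ev.process_signed:
        return []              # unsigned hosts belong to other rules
    if is_system_path(ev.dll_path) or not is_user_writable(ev.dll_path):
        return []
    reasons: list[str] = []
    if not ev.dll_signed:
        reasons.append("unsigned DLL")
    if ev.dll_age_minutes < NEW_DLL_THRESHOLD_MINUTES:
        reasons.append(f"DLL created {ev.dll_age_minutes} min before load")
    if not reasons:
        return []
    reasons.append("DLL loaded from user-writable path")
    if ntpath.dirname(ev.dll_path).lower() == ntpath.dirname(ev.process_path).lower():
        reasons.append("DLL sits beside the host executable (classic side-load layout)")
    return reasons


def hunt(events: list[ImageLoad]) -> list[tuple[ImageLoad, list[str]]]:
    """Return every event that matched, paired with its reasons."""
    hits = []
    for ev in events:
        reasons = side_load_reasons(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample telemetry.
SAMPLE_EVENTS = [
    # Signed viewer copied into Downloads next to an unsigned, minutes-old DLL.
    ImageLoad("WS1", r"C:\Users\maria\Downloads\Fatura\viewer.exe", True,
              r"C:\Users\maria\Downloads\Fatura\helper.dll", False, 3),
    # Signed application loading a signed system DLL: expected.
    ImageLoad("WS1", r"C:\Program Files\Vendor\app.exe", True,
              r"C:\Windows\System32\kernel32.dll", True, 500000),
    # Signed application pulling a freshly written (though signed) DLL from Temp.
    ImageLoad("WS2", r"C:\Program Files\Vendor\app.exe", True,
              r"C:\Users\maria\AppData\Local\Temp\plugin.dll", True, 5),
    # Unsigned host: not this rule's concern.
    ImageLoad("WS3", r"C:\Users\maria\AppData\Local\Temp\setup.exe", False,
              r"C:\Users\maria\AppData\Local\Temp\setup.dll", False, 1),
]

if __name__ == "__main__":
    for ev, reasons in hunt(SAMPLE_EVENTS):
        print(f"{ev.device}: {ntpath.basename(ev.process_path)} loaded {ev.dll_path}")
        for reason in reasons:
            print("   -", reason)
```

The unsigned-host case is deliberately left to other rules: the point of this detection is a trusted image behaving oddly, and mixing in every unsigned process would bury the side-loading signal under ordinary installer noise.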
What Ousaban can do after execution
FortiGuard’s protocol analysis documents commands for collecting victim information, assigning a victim identifier, checking in with a heartbeat, reading screen resolution, starting screenshot capture, and enabling remote-control functions. The malware can also control the mouse and keyboard, manipulate the clipboard, and operate a keylogger.
Those capabilities are especially dangerous for banking fraud because they combine credential theft with interactive session control. A password reset may not be enough if the attacker observed a session, stole cookies, captured a one-time code, or changed a payment destination through clipboard injection. Incident response should therefore treat confirmed execution as possible account and transaction compromise.
Detection opportunities for security teams
Email and web telemetry
- Flag PDFs that link to recently created, low-reputation, dynamic DNS, or free-hosting domains.
- Hunt for users who opened a PDF and downloaded a VBS or MSI file within the same session.
- Review proxy logs for redirects to facture-in.pages.dev, facture-arsys.duckdns.org, faturanova.duckdns.org, faturanova.xyz, or controlfacturas.site. Defang these indicators before sharing them outside security tooling.
- Do not rely on one sandbox verdict when geofencing or environment checks may suppress delivery.
Endpoint telemetry
- PDF reader or browser followed by wscript.exe, cscript.exe, powershell.exe, or msiexec.exe
- VBS execution from Downloads, Temp, AppData, browser cache, or email attachment paths
- msiexec.exe retrieving remote content or spawning an unexpected executable
- Legitimate signed binaries loading unsigned DLLs from user-writable directories
- Unexpected cross-process memory access, injection, keylogging, screen capture, or clipboard activity
Network telemetry
- DNS lookups to the published domains and connections to 213.159.64.191, 162.33.179.46, 91.92.240.140, or 78.40.209.32
- New domains with very short lifetimes that resolve to recurring infrastructure
- Regular encrypted heartbeats from a workstation with no matching approved application
- Endpoints that contact Pastebin near suspicious script or MSI execution
Treat the published indicators as leads, not permanent signatures. FortiGuard reports that the malware uses daily-changing domains to retrieve C2 information and can use a traditional C2 setup as a decoy. Historical DNS, certificate, and endpoint behavior will remain useful after a domain is abandoned.
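The pivot described in the network telemetry list (short-lived domains that resolve to recurring infrastructure) and the defanging step from the email and web list, as an added example that is not part of the FortiGuard report or Protego's tooling. The passive DNS rows are constructed (`.example` names and RFC 5737 addresses) and say nothing about where the report's real domains resolved; the thresholds are assumptions. The published domains and IPs appear only to show the defanging step.

```python
"""Pivot short-lived domains to recurring infrastructure, then defang for sharing.

Added example for this article, not FortiGuard's or Protego's code. The passive
DNS records are constructed (example.* names and RFC 5737 addresses) to show the
pivot; they say nothing about where the report's real domains resolved. The
published indicators list repeats domains and IPs quoted in the article only to
show the defanging step recommended there.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import date

SHORT_LIFETIME_DAYS = 7   # assumed: a domain seen for a week or less counts as short-lived
MIN_DOMAINS_PER_IP = 2    # assumed: an IP with this many short-lived domains is "recurring"

# Constructed passive DNS rows: (domain, resolved_ip, first_seen, last_seen)
PASSIVE_DNS = [
    ("factura-0601.example", "203.0.113.7", date(2026, 6, 1), date(2026, 6, 2)),
    ("factura-0602.example", "203.0.113.7", date(2026, 6, 2), date(2026, 6, 3)),
    ("fatura-0603.example",  "203.0.113.7", date(2026, 6, 3), date(2026, 6, 3)),
    ("decoy-panel.example",  "203.0.113.9", date(2026, 5, 1), date(2026, 6, 30)),   # long-lived decoy
    ("cdn.example",          "198.51.100.4", date(2026, 1, 1), date(2026, 6, 30)),  # legitimate, stable
    ("one-off.example",      "198.51.100.8", date(2026, 6, 5), date(2026, 6, 5)),   # short-lived but alone
]

# Indicators as published in the FortiGuard report and quoted in this article.
PUBLISHED_INDICATORS = [
    "facture-in.pages.dev", "facture-arsys.duckdns.org", "faturanova.duckdns.org",
    "faturanova.xyz", "controlfacturas.site",
    "213.159.64.191", "162.33.179.46", "91.92.240.140", "78.40.209.32",
]


def defang(indicator: str) -> str:
    """Break dots and URL schemes so a pasted indicator cannot be clicked or resolved."""
    s = indicator.replace("https://", "hxxps[:]//").replace("http://", "hxxp[:]//")
    return s.replace(".", "[.]")


def refang(indicator: str) -> str:
    """Inverse of defang, for feeding shared indicators back into tooling."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def recurring_infrastructure(records, short_days=SHORT_LIFETIME_DAYS,
                             min_domains=MIN_DOMAINS_PER_IP) -> dict[str, list[str]]:
    """Group short-lived domains by the IP they resolved to and keep IPs reused by
    at least `min_domains` of them. Those IPs outlive any single daily domain."""
    short_lived: dict[str, list[str]] = defaultdict(list)
    for domain, ip, first_seen, last_seen in records:
        if (last_seen - first_seen).days <= short_days:
            short_lived[ip].append(domain)
    return {ip: sorted(domains) for ip, domains in short_lived.items()
            if len(domains) >= min_domains}


def shareable_report(records) -> list[str]:
    """Lines safe to paste into a ticket or chat: every indicator defanged."""
    lines = []
    for ip, domains in sorted(recurring_infrastructure(records).items()):
        lines.append(f"{defang(ip)} hosted {len(domains)} short-lived domains: "
                     + ", ".join(defang(d) for d in domains))
    return lines


if __name__ == "__main__":
    for line in shareable_report(PASSIVE_DNS):
        print(line)
    print("Published indicators, defanged:")
    for ioc in PUBLISHED_INDICATORS:
        print("  ", defang(ioc))
```

The long-lived entries are excluded on purpose: a stable decoy panel or a legitimate CDN looks nothing like the daily-rotated domains the report describes, and the IP that several of those short-lived names share is the more durable thing to block and hunt on.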
Example Microsoft Sentinel hunting approach
The following hunting logic is intentionally generic because table and field names differ between Microsoft Defender XDR, Sentinel connectors, and other EDR products. Adapt it to your schema and validate it against normal administrative software before turning it into an alert.
ousaban-behavior-hunt.kql

```kql
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName in~ ("wscript.exe", "cscript.exe", "msiexec.exe")
| where InitiatingProcessFileName in~ ("acrord32.exe", "msedge.exe", "chrome.exe", "firefox.exe", "explorer.exe")
    or ProcessCommandLine has_any ("\\AppData\\", "\\Temp\\", "\\Downloads\\", "http://", "https://")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine, SHA256
| order by Timestamp desc
```
A second correlation should join these processes to outbound connections from the same device during the following minutes. For broader KQL design and investigation patterns, see the Protego Microsoft Sentinel threat-hunting guide.
MITRE ATT&CK mapping
| Observed behavior | ATT&CK technique | Defensive focus |
|---|---|---|
| Phishing PDF with link | T1566.002 Spearphishing Link | URL inspection, sandboxing, click-time protection |
| VBS execution | T1059.005 Visual Basic | Script control and process ancestry |
| MSI installer | T1218.007 Msiexec | Installer command line and network activity |
| DLL side-loading | T1574.002 DLL Side-Loading | Image-load paths and signature mismatch |
| Process injection | T1055 Process Injection | Cross-process memory behavior |
| Input capture and keylogging | T1056 Input Capture | Keyboard hooks and credential response |
| Screen capture | T1113 Screen Capture | Unusual capture APIs and repeated screenshots |
The mapping above is Protego’s defensive interpretation of behavior described in the FortiGuard report. It is not presented as a vendor-published ATT&CK mapping.
Containment and response checklist
- Isolate any endpoint that executed a matching VBS, MSI, or Ousaban payload.
- Collect volatile process, network, DNS, and logged-on-user evidence before reimaging when possible.
- Block the published domains, IPs, and hashes while also deploying behavior-based detections.
- Reset credentials used on the affected endpoint from a known-clean device.
- Revoke active sessions and tokens for email, banking, VPN, and business applications.
- Review payment changes, clipboard-sensitive workflows, browser sessions, and account recovery settings.
- Search the rest of the environment for the same parent-child process chains, MSI hashes, DLL paths, and network indicators.
- Notify affected financial institutions and follow local reporting requirements if fraud or regulated data exposure is suspected.
For campaigns delivered through deceptive authentication or document workflows, also review the Protego OAuth device-code phishing guide. The delivery mechanism differs, but both cases require token revocation and lateral-phishing checks after credential exposure.
Frequently asked questions
What is Ousaban?
Ousaban is a Windows banking Trojan with credential theft, keylogging, screenshot, clipboard, and remote-control capabilities. The July 2026 FortiGuard analysis describes a campaign aimed mainly at users in Spain and Portugal.
How does the current Ousaban campaign begin?
The observed chain begins with a phishing PDF that leads to a malicious webpage. The site filters visitors, delivers a VBS file to qualifying victims, and uses that script to retrieve an MSI downloader and the final malware payload.
Why can a normal sandbox miss this campaign?
The delivery site applies geofencing and environmental checks. A sandbox outside Spain or Portugal, or one that exposes obvious automation traits, may not receive the malicious VBS stage even when the URL is dangerous to the intended victim.
Which indicators should defenders block?
FortiGuard published domains, IP addresses, and file hashes in its report. Block and hunt those indicators, but do not stop there: the campaign uses changing domains and decoy infrastructure, so process ancestry, script execution, side-loading, injection, and beaconing detections are more durable.
What should an organization do after confirmed Ousaban execution?
Isolate the endpoint, preserve evidence, revoke sessions, reset credentials from a clean system, and inspect financial and business accounts for unauthorized changes. Hunt across the environment for the same scripts, installers, process chain, hashes, and network behavior.
Sources and limitations
The factual campaign details, commands, indicators, and Fortinet detection names in this article come from the FortiGuard Labs campaign analysis published July 1, 2026. Protego independently organized the defensive recommendations and ATT&CK mapping. Public reporting currently provides one detailed primary technical source, so claims not present in that source have been excluded.
Microsoft Cloud Solution Architect
Cloud Solution Architect with deep expertise in Microsoft Azure and a strong background in systems and IT infrastructure. Passionate about cloud technologies, security best practices, and helping organizations modernize their infrastructure.