惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Microsoft Azure Blog
Microsoft Azure Blog
Cloudbric
Cloudbric
I
InfoQ
V
V2EX
博客园_首页
The Register - Security
The Register - Security
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
S
Secure Thoughts
Vercel News
Vercel News
Forbes - Security
Forbes - Security
云风的 BLOG
云风的 BLOG
PCI Perspectives
PCI Perspectives
L
LINUX DO - 最新话题
D
DataBreaches.Net
H
Hacker News: Front Page
Application and Cybersecurity Blog
Application and Cybersecurity Blog
B
Blog RSS Feed
A
About on SuperTechFans
N
News and Events Feed by Topic
Apple Machine Learning Research
Apple Machine Learning Research
Help Net Security
Help Net Security
Attack and Defense Labs
Attack and Defense Labs
N
Netflix TechBlog - Medium
Spread Privacy
Spread Privacy
F
Full Disclosure
Recorded Future
Recorded Future
AWS News Blog
AWS News Blog
博客园 - 【当耐特】
The Cloudflare Blog
T
Threatpost
T
Tor Project blog
Google DeepMind News
Google DeepMind News
C
CXSECURITY Database RSS Feed - CXSecurity.com
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Recent Announcements
Recent Announcements
M
MIT News - Artificial intelligence
A
Arctic Wolf
C
Check Point Blog
Stack Overflow Blog
Stack Overflow Blog
T
Threat Research - Cisco Blogs
Security Archives - TechRepublic
Security Archives - TechRepublic
Hacker News - Newest:
Hacker News - Newest: "LLM"
WordPress大学
WordPress大学
Cyberwarzone
Cyberwarzone
小众软件
小众软件
C
Cyber Attacks, Cyber Crime and Cyber Security
P
Proofpoint News Feed
Security Latest
Security Latest
The Last Watchdog
The Last Watchdog

Fortinet All Blogs

The TTF Trap: A Global Campaign of a Low-Detection Lua Loader | FortiGuard Labs Helping Law Enforcement Keep Pace with the Future of Cybercrime | Fortinet Blog FortiEndpoint Expands Security for the AI Era | Fortinet Blog Cyber Attacks Leveraging AI Require Behavior-First Security Training, Not Simply Better Awareness | Fortinet Blog The AI Era Needs a New SASE. Here’s What That Actually Looks Like. | Fortinet Blog Update on Fortinet Use of Frontier AI | CISO Collective Fortinet Supports INTERPOL Operation CyberProtect III Targeting Online Exploitation From CI/CD to Cloud Data: How Shai Hulud Persistence Leads to Redshift Breach | FortiGuard Labs Fortinet Launches Its Product Carbon Footprint Calculator FortiSASE Training Builds Skills for Secure Access Success | Fortinet Blog Analysis of Reported Credential Compromise of FortiGate Devices | Fortinet Blog Teaching Cybersecurity the Way It’s Actually Used | Fortinet Blog Introducing FortiSOC: One Platform, Total Control | Fortinet Blog Public-Private Cooperation Is Critical to AI-Driven Cyber Defense | Fortinet Advancing Threat-Informed Defense through Fortinet’s Collaboration with MITRE CTID | Fortinet Threat Actors Weaponize AI Hype to Deliver AsyncRAT | FortiGuard Labs Fortinet Achieves 1 Million People Trained in Cybersecurity Goal Ahead of Schedule | Fortinet Blog While OT Security Is Maturing, Risk Is Not Slowing Down | Fortinet Blog AI Policy Meets Operational Reality: White House AI Cybersecurity Order Calls for Public-Private Coordination | Fortinet Blog Executive Q&A: Strong Q1 Momentum Driven by Differentiated Innovation and Customer Demand | Fortinet Fortinet Earns AV-Comparatives Certification for EDR Detection Visibility | Fortinet Blog Cybercriminals Are Targeting the FIFA World Cup 2026 | FortiGuard Labs Fortinet Achieves AV-Comparatives Certification for Process Injection Protection | Fortinet Blog Inside the Cross-Platform Propagation of a New Gafgyt Variant C0XMO | FortiGuard Labs Battling AI-Based Threats with FortiNDR | Fortinet Blog Phishing Campaign Deploys JavaScript-Driven PureLogs Variant to Steal Sensitive Data Defending Critical Infrastructure: Why OT Security Demands a Threat-Informed Approach | CISO Collective Misconfigured, Enrolled and Dormant: Anatomy of a P2Pinfect Kubernetes Compromise | FortiGuard Labs Fortinet Expands Cybersecurity Investment in the United Arab Emirates | Fortinet Blog PureLogs: Delivery via PawsRunner Steganography | FortiGuard Labs The Future of Connectivity | Fortinet Blog Fortinet at the World Economic Forum: Frontier AI models, AI-Driven Threats, Deepfakes, and the Future of Cyber Defense | Fortinet Blog The Fortinet 2025 Sustainability Report | Fortinet Blog Supercharged Security: Security in the Time of Mythos | CISO Collective Tracking Mirai Variant Nexcorium: A Vulnerability-Driven IoT Botnet Campaign | FortiGuard Labs AI Security Is an Architectural Decision | Fortinet Blog Fortinet Training Institute Wins Industry Accolades | Fortinet Blog Shadow AI: The Invisible Risk Growing Inside Your Organization | Fortinet Blog Leading by Example in Sustainability: Fortinet Expands Global EPD Certification | Fortinet Blog When Cybercrime Becomes an Industry | Fortinet Blog FortiOS 8.0: Redefining Secure Networking in the AI and Quantum Era | Fortinet Blog Securing the Physical World as It Comes Online | Fortinet Blog Why the 2026 AI Cybersecurity Summit Matters | Fortinet Blog DPRK-Related Campaigns with LNK and GitHub C2 | FortiGuard Labs AI Is Changing Application Threats Faster Than Teams Can Adapt | Fortinet Blog Announcing the Fortinet Training Institute’s 2026 ATC Award Winners | Fortinet Blog Disrupting Cybercrime Networks at Scale Requires Sustained Global Collaboration | Fortinet Blog
Analysis of Ongoing Ousaban Attacks Targeting the Iberian Peninsula | FortiGuard Labs
Rachael Liao · 2026-07-01 · via Fortinet All Blogs

Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: The stolen information can be used for future attacks
Severity Level: High

In May 2026, FortiGuard Labs identified an attack targeting users in Spain and Portugal involving the banking Trojan Ousaban. This malware has been active in Brazil and is spread through an MSI downloader. The malicious payload involves a DLL file that is run via DLL side-loading or process injection.

In this campaign, the threat actor primarily targets users in Spain and Portugal. Figure 1 shows how the attack unfolds. The phishing PDF tricks victims into visiting a malicious webpage that scans the user's environment. If they are in Spain or Portugal, the webpage downloads a VBS file to kickstart the next part of the attack. The final payload is an EXE file that is dropped onto the victim’s computer and executed by the VBS script.

Figure 1: Attack flow

PDF

As shown in Figure 2, the phishing PDF is disguised as a corrupted file and contains a deceptive message box that prompts the victim to update it. The Atualizar button, which translates to "Update" in English, links to a malicious webpage. The PDF also includes JavaScript code that displays an error message and then accesses the same webpage. This JavaScript code is hex-escaped to evade detection.

Figure 2: Screenshot of the phishing PDF

Figure 3: The JavaScript code included in the PDF file

HTML

Figure 4: The malicious webpage

The second phase of the attack involves a webpage that masquerades as a legitimate source of tax documents and system installers. A previous version of the webpage used detailed code for enforcing access controls. The webpage checks IP and device data to block unauthorized users and ensure that files are downloaded only by the intended recipients. It verifies language, time zone, and IP details to limit access to users in Spain and Portugal. To prevent bypassing this geo-restriction, the code also blocks IP addresses linked to VPNs by looking for keywords such as 'vpn' in the organization info.

Additionally, it evaluates user behavior and device characteristics, such as screen resolution, browser rendering, and font enumeration, to identify and block automated tools, such as sandboxes and crawlers, that tend to have limited browser capabilities.

Figure 5: Part of the anti-analysis code

It has a 50% chance of showing an error message and a 50% chance of downloading the fake file if the user doesn’t pass the environment check.

Figure 6: Malware behavior when the environment check fails

In this new version, anti-analysis code is not used. Environmental information is sent to the threat actor, and a PDF containing a Spanish message that translates to "Access denied. Service not available from your country" is downloaded from the webpage if access does not originate from Spain or Portugal. By performing the environment check on the server side, the threat actor obscures specific indicators, making it harder for analysts to identify the criteria used in the check.

VBS

If the user environment passes the server-side check, a VBS file is downloaded. The VBS file contains numerous benign function calls. The malicious code downloads a steganographic image that resembles a PDF icon. It extracts a ZIP file from the image and retrieves the Ousaban payload. The image and ZIP archive are dropped into the Temp folder, and the payload is dropped to C:\SysMain_5874288. After execution, the ZIP file, image file, and VBS file are deleted to minimize the footprint.

Figure 7: A ZIP file is appended to the image file

Once executed, Ousaban creates a registry value named Financeiro (meaning Finance in English) in the CurrentVersion\Run registry key to ensure persistence, and creates an empty file named maisum.dat, using its creation time as the installation timestamp. It then decrypts bank-related strings, which are subsequently used to check if the victim accesses a particular bank service. The list of banks is provided below:

Figure 8: Bank list

The strings are encrypted with a custom algorithm widely used by Latin American banking Trojans, including Casbaneiro.

Figure 9: Example of decryption

The first byte of the encrypted data is a random value generated during encryption and is used as the base offset. Encryption begins with the second byte. The second byte is XORed with the corresponding key character, and subtracting the base offset from the result yields the decrypted value. The second byte then becomes the new base offset, and the process continues with the next byte. If the XOR result of the current byte and the corresponding key byte is smaller than the current base offset, it adds 0xFF to the difference between the XOR result and the current base offset.

Including a random value ensures that identical plaintexts produce different ciphertexts, thereby increasing the complexity of analysis. For example, the screenshot below shows a Heartbeat packet: all data from the server is encrypted #ON-LINE#, and the client responses are #StrPingOK#, yet all encrypted data are different strings. 

Figure 10: Heartbeat packet

Previous variants stored configurations remotely. In this attack, Ousaban decrypts a Pastebin link that points to configuration data containing a private IP address.

Figure 11: The configuration data containing a private IP address

Ousaban does not use the Pastebin post to retrieve the actual IP address. Instead, it resolves the C2 IP address by looking up a hostname that changes daily when it detects the victim accessing specific banking services via a web browser. The hostnames belong to a DDNS-managed domain. The subdomains consist of a hard-coded string "aki" and the first eight characters of an MD5 hash. The MD5 hash is generated from a string that combines a hard-coded string "a9f8b7c6e5d4f3a2b1c8d7e6f5g4h3i2j1k9l8m7n6o5p4q" and the current date. To obtain the current date, Ousaban intentionally accesses the Google Automated Queries page and extracts the date from the page.

If the hostname is resolvable, Ousaban establishes a connection to the C2 server. Below is the basic command list:

#Convite#Collect user information
#Handle#Assign a victim ID
#ON-LINE#Heartbeat
#xyScree#Get screen resolution
#Iniciar#Start screenshot capture and remote control capability

Most of the traffic between the server and Ousaban is encrypted using the previously described algorithm. Some messages consist of a command followed by its argument. For example, the following is the response when Ousaban receives the #Convite# command. The command and its arguments are separated by <#>.

#Iniciar# starts screenshot capture and initializes various functions for further actions, such as controlling the mouse and keyboard, performing clipboard injection, implementing a keylogger, and creating a more realistic scenario to deceive the victim. The following is an example of the fake message generated in response to the C2 server's command.

Figure 12: An example of a fake message used to deceive the victim

Pastebin

The Pastebin post containing a private IP address appears to be a decoy designed to divert attention from the actual method used to retrieve the C2 IP address. However, it still provides useful threat-hunting context because Ousaban variants used in late 2025 also accessed the post. Below is the attack flow:

Figure 13: Attack flow of the attack that occurred in late 2025

There are two types of initial attack vectors. One uses a ClickFix technique to trick the victim into executing malicious code. The code downloads a VBS file, which then retrieves an MSI installer. The other uses a PDF file that directs the victim to a phishing webpage, where the MSI installer is delivered. The MSI installer contains a Rust-based downloader that downloads and executes the Ousaban payload.

Figure 14: The PDF file used in late 2025

Conclusion

The threat actor constantly advances and refines their malware delivery methods. In this campaign, they use various techniques to restrict access to the malware, such as geofencing and environmental checks, to limit exposure to the target audience. Apart from the distribution method, Ousaban depends on daily-changing domains to access the C2 IP and employs a traditional C2 setup as a decoy. Additionally, its encryption algorithm has been in use for a long time and remains effective at avoiding detection by security systems. 

This malware employs numerous advanced distribution and evasion methods. FortiGuard will continue to monitor these attack campaigns and provide appropriate protections as needed.

Fortinet Protections

The malware described in this report is detected and blocked by FortiGuard Antivirus as:

W32/Ousaban.EY!tr.spy
VBS/Agent.TPX!tr.dldr
PDF/Agent.STG!tr

FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is part of each of these solutions. As a result, customers who have these products with up-to-date protections are protected.

FortiMail recognizes the phishing email as “virus detected.” In addition, real-time anti-phishing provided by FortiSandbox embedded in Fortinet’s FortiMail, web filtering, and antivirus solutions provides advanced protection against both known and unknown phishing attempts.

The FortiGuard CDR (Content Disarm and Reconstruction) service, which runs on both FortiGate and FortiMail, can disarm the malicious macros in the document.

We also suggest that organizations complete Fortinet’s free NSE training module, FCF Fortinet Certified Fundamentals. This module is designed to help end users learn how to identify and protect themselves from phishing attacks.

FortiGuard IP Reputation and Anti-Botnet Security Service proactively block these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.

If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.

IOCs

Domains

faturanova[.]xyz
facture-in[.]pages[.]dev
facture-arsys[.]duckdns[.]org
faturanova[.]duckdns[.]org
controlfacturas[.]site

IPs

213[.]159[.]64[.]191
162[.]33[.]179[.]46
91[.]92[.]240[.]140
78[.]40[.]209[.]32

PDFs

6bc2e11b0917f47d0557288c4f0cb20bd7589185943b989a969fdc6d3704ee73
540ee1936e61d2344b5ebc93485589a351ec2f113a9b4940ae16f3baa4807392
e2f0c2d4c1552cd81fa012043e4a5ac832582b639b7b6b7eccc0c4802d7a8ad8
9d07a83cf89685651ea8992047ae694c24f6ddef193044357debd15ce07a64fe
4c9fdc2823da505ef339d43c6ad38499b7e3447736733e42b5ab6b1afcfd42aa
5e06af187b45476ade0d953e834fced6197d0a33ac60c2575877660e26ab15e8

HTML

65c1a998bac48e02b52b1c850cd500e9fb87521e21755c3a4a491243f5f9a700
9e81ade09cc18f0fc09d73e72d2e0bffad02f52fdcc26553e473cee8cabc1567
1e77992666acbbfa0d01fcefa9cc8fbdac291e0681b35745be27c6dfb159a375
fadbb8061715128bebecf7bc59132b6bb04fe8cc39b965aa5b8722dffe28d7e7

VBS

5a2ed557c357ba8f96f2d55a8a00695987806b5df766cd1dfdab0cbed111774a
19ac18a50abb48dc0ea9524850acfaec49359e6b3bcc67c6193c2d56da812c71
48723a33bab89f174750576f9a62da35b3b9e5ac31a5a8f1ce9859a1b35bf8b8

MSI

21b24f7ee1f6bdbbb670f0394d66009ee0daa8ced57048298da715e88f7a7cdd
d4eb4ff02df659fdeec17d36b77084627469623bb3c7d16383d257404b52d1c3

EXEs

ffb9eb47cc0cb2f43e04a10dc84df13d04bca1ebacbe47fad0b669728de2f59c
18fd38988d58dd930f5992d448cc09a9400c1eafba76b820b9a83239ac48cf4e
4ca2c863d740bb7022776dccabd8ae34bb9998768928042d76ebcf08984eefcb
5837e47198a20877e1b04b270c36d9194206ee38d4f32fe3151b3c3b396c4f0d
e6e78eb2e9bd41a4bc62f7ad54d095ea9813864bebe37172ae30a1afa631fe14