Ousaban Banking Trojan Uses Daily-Changing DDNS Domains to Hide C2 Infrastructure
In May 2026, researchers at FortiGuard Labs uncovered a sophisticated new campaign delivering the Ousaban banking Trojan to users in Spain and Portugal. Originally known for targeting Brazil, this lat

In May 2026, researchers at FortiGuard Labs uncovered a sophisticated new campaign delivering the Ousaban banking Trojan to users in Spain and Portugal. Originally known for targeting Brazil, this latest iteration of Ousaban relies on a complex infection chain to steal financial data. The attack begins with a phishing PDF disguised as a corrupted file. […] The post Ousaban Banking Trojan Uses Daily-Changing DDNS Domains to Hide C2 Infrastructure appeared first on Cyber Security News.
In May 2026, researchers at FortiGuard Labs uncovered a sophisticated new campaign delivering the Ousaban banking Trojan to users in Spain and Portugal. Originally known for targeting Brazil, this latest iteration of Ousaban relies on a complex infection chain to steal financial data. The attack begins with a phishing PDF disguised as a corrupted file. When a victim clicks the embedded “Update” button, they are directed to a malicious webpage that sets the rest of the attack in motion. The threat actors use strict geofencing to ensure their malware only reaches intended targets. When a victim lands on the malicious webpage, a server-side check evaluates their IP address, time zone, and language. If the user is outside Spain or Portugal, or is using a VPN, the server returns an “Access denied” PDF. Handling these checks on the server side helps hide the attackers’ criteria from security analysts. Ousaban Hides C2 Daily If the victim passes the environment check, a VBScript is downloaded to their machine. This script uses steganography to hide its tracks by downloading an image file that appears to be a standard PDF icon but actually contains a hidden ZIP archive. The script extracts the ZIP to unleash the final Ousaban payload, utilizing DLL side-loading to execute the malware. Once active, Ousaban establishes persistence by creating a registry run key named “Financeiro” and begins monitoring the victim’s web browser for specific banking portals. Attack flow (Source: fortinet) Ousaban’s most notable feature in this campaign is its ability to hide its command and control (C2) infrastructure. Instead of relying on static IP addresses, the malware generates a new Dynamic DNS (DDNS) hostname every single day. According to Fortinet research, Ousaban scrapes the current date from a Google Automated Queries page. It combines this date with a hard-coded text string and generates an MD5 hash. The daily hostname is then built from the prefix “aki” and the first 8 characters of that hash. By constantly shifting its domains, the Trojan easily evades standard blocklists. The attackers even set up a decoy Pastebin post containing a private IP address to distract threat hunters. Screenshot of the phishing PDF (Source: fortinet) When communicating with its true C2 server, Ousaban encrypts its traffic using a custom XOR algorithm with a rotating base offset. For instance, if the XOR result of a byte is smaller than the current offset, the algorithm mathematically adjusts it by adding 0xFF0xFF0xFF to the difference. This inclusion of a random value ensures that identical heartbeat messages look completely different in network logs, frustrating automated detection tools. Indicators of Compromise IOC TypeIndicatorDomainfaturanova[.]xyzDomainfacture-in[.]pages[.]devDomainfacture-arsys[.]duckdns[.]org Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google. The post Ousaban Banking Trojan Uses Daily-Changing DDNS Domains to Hide C2 Infrastructure appeared first on Cyber Security News.
Join the Discussion
Comments coming soon. Follow us on social media for real-time discussions.


