
Ousaban


MITRE ATT&CK

Techniques & procedures

23 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1566 Phishing (Evidence: 2)

It starts with a phishing PDF disguised as a corrupted file. The PDF shows a prompt telling the victim to press an "Atualizar" (Update) button, which opens a malicious webpage.

T1566.002 Spearphishing Link (Evidence: 1)

The Atualizar button, which translates to "Update" in English, links to a malicious webpage.

Execution

4 techniques
T1059.005 Visual Basic (Evidence: 1)

If the user environment passes the server-side check, a VBS file is downloaded. The VBS file contains numerous benign function calls. The malicious code downloads a steganographic image that resembles a PDF icon.

T1059.007 JavaScript (Evidence: 1)

The PDF also includes JavaScript code that displays an error message and then accesses the same webpage. This JavaScript code is hex-escaped to evade detection.

T1204 User Execution (Evidence: 2)

Fortinet links the same infrastructure to Ousaban activity in late 2025 that used other entry points, including "ClickFix," a scam that gets the victim to paste a malicious command themselves while thinking they are fixing an error.

T1204.002 Malicious File (Evidence: 2)

It opens with a phishing PDF disguised as a corrupted file... The PDF shows a prompt telling the victim to press an "Atualizar" (Update) button, which opens a malicious webpage. Hidden JavaScript in the PDF can open the same page on its own.

Persistence

1 technique
T1547.001 Registry Run Keys / Startup Folder (Evidence: 2)

Once running, Ousaban adds a registry entry named Financeiro (Portuguese for "finance") so it starts up with Windows.

Privilege Escalation

2 techniques
T1055 Process Injection (Evidence: 1)

The malicious payload involves a DLL file that is run via DLL side-loading or process injection.

T1547.001 Registry Run Keys / Startup Folder (Evidence: 2)

Once running, Ousaban adds a registry entry named Financeiro (Portuguese for "finance") so it starts up with Windows.

Stealth

7 techniques
T1027 Obfuscated Files or Information (Evidence: 1)

This JavaScript code is hex-escaped to evade detection.

T1027.003 Steganography (Evidence: 2)

A script downloads an image that looks like a PDF icon but hides a ZIP file inside, a trick called steganography.

T1055 Process Injection (Evidence: 1)

The malicious payload involves a DLL file that is run via DLL side-loading or process injection.

T1070 Indicator Removal (Evidence: 1)

After execution, the ZIP file, image file, and VBS file are deleted to minimize the footprint.

T1070.004 File Deletion (Evidence: 1)

The script unpacks Ousaban from that ZIP, runs it, then deletes the image, the ZIP, and itself to leave less behind.

T1497 Virtualization/Sandbox Evasion (Evidence: 1)

Additionally, it evaluates user behavior and device characteristics, such as screen resolution, browser rendering, and font enumeration, to identify and block automated tools, such as sandboxes and crawlers, that tend to have limited browser capabilities.

T1497.001 System Checks (Evidence: 2)

It looked at the visitor's IP address, language, and time zone, blocked anyone coming through a VPN, and filtered out automated security tools by checking details like screen size and installed fonts.

Credential Access

1 technique
T1056.001 Keylogging (Evidence: 2)

When a target bank loads, it can capture screenshots and keystrokes, tamper with the clipboard, show fake messages, and give the attacker remote control.

Discovery

2 techniques
T1497 Virtualization/Sandbox Evasion (Evidence: 1)

Additionally, it evaluates user behavior and device characteristics, such as screen resolution, browser rendering, and font enumeration, to identify and block automated tools, such as sandboxes and crawlers, that tend to have limited browser capabilities.

T1497.001 System Checks (Evidence: 2)

It looked at the visitor's IP address, language, and time zone, blocked anyone coming through a VPN, and filtered out automated security tools by checking details like screen size and installed fonts.

Lateral Movement

1 technique
T1021.005 VNC (Evidence: 1)

When a target bank loads, it can capture screenshots and keystrokes, tamper with the clipboard, show fake messages, and give the attacker remote control.

Collection

3 techniques
T1056.001 Keylogging (Evidence: 2)

When a target bank loads, it can capture screenshots and keystrokes, tamper with the clipboard, show fake messages, and give the attacker remote control.

T1113 Screen Capture (Evidence: 2)

When a target bank loads, it can capture screenshots and keystrokes, tamper with the clipboard, show fake messages, and give the attacker remote control.

T1115 Clipboard Data (Evidence: 2)

When a target bank loads, it can capture screenshots and keystrokes, tamper with the clipboard, show fake messages, and give the attacker remote control.

Command and Control

5 techniques
T1071 Application Layer Protocol (Evidence: 1)

If the hostname is resolvable, Ousaban establishes a connection to the C2 server. Below is the basic command list:

#Convite#  Collect user information
#Handle#   Assign a victim ID
#ON-LINE#  Heartbeat

T1102 Web Service (Evidence: 1)

It carries a Pastebin link that points to one server address, but Fortinet says that address is a decoy. Hiding these details in web services is an old Ousaban habit: earlier campaigns stashed the configuration in Google Docs.

T1219 Remote Access Tools (Evidence: 1)

#Iniciar# starts screenshot capture and initializes various functions for further actions, such as controlling the mouse and keyboard

T1568 Dynamic Resolution (Evidence: 2)

This time, the real server moves every day. The malware reads the current date off a Google page, builds a web address from that date plus a fixed secret, and looks it up.

T1568.001 Fast Flux DNS (Evidence: 1)

The hostnames belong to a DDNS-managed domain. The subdomains consist of a hard-coded string "aki" and the first eight characters of an MD5 hash.
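As an added example (not code from Mallory or from the Fortinet report it cites), a small Python hunt over constructed sample telemetry for the two host-observable artefacts this page names: the "aki" + eight-hex-character subdomain under a DDNS zone (T1568.001 above) and the Run-key value named Financeiro (T1547.001 under Persistence). The DDNS zone name and both log formats are assumptions.

```python
import re

# Constructed sample telemetry (not from the report). DNS lines: "<ts> <client> <qname>".
DNS_LOG = """\
2025-11-03T09:12:01Z 10.0.0.15 www.google.com
2025-11-03T09:12:04Z 10.0.0.15 aki3f7a9c1e.ddns-provider.example
2025-11-03T09:12:07Z 10.0.0.22 akismet.example.net
2025-11-03T09:12:09Z 10.0.0.15 aki3F7A9C1.ddns-provider.example
"""
# Constructed registry events, pipe-separated: "<ts>|<process>|<key>|<value name>".
REG_LOG = """\
2025-11-03T09:12:30Z|C:\\Users\\u\\AppData\\Roaming\\x.exe|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|Financeiro
2025-11-03T09:13:00Z|C:\\Program Files\\Vendor\\updater.exe|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|VendorUpdater
"""

# The DDNS zone is a placeholder assumption; this page does not name the real one.
DDNS_ZONE = "ddns-provider.example"
# Label shape from the report: hard-coded "aki" + first eight MD5 hex characters.
AKI_LABEL = re.compile(r"^aki[0-9a-f]{8}$")
RUN_KEY_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\run"

def suspicious_dns(log: str) -> list[str]:
    """Return query names whose leftmost label is 'aki'+8 hex chars under DDNS_ZONE."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        qname = parts[2].rstrip(".").lower()
        first, _, zone = qname.partition(".")
        if zone == DDNS_ZONE and AKI_LABEL.match(first):
            hits.append(qname)
    return hits

def suspicious_run_keys(log: str) -> list[tuple[str, str]]:
    """Return (process, value name) for Run-key values named 'Financeiro'."""
    hits = []
    for line in log.splitlines():
        fields = line.split("|")
        if len(fields) != 4:
            continue
        _, process, key, value = fields
        if key.lower().endswith(RUN_KEY_SUFFIX) and value.lower() == "financeiro":
            hits.append((process, value))
    return hits

if __name__ == "__main__":
    for q in suspicious_dns(DNS_LOG):
        print("DGA-style DDNS query:", q)
    for proc, val in suspicious_run_keys(REG_LOG):
        print("Ousaban-style Run key:", val, "written by", proc)
```

The seven-character label and the unrelated "akismet" host are deliberately left out of the matches, so the pattern stays tight enough to be useful as a hunt query rather than a noise source.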

INDICATORS OF COMPROMISE

IOCs tracked for this family

30 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
9 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
20 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
1 tracked

Other indicator types observed in public reporting.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (30)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (23)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.