FortiGuard Labs identified an ongoing Ousaban banking Trojan campaign targeting users in Spain and Portugal, delivered via phishing PDFs that redirect victims to geofenced malicious webpages. The attack chain involves a VBS script extracting a ZIP payload from a steganographic image, with the final Ousaban EXE establishing persistence via registry Run keys and communicating with C2 servers resolved through daily-changing DDNS hostnames. The malware targets over 25 Spanish and Portuguese financial institutions and employs a custom encryption algorithm shared with the Casbaneiro family to evade detection.