Ousaban Banking Trojan Targets Spanish and Portuguese Windows Users with Sophisticated Evasion Tactics
A Brazilian banking trojan dubbed **Ousaban** has resurfaced, specifically targeting Windows users in Spain and Portugal. This latest campaign, identified by **Fortinet's FortiGuard Labs**, employs advanced phishing, steganography, and dynamic command-and-control infrastructure to bypass traditional security measures and steal banking credentials.

A Brazilian banking trojan known as **Ousaban** is actively targeting Windows users who bank in Spain and Portugal. **Fortinet's FortiGuard Labs** identified this ongoing campaign in May 2026, revealing a sophisticated attack chain designed to evade detection and compromise financial accounts.
The attack typically initiates with a phishing PDF disguised as a corrupted file. This document then performs checks to confirm the victim's location within Spain or Portugal before delivering its hidden payload, cleverly concealed within an image file.
The primary objective of **Ousaban** is to steal banking login credentials and ultimately take over target accounts.
Once installed, **Ousaban** operates stealthily on a Windows PC, waiting for the user to access a banking website. When a target bank's site is loaded, the trojan can capture screenshots and keystrokes, tamper with the clipboard, display fake messages, and grant the attacker remote control. These combined capabilities enable the threat actor to hijack live banking sessions and compromise accounts. **Ousaban** monitors for over two dozen banks across the two countries, including prominent institutions like **Banco Santander**, **BBVA**, **CaixaBank**, **Bankinter**, and **Caixa Geral de Depósitos**.
## How the Attack Works
The attack begins with a phishing PDF, crafted to appear as a corrupted file. The PDF prompts the victim to click an "Atualizar" (Update) button, which then opens a malicious webpage. Hidden JavaScript within the PDF can also automatically open this page.
The malicious webpage masquerades as a tax-document and installer portal while simultaneously screening visitors. Earlier versions of this campaign, according to **Fortinet**, performed these checks client-side, examining the visitor's IP address, language, and time zone. It also blocked users connecting via **VPN** and filtered out automated security tools by checking details like screen size and installed fonts.
The current iteration moves this screening process to the operator's server, obscuring the precise rules. Regardless of the method, visitors outside of Spain or Portugal receive a Spanish "access denied" notice instead of the malware.
If the checks are cleared, the download process begins. A script downloads an image file that visually resembles a PDF icon but secretly conceals a **ZIP** archive within it, a technique known as steganography. The script then extracts **Ousaban** from the **ZIP** file, executes it, and subsequently deletes the image, the **ZIP** file, and itself to minimize forensic traces. Once running, **Ousaban** establishes persistence by adding a registry entry named 'Financeiro' (Portuguese for "finance") to ensure it starts with Windows.
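As an added illustration, not code from **Fortinet**'s report or from this article, the following Python inspects an image file for the container shape described above: a valid PNG or JPEG whose bytes after the terminal marker (IEND or EOI) form a ZIP archive. The sample PNG and the appended ZIP it builds are constructed here purely as test input; the member name `payload.exe` is a placeholder, not an indicator from the report.

```python
import io
import struct
import zipfile
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"


def png_end_offset(data):
    """Walk PNG chunks and return the offset just past IEND, or None if the chunk list is broken."""
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length           # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            return pos
    return None


def jpeg_end_offset(data):
    """Walk JPEG segments (skipping entropy-coded scan data) and return the offset just past EOI."""
    pos, n = 2, len(data)
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:           # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:           # EOI: the image proper ends here
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                 # standalone markers carry no length field
            continue
        if pos + 4 > n:
            return None
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == 0xDA:           # SOS: scan data runs until a marker that is not 0xFF00 stuffing or RSTn
            while pos + 1 < n and not (data[pos] == 0xFF and data[pos + 1] != 0x00
                                       and not 0xD0 <= data[pos + 1] <= 0xD7):
                pos += 1
    return None


def image_end_offset(data):
    if data.startswith(PNG_MAGIC):
        return png_end_offset(data)
    if data.startswith(JPEG_MAGIC):
        return jpeg_end_offset(data)
    return None


def inspect_image(data):
    """Report bytes trailing the image and, if that trailer is a ZIP archive, its member names.

    zipfile tolerates data prepended to an archive (self-extractor support), so the whole
    file is handed to it: a file that parses as both an image and a ZIP is the polyglot
    shape the article describes.
    """
    end = image_end_offset(data)
    if end is None:
        return {"is_image": False, "trailing_bytes": 0, "zip_members": []}
    trailer = data[end:]
    members = []
    if b"PK" in trailer:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            members = []
    return {"is_image": True, "trailing_bytes": len(trailer), "zip_members": members}


def build_minimal_png():
    """Constructed 1x1 greyscale PNG used only as sample input."""
    def chunk(ctype, body):
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x80")     # filter byte + one grey pixel
    return PNG_MAGIC + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def build_polyglot_sample():
    """Constructed test artefact: the PNG above followed by a ZIP holding a placeholder file name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.exe", b"placeholder bytes, not an executable")
    return build_minimal_png() + buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", build_minimal_png()), ("polyglot", build_polyglot_sample())):
        print(label, inspect_image(blob))
```

A non-zero `trailing_bytes` on its own is only a weak signal (metadata writers sometimes leave padding), but a trailer that the ZIP reader accepts is the check worth alerting on at a mail or web gateway, and it works on the raw bytes, so it is unaffected by the server-side geofencing that keeps sandboxes from ever seeing the payload.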
**Ousaban**'s command-and-control (C2) server is designed to be deliberately elusive. It initially uses a **Pastebin** link that points to a decoy server address, as reported by **Fortinet**.

Hiding these details within web services is a characteristic behavior of **Ousaban**; previous campaigns stored configuration details in **Google Docs**. In this latest campaign, the actual C2 server address changes daily. The malware retrieves the current date from a **Google** page, constructs a web address using that date combined with a fixed secret, and then resolves it. This dynamic approach renders blocking yesterday's address largely ineffective.
## A Familiar Brazilian Playbook
Many of these tactics are not new. **Ousaban**, also tracked as **Javali**, belongs to a family of Brazilian banking Trojans that **Kaspersky** previously labeled as the "Tetrade," alongside **Grandoreiro**, **Guildma**, and **Melcoz**.
These malware families originated in Brazil and subsequently expanded their operations into Spain and Portugal, often sharing code and techniques. For instance, **Ousaban**'s string encryption scheme is identical to that used by another family, **Casbaneiro**.
**Grandoreiro**, arguably the most well-known of this group, exemplifies the resilience of this playbook. It survived an **Interpol**-coordinated takedown operation in January 2024 but resurfaced within months. Its loaders frequently relied on similar tactics, such as hiding downloads behind PDF-like lures and employing country-specific checks.
**Grandoreiro** remains active against Iberian targets, with a campaign reported this year that continued to hit Portuguese banks. **Fortinet** has linked the same infrastructure to **Ousaban** activity in late 2025, which utilized alternative entry points, including a scam dubbed "ClickFix." This scam tricks victims into pasting malicious commands themselves, believing they are rectifying an error.
## What to Do
The initial line of defense against this threat is recognizing the lure. Any PDF or email claiming a file is corrupted and prompting you to press "Update" should be treated as malicious. The same caution applies to prompts instructing users to paste a command to fix an "error." Be aware that the malicious page can even open automatically from the PDF.
Exercise extreme suspicion with unexpected invoice, *factura*, or tax-document attachments, especially if you operate in Spain or Portugal.
Due to the server-side screening, automated sandboxes that simply fetch the link may only receive the Spanish error page rather than the actual malware. Therefore, relying solely on gateway detonation may not be sufficient. This campaign exclusively targets Windows operating systems.
**Fortinet**'s report provides a list of domains, IP addresses, and file hashes that should be blocked. Defenders should also monitor for the 'Financeiro' registry Run key and files dropped to `C:\SysMain_5874288`. **Fortinet** states that its **FortiGuard** antivirus flags the samples, and its **FortiMail** product identifies the phishing emails.
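The two host indicators the article names, the 'Financeiro' Run value and the `C:\SysMain_5874288` drop directory, can be turned into a simple detection over endpoint telemetry. The Python below is an added example, not from **Fortinet** or the article: it runs over constructed events shaped like Sysmon's registry-set (Event ID 13) and file-create (Event ID 11) records. The SID, process paths and file names in the samples are made up for the demonstration, and treating any process image that runs out of the drop directory as a hit is an assumption made here, not a detail from the report.

```python
import re

# Indicators named in the article's summary of Fortinet's report
RUN_VALUE_NAME = "Financeiro"
DROP_DIR = r"C:\SysMain_5874288"

# Match a Run value named Financeiro under HKLM or any HKU/HKCU hive
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" + re.escape(RUN_VALUE_NAME) + r"$",
    re.IGNORECASE,
)

# Constructed sample events using Sysmon field names; values are invented for the example
SAMPLE_EVENTS = [
    {"EventID": 13,
     "Image": r"C:\SysMain_5874288\update.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Financeiro",
     "Details": r"C:\SysMain_5874288\update.exe"},
    {"EventID": 11,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\SysMain_5874288\update.exe"},
    {"EventID": 13,
     "Image": r"C:\Program Files\Vendor\app.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
    {"EventID": 11,
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\ana\Documents\factura.pdf"},
]


def _under_drop_dir(path):
    """Case-insensitive check that a path lives inside the drop directory."""
    return path.lower().startswith(DROP_DIR.lower() + "\\")


def match_ousaban_indicators(events):
    """Return (indicator, value) pairs for every event matching a host indicator."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            hits.append(("run_key_financeiro", ev["TargetObject"]))
        elif eid == 11 and _under_drop_dir(ev.get("TargetFilename", "")):
            hits.append(("dropped_file_sysmain", ev["TargetFilename"]))
        # Assumption for this example: a process image executing from the drop directory is also flagged
        if _under_drop_dir(ev.get("Image", "")):
            hits.append(("process_from_drop_dir", ev["Image"]))
    return hits


if __name__ == "__main__":
    for kind, value in match_ousaban_indicators(SAMPLE_EVENTS):
        print(f"{kind}: {value}")
```

The registry match is anchored on the value name rather than the full key path so that it fires for both per-user (HKU/HKCU) and machine-wide Run keys; a real deployment would feed the same logic with events from the SIEM rather than the inline list.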
While the **Ousaban** trojan itself is not new, and its custom encryption has historically proven effective against detection, the newer aspects of this campaign lie in its sophisticated wrapper: geofencing, a hidden payload, and a throwaway daily C2 address. These elements are meticulously designed to deliver the malware exclusively to genuine victims in the targeted countries while avoiding detection by security researchers.