A Brazilian banking trojan called Ousaban is going after Windows users who bank in Spain and Portugal. Fortinet’s FortiGuard Labs identified the campaign in May 2026.
It opens with a phishing PDF disguised as a corrupted file, checks that the visitor is really in Spain or Portugal, and hides its real payload inside an image.
The goal is the usual one: steal banking logins and take over accounts.
Ousaban sits quietly on a Windows PC and waits for the user to open a banking site. When a target bank loads, it can capture screenshots and keystrokes, tamper with the clipboard, show fake messages, and give the attacker remote control.
Together, those are the tools for hijacking a live banking session and taking over an account. Ousaban watches for more than two dozen banks across the two countries, among them Banco Santander, BBVA, CaixaBank, Bankinter, and Caixa Geral de Depósitos.
How the attack works
It starts with a phishing PDF disguised as a corrupted file. The PDF shows a prompt telling the victim to press an “Atualizar” (Update) button, which opens a malicious webpage.
Hidden JavaScript in the PDF can open the same page on its own. The page poses as a tax-document and installer portal while screening visitors. Fortinet says an earlier version ran these checks in the browser: it looked at the visitor’s IP address, language, and time zone, blocked anyone coming through a VPN, and filtered out automated security tools by checking details like screen size and installed fonts.
The current version moves that screening to the operator’s server, so the exact rules are hidden. Either way, visitors outside Spain or Portugal get a Spanish “access denied” notice instead of malware.
Clear the check, and the download starts. A script downloads an image that looks like a PDF icon but hides a ZIP file inside, a trick called steganography. The script unpacks Ousaban from that ZIP, runs it, then deletes the image, the ZIP, and itself to leave less behind. Once running, Ousaban adds a registry entry named Financeiro (Portuguese for “finance”) so it starts up with Windows.
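The image-carrying-a-ZIP step above is detectable on disk: a ZIP appended to an image leaves its own structures (local file headers, the end-of-central-directory record) after the image's end marker. The following is an added example, not Fortinet's tooling or anything from the campaign; it builds a constructed PNG-shell-plus-harmless-ZIP sample and scans it the way a defender would scan downloaded "icons".

```python
import io
import zipfile
from typing import Optional

# Constructed sample pieces: a minimal PNG shell (signature + IEND chunk), no real pixels.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"\x00\x00\x00\x00IEND\xaeB`\x82"
JPEG_EOI = b"\xff\xd9"
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"


def build_sample_carrier() -> bytes:
    """Constructed sample: a stub PNG with a real (harmless) ZIP appended after IEND."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("dropped.bin", "placeholder bytes, not a real payload")
    return PNG_SIGNATURE + PNG_IEND + buf.getvalue()


def image_end_offset(data: bytes) -> Optional[int]:
    """Offset just past the image's own end marker (PNG IEND or the first JPEG EOI)."""
    if data.startswith(PNG_SIGNATURE):
        i = data.find(PNG_IEND)
        return i + len(PNG_IEND) if i != -1 else None
    if data.startswith(b"\xff\xd8"):
        i = data.find(JPEG_EOI)  # an EXIF thumbnail can carry its own EOI; treat as a hint only
        return i + len(JPEG_EOI) if i != -1 else None
    return None


def find_embedded_zip(data: bytes) -> Optional[dict]:
    """Report a parseable ZIP archive carried inside image bytes, or None if there is none."""
    start = data.find(ZIP_LOCAL_HEADER)
    eocd = data.rfind(ZIP_EOCD)
    if start == -1 or eocd == -1 or eocd < start:
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data[start:])) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        return None
    end = image_end_offset(data)
    return {
        "zip_offset": start,
        "image_end": end,
        # Archive data sitting after the image's end marker is a strong polyglot signal.
        "after_image_end": end is not None and start >= end,
        "members": members,
    }
```

Feed `find_embedded_zip` the bytes of any image fetched by a script or dropped in a user's temp folder; a non-None result with `after_image_end` set is worth alerting on, and the member list tells you what was carried.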
Ousaban’s command server, the machine that controls it, is deliberately hard to find. It carries a Pastebin link that points to one server address, but Fortinet says that address is a decoy.
Hiding these details in web services is an old Ousaban habit: earlier campaigns stashed the configuration in Google Docs. This time, the real server moves every day. The malware reads the current date off a Google page, builds a web address from that date plus a fixed secret, and looks it up. Blocking yesterday’s address does little good.
A familiar Brazilian playbook
None of this is new. Ousaban, also tracked as Javali, is one of a group of Brazilian banking trojans that Kaspersky labeled years ago as the “Tetrade,” alongside Grandoreiro, Guildma, and Melcoz.
These families started in Brazil and pushed into Spain and Portugal, borrowing code from each other as they went;…