Ousaban Malware Targets Iberian Banks with Phishing PDFs and VBS Downloader
Key Takeaways
- The Ousaban banking trojan has launched a new campaign primarily targeting Windows users in Spain and Portugal.
- Attackers are using sophisticated phishing PDFs and a multi-stage infection process involving steganography and dynamic command and control infrastructure.
- The malware employs strict geofencing and anti-analysis techniques to evade detection by security researchers and automated systems.
- Ousaban aims to steal banking credentials and financial information by displaying fake login screens and logging user input.
A sophisticated new cyber campaign is actively compromising online banking sessions for users across Spain and Portugal. The attack chain leverages PDF files that appear to be damaged, but are otherwise innocuous-looking, to initiate a complex infection process.
This resurgence of the Ousaban banking trojan features updated tactics specifically designed to target Windows operating systems within the Iberian Peninsula. The campaign was first identified in May 2026 by researchers at Fortinet’s FortiGuard Labs, who subsequently published a detailed analysis of its operations.
The attack begins with a phishing PDF that appears to be damaged, prompting the victim to click an “Atualizar” (Update) button. This action secretly redirects the user to a malicious webpage masquerading as a government tax portal. This initial redirection is critical, as it allows the attackers to perform preliminary checks.
Before proceeding with the attack, the malicious webpage verifies the visitor’s geographical location, ensuring they are indeed in Spain or Portugal. This geofencing mechanism is a key component of the campaign’s stealth: Fortinet’s report notes that the attackers combine it with hidden payloads and constantly changing infrastructure to bypass security defenses.
Should a user pass the location verification, the website delivers a script that downloads an image file. This image file, appearing as a standard PDF icon, contains a hidden ZIP archive embedded using steganography. This ZIP archive holds the actual Ousaban payload. Once installed, the malware takes steps to erase its own installation traces, complicating forensic analysis and detection.
Ousaban is part of a broader family of Brazilian banking trojans, often grouped with others like Grandoreiro, Guildma, and Melcoz under the collective moniker “Tetrade.” While the core malware may not be entirely new, this campaign distinguishes itself through its highly customized delivery mechanism, engineered to target specific regions while remaining largely invisible to global security scanning efforts.
Ousaban Malware Uses Phishing PDFs and VBS Downloader
The current Ousaban attack chain relies heavily on the coordinated action of a deceptive PDF and a VBS-style downloader, rather than a single malicious executable. The phishing PDF itself can contain embedded JavaScript capable of automatically opening the malicious webpage, meaning a deliberate click may not always be required to initiate the infection.
Upon reaching the malicious webpage, several checks are performed on the visitor’s system, including IP address, browser language, and time zone. Connections originating from VPNs are actively blocked. Fortinet observed that early iterations of this screening process ran client-side in the browser, but the attackers later moved these checks to their server, effectively concealing the precise rules from security analysts. Visitors who fail these checks are simply presented with a Spanish-language “access denied” message, preventing the malicious payload from being delivered.
Successful targets, however, receive the steganographic image, which ultimately leads to the deployment of the Ousaban payload. This payload installs silently and establishes persistence on the system by creating a registry entry named “Financeiro” (Portuguese for finance), ensuring it launches with Windows startup.
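The report names the persistence value (“Financeiro”) but not the exact registry location. The following PowerShell hunt is an added example, not code from Fortinet or from the article; it assumes the value sits in one of the standard autostart Run/RunOnce keys, which is the usual place for a “launch with Windows startup” entry, and reports any match together with the command it points to.

```powershell
# Hunt for the Ousaban persistence entry on the local host.
# Assumption (not stated in the report): the "Financeiro" value lives in one of the
# standard Run/RunOnce autostart keys. Extend $RunKeys if your telemetry says otherwise.
$ValueName = 'Financeiro'
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Find-OusabanPersistence {
    param([string[]]$Keys = $RunKeys, [string]$Name = $ValueName)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/etc. metadata; skip those.
            if ($p.Name -like 'PS*') { continue }
            # Case-insensitive match on the value name reported by Fortinet.
            if ($p.Name -ieq $Name) {
                [pscustomobject]@{
                    Host    = $env:COMPUTERNAME
                    Key     = $key
                    Value   = $p.Name
                    Command = $p.Value   # path the autostart entry launches
                }
            }
        }
    }
}

# Run the hunt; an empty result means no match in the checked keys on this host.
$hits = @(Find-OusabanPersistence)
if ($hits.Count -eq 0) {
    Write-Output "No '$ValueName' autostart value found in the checked Run keys."
} else {
    $hits | Format-Table -AutoSize
}
```

A hit is a triage trigger, not proof on its own: hash the file in the Command column and check it against your endpoint and email telemetry before isolating the host.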
Credential Theft And Command Infrastructure
Once Ousaban is installed, it lies dormant, activating only when the victim navigates to one of over two dozen specific banking websites. These include major institutions such as Santander, BBVA, CaixaBank, Bankinter, and Caixa Geral de Depósitos. Upon activation, the trojan gains capabilities to capture screenshots, log keystrokes, manipulate the clipboard, and display fabricated bank screens to dupe users into divulging their login credentials and other sensitive financial information.
The command and control (C2) infrastructure supporting Ousaban is designed to resist takedown attempts. The malware contains a Pastebin link that appears to point to a server address, but Fortinet confirmed this to be a decoy, leading to a non-functional private IP address. The true C2 address changes daily, generated from a hash of the current date obtained from a Google error page. This dynamic C2 mechanism renders static blocking of domains largely ineffective.
What You Should Do
- Treat all suspicious emails and PDFs with extreme caution, particularly those claiming a file is corrupted and prompting you to “Atualizar” or “Update.”
- Be wary of unexpected attachments, especially invoices, “facturas,” or tax documents, even if they appear to be from known senders.
- Never paste commands into your system to “fix” an error, a tactic known as “ClickFix.”
- For organizations, enhance security awareness training for employees, especially those interacting with customers or partners in Spain and Portugal.
- Security teams should correlate logs from endpoint detection, email security, DNS, and proxy services. Do not solely rely on sandbox analysis, as the server-side geofencing may only present benign error pages to automated scanners.
- Ensure your antivirus and email security solutions are up-to-date, as Fortinet said its own products already identify samples and phishing messages associated with this campaign.