A sophisticated banking trojan named Ousaban is currently targeting Windows users in Spain and Portugal, aiming to compromise their online banking credentials. This campaign, identified by Fortinet’s FortiGuard Labs in May 2026, employs deceptive tactics to lure victims into its trap.
Phishing Tactics and Initial Intrusion
The attack begins with a PDF file that appears corrupted and acts as a phishing lure. Before the malicious payload, which is hidden within an image, is delivered, the chain checks whether the recipient is located in Spain or Portugal. The primary objective is to steal banking details and gain unauthorized access to accounts.
Once installed on a Windows PC, Ousaban remains dormant until the user accesses a banking website. At this point, it can capture screenshots, record keystrokes, manipulate the clipboard, and even display fake messages. These tools enable attackers to hijack live banking sessions, targeting over two dozen banks in the region, including prominent names like Banco Santander, BBVA, and CaixaBank.
Technical Details of the Ousaban Attack
The attack is initiated through a phishing PDF, which prompts users to click an ‘Atualizar’ (Update) button, redirecting them to a malicious site. Hidden JavaScript can also trigger this redirect automatically. The site masquerades as a tax-document portal, screening visitors based on their location and other criteria. Previous versions conducted these checks client-side, but the latest iteration moves this process to the server, obscuring the exact parameters used.
If a visitor passes the checks, a download begins, employing steganography to conceal a ZIP file within an image. The script extracts and executes Ousaban, then cleans up traces by deleting the image, ZIP, and itself. The trojan ensures persistence by adding a registry entry named ‘Financeiro,’ allowing it to launch with Windows startup.
Challenges and Countermeasures
Ousaban’s command server is elusive: it uses a decoy address and frequently changes its actual location. The malware derives a new server address each day from a date taken from a Google page and a fixed secret, so blocks based on the previous day’s address are ineffective.
Ousaban, also known as Javali, belongs to a group of Brazilian banking trojans that Kaspersky labeled the ‘Tetrade.’ These trojans have expanded from Brazil to Iberia, sharing code and tactics. Despite law enforcement actions, such as an Interpol takedown in 2024, these threats persist, leveraging familiar methods like PDF lures and geofencing.
Protective Measures and Recommendations
To mitigate the risk, users should be cautious of any PDF or email indicating a file corruption and prompting an ‘Update.’ Such communications are likely hostile. Additionally, unexpected invoices or tax-document attachments should be treated with suspicion, particularly in Spain and Portugal.
Automated sandboxing may not detect the threat due to server-side screening, which could result in a benign Spanish error page instead of the malware. Fortinet advises blocking specific domains, IPs, and file hashes associated with the trojan and monitoring for the ‘Financeiro’ registry key and specific files. Their FortiGuard antivirus and FortiMail products can flag these threats effectively.
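The persistence mechanism described earlier (a Run value named ‘Financeiro’) and Fortinet’s advice to monitor for it can be turned into a simple host check. The following is an added example, not Fortinet’s or any vendor’s code; the registry paths are the standard Windows Run keys, the value name comes from the article, and the sample entries and file path are constructed placeholders.

```python
"""Check Windows autorun (Run) registry values for the 'Financeiro' persistence
entry attributed to Ousaban. Added example; the indicator is from the article."""
import sys
from dataclasses import dataclass

# Run keys that launch a program at logon. HKCU is the one a user-level
# infection can write to without elevation, so check it first.
RUN_KEY_PATHS = (
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
)
# Value name reported for Ousaban persistence. Registry value names are
# case-insensitive, so the comparison is too.
INDICATOR_VALUE_NAMES = {"financeiro"}

@dataclass(frozen=True)
class RunEntry:
    hive: str
    name: str
    command: str

def find_suspicious(entries):
    """Return every Run entry whose value name matches a known indicator."""
    return [e for e in entries if e.name.strip().lower() in INDICATOR_VALUE_NAMES]

def collect_run_entries():
    """Read the live Run keys with winreg; returns [] on non-Windows hosts."""
    if sys.platform != "win32":
        return []
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    found = []
    for hive, path in RUN_KEY_PATHS:
        try:
            with winreg.OpenKey(hives[hive], path) as key:
                index = 0
                while True:
                    try:  # EnumValue raises OSError once the values are exhausted
                        name, value, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break
                    found.append(RunEntry(hive, name, str(value)))
                    index += 1
        except OSError:
            continue  # key absent or not readable; move on to the next hive
    return found

if __name__ == "__main__":
    # Constructed sample entries used when there is no live registry to read.
    sample = [
        RunEntry("HKCU", "OneDrive", r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
        RunEntry("HKCU", "Financeiro", r"C:\PLACEHOLDER\payload.exe"),  # constructed
    ]
    entries = collect_run_entries() if sys.platform == "win32" else sample
    for hit in find_suspicious(entries):
        print(f"[!] {hit.hive} Run value {hit.name!r} -> {hit.command}")
```

A match only confirms the value name; the command it points to should be collected for hash comparison against the indicators Fortinet publishes.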
In summary, while the Ousaban trojan employs long-known strategies, its recent adaptations pose significant challenges. Continuous vigilance and updated cybersecurity measures are essential to protect against such sophisticated threats targeting Iberian banks.
