Ousaban Banking Trojan Uses Fake PDF Campaigns to Target Banks in Spain and Portugal

Security researchers have uncovered a renewed campaign distributing the Ousaban banking trojan to Windows users in Spain and Portugal through phishing PDFs that imitate broken or incomplete files. For...

Security researchers have uncovered a renewed campaign distributing the Ousaban banking trojan to Windows users in Spain and Portugal through phishing PDFs that imitate broken or incomplete files. Fortinet’s FortiGuard Labs said it observed the activity in May 2026 and noted that the attackers are using multiple layers of evasion to keep the malware hidden from anyone outside their intended target region.

Ousaban, which has long been associated with Brazilian banking malware operations, is designed to steal financial credentials and hijack live banking sessions. Once installed, it can monitor browsing activity, capture keystrokes and screenshots, alter clipboard contents, display fake prompts, and provide remote access to the attacker. The current campaign focuses on more than two dozen banks across the Iberian Peninsula, including major institutions such as Banco Santander, BBVA, CaixaBank, Bankinter, and Caixa Geral de Depósitos.

How the infection chain works

The attack begins with a PDF attachment that tells the recipient to click an “update” button to view a supposedly corrupted file. That action sends the victim to a malicious website, and in some cases the PDF contains hidden JavaScript that opens the page automatically. The site presents itself as a tax or document portal, but first checks whether the visitor appears to be in Spain or Portugal.

Earlier versions of the campaign performed this filtering in the browser by checking indicators such as IP address, language, time zone, screen settings, and installed fonts, while also trying to block VPN users and automated analysis tools. Fortinet says the latest version moves those checks to the attacker’s server, making the screening logic harder to see. Anyone who fails the test is shown an access-denied message instead of the malware.

  • A downloaded image contains a hidden ZIP archive that carries the trojan.
  • The malware deletes the image, archive, and loader after execution to reduce traces.
  • Persistence is established through a Windows Run registry entry named Financeiro.
  • The command-and-control address changes daily and is rebuilt using a date-based lookup method.

Fortinet linked the tactics to a broader pattern seen in other Brazilian banking trojans, including the use of geofencing, disguised downloads, and throwaway infrastructure. For defenders, the company recommends treating unexpected PDF invoices, tax forms, and “corrupted file” prompts with caution, especially when they urge users to click or paste commands. Fortinet’s products detect the samples, and the company provided indicators of compromise for blocking.