
Ousaban Banking Trojan Resurfaces With Steganographic PDF Lures Targeting Spain and Portugal

dark6 4 July 2026

A newly documented campaign is quietly hijacking online banking sessions across Spain and Portugal, and it starts with something as ordinary as a supposedly broken PDF. The malware behind it, known as Ousaban, has resurfaced with a fresh set of evasion tricks aimed squarely at Iberian bank customers running Windows machines.

From a Fake Corrupted PDF to a Hidden Payload

Researchers at Fortinet’s FortiGuard Labs first spotted this wave of activity in May 2026 and published a detailed technical breakdown of how it operates. The infection begins when a victim opens a phishing PDF that claims to be corrupted and urges them to click an “Atualizar,” or Update, button. That click quietly opens a malicious webpage disguised as a government tax portal, which then checks whether the visitor is really located in Spain or Portugal before continuing.

Hidden JavaScript inside the PDF can launch that malicious page automatically when the document is opened, so even a cautious user who never clicks the button is not necessarily safe. The landing page also inspects the visitor’s IP address, browser language, and time zone, and blocks anyone connecting through a VPN. Fortinet noted that an earlier version of this screening ran in the browser, where analysts could read it; the operators have since moved it server-side so the exact filtering rules stay hidden. Visitors who fail the check simply see a Spanish-language “access denied” message instead of anything malicious.

Visitors who pass the check receive an image file crafted to look like a harmless PDF icon. Hidden inside that image is a ZIP archive containing the actual Ousaban payload, a steganographic trick that lets the download pass as an ordinary picture to anyone who only checks the file’s apparent type. The malware installs quietly, sets up persistence through a registry entry named “Financeiro” (Portuguese for “finance”), and deletes traces of its own installation to complicate later forensic review.
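The image-with-a-ZIP-inside trick is easy to check for once you know to look past the picture’s own end marker. The scanner below is an added example (not Fortinet’s code or the campaign’s own): it walks a PNG to its IEND chunk, or a JPEG to its EOI marker, and reports any ZIP archive sitting in the bytes after that. The image and archive it scans are constructed inline, and the member name “payload.dll” is a placeholder, not a real Ousaban artifact.

```python
"""Find a ZIP archive hidden behind an image's end-of-file marker.

Added example, not Fortinet's or the malware's code. The image and the
archive scanned below are constructed inline; "payload.dll" is a
placeholder name, not a real Ousaban artifact.
"""
import io
import struct
import zipfile
import zlib
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ZIP_LOCAL_HDR = b"PK\x03\x04"   # local file header signature
ZIP_EOCD = b"PK\x05\x06"        # end-of-central-directory signature


def png_end_offset(data: bytes) -> Optional[int]:
    """Walk PNG chunks and return the offset just past IEND, or None."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # header + data + CRC
        if ctype == b"IEND":
            return pos
    return None


def jpeg_end_offset(data: bytes) -> Optional[int]:
    """Return the offset just past the first EOI marker (FF D9), or None."""
    if not data.startswith(b"\xff\xd8"):
        return None
    idx = data.find(b"\xff\xd9")
    return None if idx < 0 else idx + 2


def find_embedded_zip(data: bytes) -> Optional[dict]:
    """Report a ZIP archive living in the bytes after the image ends."""
    end = png_end_offset(data)
    if end is None:
        end = jpeg_end_offset(data)
    if end is None:
        return None                     # not a PNG/JPEG we can parse
    trailer = data[end:]
    if ZIP_LOCAL_HDR not in trailer or ZIP_EOCD not in trailer:
        return None                     # nothing ZIP-shaped after the image
    zip_start = end + trailer.index(ZIP_LOCAL_HDR)
    try:
        with zipfile.ZipFile(io.BytesIO(data[zip_start:])) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        members = []                    # signatures present but archive damaged
    return {"image_end": end, "zip_offset": zip_start,
            "trailer_bytes": len(trailer), "members": members}


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_clean_png() -> bytes:
    """Constructed 1x1 RGB PNG with nothing after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")   # filter byte + one red pixel
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


def build_sample_polyglot() -> bytes:
    """Same PNG with a constructed ZIP appended, mimicking the loader's trick."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.dll", b"MZ" + b"\x00" * 62)  # placeholder, not malware
    return build_clean_png() + buf.getvalue()


if __name__ == "__main__":
    print(find_embedded_zip(build_sample_polyglot()))
    print(find_embedded_zip(build_clean_png()))
```

Run it over the images a mail gateway or proxy already extracts: a picture whose trailer contains both ZIP signatures is worth a second look regardless of what the Content-Type header or the file extension claims.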

Credential Theft and Command Infrastructure Built to Evade Takedown

Ousaban is not new. Also tracked as Javali, it is one of the Brazilian banking trojan families that Kaspersky groups with Grandoreiro, Guildma, and Melcoz under the name “Tetrade.” What has changed is the wrapper around it, purpose-built to reach real victims in two specific countries while staying invisible to researchers and automated scanners located elsewhere.

Once installed, Ousaban stays dormant until the victim visits one of more than two dozen targeted banking sites, including Santander, BBVA, CaixaBank, Bankinter, and Caixa Geral de Depósitos. At that point it can capture screenshots, log keystrokes, tamper with the clipboard, and display fake bank screens designed to trick users into handing over login credentials directly.

Its command-and-control setup is built to survive takedown attempts. A Pastebin link embedded in the malware appears to point to a server address but is actually a decoy leading nowhere, according to Fortinet. The real command server address changes every 24 hours: it is generated from a hash of the current date, which the malware reads from a Google error page rather than trusting the local clock. Blocking yesterday’s domain is therefore of little use to defenders who rely on static indicator lists; once the rotation algorithm is recovered, the algorithm itself is the durable indicator.
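The rotation described above, as an added example (not Fortinet’s analysis or Ousaban’s code): the loader side reads the day from the Date header of a constructed HTTP error response and hashes it into a domain, and the defender side shows why a one-day-old indicator misses while a list precomputed from the recovered algorithm does not. The hash construction, salt, and “.example” TLD are assumptions made for illustration; the page does not disclose the real scheme, and none of these names should ever be resolved.

```python
"""Emulate a date-seeded C2 domain rotation and the defender's precomputed block list.

Added example, not Fortinet's analysis or Ousaban's code. The article says
only that the C2 address is derived from a hash of the current date taken
from a Google error page. The concrete scheme here (SHA-256 over a salt and
the ISO date, first 12 hex chars, a fixed TLD) is an assumption.
"""
import hashlib
from datetime import date, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed stand-in for the kind of error response a loader could fetch
# to learn today's date from the server rather than the victim's clock.
SAMPLE_HTTP_RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Date: Sat, 04 Jul 2026 09:12:33 GMT\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    b"<html><title>Error 404 (Not Found)!!1</title></html>"
)

SALT = b"example-salt"   # assumed; real key material is unknown
TLD = ".example"         # assumed; reserved TLD so nothing resolves


def date_from_response(raw: bytes) -> date:
    """Pull the server's Date header and reduce it to a UTC calendar day."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "date":
            return parsedate_to_datetime(value.strip()).astimezone(timezone.utc).date()
    raise ValueError("no Date header in response")


def c2_domain_for(day: date) -> str:
    """Assumed DGA: SHA-256(salt || YYYY-MM-DD), first 12 hex chars, fixed TLD."""
    digest = hashlib.sha256(SALT + day.isoformat().encode()).hexdigest()
    return digest[:12] + TLD


def upcoming_domains(start: date, days: int = 7) -> list:
    """Defender side: with the algorithm recovered, pre-generate the next N days."""
    return [c2_domain_for(start + timedelta(days=i)) for i in range(days)]


def static_blocklist_catches(today: date, blocklist: set) -> bool:
    """Would a block list of fixed names stop today's C2 domain?"""
    return c2_domain_for(today) in blocklist


def demo(raw: bytes = SAMPLE_HTTP_RESPONSE) -> dict:
    """Compare yesterday's single IOC against a list precomputed from the algorithm."""
    today = date_from_response(raw)
    yesterdays_ioc = {c2_domain_for(today - timedelta(days=1))}
    precomputed = set(upcoming_domains(today - timedelta(days=1), 8))
    return {
        "today": today.isoformat(),
        "today_domain": c2_domain_for(today),
        "caught_by_yesterdays_ioc": static_blocklist_catches(today, yesterdays_ioc),
        "caught_by_precomputed_list": static_blocklist_catches(today, precomputed),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical lesson is the same for any date-seeded rotation: an indicator that is valid for 24 hours is a detection only for the day it was observed, whereas the recovered algorithm lets a defender block or sinkhole the next week of names before the malware ever asks for them.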

Defensive Guidance

Fortinet’s guidance centers on treating the lure itself as hostile rather than relying solely on automated scanning, since the server-side screening means a sandbox or URL scanner located outside Spain and Portugal may only ever see the harmless “access denied” page rather than the actual payload delivery. Recommended steps include:

  • Treat any PDF or email claiming a file is “corrupted” and requesting an update click as hostile by default.
  • Watch for “ClickFix”-style prompts asking users to paste a command into a terminal or run dialog to fix an error.
  • Apply extra scrutiny to unexpected invoice, factura, or tax-document attachments, particularly for organizations with staff or customers in Spain and Portugal.
  • Correlate endpoint, mail, DNS, and proxy logs rather than trusting sandbox verdicts alone, since this campaign is specifically engineered to look benign to automated analysis.
