
Ousaban Trojan Expands to Spain, Portugal with Advanced Evasion Tactics


"Ousaban is not a fundamentally new type of attack, but rather a highly optimized evolution of traditional, decade-old Latin American banking trojan strategies," said Li Zhao, a consultant at application security firm Black Duck.

Phishing chain that profiles Spain and Portugal

Fortinet's FortiGuard Labs reports that Ousaban, a banking trojan long used in Brazil, has been retooled and active against banking customers in Spain and Portugal since May 2026. The intrusion begins with a phishing PDF presented as a broken file. The bogus PDF prompts victims to click an Update button; that action opens a malicious webpage that impersonates a government tax portal.

The server hosting the fake portal does not serve every visitor. Instead, it profiles each connection and advances the attack only for visitors who present as being in Spain or Portugal. That server-side screening inspects language settings, time zone and IP data; it blocks VPN connections and screens out sandbox environments. FortiGuard said the screening criteria are hidden from analysts on purpose, keeping the campaign focused on the intended countries while avoiding outside observers.

Steganography and payload delivery

Visitors who pass the geographic and environment checks receive a script that pulls down an image resembling a PDF icon. That image uses steganography to conceal an appended archive that contains the Ousaban payload. FortiGuard’s analysis highlights this multi-step delivery as an intentional effort to hide the malware until it reaches targeted victims in the specified countries.
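The delivery step above relies on an image file that is still a valid picture but carries an archive appended after the image's end-of-data marker. The following added example (not code from FortiGuard or the report) shows a defender-side check for that pattern: it walks PNG chunks to the IEND chunk, or JPEG segments to the EOI marker, and reports how many bytes trail the real image and whether they start with a known archive signature. The sample image and the appended bytes are constructed inline; the "archive" is only a ZIP signature plus filler, not a real archive.

```python
import struct
import zlib
from typing import Optional

# Signatures for the two common image containers and for archive formats that a
# dropper might append after the image's end marker (detection only).
PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\x1f\x8b": "gzip",
}


def png_end_offset(data: bytes) -> Optional[int]:
    """Walk PNG chunks; return the offset just past the IEND chunk (including its CRC)."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4            # length/type header + payload + CRC
        if ctype == b"IEND":
            return pos
    return None                          # truncated or no IEND


def jpeg_end_offset(data: bytes) -> Optional[int]:
    """Walk JPEG marker segments; return the offset just past the EOI marker."""
    if not data.startswith(JPEG_SOI):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None                  # malformed: a marker was expected here
        marker = data[pos + 1]
        if marker == 0xFF:               # fill byte between segments
            pos += 1
            continue
        if marker == 0xD9:               # EOI
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # standalone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == 0xDA:               # SOS: skip entropy-coded data to next real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    return None


def find_appended_payload(data: bytes) -> dict:
    """Report bytes trailing a valid image and whether they look like an archive."""
    end, kind = png_end_offset(data), "png"
    if end is None:
        end, kind = jpeg_end_offset(data), "jpeg"
    if end is None:
        return {"image": None, "trailing_bytes": 0, "archive": None}
    trailer = data[end:]
    archive = next((name for magic, name in ARCHIVE_MAGIC.items()
                    if trailer.startswith(magic)), None)
    return {"image": kind, "trailing_bytes": len(trailer), "archive": archive}


# --- constructed samples (not real campaign artifacts) ---------------------------
def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    body = ctype + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def build_clean_png() -> bytes:
    """A valid 1x1 RGB PNG, built from scratch so the example runs offline."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")   # filter byte + one RGB pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def build_clean_jpeg() -> bytes:
    """SOI + minimal APP0 (JFIF) segment + EOI; no image data, but structurally valid."""
    app0 = b"JFIF\x00" + b"\x01\x01" + b"\x00" + b"\x00\x01\x00\x01" + b"\x00\x00"
    return JPEG_SOI + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0 + b"\xff\xd9"


SAMPLE_CLEAN_PNG = build_clean_png()
SAMPLE_PNG_WITH_ZIP = SAMPLE_CLEAN_PNG + b"PK\x03\x04" + b"X" * 40      # constructed filler
SAMPLE_JPEG_WITH_RAR = build_clean_jpeg() + b"Rar!\x1a\x07" + b"Y" * 16  # constructed filler

if __name__ == "__main__":
    for label, blob in [("clean png", SAMPLE_CLEAN_PNG), ("png+zip", SAMPLE_PNG_WITH_ZIP),
                        ("jpeg+rar", SAMPLE_JPEG_WITH_RAR)]:
        print(label, find_appended_payload(blob))
```

A non-zero `trailing_bytes` on an image attachment or download is worth an alert on its own; a recognised archive signature in the trailer is a stronger signal. The check is cheap enough to run on every image passing a mail gateway or proxy.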

According to Black Duck consultant Li Zhao, the malware is written in Delphi and reuses a 2008-era encryption scheme, emphasizing evolution of older Latin American banking-trojan tactics rather than wholly new technical foundations.

Targets and in-browser fraud toolkit

Once launched on a host, Ousaban monitors the victim's activity and waits for the user to open one of dozens of targeted banking services. FortiGuard lists named targets that include Santander, BBVA, CaixaBank, Revolut and Caixa Geral de Depósitos. When a target bank session is detected, the trojan deploys a set of browser- and system-level fraud tools: it can take screenshots, capture keystrokes, tamper with clipboard contents, and give the operator remote control of the machine. It also displays counterfeit bank screens designed to trick users into surrendering credentials and other sensitive details.

FortiGuard’s telemetry indicates the campaign’s aim is straightforward: credential theft directed at bank fraud.

Command-and-control evasion: daily domains and decoys

Ousaban avoids a single fixed command server address. FortiGuard describes a routine in which the malware resolves a domain that changes daily; the domain is derived from a hash of the current date pulled from a Google error page. That ephemeral addressing reduces the chance that analysts outside the target region observe the infrastructure. To slow investigation, the campaign also plants a decoy Pastebin link that points analysts toward a dead-end private IP.

Jason Soroko, a senior fellow at certificate-management firm Sectigo, summarized the operational effect: "Geofenced malware can look absent from outside the target region," and urged teams to correlate multiple logs rather than rely on sandbox tests alone.

What this means for security teams, affected banks, and end users

  • Security teams: FortiGuard’s findings highlight an operator preference for server-side geofencing and ephemeral C2 domains. Jason Soroko’s recommendation in the report — to correlate endpoint, mail, DNS and proxy logs — is the only mitigation step explicitly noted in the source.
  • Affected banks (Santander, BBVA, CaixaBank, Revolut, Caixa Geral de Depósitos): Fortinet’s telemetry places credential theft "squarely at bank fraud," signalling that institutions named in the analysis should expect attempted account takeover activity tied to the campaign.
  • End users in Spain and Portugal: The attack vector begins with a phishing PDF disguised as a broken file and a fake tax-portal page. Users encountering such prompts may be at heightened risk if they are routed through the full, geographically constrained chain described by FortiGuard.
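The C2 behaviour described earlier (a resolved domain that changes every day, plus a decoy Pastebin link) and Jason Soroko's advice to correlate logs rather than trust a sandbox verdict both point at the same detection approach: look at DNS and proxy records together, per host, over several days. The example below is added here and is not code from Fortinet, Sectigo or the report. It flags a host only when two independent signals line up: several days on which the host resolved a domain that no other host in the fleet ever resolved on any other day, and a proxy fetch from pastebin.com. The log lines, hostnames and domains are constructed for the example; the actual Ousaban domain pattern is not reproduced.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample logs (not telemetry from the report). ws-017 shows the
# daily-domain plus Pastebin pattern; ws-042 shows ordinary traffic.
DNS_LOG = """\
2026-06-01T09:12:03Z host=ws-017 qname=q7h2m9x1.example.net rcode=NOERROR
2026-06-01T09:15:44Z host=ws-017 qname=www.example.org rcode=NOERROR
2026-06-01T10:02:11Z host=ws-042 qname=www.example.org rcode=NOERROR
2026-06-02T09:11:58Z host=ws-017 qname=b4k8p2n7.example.net rcode=NOERROR
2026-06-02T11:40:09Z host=ws-042 qname=cdn.example.com rcode=NOERROR
2026-06-03T09:13:27Z host=ws-017 qname=z9d3w6r5.example.net rcode=NOERROR
2026-06-03T14:20:51Z host=ws-042 qname=www.example.org rcode=NOERROR
2026-06-04T09:12:40Z host=ws-017 qname=m2t5y8c1.example.net rcode=NOERROR
2026-06-04T09:30:00Z host=ws-042 qname=updates.example.com rcode=NOERROR
"""

PROXY_LOG = """\
2026-06-01T09:12:09Z host=ws-017 url=https://pastebin.com/raw/PLACEHOLDER status=200
2026-06-01T09:12:12Z host=ws-017 url=https://www.example.org/ status=200
2026-06-02T11:41:00Z host=ws-042 url=https://cdn.example.com/lib.js status=200
"""

DNS_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) qname=(?P<qname>\S+) rcode=(?P<rcode>\S+)$")
PROXY_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) url=(?P<url>\S+) status=(?P<status>\d+)$")


def parse(log: str, pattern: re.Pattern) -> list:
    """Turn key=value log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in log.splitlines():
        m = pattern.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def ephemeral_domain_days(dns_records: list) -> dict:
    """host -> set of days on which it resolved a domain seen fleet-wide on that one day only."""
    days_per_domain = defaultdict(set)
    for r in dns_records:
        if r["rcode"] == "NOERROR":
            days_per_domain[r["qname"]].add(r["ts"][:10])
    per_host = defaultdict(set)
    for r in dns_records:
        if r["rcode"] == "NOERROR" and len(days_per_domain[r["qname"]]) == 1:
            per_host[r["host"]].add(r["ts"][:10])
    return per_host


def pastebin_hosts(proxy_records: list) -> set:
    """Hosts that fetched anything from pastebin.com (the decoy step in the article)."""
    hosts = set()
    for r in proxy_records:
        netloc = urlparse(r["url"]).netloc.lower()
        if netloc == "pastebin.com" or netloc.endswith(".pastebin.com"):
            hosts.add(r["host"])
    return hosts


def correlate(dns_log: str, proxy_log: str, min_days: int = 3) -> dict:
    """Flag hosts where the DNS signal and the proxy signal both fire."""
    eph = ephemeral_domain_days(parse(dns_log, DNS_RE))
    paste = pastebin_hosts(parse(proxy_log, PROXY_RE))
    findings = {}
    for host in set(eph) | paste:
        signals = []
        if len(eph.get(host, ())) >= min_days:
            signals.append("ephemeral_domains:%d_days" % len(eph[host]))
        if host in paste:
            signals.append("pastebin_fetch")
        if len(signals) >= 2:            # require agreement across log sources
            findings[host] = sorted(signals)
    return findings


if __name__ == "__main__":
    print(correlate(DNS_LOG, PROXY_LOG))
```

The per-host, multi-day view is the point: a sandbox run from outside Spain or Portugal never gets past the geofence, so it produces nothing, while the fleet's own DNS and proxy logs still show a machine resolving a fresh, never-repeated name every morning. Thresholds (`min_days`) and the single-day test are deliberately simple; a production rule would also discount domains on an allowlist and CDN names that legitimately rotate.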

Fortinet’s FortiGuard Labs says the campaign remains live as of its analysis. The operation’s combination of old-school banking-trojan capabilities, Delphi-era code and 2008-style encryption, plus layered evasion — steganography, server-side geofencing and ephemeral C2 resolution tied to a Google error page hash — is designed to keep the malware visible only to intended victims and invisible to many outside observers. That deliberate invisibility is the campaign’s core strength and the principal challenge for detection and response teams in Spain and Portugal.

Source: Infosecurity Magazine / Fortinet FortiGuard Labs analysis