Ousaban Trojan Targets Iberian Bank Users with Sophisticated PDF Lures

The malware reads the current date off a Google page and builds a web address from that date plus a fixed secret to find its controller — a daily-changing rendezvous designed to frustrate defenders.

Discovery and scope: Fortinet finds Ousaban in May 2026

Fortinet's FortiGuard Labs identified a campaign involving the Brazilian banking trojan Ousaban in May 2026 that specifically targets Windows users who bank in Spain and Portugal. The trojan — also tracked as Javali — aims to steal banking logins and hijack live banking sessions, giving attackers the ability to capture screenshots and keystrokes, tamper with the clipboard, display fraudulent messages, and take remote control of infected machines.

How the infection chain works, step by step

The campaign opens with a phishing PDF masquerading as a corrupted file. The visible lure asks the victim to press an "Atualizar" (Update) button; hidden JavaScript in the PDF can also open the same malicious webpage autonomously. That page poses as a tax-document and installer portal while screening visitors.

Visitors must pass geofencing and anti-automation checks: if the site decides the visitor is outside Spain or Portugal, it returns a Spanish "access denied" notice instead of the malware. Earlier variants of the campaign ran these checks in the browser, examining IP address, language, time zone, VPN use, screen size and installed fonts, so the rules were visible to anyone reading the page's code; the current version moves that screening to the operator's server, where the exact rules can no longer be inspected.

Once a visitor clears those checks a script downloads an image that looks like a PDF icon but actually hides a ZIP file inside — steganography. The script unpacks Ousaban from the ZIP, executes it, then deletes the image, the ZIP, and the script to remove traces. The malware establishes persistence by adding a Run registry entry named Financeiro (Portuguese for "finance"). Fortinet notes dropped files appear under C:\SysMain_5874288.
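The steganographic step above is worth seeing concretely. The following is an added example, not Fortinet's code and not the Ousaban dropper: the report says the downloaded "PDF icon" image carries a ZIP inside but does not say how, so this example assumes the most common form of the trick, a ZIP archive appended after the PNG's IEND chunk (a polyglot file that still renders as a picture and still unzips). It builds its own cover image and a constructed dummy payload so it runs offline, then shows both a cheap triage test and a proper extraction that walks the PNG chunk list first.

```python
# Added example (not Fortinet's code and not the Ousaban dropper): how a ZIP can
# ride inside an image that still opens as a picture, and how to find it. The
# page says the downloaded "PDF icon" image hides a ZIP; it does not say how.
# This example assumes the common form, a ZIP appended after the PNG's IEND
# chunk, and builds its own sample image and payload so it runs offline.
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ZIP_LOCAL_HDR = b"PK\x03\x04"


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    """One PNG chunk: 4-byte big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png() -> bytes:
    """A minimal valid 1x1 RGB PNG, the innocent 'cover' image. Constructed sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # width, height, depth, RGB, ...
    idat = zlib.compress(b"\x00\xff\x00\x00")              # filter byte + one red pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def build_polyglot(name: str, payload: bytes) -> bytes:
    """Cover image with a ZIP holding `payload` glued on after IEND. Image viewers
    stop at IEND, so the file still renders; unzip tools locate the archive from
    its trailer, so it still extracts. Constructed sample, not a real artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return build_png() + buf.getvalue()


def quick_triage(data: bytes) -> bool:
    """Cheapest check: zipfile finds the end-of-central-directory record by
    scanning backwards from EOF, so a PNG with an appended archive reports True."""
    return zipfile.is_zipfile(io.BytesIO(data))


def png_end_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past IEND.
    Raises ValueError for anything that is not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4                                # header + data + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("IEND chunk not found")


def extract_hidden_zip(data: bytes):
    """Return (offset_of_archive, {member_name: bytes}) or None if nothing trails
    the image. Searching only after IEND avoids false hits on PK magic bytes that
    can occur by chance inside the compressed IDAT stream."""
    end = png_end_offset(data)
    idx = data.find(ZIP_LOCAL_HDR, end)
    if idx == -1:
        return None
    with zipfile.ZipFile(io.BytesIO(data[idx:])) as zf:
        return idx, {m: zf.read(m) for m in zf.namelist()}


if __name__ == "__main__":
    sample = build_polyglot("payload.bin", b"MZ" + b"\x90" * 64)   # constructed payload
    print("zip trailer present:", quick_triage(sample))
    offset, members = extract_hidden_zip(sample)
    print(f"archive at byte {offset}; members: {list(members)}")
```

Two practical notes. `quick_triage` is a good first pass over every image a suspicious page serves, because the ZIP trailer is found from the end of the file regardless of what precedes it. The reason `extract_hidden_zip` walks the chunks rather than scanning the whole file for `PK\x03\x04` is that those four bytes can legitimately appear inside compressed pixel data; anchoring the search after IEND gives the offset of the appended archive without that false positive.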

Command-and-control: decoys, Google pages and a daily-moving server

Fortinet describes the command server as deliberately hard to find. The initial configuration carries a Pastebin link that points to a decoy server; earlier Ousaban campaigns stashed configuration data in Google Docs. In this campaign the real controller moves every day: Ousaban reads the current date off a Google page, combines it with a fixed secret, constructs a web address and queries it. That throwaway daily address model makes blocking yesterday's address ineffective.
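The daily rendezvous scheme is easier to reason about with a concrete model. What follows is an added illustration, not Ousaban's real algorithm: the report says only that the trojan reads the date from a Google page, combines it with a fixed secret and builds an address from the result. The derivation itself is not given, so the HMAC-SHA256 construction, the 12-character label, the reserved `.example` TLD and the use of an HTTP `Date` header as the clock source are all assumptions made here. The defender-side function shows why a blocklist of observed addresses is structurally a day late, and what changes once the secret and derivation are recovered from a sample.

```python
# Added illustration (not Ousaban's real algorithm): the page says the trojan
# reads the date from a Google page, combines it with a fixed secret and builds
# that day's controller address. It does not give the derivation, so the HMAC
# construction, the label length, the ".example" TLD and the HTTP Date header
# as the clock source are all assumptions made for this example.
import hashlib
import hmac
from datetime import date, timedelta, timezone
from email.utils import parsedate_to_datetime

ASSUMED_TLD = ".example"   # reserved, never resolves; a real family would use a live TLD


def date_from_http_header(date_header: str) -> date:
    """UTC calendar date from an RFC 7231 Date header, which any HTTPS response
    (google.com included) carries. Reading a remote clock rather than the local
    one keeps the malware on the operator's schedule even when a sandbox has
    rolled its own clock forward or back."""
    dt = parsedate_to_datetime(date_header)
    if dt.tzinfo is None:                  # "-0000" style headers parse as naive
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).date()


def daily_rendezvous(secret: bytes, day: date) -> str:
    """One address per calendar day: HMAC-SHA256(secret, YYYYMMDD), truncated to a
    12-character hostname label. Without the secret, tomorrow's address is
    unpredictable; with it, it is trivially computed."""
    tag = hmac.new(secret, day.strftime("%Y%m%d").encode(), hashlib.sha256).hexdigest()
    return f"https://{tag[:12]}{ASSUMED_TLD}/c2"


def blocklist_window(secret: bytes, start: date, days_ahead: int = 7) -> list[str]:
    """Defender side. A list built from addresses seen in traffic is always a day
    behind. Once the secret and derivation are recovered from a sample, the next
    week of addresses can be precomputed and blocked (or sinkholed) ahead of use."""
    return [daily_rendezvous(secret, start + timedelta(days=i)) for i in range(days_ahead + 1)]


if __name__ == "__main__":
    key = b"constructed-secret"                        # stand-in for the embedded secret
    today = date_from_http_header("Fri, 01 May 2026 10:00:00 GMT")
    print("today    :", daily_rendezvous(key, today))
    print("yesterday:", daily_rendezvous(key, today - timedelta(days=1)))
    for url in blocklist_window(key, today, 2):
        print("block    :", url)
```

The time-zone handling in `date_from_http_header` is not cosmetic: a header stamped `23:30:00 -0300` is already the next UTC day, and an implementation that takes the local date would compute a different rendezvous than the operator's server expects. The same boundary matters for defenders who precompute addresses and should key their blocklist on the UTC date the malware actually uses.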

Ties to a resilient Brazilian playbook

Fortinet places Ousaban among a cluster of Brazilian banking trojans that Kaspersky labeled the "Tetrade," alongside Grandoreiro, Guildma, and Melcoz. These families began in Brazil and expanded into Spain and Portugal, borrowing code and techniques as they evolved; Fortinet says Ousaban's string-encryption uses the same custom scheme seen in Casbaneiro.

Fortinet points to continuity across the playbook: Grandoreiro survived an Interpol-coordinated takedown in January 2024 and returned months later, and its loaders used the same PDF-looking lures and country checks. Fortinet also links infrastructure used by Ousaban activity in late 2025 to other entry points, including a "ClickFix" scam that tricks victims into pasting a malicious command while attempting to fix an error.

What this means for technologists, regulators, and end users

  • Technologists and security teams: Fortinet's report contains domains, IP addresses, and file hashes to block; defenders should also monitor for the Financeiro Run registry key and files dropped to C:\SysMain_5874288. Note that server-side screening can make simple URL fetches return only a Spanish error page, so gateway detonation and automated sandboxes may miss the malware. FortiGuard antivirus flags the samples and FortiMail flags the phishing emails, per Fortinet.
  • Policymakers and regulators: The campaign underscores cross-border targeting and quick infrastructure turnover — a daily-moving controller address and decoy links — which complicates takedown and cross-jurisdictional response efforts. The persistence of shared code and tactics across multiple Brazilian families suggests coordination of techniques that regulators and cooperation channels may need to track.
  • End users and retail banks: Treat any PDF or email that claims a file is corrupted and instructs you to press "Update" as hostile, and avoid prompts that tell you to paste commands to fix an "error." Be suspicious of unexpected invoice, factura, or tax-document attachments, especially in Spain and Portugal. The campaign affects Windows only.
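For the security-team bullet above, here is the host-side hunt as working detection logic. This is an added example, not Fortinet's detection content: it flags the two indicators the report names, a Run value called Financeiro and files under C:\SysMain_5874288, in Sysmon-style telemetry. Field names follow Sysmon's own schema (EventID 13 for a registry value set, EventID 11 for a file create, with TargetObject, TargetFilename, Details and Image). The events, file names, paths and SID below are constructed for this example and are not observed artifacts.

```python
# Added example (not Fortinet's detection content): flag the two host-side
# indicators the report names, a Run value called "Financeiro" and files under
# C:\SysMain_5874288, in Sysmon-style telemetry. Field names follow Sysmon's
# (EventID 13 = registry value set, EventID 11 = file create; TargetObject,
# TargetFilename, Details, Image). The events, paths, file names and SID below
# are constructed for this example, not observed artifacts.
import re
from pathlib import PureWindowsPath

RUN_VALUE_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\(?P<name>[^\\]+)$", re.IGNORECASE)
SUSPECT_VALUE_NAME = "financeiro"
DROP_DIR_PREFIX = "c:\\sysmain_5874288\\"   # trailing separator: C:\SysMain_58742880 must not match


def under_drop_dir(path: str) -> bool:
    """Case-insensitive 'is inside the drop directory' test that tolerates
    forward slashes and mixed case, as Windows itself does."""
    if not path:
        return False
    return str(PureWindowsPath(path)).lower().startswith(DROP_DIR_PREFIX)


def hunt(events: list[dict]) -> list[dict]:
    """Return one finding per event that trips at least one rule, with every
    reason it tripped. Rules are deliberately narrow: they mirror the report's
    named artifacts rather than generic 'new Run key' noise."""
    findings = []
    for i, ev in enumerate(events):
        reasons = []
        if ev.get("EventID") == 13:
            m = RUN_VALUE_RE.search(ev.get("TargetObject", ""))
            if m:
                if m.group("name").lower() == SUSPECT_VALUE_NAME:
                    reasons.append("run_value_named_financeiro")
                if under_drop_dir(ev.get("Details", "")):
                    reasons.append("run_value_points_into_drop_dir")
        if ev.get("EventID") == 11 and under_drop_dir(ev.get("TargetFilename", "")):
            reasons.append("file_created_in_drop_dir")
        if under_drop_dir(ev.get("Image", "")):
            reasons.append("process_running_from_drop_dir")
        if reasons:
            findings.append({"index": i, "image": ev.get("Image"), "reasons": reasons})
    return findings


SAMPLE_EVENTS = [   # constructed telemetry; names and SID are placeholders
    {"EventID": 13, "Image": r"C:\SysMain_5874288\update.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Financeiro",
     "Details": r"C:\SysMain_5874288\update.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\SysMain_5874288\stage.zip"},
    {"EventID": 11, "Image": r"C:\SysMain_5874288\update.exe",
     "TargetFilename": "c:/sysmain_5874288/log.txt"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\SysMain_58742880\x.bin"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\FINANCEIRO",
     "Details": r"C:\Users\Public\f.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"event {f['index']}: {f['image']} -> {', '.join(f['reasons'])}")
```

Two details are deliberate. The regex accepts both HKCU-style (HKU\SID\...) and HKLM Run and RunOnce paths and compares the value name case-insensitively, because registry names are. The directory test normalises through `PureWindowsPath` and keeps a trailing separator in the prefix so that a look-alike such as C:\SysMain_58742880 does not match; the fifth sample event exists to prove that negative case.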

Fortinet summarizes the technical arc succinctly: the trojan itself is old and its custom encryption has remained effective against detection for years; the novel element in this campaign is the wrapper — geofencing, a hidden (steganographic) payload and a throwaway daily address — engineered to show the malware only to real victims in Spain and Portugal and to evade automated analysis and blocking.

The persistent thread is clear: well-known code and long-standing goals, wrapped in new delivery and concealment tactics that make a familiar threat harder to catch. For defenders the immediate tasks are concrete — block Fortinet-listed artifacts, look for the Financeiro key and the C:\SysMain_5874288 footprint, and treat the lures described above as hostile — while the larger challenge is whether detection and response can keep pace with infrastructure that shifts every day.

Original Fortinet report as summarized by The Hacker News