Ousaban Banking Trojan Targets Iberian Bank Users With Fake PDF Lures
What happened
A Brazilian banking trojan called Ousaban is targeting Windows users who bank in Spain and Portugal. Fortinet’s FortiGuard Labs identified the campaign in May 2026. The attack begins with a phishing PDF disguised as a corrupted file. The PDF tells the victim to press an “Update” button, which opens a malicious webpage.
Hidden JavaScript inside the PDF can also open the malicious page automatically. The page presents itself as a tax-document and installer portal while screening visitors to determine whether they are likely real targets.
Earlier versions of the campaign ran these checks in the visitor’s browser, looking at IP address, language, time zone, screen size, installed fonts, and VPN use. The current version moves those checks to the attacker’s server, so the filtering rules are much harder for defenders to inspect.
Visitors outside Spain or Portugal receive a Spanish “access denied” notice instead of the malware. If the visitor passes the checks, the download begins.
The payload is hidden inside an image that looks like a PDF icon but contains a ZIP file. The attack script extracts Ousaban from the hidden ZIP, runs it, and then deletes the image, ZIP file, and script to reduce evidence left behind.
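As an added example (not code from the article or from Fortinet), this PowerShell check scans image files for a ZIP local-file-header signature, the image/ZIP polyglot pattern the dropper relies on; the folders scanned and the assumption that the ZIP is stored unencoded inside the image are mine.

```powershell
# Added example: flag image files that also carry a ZIP (image/ZIP polyglot).
# The article does not describe the embedding layout, so this scans the whole
# file for the ZIP local-file-header signature "PK\x03\x04" (assumption).
function Test-ImageCarriesZip {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 8) { return $null }

    # Only report files that really start like an image (PNG, JPEG, GIF, ICO).
    $isPng  = ($bytes[0] -eq 0x89 -and $bytes[1] -eq 0x50 -and $bytes[2] -eq 0x4E -and $bytes[3] -eq 0x47)
    $isJpeg = ($bytes[0] -eq 0xFF -and $bytes[1] -eq 0xD8)
    $isGif  = ($bytes[0] -eq 0x47 -and $bytes[1] -eq 0x49 -and $bytes[2] -eq 0x46)
    $isIco  = ($bytes[0] -eq 0x00 -and $bytes[1] -eq 0x00 -and $bytes[2] -eq 0x01 -and $bytes[3] -eq 0x00)
    if (-not ($isPng -or $isJpeg -or $isGif -or $isIco)) { return $null }

    # A "PK\x03\x04" signature anywhere past the header indicates an embedded ZIP.
    for ($i = 4; $i -le $bytes.Length - 4; $i++) {
        if ($bytes[$i] -eq 0x50 -and $bytes[$i+1] -eq 0x4B -and
            $bytes[$i+2] -eq 0x03 -and $bytes[$i+3] -eq 0x04) {
            return [pscustomobject]@{ Path = $Path; ZipOffset = $i; Size = $bytes.Length }
        }
    }
    return $null
}

# Assumed staging locations: user-writable folders a dropper commonly writes to.
$roots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, "$env:USERPROFILE\Downloads")
Get-ChildItem -Path $roots -Recurse -File -Include *.png,*.jpg,*.jpeg,*.gif,*.ico -ErrorAction SilentlyContinue |
    ForEach-Object { Test-ImageCarriesZip -Path $_.FullName } |
    Where-Object { $_ } |
    Format-Table -AutoSize
```

Any hit is worth pulling for analysis; legitimate images very rarely contain a ZIP local-file header.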
Once installed, Ousaban creates a Windows registry Run key named Financeiro so it starts automatically with Windows.
The trojan waits for the victim to open a targeted banking website. When a monitored bank loads, Ousaban can capture screenshots and keystrokes, manipulate the clipboard, display fake messages, and give the attacker remote control of the machine.
The malware watches for more than two dozen banks in Spain and Portugal, including Banco Santander, BBVA, CaixaBank, Bankinter, and Caixa Geral de Depósitos.
Ousaban also uses a moving command-and-control method. It contains a Pastebin link pointing to a decoy server, while the real server changes daily. The malware reads the current date from a Google page, combines it with a fixed secret, and uses that value to find the active command server.
Who is affected
Windows users in Spain and Portugal are directly affected, especially those who receive phishing PDFs posing as corrupted tax documents, invoices, or banking-related files. Customers of targeted Iberian banks may be exposed if they open the lure, pass the campaign’s geofencing checks, and later log in to online banking from an infected device.
Organizations with employees in Spain or Portugal may also be affected if users open malicious PDF lures on work devices. Even though the campaign is banking-focused, an infected endpoint with remote-control capability can create broader credential, device, and network exposure.
Why CISOs should care
This campaign shows how regional banking trojans continue to evolve their delivery methods while relying on familiar social engineering. A fake corrupted PDF and an “Update” prompt may look simple, but the campaign adds geofencing, server-side screening, steganography, cleanup steps, and rotating command infrastructure.
For CISOs, the sandbox evasion angle is important. Automated analysis tools may only see an access-denied page if they fetch the lure from outside Spain or Portugal or from infrastructure that looks like a security tool. That means gateway detonation alone may miss the real payload.
The banking-session hijacking capability also matters. Ousaban is built to wait until the user opens a real banking site, then capture keystrokes, screenshots, and session activity while allowing remote attacker control. This can support account takeover even when users believe they are interacting with a legitimate bank portal.
The campaign also reinforces the risk of ClickFix-style lures and corrupted-file prompts. Users are increasingly being trained by attackers to click update buttons, install “fixes,” or paste commands to solve fake errors.
3 practical actions
Treat corrupted-file and update prompts as hostile: The campaign starts with a PDF that claims the file is corrupted and asks the user to press an update button. Security awareness should specifically cover fake PDF errors, tax-document lures, invoice lures, and prompts that ask users to paste commands or install fixes.
Monitor for Ousaban persistence and dropped files: Fortinet highlighted the Financeiro registry Run key and files dropped under a SysMain-themed folder path. Security teams should hunt for unusual Run key entries, suspicious script cleanup behavior, steganography-based payload extraction, and unexpected banking-trojan activity on Windows endpoints.
Do not rely only on sandbox detonation: The campaign uses geofencing and server-side visitor screening to avoid showing malware to non-targets or automated tools. Defenders should combine sandboxing with endpoint telemetry, email controls, DNS monitoring, behavioral detection, and regional threat intelligence for Spain and Portugal.
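As an added hunting example (not from the article or Fortinet), this PowerShell script lists Run-key entries and flags the Financeiro value name the article reports; the SysMain path heuristic and the user-writable-folder heuristic are assumptions, since the article does not give the exact folder path.

```powershell
# Added hunting example: enumerate autorun Run keys and flag Ousaban-style entries.
# "Financeiro" is the value name reported in the article; the path heuristics are
# assumptions and will need tuning per environment.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Get-SuspiciousRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            $reasons = @()

            # Indicator from the article: persistence value named "Financeiro".
            if ($name -eq 'Financeiro') { $reasons += 'Run value named Financeiro' }

            # Assumption: a SysMain-named path outside %SystemRoot% mimics the real service.
            if ($cmd -match 'SysMain' -and $cmd -notmatch [regex]::Escape($env:SystemRoot)) {
                $reasons += 'SysMain-themed path outside SystemRoot'
            }

            # Assumption: autoruns launching from user-writable folders deserve review.
            if ($cmd -match '\\(AppData|Temp|ProgramData|Public)\\') {
                $reasons += 'Launches from user-writable location'
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $name
                    Command = $cmd
                    Reason  = ($reasons -join '; ')
                }
            }
        }
    }
}

Get-SuspiciousRunEntries | Format-Table -AutoSize -Wrap
```

Run it under an account that can read HKLM; entries flagged only by the user-writable heuristic are often benign updaters, so triage the command line before acting.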