- A Brazilian banking trojan named Ousaban is actively targeting Windows users in Spain and Portugal.
- The attack uses a phishing PDF disguised as a corrupted file, advanced geofencing to screen victims, and steganography to hide malware.
- The malware can hijack live banking sessions, capturing keystrokes, screenshots, and even granting attackers remote control.
- The campaign demonstrates a sophisticated, evasive playbook used by Brazilian cybercrime groups for years.
Researchers from Fortinet’s FortiGuard Labs identified in May 2026 that a Brazilian banking trojan called Ousaban is attacking Windows users in Spain and Portugal. This sophisticated campaign cleverly screens its victims before deploying a dangerous payload.
The attack begins with a phishing PDF pretending to be a corrupted document, which tricks users into clicking an “Atualizar” (Portuguese for “Update”) button. This action opens a malicious website that poses as a tax portal.
This webpage runs an initial check to ensure the visitor is geographically located in Spain or Portugal. Consequently, automated security tools or users from other regions only see an error message.
Once cleared, a script downloads a ZIP file hidden inside an image using steganography. This script unpacks and runs the Ousaban malware, then deletes all traces of the delivery mechanism.
The malware installs itself persistently and waits for the user to visit one of more than two dozen target banks, such as Banco Santander or BBVA. It can then capture screenshots, log keystrokes, and manipulate the clipboard.
This provides attackers with all the tools needed for session hijacking and account takeover. Meanwhile, the malware’s command server changes its address daily using the current date, making it hard to block.
This playbook is not new, as Ousaban is part of a group of Brazilian banking trojans tracked for years. Similarly, the related Grandoreiro malware survived an Interpol-coordinated takedown in 2024 and resumed operations shortly after.
Defenders should treat unsolicited PDFs or emails claiming file corruption as hostile. They should also monitor for suspicious registry keys and file drops as indicators of this infection.