A sophisticated banking trojan known as Ousaban has been identified targeting Windows users in Spain and Portugal. This malware campaign, active since May 2026, employs deceptive tactics to infiltrate systems and steal sensitive banking information.
The attack initiates with a phishing email containing a PDF file that appears to be corrupted. Upon opening, the PDF prompts the user to click an “Atualizar” (Update) button, leading them to a malicious website. This site conducts checks to confirm the user’s location within Spain or Portugal, ensuring the target is within the intended region. If the user passes these checks, the site delivers the malware payload concealed within an image file—a technique known as steganography.
Once installed, Ousaban operates stealthily, monitoring user activity for interactions with banking websites. It is capable of capturing screenshots, logging keystrokes, manipulating clipboard data, displaying fraudulent messages, and granting remote control to attackers. These functionalities enable cybercriminals to hijack active banking sessions and gain unauthorized access to accounts. The malware specifically targets over two dozen financial institutions in the region, including prominent banks such as Banco Santander, BBVA, CaixaBank, Bankinter, and Caixa Geral de Depósitos.
Technical Breakdown of the Attack
The infection chain begins with the deceptive PDF, which, upon user interaction, redirects to a malicious webpage. This page performs geolocation checks to verify the user’s presence in Spain or Portugal. Previous versions of this campaign conducted these checks client-side, analyzing IP addresses, language settings, and time zones, while also blocking access from VPNs and automated security tools. The current iteration shifts these checks to the server side, obscuring the exact criteria used and displaying an “access denied” message to users outside the targeted regions.
For users within the targeted regions, the malicious site initiates the download of an image file that appears innocuous but contains a hidden ZIP archive. This archive houses the Ousaban trojan, which, once extracted and executed, deletes the initial files to minimize traces of the infection. The malware establishes persistence by creating a registry entry named “Financeiro” (Portuguese for “finance”), ensuring it runs upon system startup.
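One way a defender can triage an image that may carry an appended archive, as an added example that is not code from the report or the campaign: it walks a PNG's chunk list to find where the image legitimately ends and reports whether a ZIP archive follows. The PNG format is an assumption (the article does not name the image format), and the sample files are constructed inline with a harmless placeholder archive.

```python
import io
import struct
import zipfile
import zlib
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def png_end_offset(data: bytes):
    """Walk the PNG chunk list and return the offset just past IEND, or None if malformed."""
    if not data.startswith(PNG_MAGIC):
        return None
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # 4-byte length + 4-byte type + data + 4-byte CRC
        if ctype == b"IEND":
            return pos
    return None

def find_appended_zip(data: bytes) -> dict:
    """Report how many bytes trail the PNG and whether they carry a ZIP archive."""
    end = png_end_offset(data)
    verdict = {"png": end is not None, "trailing_bytes": 0, "zip": False, "names": []}
    if end is None:
        return verdict
    verdict["trailing_bytes"] = len(data) - end
    # A ZIP glued onto an image keeps its local-file header and end-of-central-directory record.
    if b"PK\x03\x04" in data[end:] and b"PK\x05\x06" in data[end:]:
        verdict["zip"] = True
        try:  # zipfile tolerates a non-ZIP prefix, so the whole file can be opened as-is
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                verdict["names"] = zf.namelist()
        except zipfile.BadZipFile:
            pass  # signatures present but archive unreadable: still worth flagging
    return verdict

def build_clean_png() -> bytes:
    """Constructed sample: a valid 1x1 RGB PNG with nothing appended."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\xff\xff")  # filter byte + one white pixel
    return PNG_MAGIC + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

def build_sample_lure() -> bytes:
    """Constructed sample: the clean PNG with a harmless placeholder ZIP appended (not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("placeholder.txt", "stand-in for the dropped archive")
    return build_clean_png() + buf.getvalue()
```

Any non-zero `trailing_bytes` on a PNG is worth a second look even when no ZIP is found, since a viewer will happily render the image and ignore what follows.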
Ousaban’s command and control (C2) infrastructure is designed for evasion and resilience. It utilizes a Pastebin link pointing to a decoy server address, while the actual C2 server changes daily. The malware determines the current server address by retrieving the date from a Google page and combining it with a secret value, making it challenging for defenders to block or track the C2 communications effectively.
Context and Implications
Ousaban is part of a group of Brazilian banking trojans, collectively referred to as the “Tetrade,” which includes Grandoreiro, Guildma, and Melcoz. These malware families have evolved from targeting Brazilian users to expanding their reach into Spain and Portugal, often sharing code and techniques. Notably, Ousaban employs the same custom string encryption method as another trojan, Casbaneiro.
Grandoreiro illustrates the resilience of these malware families: despite an Interpol-coordinated takedown in January 2024, it resumed operations within months. Its loaders have continued to use deceptive PDF lures and geofencing to target Iberian users, demonstrating the persistent threat posed by these trojans.
To mitigate the risk of infection, users should exercise caution with unsolicited emails containing attachments, especially those claiming to be invoices or tax documents. Any prompt to update or fix a corrupted file should be treated with suspicion. Organizations are advised to implement robust email filtering, monitor for unusual startup registry entries such as the “Financeiro” value described above, and stay informed about evolving malware tactics to enhance their cybersecurity posture.
The resurgence and adaptation of banking trojans like Ousaban underscore the need for continuous vigilance and proactive defense strategies. As cybercriminals refine their methods to bypass traditional security measures, both individuals and organizations must prioritize cybersecurity awareness and adopt comprehensive protective measures to safeguard sensitive financial information.