A Brazilian banking trojan called Ousaban is going after Windows users who bank in Spain and Portugal. Fortinet’s FortiGuard Labs identified the campaign in May 2026.
It opens with a phishing PDF disguised as a corrupted file, checks that the visitor is really in Spain or Portugal, and hides its real payload inside an image.
The goal is the usual one: steal banking logins and take over accounts.
Ousaban sits quietly on a Windows PC and waits for the user to open a banking site. When a target bank loads, it can capture screenshots and keystrokes, tamper with the clipboard, show fake messages, and give the attacker remote control.
Together, those are the tools for hijacking a live banking session and taking over an account. Ousaban watches for more than two dozen banks across the two countries, among them Banco Santander, BBVA, CaixaBank, Bankinter, and Caixa Geral de Depósitos.
How the attack works
It starts with a phishing PDF disguised as a corrupted file. The PDF shows a prompt telling the victim to press an “Atualizar” (Update) button, which opens a malicious webpage.
Hidden JavaScript in the PDF can open the same page on its own. The page poses as a tax-document and installer portal while screening visitors. Fortinet says an earlier version ran these checks in the browser: it looked at the visitor’s IP address, language, and time zone, blocked anyone coming through a VPN, and filtered out automated security tools by checking details like screen size and installed fonts.
The current version moves that screening to the operator’s server, so the exact rules are hidden. Either way, visitors outside Spain or Portugal get a Spanish “access denied” notice instead of malware.
Clear the check, and the download starts. A script downloads an image that looks like a PDF icon but hides a ZIP file inside, a trick called steganography. The script unpacks Ousaban from that ZIP, runs it, then deletes the image, the ZIP, and itself to leave less behind. Once running, Ousaban adds a registry entry named Financeiro (Portuguese for “finance”) so it starts up with Windows.
Ousaban’s command server, the machine that controls it, is deliberately hard to find. It carries a Pastebin link that points to one server address, but Fortinet says that address is a decoy.
Hiding these details in web services is an old Ousaban habit: earlier campaigns stashed the configuration in Google Docs. This time, the real server moves every day. The malware reads the current date off a Google page, builds a web address from that date plus a fixed secret, and looks it up. Blocking yesterday’s address does little good.
A familiar Brazilian playbook
None of this is new. Ousaban, also tracked as Javali, is one of a group of Brazilian banking trojans that Kaspersky labeled years ago as the “Tetrade,” alongside Grandoreiro, Guildma, and Melcoz.
These families started in Brazil and pushed into Spain and Portugal, borrowing code from each other as they went; Ousaban’s string encryption is the same custom scheme used by another family, Casbaneiro.
Grandoreiro, the best known of the group, shows how durable the playbook is. It survived an Interpol-coordinated takedown in January 2024 and was back within months, and its loaders leaned on the same habit of hiding downloads behind PDF-looking lures and country checks.
It is still active against Iberian targets, with a campaign reported this year that kept hitting Portuguese banks. Fortinet links the same infrastructure to Ousaban activity in late 2025 that used other entry points, including “ClickFix,” a scam that gets the victim to paste a malicious command themselves while thinking they are fixing an error.
What to do
The first place to catch it is the lure. Treat any PDF or email that claims a file is corrupted and tells you to press “Update” as hostile. The same goes for prompts that tell users to paste a command to fix an “error.” The PDF can even open the malicious page on its own.
Treat unexpected invoice, factura, or tax-document attachments as suspect, especially in Spain and Portugal.
Server-side screening means that an automated sandbox that just fetches the link may get only the Spanish error page instead of the malware. Gateway detonation alone can miss it. The campaign only affects Windows.
Fortinet’s report lists domains, IP addresses, and file hashes to block. Defenders should watch for the Financeiro registry Run key and files dropped to C:\SysMain_5874288. Fortinet says its FortiGuard antivirus flags the samples, and its FortiMail product flags the phishing email.
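As an added illustration, not code from Fortinet's report: a small Python detector that scans constructed, simplified JSON endpoint-log lines for the two host artifacts named above, the Financeiro Run value and files dropped under C:\SysMain_5874288. The log field names (event, host, image, target, path) are assumed for the example and are not any product's real schema.

```python
import json
import re
from typing import Iterable, Optional

# Indicators are the two host artifacts named in the report: the "Financeiro" Run
# value and the C:\SysMain_5874288 drop folder. Log format is a constructed,
# simplified JSON-per-line endpoint log, not a real product format.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\Financeiro$", re.IGNORECASE)
DROP_DIR = r"c:\sysmain_5874288"


def match_event(event: dict) -> Optional[str]:
    """Return a rule name if the event touches an Ousaban persistence artifact."""
    kind = event.get("event")
    if kind == "registry_set" and RUN_KEY_RE.search(event.get("target", "")):
        return "ousaban_run_key"
    if kind == "file_create":
        path = event.get("path", "").lower()
        # Exact folder or anything beneath it; "C:\SysMain_58742889" must not match.
        if path == DROP_DIR or path.startswith(DROP_DIR + "\\"):
            return "ousaban_drop_dir"
    return None


def scan(lines: Iterable[str]) -> list:
    """Run match_event over JSON log lines, skipping blank or malformed ones."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        rule = match_event(event)
        if rule:
            findings.append({"rule": rule, "host": event.get("host"), "image": event.get("image")})
    return findings


# Constructed sample log: two hits, two benign lines, one near-miss folder name.
SAMPLE_LOG = r"""
{"event":"registry_set","host":"ws01","image":"C:\\SysMain_5874288\\client.exe","target":"HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Financeiro"}
{"event":"registry_set","host":"ws01","image":"C:\\Program Files\\OneDrive\\OneDrive.exe","target":"HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"}
{"event":"file_create","host":"ws01","image":"C:\\Windows\\System32\\wscript.exe","path":"C:\\SysMain_5874288\\client.exe"}
{"event":"file_create","host":"ws02","image":"C:\\Program Files\\Acrobat\\Acrobat.exe","path":"C:\\Users\\ana\\Downloads\\factura.pdf"}
{"event":"file_create","host":"ws02","image":"C:\\Windows\\explorer.exe","path":"C:\\SysMain_58742889\\notes.txt"}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```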
The trojan itself is old, and Fortinet says its custom encryption has stayed effective against detection for years. The newer part is the wrapper: geofencing, a hidden payload, and a throwaway daily address, all built to show the malware to real victims in two countries and nobody else.