TL;DR
Fortinet found Ousaban targeting Spanish and Portuguese bank users with geofenced PDFs that hide malware inside images and rotate servers daily.
A Brazilian banking trojan called Ousaban is going after Windows users who bank in Spain and Portugal, using fake PDFs, geofencing, and a payload hidden inside an image to steal credentials without triggering security tools. Fortinet’s FortiGuard Labs identified the campaign in May and published its analysis this week.
The attack starts with a phishing PDF disguised as a corrupted file. The document tells the victim to press an “Atualizar” (Update) button, which opens a malicious webpage posing as a tax-document portal. Hidden JavaScript inside the PDF can open the same page automatically, so the victim does not even need to click.
Before delivering the payload, the campaign screens every visitor. An earlier version fingerprinted the browser client-side, checking IP address, language, time zone, screen size, and installed fonts, and turned away anyone whose profile suggested a VPN or an automated sandbox. The current version moves those checks to the server, so the exact filtering rules can no longer be read out of the page; visitors outside Spain and Portugal simply see a Spanish “access denied” notice. For analysts, the practical consequence is that the payload is only served to a client that looks like the intended victim: a sandbox detonating the lure from outside the Iberian Peninsula sees nothing but the refusal.
Anyone who passes the filter downloads what looks like a PDF icon but is an image file that also carries a ZIP archive, which Fortinet describes as steganography: the file still opens as a picture, so it draws no attention, while the loader can still unpack the archive from it. A script extracts the malware from the ZIP, runs it, then deletes the image, the ZIP, and itself, leaving little on disk for a responder to recover. Once installed, Ousaban adds a Windows registry entry named “Financeiro” so that it starts automatically.
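The following Python is an added example written for this page, not code from Fortinet's report or from the malware. It shows the check a responder would run on a suspicious image: walk the PNG chunk list to the IEND chunk, flag any bytes that follow it, and try to open the whole file as a ZIP. The archive opens despite the image in front of it because ZIP readers locate the archive from its end-of-central-directory record, which is the property an image/ZIP polyglot relies on. The carrier image and the archive contents are constructed here for the demonstration and contain nothing from the campaign.

```python
import io
import struct
import zipfile
import zlib
from typing import Optional

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ZIP_EOCD_SIG = b"PK\x05\x06"  # ZIP "end of central directory" record


def png_end_offset(data: bytes) -> Optional[int]:
    """Walk the PNG chunk list; return the offset just past IEND, or None if not a PNG."""
    if not data.startswith(PNG_MAGIC):
        return None
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # chunk header + chunk data + CRC
        if ctype == b"IEND":
            return pos
    return None  # truncated or malformed chunk list


def find_trailing_zip(data: bytes) -> Optional[dict]:
    """Report a ZIP archive riding behind an otherwise valid PNG; None if the image is clean."""
    end = png_end_offset(data)
    if end is None or end >= len(data):
        return None
    tail = data[end:]
    if ZIP_EOCD_SIG not in tail:
        # Bytes after IEND are suspicious on their own; record them without claiming a ZIP.
        return {"image_end": end, "trailing_bytes": len(tail), "members": None}
    try:
        # zipfile finds the EOCD record from the end of the file and corrects the central
        # directory offsets for the prepended image bytes, so the archive opens as-is.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        members = []  # EOCD signature present but the archive does not parse
    return {"image_end": end, "trailing_bytes": len(tail), "members": members}


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """Constructed 1x1 RGB PNG used as the carrier in this example."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit depth, RGB
    idat = zlib.compress(b"\x00\xff\xff\xff")            # filter byte + one white pixel
    return PNG_MAGIC + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def build_sample_polyglot() -> bytes:
    """Constructed polyglot: the PNG above with a ZIP holding a harmless placeholder appended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.bin", "constructed placeholder, not malware\n")
    return build_sample_png() + buf.getvalue()


if __name__ == "__main__":
    print(find_trailing_zip(build_sample_png()))       # None: nothing after IEND
    print(find_trailing_zip(build_sample_polyglot()))  # members == ['payload.bin']
```

The same walk works for any chunked or length-prefixed image format once the terminating marker is known; for a JPEG the equivalent boundary is the EOI marker. Treat any non-zero `trailing_bytes` as worth a look even when no archive parses, since a loader could just as well carry its payload in a format other than ZIP.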
The trojan sits quietly until the user opens a banking site, then captures screenshots and keystrokes, tampers with the clipboard, shows fake messages, and gives the attacker remote control. Fortinet says Ousaban watches for more than two dozen banks across Spain and Portugal, among them Santander, BBVA, CaixaBank, Bankinter, and Caixa Geral de Depósitos.
Its command server is deliberately hard to pin down. Instead of carrying a hard-coded address, the malware reads the current date from a Google page, combines it with a fixed secret to derive a web address, and so resolves a new server every day; a blocklist built from yesterday’s sample is already stale. Taking the date from a web response rather than the local clock also means that manipulating a sandbox’s clock does not change which address the sample contacts. Hiding infrastructure behind web services is an old Ousaban habit: earlier campaigns stashed configuration data in Google Docs.
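To make the date-seeded scheme concrete, here is an added Python illustration that is not Fortinet's code or the malware's: it takes the day from an HTTP Date header, hashes it together with a secret, and turns the digest into a domain, then pre-computes the coming week. The secret, the hash, the truncation and the `.example` suffix are all hypothetical stand-ins, since the page does not describe the real derivation; what the example shows is why a defender who recovers the secret can generate and sinkhole tomorrow's address before the malware asks for it, and why one who has not is always a day behind.

```python
import hashlib
from datetime import date, timedelta
from email.utils import parsedate_to_datetime

# Hypothetical stand-ins for illustration only: the campaign's real secret, hash function
# and naming scheme are not on this page, so these values and the derivation are assumptions.
HYPOTHETICAL_SECRET = "example-fixed-secret"
HYPOTHETICAL_TLD = ".example"


def date_from_http_header(date_header: str) -> date:
    """Take the calendar day from an HTTP Date header, the way a sample that asks a web page
    for 'today' would, instead of trusting the local clock that a sandbox may have altered."""
    value = date_header.split(":", 1)[1] if date_header.startswith("Date:") else date_header
    return parsedate_to_datetime(value.strip()).date()


def domain_for(day: date, secret: str = HYPOTHETICAL_SECRET) -> str:
    """Derive the rendezvous domain for one day: sha256(YYYYMMDD || secret), truncated."""
    digest = hashlib.sha256(f"{day:%Y%m%d}".encode() + secret.encode()).hexdigest()
    return digest[:16] + HYPOTHETICAL_TLD


def upcoming_domains(start: date, days: int = 7, secret: str = HYPOTHETICAL_SECRET) -> list:
    """Pre-compute the domains for the coming days. With the secret in hand a defender can
    register, block or sinkhole them in advance; without it each day's address is a surprise."""
    return [domain_for(start + timedelta(days=n), secret) for n in range(days)]


if __name__ == "__main__":
    # Constructed header value; a real sample would read it from the live HTTP response.
    today = date_from_http_header("Date: Mon, 06 May 2024 10:20:30 GMT")
    for d in upcoming_domains(today):
        print(d)
```

The detection lesson is the inverse of the generation: a host resolving a fresh, never-before-seen domain once a day at a fixed cadence is a stronger signal than any one name, so hunting should key on that pattern in DNS logs rather than on the domains themselves.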
Ousaban, also tracked as Javali, belongs to a group of Brazilian banking trojans that Kaspersky labelled years ago as the “Tetrade,” alongside Grandoreiro, Guildma, and Melcoz. All four started in Brazil and expanded into the Iberian Peninsula, sharing code along the way. Grandoreiro, the best known of the group, survived an Interpol-coordinated takedown in January 2024 and was back within months, and it is still active against European targets this year.
Fortinet says its antivirus products flag the samples and its FortiMail service catches the phishing emails. For everyone else, the first line of defence is the lure itself: any PDF or email that claims a file is corrupted and tells you to press “Update” should be treated as hostile. The same applies to prompts asking users to paste a command to fix an error, a technique known as ClickFix that Fortinet links to related Ousaban activity from late 2025.