Ousaban Trojan Targets Iberian Banks With Fake PDF Lures
The Brazilian banking trojan Ousaban—also tracked as Javali—has resurfaced in a new campaign aimed at Windows users banking in Spain and Portugal. Researchers at Fortinet's FortiGuard Labs documented the operation in May 2026, identifying a phishing-led infection chain that ultimately targets more than two dozen financial institutions across the Iberian Peninsula, including Banco Santander, BBVA, CaixaBank, Bankinter, and Caixa Geral de Depósitos. Once installed, the trojan monitors browser activity for targeted banking sessions, captures keystrokes and screenshots, manipulates clipboard content, and can hand attackers remote control over the compromised machine.
The attack begins with a phishing PDF presented as a corrupted document. Victims see a prompt instructing them to press an "Atualizar" (Update) button, which redirects to a malicious landing page; embedded JavaScript in the PDF can trigger the same redirect automatically. Earlier versions of the campaign performed visitor screening in the browser—checking IP address, language, and time zone, blocking VPN traffic, and filtering out security sandboxes via screen-size and font enumeration. The current variant has moved that fingerprinting logic to the operator's server, making the rules opaque to analysts. Non-qualifying visitors receive a Spanish "access denied" notice, while approved targets download a payload disguised as a PDF icon that actually contains a ZIP archive hidden via steganography. Because the loader relies on traffic profiling and geofencing, users concerned about their own exposure can validate their setup with a VPN/proxy detector and a DNS leak test.
Persistence is established through a Windows registry key named "Financeiro," and the command-and-control infrastructure is deliberately obfuscated. A Pastebin link embedded in the malware points to a decoy server address; the real C2 is computed daily by reading the current date from a public Google page and combining it with a hardcoded secret. Fortinet notes that earlier Ousaban variants stored similar configuration data in Google Docs, and the rotating-address technique renders static blocklists largely useless. Analysts tracking the campaign can pivot on the decoy infrastructure using a WHOIS lookup to follow related registrations.
Ousaban belongs to the "Tetrade" cluster of Brazilian banking trojans identified by Kaspersky, alongside Grandoreiro, Guildma, and Melcoz—families that originated in Brazil before expanding into Spanish- and Portuguese-speaking markets and sharing code across development teams. Defenders should treat unsolicited PDFs requesting "Atualizar" actions as hostile, monitor endpoints for unauthorized Financeiro registry entries, and enforce hardware-backed multi-factor authentication on all banking sessions. Users who suspect exposure can verify whether their credentials have appeared in known collections with an email breach checker and rotate any reused passwords immediately.
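The persistence artifact described above ("Financeiro" registry entry) and the monitoring recommendation can be turned into a simple hunt over exported Run-key data. The following is an added example written for this article, not Fortinet's tooling; the article names only the key, so the placement under a Run key, the regex for `reg query` output, and the sample export are assumptions and constructed data.

```python
"""Hunt for the Ousaban persistence value name in exported registry data.

Added example, not from the original report. The article states only that
persistence uses a registry key named "Financeiro"; that it sits under a Run
key, and the sample export below, are assumptions / constructed data.
"""
import re
from typing import List, Tuple

# Value name the article attributes to Ousaban persistence (case-insensitive).
SUSPICIOUS_NAMES = {"financeiro"}

# Constructed sample in `reg query <key> /s` output style (not real host data).
SAMPLE_REG_EXPORT = """
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    OneDrive    REG_SZ    "C:\\Users\\ana\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background
    Financeiro    REG_SZ    C:\\Users\\ana\\AppData\\Roaming\\Financeiro\\upd.exe

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\\system32\\SecurityHealthSystray.exe
"""

# A key line starts with a hive name; a value line is indented: name, type, data.
KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\.*$")
VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")


def scan_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (key_path, value_name, data) for every value whose name is suspicious."""
    findings: List[Tuple[str, str, str]] = []
    current_key = ""
    for line in text.splitlines():
        if KEY_RE.match(line):
            current_key = line.strip()  # remember which key the following values belong to
            continue
        m = VALUE_RE.match(line)
        if m and m.group("name").lower() in SUSPICIOUS_NAMES:
            findings.append((current_key, m.group("name"), m.group("data").strip()))
    return findings


if __name__ == "__main__":
    for key, name, data in scan_reg_export(SAMPLE_REG_EXPORT):
        print(f"[!] {key} -> {name} = {data}")
```

On a live host, feed the script the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /s` (and the HKLM equivalent) collected by your EDR or a scheduled job.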