Brazilian Banking Trojan Ousaban Expands to Spain and Portugal with Advanced Evasion Tactics
The Ousaban banking trojan, previously targeting Brazil, has been updated to target Spain and Portugal using sophisticated phishing, steganography, and geofencing techniques.

The Ousaban banking trojan, a threat long active against victims in Brazil, has been significantly retooled and expanded to target banking customers in Spain and Portugal. Security researchers at Fortinet's FortiGuard Labs have observed this new campaign actively targeting these European nations since May 2026, employing advanced evasion tactics to remain undetected by both users and security analysts.
Ousaban, which belongs to the same family of malware as the Casbaneiro banking trojan, now features enhanced layers of obfuscation. These improvements are designed to ensure the malware reaches its intended victims while simultaneously hindering the efforts of researchers attempting to analyze its behavior and infrastructure. This evolution highlights a trend of established malware families adapting to new geographical targets and employing more sophisticated delivery and operational security measures.
The attack chain commences with a deceptive phishing PDF file. This PDF is designed to appear as a corrupted document, prompting the unsuspecting user to click an "Update" button. This action redirects the victim to a malicious webpage that masquerades as an official government tax portal. This initial interaction is crucial for the threat actors, as the portal then profiles each visitor.
Crucially, the attack only proceeds for users who appear to be located in Spain or Portugal. This geofencing mechanism is implemented through server-side checks that inspect various data points, including the visitor's language settings, time zone, and IP address. Furthermore, the system actively blocks VPN connections and screens out sandboxed environments, effectively hiding the detection criteria from security researchers and making automated analysis significantly more challenging.
Victims who successfully pass these initial profiling and geofencing checks are then presented with a script. This script is designed to download an image file that visually resembles a PDF icon. However, this image file utilizes steganography to conceal an appended archive. This archive contains the core Ousaban payload, ready to be extracted and executed on the compromised system.
Once the Ousaban malware is active on a victim's machine, it begins to monitor for the user attempting to access one of dozens of targeted banking services. These include prominent financial institutions such as Santander, BBVA, CaixaBank, Revolut, and Caixa Geral de Depósitos. The malware is equipped with a comprehensive toolkit to facilitate credential theft and fraudulent transactions.
Upon detecting an attempt to log into a targeted bank, Ousaban employs techniques such as taking screenshots, logging keystrokes, injecting malicious content into the clipboard, and establishing remote control over the infected system. It also displays convincing fake bank login screens to trick users into divulging their sensitive financial information. The malware's command and control infrastructure is also designed for evasion: the C2 domain changes daily and is derived from a hash of the current date, which the malware obtains from a Google error page, while a decoy Pastebin link redirects analysts to a dead-end private IP address.
Fortinet's telemetry indicates that this campaign remains active, with the primary objective being bank fraud through the theft of user credentials. The sophisticated combination of social engineering, advanced evasion techniques like steganography and geofencing, and robust command-and-control obfuscation makes Ousaban a significant threat to banking customers in the targeted regions.
The Ousaban campaign has evolved its evasion tactics, now employing a more sophisticated server-side screening process for its geofencing checks, moving the filtering logic from the browser to the operator's server. This makes it harder for automated security tools to detect the malware, as sandboxes may only receive a Spanish 'access denied' page instead of the malicious payload. Additionally, the malware's command and control infrastructure is now dynamically updated daily via a Google page lookup, making it significantly more challenging to block.