A Brazilian banking trojan is targeting Santander and BBVA customers with deceptive PDF lures.
TL;DR: Fortinet has reported that the Brazilian Trojan Ousaban is targeting bank users in Spain and Portugal using geofenced PDFs that conceal malware within images and rotate servers daily.
Ousaban is focusing on Windows users who bank in Spain and Portugal, employing fake PDFs, geofencing, and a payload disguised in an image to steal credentials without triggering security measures. Fortinet's FortiGuard Labs discovered this campaign in May and released their analysis recently.
The attack begins with a phishing PDF that appears to be a corrupted file. It instructs victims to click an "Atualizar" (Update) button, which redirects to a malicious webpage that masquerades as a tax-document portal. The PDF contains hidden JavaScript that can also automatically open this webpage, eliminating the need for user interaction.
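A lure like the one described above carries two things worth checking before a PDF is ever opened: an action that fires on its own (an /OpenAction or /AA entry) and JavaScript or a URI that takes the reader off to a web page. The following triage script is an added example, not Fortinet's analysis tooling, and the PDF it scans is a constructed sample rather than the real lure. It flags the risky name objects, pulls out any URLs, inflates FlateDecode'd streams so keywords hidden inside compressed objects are seen, and undoes PDF name hex-escaping (/Open#41ction is /OpenAction) so that trick cannot hide a keyword from a string match. It is a first-pass filter, not a parser: other stream filters and object streams are not unpacked, and a hit means "look closer", not "malicious".

```python
import re
import zlib

# Constructed sample, not the real Ousaban lure: a minimal PDF whose catalog
# carries an /OpenAction that runs JavaScript to open a URL, plus a link
# annotation with a /URI, the two features the article attributes to the lure.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj
4 0 obj << /S /JavaScript /JS (app.launchURL("http://example.invalid/update", true)) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.invalid/update) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Names that either run something without a click or hand the reader off.
RISKY_NAMES = [b"/OpenAction", b"/AA", b"/JavaScript", b"/JS",
               b"/Launch", b"/URI", b"/SubmitForm", b"/EmbeddedFile"]


def _decode_name_escapes(data: bytes) -> bytes:
    # PDF names may hex-escape characters (/J#53 is /JS); undo that so a lure
    # cannot hide a keyword from the string match below.
    def fix(tok):
        return re.sub(rb"#([0-9A-Fa-f]{2})",
                      lambda h: bytes([int(h.group(1), 16)]), tok.group(0))
    return re.sub(rb"/[^\s/\[\]<>()]+", fix, data)


def _inflated_streams(data: bytes) -> list[bytes]:
    # Streams are usually FlateDecode'd; inflate what we can so keywords inside
    # compressed objects are visible too. zlib ignores the trailing newline
    # captured before "endstream". Other filters are not handled.
    out = []
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.DOTALL):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass
    return out


def pdf_risk_indicators(data: bytes) -> dict:
    text = b"\n".join([data] + _inflated_streams(data))
    text = _decode_name_escapes(text)
    hits = {}
    for name in RISKY_NAMES:
        n = len(re.findall(re.escape(name) + rb"(?![A-Za-z])", text))
        if n:
            hits[name.decode()] = n
    urls = sorted({m.decode("latin-1")
                   for m in re.findall(rb"https?://[^\s()<>\"']+", text)})
    auto = "/OpenAction" in hits or "/AA" in hits
    js = "/JS" in hits or "/JavaScript" in hits
    return {"names": hits, "urls": urls, "auto_executes": auto,
            "has_javascript": js,
            # auto-run plus script is the "opens the portal by itself" pattern
            "suspicious": auto and js}


def build_flate_sample() -> bytes:
    """Constructed variant: the JavaScript action sits in a compressed stream
    and the /OpenAction name is hex-escaped, so both evasions are exercised."""
    body = b"<< /S /JavaScript /JS (app.launchURL('http://example.invalid/x', true)) >>"
    return (b"%PDF-1.7\n1 0 obj << /Type /Catalog /Open#41ction 2 0 R >> endobj\n"
            b"2 0 obj << /Filter /FlateDecode >> stream\n" + zlib.compress(body) +
            b"\nendstream endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for label, pdf in (("plain", SAMPLE_PDF), ("flate+escaped", build_flate_sample())):
        print(label, pdf_risk_indicators(pdf))
```

Run it over a quarantined attachment with `pdf_risk_indicators(open(path, "rb").read())`; a PDF that both auto-executes and carries JavaScript deserves detonation in a sandbox, and the extracted URLs are ready-made indicators for mail and proxy filtering.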
Before the payload is delivered, the campaign screens every visitor. An earlier version checked the user’s IP address, language, time zone, screen resolution, and installed fonts, blocking access for those using VPNs or automated sandboxes. The latest version conducts these checks server-side, keeping specific filtering rules concealed, but those outside of Spain and Portugal only see a Spanish "access denied" message.
A user who passes the screening downloads what looks like a PDF icon image. The image file actually carries a ZIP archive, a crude form of steganography: the file opens as a picture, so a cursory look or a content-type check sees nothing wrong. A script then unpacks the malware from the archive, executes it, and deletes the image, the ZIP, and itself. Once installed, Ousaban creates a Windows registry entry named "Financeiro" so that it runs automatically.
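The image-that-is-a-ZIP trick is easy to check for mechanically, because both formats are self-describing: a PNG declares where it ends (the IEND chunk), and a ZIP is located from its end-of-central-directory record at the tail of the file. The script below is an added example and not Fortinet's or the malware's code; it assumes the common variant in which the archive is simply appended after the image data, which the article does not specify, and it builds its own sample: a valid 1x1 PNG with a small ZIP appended whose only member is a stand-in file, not a real binary. It walks the PNG chunk list to find where the image really ends, reports how many bytes trail it, and uses Python's `zipfile`, which tolerates leading data, to list and extract whatever is hidden there.

```python
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def build_sample(with_zip: bool) -> bytes:
    """Constructed sample: a valid 1x1 PNG, optionally with a ZIP archive
    appended after IEND. The member is a stand-in, not a real executable."""
    def chunk(tag: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(tag + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)

    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")              # filter byte + one red pixel
    png = PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")
    if not with_zip:
        return png
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("payload.exe", b"MZ" + b"\x00" * 62)
    return png + buf.getvalue()


def png_end_offset(data: bytes):
    """Walk the chunk list and return the offset just past IEND's CRC, i.e.
    where a well-formed PNG must end. None if the chunk list is broken."""
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        tag = data[pos + 4:pos + 8]
        pos += 12 + length          # length field + tag + data + CRC
        if tag == b"IEND":
            return pos
    return None


def analyse_image(data: bytes) -> dict:
    result = {"is_png": data.startswith(PNG_SIG), "image_end": None,
              "trailing_bytes": 0, "zip_found": False, "zip_members": []}
    if result["is_png"]:
        end = png_end_offset(data)
        result["image_end"] = end
        if end is not None:
            # Anything after IEND is not part of the picture; a viewer ignores it.
            result["trailing_bytes"] = len(data) - end
    # zipfile finds the archive from its end-of-central-directory record, so
    # it locates a ZIP even when image bytes precede it (same mechanism that
    # makes self-extracting archives work).
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            result["zip_found"] = True
            result["zip_members"] = z.namelist()
    return result


def extract_hidden_zip(data: bytes) -> dict:
    """Return {member name: bytes} for the archive carried by the image, or {}."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return {name: z.read(name) for name in z.namelist()}


if __name__ == "__main__":
    print(analyse_image(build_sample(with_zip=False)))
    print(analyse_image(build_sample(with_zip=True)))
    print({k: v[:4] for k, v in extract_hidden_zip(build_sample(True)).items()})
```

As a download-gateway or sandbox check, "image by magic bytes, non-zero trailing bytes after the format's end marker, and `is_zipfile` true" is a strong signal; the same end-marker walk applies to JPEG (EOI) and GIF (trailer byte), though those formats are not handled here.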
The trojan remains inactive until the user accesses a banking website, at which point it captures screenshots and keystrokes, modifies the clipboard, displays deceptive messages, and grants the attacker remote access. Fortinet indicates that Ousaban targets over two dozen banks in Spain and Portugal, including Santander, BBVA, CaixaBank, Bankinter, and Caixa Geral de Depósitos.
The command-and-control server is deliberately hard to pin down. The malware fetches the current date from a Google page, combines it with a fixed secret to derive a domain, and so resolves a fresh server every day; a blocklist built from today's indicator is stale by tomorrow. Ousaban has a history of camouflaging its infrastructure: earlier campaigns stored configuration data in Google Docs.
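The mechanism above is a date-seeded domain generation algorithm (DGA), and its defensive consequence cuts both ways: a static blocklist cannot keep up, but once the secret is recovered from a sample the defender can generate the same schedule and pre-register or sinkhole the domains before the malware asks for them. The code below is an added example that is not Ousaban's actual algorithm; the article only says the date is combined with a fixed secret, so the HMAC construction, the 12-character labels, the TLD list and the idea that the date comes from an HTTP `Date:` header are all assumptions, as are the secret and header line used as sample input.

```python
import datetime as dt
import hashlib
import hmac
from email.utils import parsedate_to_datetime

# Assumed parameters, not Ousaban's real ones: the article states only that the
# day's date is combined with a fixed secret to derive the domain.
TLDS = ("com", "net", "org")


def parse_http_date(header_line: str) -> dt.date:
    """Take the day from an HTTP 'Date:' response header. Reading the date
    from a remote page rather than the local clock keeps every infected host
    on the operator's calendar even when the victim's clock is wrong."""
    value = header_line.split(":", 1)[1].strip()
    return parsedate_to_datetime(value).date()


def dga_domain(day: dt.date, secret: bytes) -> str:
    """Domain for one day: HMAC-SHA256(secret, ISO date) mapped to a-z letters."""
    digest = hmac.new(secret, day.isoformat().encode(), hashlib.sha256).digest()
    label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
    return f"{label}.{TLDS[digest[12] % len(TLDS)]}"


def upcoming_domains(secret: bytes, start: dt.date, days: int) -> list[str]:
    """Defender side: with the secret in hand, the whole schedule is known in
    advance and can be sinkholed or pre-blocked."""
    return [dga_domain(start + dt.timedelta(days=i), secret) for i in range(days)]


def stale_blocklist_hits(blocklist: set[str], secret: bytes, day: dt.date) -> bool:
    """Would a blocklist of previously seen domains catch the domain for `day`?"""
    return dga_domain(day, secret) in blocklist


if __name__ == "__main__":
    secret = b"constructed-sample-secret"          # assumed, for the demo only
    today = parse_http_date("Date: Tue, 03 Jun 2025 10:15:00 GMT")
    seen_yesterday = {dga_domain(today - dt.timedelta(days=1), secret)}
    print("yesterday's blocklist catches today:", stale_blocklist_hits(seen_yesterday, secret, today))
    print("next 7 days to sinkhole:", upcoming_domains(secret, today, 7))
```

The observable on the wire is the same regardless of the exact algorithm: a process that fetches a Google page, then resolves a never-before-seen domain shortly afterwards, every day. That sequence, rather than any one domain, is what a detection rule should key on.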
Also tracked as Javali, Ousaban belongs to the group of Brazilian banking trojans that Kaspersky calls the "Tetrade", alongside Grandoreiro, Guildma, and Melcoz. These families originated in Brazil, share code, and have spread to the Iberian Peninsula. Grandoreiro, the best known of them, survived an Interpol-coordinated takedown in January 2024, resumed operations within months, and has remained active against European targets this year.
Fortinet states that its antivirus engines detect these samples and that its FortiMail service intercepts the phishing emails. For general users, the primary defense is recognizing the initial lure: any PDF or email that claims a file is corrupted and prompts for an "Update" should be treated as suspicious. The same caution applies to pages that ask the user to paste a command to fix an error, a technique known as ClickFix that Fortinet links to Ousaban activity in late 2025.
