Attack flow | Image: FortiGuard Labs
At a glance:
- Malware Family: Ousaban
- Threat Actor: Unknown (Suspected Latin American origin)
- Targets/Victims: Banking customers in Spain and Portugal
- Delivery Vector: Phishing PDFs and fake tax document portals
- Key Capabilities: Keylogging, screen capture, credential theft
- Source: FortiGuard Labs
TL;DR
A May 2026 campaign targets users in Spain and Portugal with the Ousaban banking trojan. Attackers use geo-fenced phishing PDFs to deliver the payload. Once installed, the malware steals credentials from various European banks.
Delivery
FortiGuard Labs recently discovered a new campaign distributing the Ousaban banking trojan. The suspected threat actors focus exclusively on Iberian users. Attackers send phishing PDFs disguised as corrupted tax documents. These documents display an error message and a fake update button. Clicking the button directs victims to a malicious portal. Next, the webpage uses strict geo-restriction techniques to filter victims. The server verifies the language, time zone, and IP address. If the target lives outside the region, the site blocks access. It even blocks IP addresses linked to VPN services. Additionally, the server checks user behavior and screen resolution. This step helps the attackers block automated analysis tools.
Infection Chain
When a valid target visits the page, the malware delivery methods begin. The site downloads a VBS script directly to the computer. This script runs hidden commands to retrieve a steganographic PNG image. Attackers hide a ZIP file inside this fake PDF icon. Subsequently, the script extracts the ZIP file to reveal the payload. Ousaban drops an EXE file onto the victim’s machine. Following execution, the malware establishes persistence via the Windows Registry. It creates a specific value named “Financeiro” in the Run key. Then, it targets major financial institutions like Banco Santander, BBVA, and CaixaBank.
Command-and-Control and Exfiltration
The Ousaban banking trojan uses clever tricks to find its command server. First, the malware resolves an IP address by looking up dynamic hostnames. It intentionally scrapes the Google Automated Queries page to grab the date. This date helps generate the correct daily hash. Furthermore, the malware uses a custom algorithm to encrypt traffic. FortiGuard Labs notes, “Most of the traffic between the server and Ousaban is encrypted using the previously described algorithm.”
The server issues a heartbeat command to check client status. Another command starts a keylogger and initializes clipboard injection. The attackers can also deploy fake overlay screens to steal credentials. “The threat actor constantly advances and refines their malware delivery methods,” researchers explained.
Defense and Detection Guidance
Security teams must monitor for unusual VBS script executions. Users should avoid clicking links within unexpected PDF documents. Organizations must train employees to recognize fake software update messages. Restrict the execution of unknown files dropped into the Temp directory.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.