Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

Anthropic’s Fable 5 and Mythos 5 Are Back with New Security Guardrails

July 1, 2026

Miasma Malware Targets npm Packages and GitHub Actions in Supply Chain Attack

July 1, 2026

Veil#Drop Uses Google Blogspot to Deploy PureLog Stealer

July 1, 2026
Facebook X (Twitter) Instagram
Wednesday, July 1
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»Brazilian Banking Trojan Ousaban Targets Spain and Portugal
News

Brazilian Banking Trojan Ousaban Targets Spain and Portugal

Team-CWDBy Team-CWDJuly 1, 2026No Comments3 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


A banking trojan long used against victims in Brazil has been retooled to target banking customers in Spain and Portugal, using phishing PDFs, steganography and geofencing to stay hidden.

In a new analysis, Fortinet’s FortiGuard Labs said the malware, known as Ousaban, has been active against the two countries since May 2026.

A banking trojan from the same Latin American family as Casbaneiro, it now comes wrapped in extra layers of evasion designed to keep it in front of intended victims and away from researchers.

A Phishing Chain Built to Screen Victims

The attack starts with a phishing PDF disguised as a broken file, which nudges the victim to click an Update button that opens a malicious webpage.

Posing as a government tax portal, the page profiles each visitor and only continues the attack for users who appear to be in Spain or Portugal.

That server-side check inspects language, time zone and IP data, blocks VPN connections and screens out sandboxes, hiding the criteria from analysts.

Visitors who pass receive a script that pulls down an image resembling a PDF icon, using steganography to conceal an appended archive holding the Ousaban payload.

“Ousaban is not a fundamentally new type of attack, but rather a highly optimized evolution of traditional, decade-old Latin American banking trojan strategies,” said Li Zhao, a consultant at application security firm Black Duck, noting it is written in Delphi and reuses a 2008-era encryption scheme.

Read more on Latin American banking trojans in Spain: New Grandoreiro Malware Variant Targets Spain

Watching for Bank Logins

Once running, Ousaban watches for the victim to open one of dozens of targeted banking services, including Santander, BBVA, CaixaBank, Revolut and Caixa Geral de Depósitos.

When it spots one, its toolkit includes screenshots, keylogging, clipboard injection and remote control, and it displays fake bank screens to trick users into handing over their details.

For its command server, Ousaban leans on evasion rather than a fixed address. FortiGuard said it resolves a domain that changes daily, derived from a hash of the current date pulled from a Google error page, while a decoy Pastebin link points analysts to a dead-end private IP.

“Geofenced malware can look absent from outside the target region,” said Jason Soroko, a senior fellow at certificate-management firm Sectigo, urging teams to correlate endpoint, mail, DNS and proxy logs rather than trust sandbox results.

Fortinet, drawing on its own telemetry, said the campaign remains live, with the credential theft aimed squarely at bank fraud.



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleCisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited to Gain Root Access
Next Article Chrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability
Team-CWD
  • Website

Related Posts

News

Anthropic’s Fable 5 and Mythos 5 Are Back with New Security Guardrails

July 1, 2026
News

Miasma Malware Targets npm Packages and GitHub Actions in Supply Chain Attack

July 1, 2026
News

Veil#Drop Uses Google Blogspot to Deploy PureLog Stealer

July 1, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

How to tell if a voice call is AI or not

February 23, 2026

What are brushing scams and how do I stay safe?

December 24, 2025

Find your weak spots before attackers do

November 21, 2025

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.