FortiGuard Labs researchers at Fortinet identified an active campaign in May 2026 distributing Ousaban, a Brazilian banking trojan, against Windows users whose banks operate in Spain and Portugal. The operation combines social engineering, geographic filtering, and image-based payload concealment to reach its targets while evading broad detection.

How the Attack Unfolds

The infection chain begins with a phishing lure delivered as a PDF that is presented to recipients as a corrupted or unreadable file. This framing is designed to encourage the target to take additional steps, lowering suspicion while advancing the attack. Before proceeding further, the campaign performs a geolocation check to confirm the visitor is actually located in Spain or Portugal, a technique that limits exposure to researchers and automated scanners operating outside those regions.

The actual malicious payload is concealed inside an image file, a technique commonly referred to as steganography. Embedding code within image data allows the trojan to bypass security tools that focus on more conventional executable formats or document-based delivery mechanisms.

Objectives and Background

Ousaban’s primary objective is credential theft from online banking sessions. The trojan belongs to a broader family of Latin American banking malware that has increasingly expanded beyond Brazil into Western Europe, particularly against customers of Spanish and Portuguese financial institutions.

Defensive Considerations

  • Treat unsolicited PDF attachments with caution, especially those claiming to be unreadable or corrupted.
  • Ensure endpoint security solutions are capable of inspecting content embedded within image files.
  • Monitor outbound connections for geolocation-probing requests that may indicate staged malware delivery infrastructure.
  • Apply user awareness training around phishing lures that rely on urgency or file-error pretexts.
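
The monitoring point above can be tied to the image-delivery step of the chain. The following is an added example, not taken from the Fortinet report: it flags a non-browser process that queries an IP-geolocation service and then downloads an image shortly afterwards. The log format, host and process names, the 120-second window, and the list of geolocation services are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumption: well-known public IP-geolocation services, listed for illustration.
# They are not indicators from the report.
GEO_HOSTS = {"ip-api.com", "ipinfo.io", "ipapi.co"}
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".bmp", ".gif")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
WINDOW = timedelta(seconds=120)  # assumed correlation window

# Constructed proxy log lines: timestamp client process host path
SAMPLE_LOG = """\
2026-05-12T09:14:02 WS-017 powershell.exe ip-api.com /json
2026-05-12T09:14:09 WS-017 powershell.exe cdn.example.net /img/banner.png
2026-05-12T09:20:41 WS-022 chrome.exe ipinfo.io /json
2026-05-12T09:20:50 WS-022 chrome.exe news.example.org /logo.png
2026-05-12T10:01:00 WS-031 wscript.exe ipapi.co /json
2026-05-12T10:09:30 WS-031 wscript.exe files.example.com /photo.jpg
"""

def parse(line):
    ts, client, proc, host, path = line.split()
    path = path.lower().split("?")[0]  # ignore any query string
    return datetime.fromisoformat(ts), client, proc.lower(), host.lower(), path

def find_staged_fetches(log_text, window=WINDOW):
    """Return (client, process, geo_host, image_url) for each image download a
    non-browser process makes within `window` of its own geolocation lookup.
    Assumes the log lines are in chronological order."""
    last_geo = {}  # (client, process) -> (time, geo_host)
    hits = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts, client, proc, host, path = parse(line)
        if proc in BROWSERS:
            continue  # browsers produce both request types routinely
        key = (client, proc)
        if host in GEO_HOSTS:
            last_geo[key] = (ts, host)
        elif path.endswith(IMAGE_EXT) and key in last_geo:
            geo_ts, geo_host = last_geo[key]
            if ts - geo_ts <= window:
                hits.append((client, proc, geo_host, host + path))
    return hits

if __name__ == "__main__":
    for hit in find_staged_fetches(SAMPLE_LOG):
        print(hit)
```

A hit is a lead for triage, not a verdict: the downloaded image still needs content inspection, as the second bullet describes.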

The campaign underscores a continued trend of South American banking trojans broadening their reach into European markets, adapting delivery mechanisms to improve evasion and targeting precision.