Ousaban Banking Trojan Targets Users in Spain and Portugal

Ousaban Banking Trojan Targets Users in Spain and Portugal

First seen 1 Jul 2026, 14:32 UTC Infosecurity-Magazinewww.fortinet.com 83% similarity 69.5
Share:

Article Content

Browse articles
ThreatCluster

The Ousaban banking Trojan, previously active in Brazil, has been repurposed to target banking customers in Spain and Portugal since May 2026. The attack begins with a phishing PDF that prompts users to click an Update button, leading to a malicious webpage that performs geofencing checks. Only users appearing to be from Spain or Portugal can proceed with the attack, which employs techniques like steganography to hide the malware payload. The malware is designed to capture sensitive banking information through methods such as keylogging and clipboard injection. Ousaban's command server uses a dynamic domain that changes daily, complicating detection efforts. The campaign remains active, with a focus on credential theft aimed at bank fraud. Fortinet's FortiGuard Labs has provided detailed insights into the attack methodology and its implications for users in the targeted regions.

Key Points: • Ousaban targets banking customers in Spain and Portugal using phishing techniques. • The malware employs geofencing to evade detection and restrict access to intended victims. • Current attacks utilize steganography and dynamic domains for command and control.

ThreatCluster AI

Timeline

2026-05-01
Ousaban campaign begins targeting Spain and Portugal
FortiGuard Labs identifies Ousaban's new campaign aimed at banking users in these countries.
Infosecurity-Magazine
2026-07-01
Fortinet publishes analysis of Ousaban attacks
Fortinet details the attack methods and geofencing techniques used by Ousaban to target users.
Fortinet

Community

Browse all →