Ousaban Banking Trojan Targets Users in Spain and Portugal with Advanced Techniques

First seen 1 Jul 2026, 14:32 UTC. Sources: Infosecurity-Magazine, www.fortinet.com, Thenextweb, Feeds.Feedburner

The Ousaban banking trojan has been identified targeting Windows users in Spain and Portugal since May 2026. This malware employs phishing PDFs disguised as corrupted files to lure victims into clicking an 'Atualizar' button, leading to a malicious webpage. The campaign uses geofencing to restrict access to users in the targeted countries, blocking those using VPNs or automated tools. Once the victim's environment is verified, the trojan delivers its payload hidden within an image file using steganography. Ousaban monitors over two dozen banks, including Santander and BBVA, capturing screenshots and keystrokes to steal credentials. The command and control infrastructure changes daily, making detection and blocking difficult. Fortinet has flagged the malware and its phishing emails, but the campaign remains active.

Key Points:
• Ousaban targets banking users in Spain and Portugal using sophisticated evasion techniques.
• The malware employs phishing PDFs and steganography to deliver its payload while avoiding detection.
• It monitors multiple banking institutions and has a dynamic command and control infrastructure.

Timeline

2026-05-01
Ousaban campaign identified
Fortinet's FortiGuard Labs reported the Ousaban trojan targeting users in Spain and Portugal.
Fortinet
2026-07-01
Fortinet publishes analysis of Ousaban
Fortinet released a detailed analysis of the Ousaban attacks, highlighting its methods and targets.
Fortinet
2026-07-01
Ousaban uses steganography for payload delivery
The trojan utilizes steganography to conceal its payload within an image file, complicating detection.
Thenextweb
2026-07-01
Ousaban's command server changes daily
The trojan's command server infrastructure is designed to be elusive, changing addresses daily.
Infosecurity-Magazine
