Ousaban Malware Uses Phishing PDFs and VBS Downloader to Target Iberian Banking Users

Original source: cybersecuritynews.com (Cybersecurity News)


A newly documented campaign is quietly hijacking online banking sessions across Spain and Portugal, and it starts with something as ordinary as a broken PDF file.

The malware behind it, known as Ousaban, has resurfaced with a fresh set of tricks aimed squarely at Iberian bank customers running Windows machines.

The infection begins when a victim opens a phishing PDF that claims to be corrupted. It urges the reader to click an “Atualizar” (Update) button, which quietly opens a malicious webpage disguised as a government tax portal.

From there, the page checks whether the visitor is really located in Spain or Portugal before continuing the attack.

Researchers at Fortinet’s FortiGuard Labs first spotted this wave of Ousaban activity in May 2026 and published a detailed breakdown of how it operates.

Fortinet said in a report shared with Cyber Security News (CSN) that the campaign relies on geofencing, hidden payloads, and constantly shifting infrastructure to stay ahead of security tools.

Once a target passes the location check, the page delivers a script that downloads an image file made to look like a harmless PDF icon. Appended to the end of that image is a ZIP archive containing the actual Ousaban payload, a simple form of steganography: the file still opens as a picture, so scanners that trust the image header see nothing unusual, while the loader knows to carve the archive out of the trailing bytes.
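The appended-ZIP trick is easy to check for by hand, which makes it a useful triage step for any image that arrives from a suspicious lure. The script below is an added example, not Fortinet's tooling or the malware's own loader: it walks the PNG chunk list or the JPEG marker sequence to the container's real end (rather than searching for a trailer signature, which bytes inside the appended archive could spoof), reports how many bytes follow, and opens whatever ZIP is found there. The sample images and payload are constructed inline and are not artifacts from the campaign.

```python
import io
import struct
import zipfile
import zlib
from typing import Optional

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def image_end_offset(data: bytes) -> Optional[int]:
    """Offset just past the end of the PNG or JPEG container, or None if malformed."""
    if data.startswith(PNG_MAGIC):
        pos = len(PNG_MAGIC)
        while pos + 8 <= len(data):
            length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
            pos += 8 + length + 4  # length/type header + chunk data + CRC
            if ctype == b"IEND":
                return pos
        return None
    if data.startswith(JPEG_SOI):
        pos = 2
        while pos + 2 <= len(data) and data[pos] == 0xFF:
            marker = data[pos + 1]
            if marker == 0xD9:  # EOI: end of image
                return pos + 2
            if pos + 4 > len(data):
                return None
            pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
            if marker == 0xDA:  # SOS: skip entropy-coded data (0xFF00 stuffing, RSTn) to the next real marker
                while pos + 1 < len(data):
                    nxt = data[pos + 1]
                    if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                        break
                    pos += 1
        return None
    return None


def trailing_bytes(data: bytes) -> int:
    """How many bytes follow the image container (0 for a clean file)."""
    end = image_end_offset(data)
    return 0 if end is None else len(data) - end


def carve_appended_zip(data: bytes) -> Optional[zipfile.ZipFile]:
    """Return the ZIP archive appended after the image, or None if there is none."""
    end = image_end_offset(data)
    if end is None:
        return None
    start = data.find(ZIP_LOCAL_HEADER, end)  # tolerate padding between image and archive
    if start == -1:
        return None
    blob = io.BytesIO(data[start:])
    if not zipfile.is_zipfile(blob):
        return None
    blob.seek(0)
    return zipfile.ZipFile(blob)


def build_minimal_png() -> bytes:
    """Constructed input: a valid 1x1 red PNG (not a sample from the campaign)."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, bit depth, RGB, defaults
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter byte + one pixel
    return PNG_MAGIC + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def build_synthetic_jpeg() -> bytes:
    """Constructed input: a JPEG marker skeleton (APP0, SOS with a stuffed 0xFF00 and an RST0
    marker, then EOI). It exercises the marker walker and is not a decodable picture."""
    app0 = b"\xff\xe0" + struct.pack(">H", 4) + b"\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 4) + b"\x00\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"
    return JPEG_SOI + app0 + sos + scan + b"\xff\xd9"


def append_zip(image: bytes, name: str, payload: bytes) -> bytes:
    """Constructed polyglot in the style the article describes: image bytes, then a ZIP holding the payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return image + buf.getvalue()


if __name__ == "__main__":
    sample = append_zip(build_minimal_png(), "payload.bin", b"MZ\x90\x00 constructed payload")
    print("trailing bytes:", trailing_bytes(sample))
    zf = carve_appended_zip(sample)
    print("carved:", zf.namelist() if zf else None)
```

A non-zero `trailing_bytes` on an icon-sized image is itself worth an alert even when the trailer is not a ZIP: legitimate image writers do not leave data after IEND or EOI. Python's `zipfile` will also open the whole polyglot directly, because it locates the central directory from the end of the file, which is exactly why the appended-archive trick costs the attacker nothing.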

Attack flow (Source – Fortinet)

The malware then deletes the traces of its own installation to make detection harder for anyone reviewing the machine later.

Ousaban is not new. It belongs to a well-known family of Brazilian banking trojans (Kaspersky tracks the same family as Javali) and is sometimes grouped with Grandoreiro, Guildma, and Melcoz under the nickname “Tetrade”.

What has changed is the wrapper around it, built specifically to reach real victims in two countries while staying invisible to researchers and automated scanners elsewhere.

Ousaban Malware Uses Phishing PDFs and VBS Downloader

The attack chain leans on a fake PDF and a VBS-style downloader working together rather than on a single malicious file.

Hidden JavaScript inside the phishing PDF can open the malicious webpage automatically, so even a cautious click is not always required.

Phishing PDF (Source – Fortinet)

The webpage checks the visitor's IP address, browser language, and time zone, and blocks anyone connecting through a VPN.

Fortinet noted that an earlier version of this screening ran directly in the browser, but the operators later moved it to their own server so the exact rules stay hidden from analysts.

Visitors who fail the check simply see a Spanish language “access denied” message instead of anything harmful.

Those who pass receive the steganographic image and, ultimately, the Ousaban payload itself, which installs quietly and sets up persistence through a Run key entry named Financeiro, Portuguese for “financial”.

Credential Theft And Command Infrastructure

Once installed, Ousaban stays dormant until the victim opens one of more than two dozen targeted banking sites, including Santander, BBVA, CaixaBank, Bankinter, and Caixa Geral de Depósitos.

At that point it can capture screenshots, log keystrokes, tamper with the clipboard, and display fake bank screens to trick users into handing over login details.

Its command and control setup is designed to dodge takedown efforts. A Pastebin link embedded in the malware points to what looks like a server address, but Fortinet confirmed this is a decoy leading nowhere useful.

A ZIP file is appended to the image file (Source – Fortinet)

The real address changes every day: it is generated from a hash of the current date, which the malware reads off a Google error page, so blocking yesterday's domain is pointless.

Fortinet’s guidance centers on treating suspicious lures with immediate suspicion rather than relying only on automated scanning.

Any PDF or email claiming a file is corrupted and asking the reader to click Update should be treated as hostile, along with prompts asking users to paste a command to fix an error, a tactic known as ClickFix.

Unexpected invoice, factura, or tax document attachments deserve extra scrutiny, especially for organizations with staff or customers in Spain and Portugal.

Security teams are also advised to correlate endpoint, mail, DNS, and proxy logs instead of trusting sandbox results alone, since server side screening means an automated scanner may only ever see the harmless error page.
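Because the geofence means a sandbox may never see more than the error page, the evidence that matters is what the real endpoint did afterwards. The script below is an added example, not Fortinet's detection content: it reads constructed key=value telemetry lines (endpoint registry and file events plus proxy records; field names, hostnames and the lure domains are invented for illustration), maps each line to a stage using the indicators the report gives (the Financeiro Run value and the C:\SysMain_5874288 directory) plus a heuristic for an unusually large image download, and reports each host whose stages cluster within a short window. The 500 KB image threshold and 30-minute window are assumptions to tune locally.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

WINDOW = timedelta(minutes=30)     # assumption: the chain runs within minutes of the lure being opened
LARGE_IMAGE_BYTES = 500_000        # assumption: a "PDF icon" should be tiny; a large one may carry a payload

# Constructed telemetry (not real logs). WS-042 shows the full chain, WS-017 only a benign image,
# WS-099 an unrelated Run value. Domains are defanged and invented.
SAMPLE_LOGS = r"""
2026-05-12T09:14:03Z host=WS-042 src=proxy url=hxxp://lure-example[.]invalid/icon.png ct=image/png bytes=842113
2026-05-12T09:14:09Z host=WS-042 src=file path=C:\SysMain_5874288\svc.bin
2026-05-12T09:14:11Z host=WS-042 src=registry key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value=Financeiro
2026-05-12T10:02:40Z host=WS-017 src=proxy url=hxxp://cdn-example[.]invalid/logo.png ct=image/png bytes=10240
2026-05-12T11:30:00Z host=WS-099 src=registry key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value=OneDrive
"""


def parse(lines: str) -> List[dict]:
    """Turn 'timestamp k=v k=v ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in lines.strip().splitlines():
        ts, _, rest = line.partition(" ")
        ev = dict(p.split("=", 1) for p in rest.split())
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def stage_of(ev: dict) -> Optional[str]:
    """Map one event to a stage of the Ousaban chain, or None if it matches nothing."""
    src = ev.get("src")
    if (src == "registry" and ev.get("key", "").lower().endswith("\\run")
            and ev.get("value", "").lower() == "financeiro"):
        return "persistence"
    if src == "file" and ev.get("path", "").lower().startswith("c:\\sysmain_5874288"):
        return "staging"
    if (src == "proxy" and ev.get("ct", "").startswith("image/")
            and int(ev.get("bytes", 0)) >= LARGE_IMAGE_BYTES):
        return "large_image_download"
    return None


def correlate(lines: str) -> Dict[str, List[str]]:
    """Host -> time-ordered stages seen within WINDOW of that host's first specific indicator.

    A large image download on its own is never reported; it only adds confidence to a host
    that already shows the Financeiro Run value or the SysMain_5874288 staging directory.
    """
    by_host = defaultdict(list)
    for ev in parse(lines):
        stage = stage_of(ev)
        if stage:
            by_host[ev["host"]].append((ev["ts"], stage))
    findings = {}
    for host, hits in by_host.items():
        hits.sort()
        anchors = [t for t, s in hits if s in ("persistence", "staging")]
        if not anchors:
            continue
        first = anchors[0]
        findings[host] = [s for t, s in hits if abs(t - first) <= WINDOW]
    return findings


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_LOGS).items():
        print(f"{host}: {' -> '.join(stages)}")
```

The ordering of the stages is part of the signal: an image fetch followed within minutes by a new directory and a new Run value is the shape of the chain the report describes, whereas any one of those events in isolation is much weaker evidence.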

Fortinet said its own antivirus engine and email security product already flag samples and phishing messages tied to this campaign.

Indicators of compromise (Source – Fortinet)

Type | Indicator | Description
Registry key | Financeiro (Run key) | Persistence mechanism created by Ousaban to launch at Windows startup
File path | C:\SysMain_5874288 | Directory used to drop malicious files during the infection process
Infrastructure | Pastebin decoy link | Points to a dead-end private IP address to mislead analysts investigating the malware
Infrastructure | Daily rotating C2 domain | Generated from a hash of the current date pulled from a Google error page; changes every 24 hours
Lure | Phishing PDF (“Atualizar” prompt) | Disguised as a corrupted file; prompts victims to click Update to trigger the infection

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
