Ousaban widens banking threat across Iberia

A Brazil-linked banking trojan has shifted its focus to Spain and Portugal, using fake PDF files, hidden code and location checks to reach banking customers while keeping analysts and automated security tools away from its payload.

The malware, known as Ousaban or Javali, has long been associated with attacks on financial users in Brazil. Its latest campaign shows a more selective and evasive operation aimed at Windows users in the Iberian Peninsula, where the attackers use phishing documents that pretend to be corrupted files and direct victims towards a malicious web page. The campaign was identified in May 2026 and has since drawn attention because of the layered delivery method and the attempt to restrict access to people in the target countries.

The attack begins with a PDF that displays a deceptive error-style message and urges the user to press an “Update” button. The file also contains hidden JavaScript that can open the same malicious page without relying only on the visible button. The use of hex-escaped code makes the PDF harder to assess through simple inspection and lets the phishing lure act as both a social-engineering document and a technical trigger.

Once the victim reaches the web page, the operation becomes more selective. The site checks language, time zone and IP-related information to determine whether the visitor appears to be in Spain or Portugal. Earlier versions of the campaign also looked for signs of automated analysis, including screen resolution, browser rendering details and installed fonts. Traffic associated with VPNs was blocked by checking organisation details for terms linked to anonymisation services.

The newer version moves much of that screening to the server side. Visitors who fail the check receive a Spanish-language access-denied PDF stating that the service is not available from their country. This tactic reduces the number of visible indicators available to researchers, because security sandboxes and crawlers may receive only a harmless-looking denial message instead of the malware chain.

Victims who pass the check receive a VBS file that begins the next stage. The script contains numerous benign calls to make the file appear less suspicious, while the active code downloads an image resembling a PDF icon. The attackers use steganography by appending a ZIP archive to that image. The script extracts the archive, retrieves the Ousaban payload and drops it onto the machine, before deleting the temporary files used during the installation.
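A defender-side check for the appended-archive trick described above, added here as an example and not taken from the original article or any vendor tooling: it walks PNG chunks (and, as a heuristic, JPEG markers) to find where the picture really ends, then looks for a ZIP local-file header in the trailing bytes. The sample image and archive are constructed inline; the member name `payload.bin` is a placeholder.

```python
import io
import struct
import zipfile
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ZIP_LOCAL_HEADER = b"PK\x03\x04"

def image_end_offset(data):
    """Offset just past the image's real end (PNG IEND chunk or JPEG EOI marker), or None."""
    if data.startswith(PNG_MAGIC):
        pos = len(PNG_MAGIC)
        while pos + 8 <= len(data):
            length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
            pos += 12 + length  # 4-byte length + 4-byte type + data + 4-byte CRC
            if ctype == b"IEND":
                return pos
        return None
    if data.startswith(b"\xff\xd8"):
        eoi = data.find(b"\xff\xd9")  # heuristic: an embedded thumbnail may end earlier, which only widens the scan below
        return eoi + 2 if eoi != -1 else None
    return None

def find_appended_zip(data):
    """Report a ZIP archive hidden after the image's logical end, or None when the file looks clean."""
    end = image_end_offset(data)
    if end is None:
        return None
    zpos = data.find(ZIP_LOCAL_HEADER, end)
    if zpos == -1:
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data[zpos:])) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        members = []  # header present but archive unparsable: still worth flagging
    return {"image_end": end, "zip_offset": zpos, "members": members}

def _png_chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def build_samples():
    """Constructed test data: a valid 1x1 PNG, and the same PNG with a ZIP appended."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one RGB pixel
    png = PNG_MAGIC + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.bin", b"placeholder bytes, not a real payload")
    return png, png + buf.getvalue()
```

A clean image returns None; the stego sample reports the image end, the archive offset and the member names, which is enough to alert on a downloaded "icon" that carries a trailer.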

The payload is placed under a system-style folder path and establishes persistence through a registry value named “Financeiro”, Portuguese for finance, under the Windows Run key. It also creates an empty file used as an installation timestamp. Once active, Ousaban decrypts bank-related strings and watches for access to banking services. The targeted institutions include major lenders and financial brands in Spain and Portugal, covering names such as Santander, BBVA, CaixaBank, Bankinter and Caixa Geral de Depósitos.

Ousaban’s capabilities are typical of credential-focused banking malware but remain dangerous because they are deployed only when the victim is likely to be useful. The trojan can collect system information, capture screenshots, log keystrokes, alter clipboard contents, display fake messages and give attackers remote control over the machine. These functions are designed to support account takeover, payment manipulation and further fraud once the user interacts with online banking services.

The command-and-control system has also been designed to frustrate tracking. The malware carries a Pastebin link that points to configuration data containing a private IP address, but that appears to be a decoy. The active command server is reached through a hostname that changes daily. The hostname is generated using a hard-coded string and the current date, with the malware obtaining date information by accessing a Google automated-queries page. If the hostname resolves, the malware connects to the server and waits for commands.

Most traffic between Ousaban and its controller is encrypted through a custom algorithm used by Latin American banking trojans. The method introduces random values so that the same plaintext can produce different encrypted strings, complicating static analysis and signature-based detection. Similar encryption has been observed in families such as Casbaneiro, underscoring the shared techniques among malware groups that grew out of Latin America’s banking-fraud ecosystem.

The campaign reflects a wider trend in which mature regional banking trojans are being adapted for European markets. Spain has been a frequent test ground for this expansion because of language overlap, large retail banking networks and digital-banking adoption. Portugal offers a similar opportunity for Portuguese-language lures and Brazil-linked social-engineering themes.

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.