Brazilian banking trojan targets Santander and BBVA customers with fake PDF attachments

The TL;DR
Fortinet discovered that Ousaban targeted Spanish and Portuguese bank users with geofenced PDFs that hid malware within images and rotated servers daily.
A Brazilian banking trojan called Ousaban is targeting Windows users who bank in Spain and Portugal, using fake PDFs, geofencing, and payloads hidden within an image to steal information without triggering security tools. Fortinet’s FortiGuard Labs identified the campaign in May and published its analysis this week.
The attack starts with a phishing PDF disguised as a corrupted file. The decoy text tells the victim to press the “Atualizar” (Update) button, which opens a malicious web page masquerading as a tax documents portal. JavaScript hidden inside the PDF can open the same page automatically, so the victim doesn’t even need to click.
Before delivering the payload, the campaign screens every visitor. The previous version checked the browser for IP address, language, time zone, screen size, and installed fonts, blocking anyone using a VPN or a default sandbox configuration. The current version performs those checks on the server side, so the exact filter rules are hidden, but visitors outside Spain and Portugal still see only a Spanish-language “access denied” notice.
Anyone who passes the filter downloads an image that looks like a PDF icon but contains a ZIP file, a technique known as steganography. The script extracts the malware from the ZIP, runs it, and deletes the image, the ZIP, and itself. Once installed, Ousaban adds a Windows registry entry called “Finance” so that it starts automatically.
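As an added defender-side example (not Fortinet’s or TNW’s code), the Python script below checks whether an image file carries a ZIP archive appended after the legitimate image data, which is the PDF-icon polyglot described above; the 1x1 PNG and the ZIP it inspects are constructed inline, and the member name “loader.exe” is a placeholder.

```python
import io
import struct
import zipfile
import zlib

ZIP_MAGIC = b"PK\x03\x04"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def image_end(data: bytes) -> int:
    """Offset just past the legitimate image data, or -1 if the format is unknown."""
    if data.startswith(PNG_MAGIC):          # PNG: walk chunks until IEND
        pos = len(PNG_MAGIC)
        while pos + 8 <= len(data):
            length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
            pos += 12 + length              # 4 length + 4 type + data + 4 CRC
            if ctype == b"IEND":
                return pos
        return -1
    if data.startswith(b"\xff\xd8"):        # JPEG: ends at the EOI marker FF D9
        eoi = data.find(b"\xff\xd9")
        return -1 if eoi < 0 else eoi + 2
    return -1

def find_embedded_zip(data: bytes) -> list[str]:
    """Names of ZIP members hidden after the image data; [] if the file is clean."""
    end = image_end(data)
    if end < 0:
        return []
    start = data.find(ZIP_MAGIC, end)       # only trailing bytes are suspicious
    if start < 0:
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data[start:])) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []

def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def build_samples() -> tuple[bytes, bytes]:
    """Constructed test data: a 1x1 PNG, clean and with a ZIP stapled after IEND."""
    ihdr = _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    idat = _png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
    clean = PNG_MAGIC + ihdr + idat + _png_chunk(b"IEND", b"")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("loader.exe", b"placeholder bytes, not a real executable")
    return clean, clean + buf.getvalue()
```

Any non-empty result from `find_embedded_zip` on a file that arrived as an image is worth an alert; a genuine PDF icon has nothing after its IEND chunk.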
The trojan remains silent until the user opens a banking site, then captures screenshots and keystrokes, disrupts the clipboard, displays fake messages, and gives the attacker remote control. Fortinet says Ousaban is monitoring more than a dozen banks in Spain and Portugal, among them Santander, BBVA, CaixaBank, Bankinter, and Caixa Geral de Depositos.
Its command server is deliberately hard to pin down. The malware reads the current date from a Google page, combines it with a fixed secret to create a web address, and resolves to a new server every day, rendering standard blocklists almost useless. Hiding infrastructure behind web services is an old Ousaban practice: previous campaigns hid configuration data in Google Docs.
Ousaban, also tracked as Javali, belongs to a group of Brazilian banking trojans that Kaspersky labeled “Tetrade” years ago, alongside Grandoreiro, Guildma, and Melcoz. The four started in Brazil and expanded to the Iberian Peninsula, sharing code along the way. Grandoreiro, the best-known of the group, survived an Interpol raid in January 2024, returned within a few months, and remains active against European targets this year.
Fortinet says its antivirus products flag the samples and its FortiMail service intercepts the phishing emails. For everyone, the first line of defense is recognizing the lure itself: any PDF or email that claims the file is corrupted and tells you to press “Update” should be considered hostile. The same applies to notifications that ask users to paste a command to fix an error, a technique known as ClickFix, which Fortinet has linked to Ousaban-related activity since late 2025.