A Brazilian banking trojan called Ousaban is targeting Windows users in Spain and Portugal, using phishing PDFs disguised as corrupted files. Discovered by Fortinet’s FortiGuard Labs in May 2026, the campaign employs geofencing to ensure only victims in the target countries receive the malware. The payload is hidden inside an image using steganography, and the command server changes daily by deriving its address from a Google page date. Ousaban steals banking logins, captures screenshots and keystrokes, tampers with the clipboard, and allows remote control, targeting over two dozen banks including Banco Santander, BBVA, CaixaBank, Bankinter, and Caixa Geral de Depósitos. The malware is part of the Brazilian ‘Tetrade’ group, alongside Grandoreiro, Guildma, and Melcoz, and shares code with Casbaneiro. Defenders should block indicators from Fortinet’s report, watch for the ‘Financeiro’ registry Run key, and treat unexpected PDFs or ‘Update’ prompts as hostile.
CVEs: CVE-2026-20245
Attack groups: Brazilian Tetrade
Malware: Ousaban, Javali, Grandoreiro, Guildma, Melcoz, Casbaneiro
Companies: Fortinet, Kaspersky
Products: FortiGuard, FortiMail
Original source: thehackernews.com
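The Run key check recommended in the summary, as an added example (not code from Fortinet's report or the original article): it scans `reg query` output collected per host for Run/RunOnce values containing "Financeiro". The host names, the sample output and the choice to match both value name and value data are assumptions, since the page does not say where in the key the string appears.

```python
import re

# Marker named on the page. Whether it is the value name or part of the data
# is not stated there, so both fields are checked (assumption).
MARKER = "financeiro"
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# `reg query` prints values as: 4 spaces, name, 4 spaces, type, 4 spaces, data
VALUE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_[A-Z_]+)\s{4}(?P<data>.*)$")

def find_run_key_hits(host, reg_query_output, marker=MARKER):
    """Return (host, key, value name, data) for Run/RunOnce values matching marker."""
    hits, key = [], None
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):
            # New key header: track it only if it is a Run or RunOnce key.
            key = line.strip() if RUN_KEY.search(line.strip()) else None
            continue
        m = VALUE.match(line)
        if key and m:
            if marker in m["name"].lower() or marker in m["data"].lower():
                hits.append((host, key, m["name"], m["data"]))
    return hits

def sweep(outputs):
    """Run the check over a {host: reg query text} mapping, in host order."""
    hits = []
    for host, text in sorted(outputs.items()):
        hits.extend(find_run_key_hits(host, text))
    return hits

# Constructed sample data: hosts, paths and values are made up for illustration.
SAMPLE = {
    "WS-001": r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
""",
    "WS-002": r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Financeiro    REG_SZ    C:\Users\Public\constructed-sample\app.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
    Financeiro    REG_SZ    not a Run key, ignored
""",
}

if __name__ == "__main__":
    for hit in sweep(SAMPLE):
        print("SUSPECT", *hit, sep=" | ")
```

A hit is a lead for triage, not a verdict: confirm the referenced binary against the indicators in Fortinet's report before acting.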