Banks in Spain and Portugal face a fresh wave of account takeovers. A banking trojan born in Brazil now hunts their customers with clever lures that look harmless at first glance. The malware, known as Ousaban, also called Javali, slipped into the Iberian Peninsula around May 2026. It relies on phishing emails that deliver what seems like a corrupted PDF file.
Victims open the attachment. They see a message urging them to press an “Atualizar” button to fix the document. That click opens a webpage pretending to be a government tax portal. But the site does more than display forms. It runs checks on the visitor’s IP address, preferred language, time zone and other signals. Only those in Spain or Portugal proceed. Everyone else gets blocked. Sandboxes and VPNs trigger the same denial. The operators clearly want real targets. Nothing else.
The Next Web first highlighted the campaign’s focus on Santander, BBVA and other regional lenders. Days later, fresh coverage poured in. The Hacker News reported on July 1 that the trojan watches more than two dozen banks once installed. The list includes CaixaBank, Bankinter, Revolut and Caixa Geral de Depósitos. And Infosecurity Magazine on the same day quoted experts who see this as an optimized version of decade-old Latin American tactics.
The attack chain grows sophisticated from there. After the geofence clears a visitor, the malicious page serves a script. That script downloads an image that looks like a PDF icon. Hidden inside that image sits a ZIP archive. Steganography makes the concealment possible. The ZIP contains the final Ousaban payload. It unpacks quietly, runs, then deletes the traces. No obvious files left behind. Clean.
Once on the system the malware adds a registry entry named “Financeiro” so it starts automatically. It sits and waits. When the victim visits one of the watched banking sites, Ousaban springs into action. It grabs screenshots. It logs keystrokes. It tampers with the clipboard to swap wallet addresses or account numbers. Remote control features let operators step in directly. Fake banking overlays can trick users into entering credentials. The result? Straightforward fraud.
Command and control stays equally slippery. The trojan pulls configuration from servers that change every day. The domain comes from a hash based on the current date. Operators fetch that hash from a Google error page to avoid direct hosting. A decoy Pastebin link points researchers toward a dead-end private IP address. Analysts chasing the infrastructure hit walls. The setup frustrates static analysis and quick takedowns.
Ousaban itself isn’t brand new. Security firms tracked it for years inside Brazil. It belongs to a loose collective known as the Tetrade group. That crew also fields Grandoreiro, Guildma and Melcoz. Code sharing among these families happens often. A 2024 disruption slowed some of them. Yet Ousaban adapted and expanded. Its Delphi roots and an encryption scheme dating back to 2008 give away the heritage. Nothing fundamentally novel in the core, but the delivery and evasion show clear refinement.
Li Zhao, a consultant at application security firm Black Duck, told Infosecurity Magazine that Ousaban represents “a highly optimized evolution of traditional, decade-old Latin American banking trojan strategies.” The geofencing stands out. It keeps the malware invisible to outsiders. Jason Soroko, senior fellow at certificate-management firm Sectigo, added a warning. “Geofenced malware can look absent from outside the target region.” He urged security teams to correlate endpoint, mail, DNS and proxy logs instead of relying solely on sandbox results.
Fortinet’s FortiGuard Labs spotted the campaign in May. Their analysis, referenced across multiple outlets this week, confirmed the operation remains active. Telemetry shows ongoing credential theft aimed at bank fraud. The timing coincides with rising interest in similar Iberian attacks. Earlier Grandoreiro variants had already tested the waters in Spain. Ousaban builds on that momentum.
Financial institutions now scramble to update defenses. Email filters must catch the initial PDF lures. Endpoint tools need to watch for unusual registry changes and image-based payloads. User education matters. Warnings about unexpected “corrupted” documents from tax authorities or banks can reduce clicks. Yet the geofencing and steganography raise the bar. Traditional sandboxing alone falls short.
So the threat spreads. Brazilian operators eye richer European targets. Spain and Portugal offer attractive banking customers with less localized malware competition than Brazil. The campaign’s success could inspire copycats. Other Latin American trojans may follow the same path. Daily rotating infrastructure and image-hidden payloads lower the risk for attackers. Higher rewards wait across the ocean.
Researchers continue to monitor. New samples surface. Infrastructure shifts. The daily hash trick keeps C2 locations fluid. Pastebin decoys multiply. Banks and security vendors share indicators to stay ahead. But the core lesson holds. Even old malware families refuse to fade. They adapt, cross borders and hide in plain sight. One click on a fake update button. That’s all it takes.
The July 2026 reports mark only the latest chapter. Ousaban’s Iberian push demonstrates how quickly regional banking malware can globalize when the incentives align. Financial crime groups treat national borders as suggestions. Their code does the same.


WebProNews is an iEntry Publication