Ousaban: How a Brazilian Banking Trojan Keeps Adapting to Target European Bank Customers
Image: courtesy of Thenextweb
A Brazilian banking trojan known as Ousaban, or Javali, is actively targeting customers of Santander and BBVA in Spain and Portugal. The malware uses fake PDF documents as lures, employing sophisticated techniques like geofencing and steganography to evade detection and steal sensitive financial information. This latest campaign highlights the persistent and evolving threat posed by a group of Brazilian banking trojans that have historically targeted the Iberian Peninsula.
Outlook
The current Ousaban campaign targeting Santander and BBVA customers is likely to continue as long as it remains effective. Users in Spain and Portugal, particularly those with accounts at the targeted banks, should expect continued phishing attempts using deceptive PDF lures. Cybersecurity firms and financial institutions will intensify their efforts to detect and mitigate this specific variant, but the historical resilience of these trojan groups suggests a continuous cycle of adaptation and re-emergence.
Background
Ousaban operates by tricking users into clicking on malicious links embedded within seemingly legitimate PDF documents. These PDFs often pretend to be contracts or invoices, written in Portuguese to target the specific regional demographic. Once a user clicks, a malicious downloader is activated, installing the trojan on their system.
CONFIRMED: Fortinet has confirmed Ousaban's active presence since May 2026. The trojan is capable of capturing screenshots, logging keystrokes, and stealing data from the clipboard, allowing it to harvest sensitive financial credentials and personal information. To avoid detection and analysis, Ousaban uses geofencing, meaning it only activates its full malicious payload when it detects that the infected machine is located within its target regions. It also employs steganography, a technique where malicious code is hidden within seemingly harmless image files, further complicating detection by standard antivirus software.
INFERRED: This combination of social engineering, geographic targeting, and technical evasion makes Ousaban a particularly challenging threat for both users and cybersecurity defenders. The use of a 2008-era encryption scheme and its development in Delphi, as noted by Black Duck consultant Li Zhao, suggests that while the delivery methods are refined, the core components rely on older, stable and perhaps less scrutinized codebases.
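The infection chain described above starts with a PDF whose only job is to carry a clickable link to an external downloader. That is a property a mail gateway or SOC triage script can check for before a user ever opens the file. The following is an added defender-side example, not code from the article or from any vendor named in it: it scans the raw bytes of a PDF for link actions (/URI), auto-executed actions (/OpenAction, /AA), /Launch and JavaScript, and reports the external hosts so they can be compared against an allow-list. The two sample PDFs are constructed inline with a placeholder host; they are not Ousaban's real lure. It deliberately uses only the standard library and a byte-level regex, which means it cannot see objects packed inside compressed object streams; the scanner flags that condition so the analyst knows to decompress with a proper PDF parser before trusting a "clean" verdict.

```python
"""Triage a PDF attachment for the features a link-based PDF lure relies on.

Added illustrative example (not from the article). Pure stdlib: regexes run over
the raw byte stream, so objects hidden in compressed object streams are NOT
inspected; has_object_streams tells the analyst when that caveat applies.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample: one page with a /Link annotation whose action opens an
# external URL (placeholder host). This is the structure a "click here to view
# your contract" lure uses; it is not a real Ousaban document.
SAMPLE_LURE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 595 842]
  /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [100 700 400 740]
  /A << /S /URI /URI (http://contract-lure.example.invalid/download) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same skeleton with no annotations or actions at all.
SAMPLE_CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 595 842] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /URI (...) literal strings may contain backslash-escaped parentheses, hence the
# alternation that consumes an escaped character as a unit.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
ACTIVE_CONTENT_RE = {
    "launch": re.compile(rb"/S\s*/Launch\b"),           # run an external program
    "javascript": re.compile(rb"/(?:JavaScript|JS)\b"),  # embedded script
    "auto_action": re.compile(rb"/(?:OpenAction|AA)\b"), # fires without a click
    "embedded_file": re.compile(rb"/EmbeddedFile\b"),    # attached payload
}
OBJSTM_RE = re.compile(rb"/Type\s*/ObjStm\b")


@dataclass
class PdfFindings:
    urls: list = field(default_factory=list)
    flags: list = field(default_factory=list)
    has_object_streams: bool = False  # True => byte-level scan may have missed objects

    @property
    def suspicious(self) -> bool:
        return bool(self.urls or self.flags)


def _unescape_literal(raw: bytes) -> str:
    """Strip PDF backslash escapes from a literal string and decode as Latin-1."""
    return re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")


def triage_pdf(data: bytes) -> PdfFindings:
    """Return link targets and active-content indicators found in a PDF's bytes."""
    if not data.startswith(b"%PDF"):
        raise ValueError("not a PDF header")
    findings = PdfFindings()
    findings.urls = [_unescape_literal(m.group(1)) for m in URI_RE.finditer(data)]
    findings.flags = [name for name, rx in ACTIVE_CONTENT_RE.items() if rx.search(data)]
    findings.has_object_streams = OBJSTM_RE.search(data) is not None
    return findings


def external_hosts(findings: PdfFindings) -> set:
    """Hostnames the document would send a clicking user to; compare to an allow-list."""
    return {urlparse(u).hostname for u in findings.urls if urlparse(u).hostname}


if __name__ == "__main__":
    for label, blob in (("lure", SAMPLE_LURE_PDF), ("clean", SAMPLE_CLEAN_PDF)):
        f = triage_pdf(blob)
        print(f"{label}: suspicious={f.suspicious} hosts={sorted(external_hosts(f))} "
              f"flags={f.flags} objstm={f.has_object_streams}")
```

In practice the host set is the useful output: a contract or invoice PDF arriving at a bank customer should not link anywhere outside domains the institution already recognizes, so an unknown host is grounds to quarantine the message rather than rely on the user to spot the lure.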
Precedents
Ousaban is not an isolated threat; it belongs to a notorious group of Brazilian banking trojans that Kaspersky years ago labeled the 'Tetrade.' This group includes Grandoreiro, Guildma, and Melcoz, all of which originated in Brazil and subsequently expanded their operations into the Iberian Peninsula, sharing code and tactics along the way.
CONFIRMED: Grandoreiro, perhaps the most well-known of the Tetrade, demonstrated remarkable resilience after an Interpol-coordinated takedown operation in January 2024. Despite significant law enforcement action, Grandoreiro was observed to be back in operation within months, illustrating the adaptive nature and operational persistence of these criminal networks.
INFERRED: This history of quick recovery and adaptation suggests that the groups behind these trojans are highly organized and resourceful, capable of rebuilding infrastructure and refining their attack methods even after major disruptions. Their expansion from Brazil to Spain and Portugal is likely driven by linguistic and cultural similarities, as well as the economic opportunities presented by targeting customers of major European banks.
The persistent threat from Ousaban and its counterparts matters because it represents a continuous financial risk to individuals and a significant operational challenge for banks. For customers, a successful Ousaban infection can lead to direct financial losses, identity theft, and the psychological burden of compromised security. The targeting of major banks like Santander and BBVA, which serve millions of customers, amplifies the potential impact.
For financial institutions, these attacks demand constant investment in cybersecurity defenses, customer education, and incident response. The use of traditional tactics like fake PDFs, combined with advanced evasion techniques, means that banks cannot rely solely on technical solutions; robust user awareness campaigns are equally critical. The ability of these trojans to quickly re-emerge after takedowns also raises questions about the long-term effectiveness of law enforcement operations against such agile cybercriminal groups, implying that a more holistic, international approach is needed to disrupt their underlying infrastructure and funding.
Scenarios
Analysis
One possible outcome is that financial institutions will further enhance their multi-factor authentication protocols and implement more sophisticated email and document scanning technologies to identify and block Ousaban's lures. This could involve real-time analysis of attachments and links, moving beyond traditional signature-based detection. However, this also implies a constant arms race, as the trojan developers will likely seek new ways to bypass these defenses.
Another scenario suggests increased cross-border collaboration between cybersecurity firms, law enforcement agencies, and financial regulators in Brazil, Spain, and Portugal. While past takedowns have shown limited long-term impact on the overall activity of these groups, a more coordinated effort to dismantle their command-and-control infrastructure and target their financial facilitators might reduce their operational capacity more effectively. This would require sustained international cooperation and intelligence sharing.
A third outcome could see a shift in the primary targets or methods. If Santander and BBVA implement highly effective countermeasures, Ousaban and similar trojans may redirect their efforts towards other financial institutions or even expand into new geographies, seeking less protected environments. They might also evolve their social engineering tactics beyond PDF lures to maintain their infection rates.