Veridact
A Brazilian banking trojan is targeting Santander and BBVA customers with fake PDF lures

Image: courtesy of Thenextweb

tech | July 2, 2026 | By Veridact Editorial | Updated Jul 2

Ousaban: How a Brazilian Banking Trojan Keeps Adapting to Target European Bank Customers

A Brazilian banking trojan known as Ousaban, or Javali, is actively targeting customers of Santander and BBVA in Spain and Portugal. The malware uses fake PDF documents as lures, employing sophisticated techniques like geofencing and steganography to evade detection and steal sensitive financial information. This latest campaign highlights the persistent and evolving threat posed by a group of Brazilian banking trojans that have historically targeted the Iberian Peninsula.

Outlook

The current Ousaban campaign targeting Santander and BBVA customers is likely to continue as long as it remains effective. Users in Spain and Portugal, particularly those with accounts at the targeted banks, should expect continued phishing attempts using deceptive PDF lures. Cybersecurity firms and financial institutions will intensify their efforts to detect and mitigate this specific variant, but the historical resilience of these trojan groups suggests a continuous cycle of adaptation and re-emergence.

Background

Ousaban operates by tricking users into clicking on malicious links embedded within seemingly legitimate PDF documents. These PDFs often pretend to be contracts or invoices, written in Portuguese to target the specific regional demographic. Once a user clicks, a malicious downloader is activated, installing the trojan on their system.
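As an added illustration of the lure mechanism described above (not code from Fortinet or from any source this article cites), here is a mail-gateway style check that extracts the link targets embedded in a PDF, including those inside Flate-compressed streams, and holds any that fall outside an allowlist. The allowlist approach, the function names and the example.com / example.net hosts are assumptions constructed for the example.

```python
import re
import zlib
from urllib.parse import urlsplit

# Target of a link annotation's URI action: /URI (https://...)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)

def pdf_link_targets(data: bytes) -> list[str]:
    """Collect /URI targets from the raw file and from Flate-compressed streams."""
    bodies = [data]
    for m in STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates a trimmed trailer byte; non-Flate data raises
            bodies.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue  # image, font or encrypted stream: nothing to scan here
    found = []
    for body in bodies:
        for m in URI_RE.finditer(body):
            raw = re.sub(rb"\\(.)", rb"\1", m.group(1))  # undo \( \) \\ escapes only
            found.append(raw.decode("latin-1"))
    return list(dict.fromkeys(found))  # de-duplicate, keep first-seen order

def triage(data: bytes, expected_hosts: set[str]) -> list[tuple[str, str]]:
    """Return (uri, reason) for links a gateway should hold for review."""
    findings = []
    for uri in pdf_link_targets(data):
        parts = urlsplit(uri)
        host = (parts.hostname or "").lower()
        if parts.scheme not in ("http", "https"):
            findings.append((uri, "non-web scheme"))
        elif not any(host == h or host.endswith("." + h) for h in expected_hosts):
            findings.append((uri, "host not on allowlist"))
    return findings

def build_sample() -> bytes:
    """Constructed PDF fragment: one plain link, one inside a compressed stream."""
    plain = b"<< /Subtype /Link /A << /S /URI /URI (https://portal.example.com/help) >> >>"
    packed = zlib.compress(
        b"<< /Subtype /Link /A << /S /URI /URI (https://files.example.net/contrato) >> >>")
    head = b"<< /Filter /FlateDecode /Length %d >>" % len(packed)
    return (b"%PDF-1.7\n1 0 obj\n" + plain + b"\nendobj\n2 0 obj\n" + head
            + b"\nstream\n" + packed + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for uri, reason in triage(build_sample(), {"example.com"}):
        print(f"HOLD {reason}: {uri}")
```

The scan reads only literal-string URI values and Flate streams; hex-encoded strings, other filters and encrypted documents need a full PDF parser.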

CONFIRMED: Fortinet has confirmed Ousaban's active presence since May 2026. The trojan is capable of capturing screenshots, logging keystrokes, and stealing data from the clipboard, allowing it to harvest sensitive financial credentials and personal information. To avoid detection and analysis, Ousaban uses geofencing, meaning it only activates its full malicious payload when it detects that the infected machine is located within its target regions. It also employs steganography, a technique where malicious code is hidden within seemingly harmless image files, further complicating detection by standard antivirus software.

INFERRED: This combination of social engineering, geographic targeting, and technical evasion makes Ousaban a particularly challenging threat for both users and cybersecurity defenders. The use of a 2008-era encryption scheme and its development in Delphi, as noted by Black Duck consultant Li Zhao, suggests that while the delivery methods are refined, the core components leverage older, stable, and perhaps less scrutinized codebases.

Precedents

Ousaban is not an isolated threat; it belongs to a notorious group of Brazilian banking trojans that Kaspersky years ago labeled the 'Tetrade.' This group includes Grandoreiro, Guildma, and Melcoz, all of which originated in Brazil and subsequently expanded their operations into the Iberian Peninsula, sharing code and tactics along the way.

CONFIRMED: Grandoreiro, perhaps the most well-known of the Tetrade, demonstrated remarkable resilience after an Interpol-coordinated takedown operation in January 2024. Despite significant law enforcement action, Grandoreiro was observed to be back in operation within months, illustrating the adaptive nature and operational persistence of these criminal networks.

INFERRED: This history of quick recovery and adaptation suggests that the groups behind these trojans are highly organized and resourceful, capable of rebuilding infrastructure and refining their attack methods even after major disruptions. Their expansion from Brazil to Spain and Portugal is likely driven by linguistic and cultural similarities, as well as the economic opportunities presented by targeting customers of major European banks.

The persistent threat from Ousaban and its counterparts matters because it represents a continuous financial risk to individuals and a significant operational challenge for banks. For customers, a successful Ousaban infection can lead to direct financial losses, identity theft, and the psychological burden of compromised security. The targeting of major banks like Santander and BBVA, which serve millions of customers, amplifies the potential impact.

For financial institutions, these attacks demand constant investment in cybersecurity defenses, customer education, and incident response. The use of traditional tactics like fake PDFs, combined with advanced evasion techniques, means that banks cannot rely solely on technical solutions; robust user awareness campaigns are equally critical. The ability of these trojans to quickly re-emerge after takedowns also raises questions about the long-term effectiveness of law enforcement operations against such agile cybercriminal groups, implying that a more holistic, international approach is needed to disrupt their underlying infrastructure and funding.

Scenarios

Analysis

One possible outcome is that financial institutions will further enhance their multi-factor authentication protocols and implement more sophisticated email and document scanning technologies to identify and block Ousaban's lures. This could involve real-time analysis of attachments and links, moving beyond traditional signature-based detection. However, this also implies a constant arms race, as the trojan developers will likely seek new ways to bypass these defenses.

Another scenario suggests increased cross-border collaboration between cybersecurity firms, law enforcement agencies, and financial regulators in Brazil, Spain, and Portugal. While past takedowns have shown limited long-term impact on the overall activity of these groups, a more coordinated effort to dismantle their command-and-control infrastructure and target their financial facilitators might reduce their operational capacity more effectively. This would require sustained international cooperation and intelligence sharing.

A third outcome could see a shift in the primary targets or methods. If Santander and BBVA implement highly effective countermeasures, Ousaban and similar trojans may redirect their efforts towards other financial institutions or even expand into new geographies, seeking less protected environments. They might also evolve their social engineering tactics beyond PDF lures to maintain their infection rates.

Timeline

  • 2021-09-30: Related Campaign Detected. Symantec’s Threat Hunter Team detected suspicious activity related to a campaign attempting to download malicious files onto customer environments, highlighting the longevity of similar threats.
  • 2024-01: Grandoreiro Takedown. Interpol coordinated a major takedown operation against Grandoreiro, a prominent Brazilian banking trojan and peer to Ousaban within the 'Tetrade' group.
  • 2024 (Months after Jan): Grandoreiro Re-Emerges. Despite the Interpol operation, Grandoreiro was observed to be back in active circulation within months, demonstrating the resilience of these cybercriminal groups.
  • 2026-05: Ousaban's Active Presence Confirmed. Fortinet confirmed that the Ousaban banking trojan has been actively targeting users, marking its sustained operation in the current threat landscape.
  • 2026-07-01: Ousaban Targets Santander and BBVA. The Ousaban banking trojan was reported to be actively targeting customers of Santander and BBVA in Spain and Portugal using fake PDF lures.

Frequently Asked Questions

Ousaban, also tracked as Javali, is a type of malicious software known as a banking trojan. It is designed to steal sensitive financial information, such as login credentials, from bank customers.
