Ousaban Resurfaces in Iberia, Hiding Bank-Stealer Payloads Inside Images

A Brazilian trojan pivots to Spanish and Portuguese banking customers, using geofenced PDF lures and steganography to bury its real payload.

ThreatVectr Newsdesk· 3 min read
Ousaban Resurfaces in Iberia, Hiding Bank-Stealer Payloads Inside Images
Share

Ousaban is back, and it has learned some new tricks.

Fortinet's FortiGuard Labs flagged a fresh campaign in May 2026 aimed squarely at Windows users banking in Spain and Portugal. The malware family is not new. The delivery chain, and the care taken to filter out anyone who isn't Iberian, is what makes this run worth watching.

The lure is a phishing email carrying a PDF that presents itself as corrupted. Curious users click through to "fix" the document and end up fetching a downloader from an attacker-controlled host. Before anything else fires, the loader checks the victim's geolocation. If the IP resolves outside Spain or Portugal, execution stops. That geofence keeps sandboxes in the US and elsewhere from ever seeing the real second stage — a common but effective way to slow reverse engineering.

For victims inside the target region, the loader pulls what looks like an ordinary image file. The actual payload is hidden inside it using steganography, then decoded in memory. Once resident, Ousaban does what it has always done: sit quietly, watch for browser sessions against Iberian banks, and overlay fake login windows on top of the real ones to harvest credentials. Some variants also pull off screen captures and keylogging.

This is credential theft, full stop. It is not a session-hijack story, not a token-replay story, not an OAuth misconfiguration. Ousaban wants your password and, where the bank still relies on static second factors, your OTP too.

Which brings up the honest MFA question. Would MFA help? Partly. SMS OTPs and TOTP codes typed into an overlay window are trivially relayed by the operator in real time. Phishing-resistant factors — WebAuthn per FIDO2/CTAP2 or platform passkeys — would defeat the overlay entirely, because the browser will not release an assertion to a process sitting on top of the page. European banks are moving that way under PSD2's strong customer authentication rules, but overlay-friendly OTP flows remain widespread.

A few defensive notes for the SOC crowd.

Block execution of unsigned binaries dropped by PDF readers. Alert on processes that fetch image files and immediately allocate large executable memory regions — classic stego-decode behavior. Egress filtering to known Ousaban C2 ranges helps, though the operators rotate infrastructure aggressively. Endpoint telemetry that surfaces browser process injection is worth more here than any single IOC list.

For end users, the advice is duller than the malware deserves. Don't open PDFs that claim to be broken. If your bank offers a passkey or a hardware security key, enroll it. If it only offers SMS, that is a product decision worth complaining about.

Ousaban has been kicking around since roughly 2018. The fact that it's still profitable in 2026 says more about banking auth than about the malware.

© 2026 Threat Vectr