Fortinet FortiGuard Labs is tracking a fresh Ousaban banking trojan campaign aimed at Windows users in Spain and Portugal. The campaign is not just another fake-document phish. It combines phishing PDFs, geofencing, server-side victim screening, steganographic payload delivery, daily-changing command infrastructure, and banking-session surveillance.
That matters beyond Iberian retail banking. The tradecraft shows how mature credential-theft crews are building delivery chains that only expose malware to the right geography, language, device profile, and victim behavior. For defenders, that means a sandbox that simply opens the link from the wrong location may see only an access-denied page while real users receive the payload.
What Fortinet Reported
The campaign starts with a PDF that pretends to be corrupted and prompts the user to click an “Update” button. That click leads to a malicious web page. Earlier versions performed browser-side checks for IP location, language, time zone, VPN indicators, screen resolution, rendering behavior, and fonts. In the newer version, the screening has moved server-side, making the criteria harder for analysts to inspect.
If the visitor appears to match the intended victim profile, the site downloads a VBS file. That script retrieves an image that looks like a PDF icon but has a ZIP archive appended to it. The script extracts the Ousaban payload, drops it under C:\SysMain_5874288, runs it, and then deletes the staging files to reduce evidence.
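The image-with-appended-ZIP packaging described above is easy to check for on the wire or on disk, because a well-formed PNG or JPEG has a definite end (the IEND chunk, the EOI marker) and anything after it is trailing data. The following is an added example, not code from Fortinet or from the campaign: it walks the image structure to find that natural end, looks for a ZIP local-file header in the trailer, and confirms the trailer parses as an archive. The sample image and archive are constructed in memory (the "payload" is a harmless placeholder string), and the PNG-first, then-JPEG handling is an assumption about what such an icon file might be; the report does not say which image format was used.

```python
"""Detect an image file that carries a ZIP archive appended after its natural end."""
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def _png_end(data):
    """Walk PNG chunks; return the offset just past IEND's CRC, or None."""
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # length/type header + chunk data + CRC
        if ctype == b"IEND":
            return pos
    return None


def _jpeg_end(data):
    """Walk JPEG marker segments to SOS, then find the EOI that ends the scan.
    EXIF thumbnails sit in APPn segments before SOS, so they are skipped, and
    inside entropy-coded data a 0xFF is always stuffed, so the first FF D9 after
    SOS is the real end of image."""
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:              # fill byte
            pos += 1
            continue
        if marker == 0xD9:              # EOI before any scan: odd, but it is the end
            return pos + 2
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            pos += 2                    # standalone markers carry no length
            continue
        if marker == 0xDA:              # SOS: entropy-coded data runs to EOI
            eoi = data.find(JPEG_EOI, pos + 2)
            return eoi + 2 if eoi != -1 else None
        if pos + 4 > len(data):
            return None
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
    return None


def image_end_offset(data):
    """Offset where a well-formed PNG or JPEG should stop, or None if neither."""
    if data.startswith(PNG_SIG):
        return _png_end(data)
    if data.startswith(JPEG_SOI):
        return _jpeg_end(data)
    return None


def find_appended_zip(data):
    """Return details of a ZIP archive hidden after the image, else None."""
    end = image_end_offset(data)
    if end is None or end >= len(data):
        return None
    trailer = data[end:]
    start = trailer.find(ZIP_LOCAL_HEADER)
    if start == -1 or not zipfile.is_zipfile(io.BytesIO(trailer[start:])):
        return None
    with zipfile.ZipFile(io.BytesIO(trailer[start:])) as zf:
        members = zf.namelist()
    return {"image_end": end, "zip_offset": end + start, "members": members}


def opens_as_archive(data):
    """True if a stock ZIP reader accepts the whole file as an archive.
    Readers locate the end-of-central-directory record from the file's tail, so
    leading image bytes do not stop extraction; a dropper can hand the whole
    "icon" to an unzip routine without trimming it first."""
    return zipfile.is_zipfile(io.BytesIO(data))


# ---- constructed sample data, not samples from the report ----
def _png_chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png():
    """A valid 1x1 RGB PNG built in memory."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")   # filter byte + one black pixel
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


CLEAN_PNG = make_png()
# Stand-in payload: harmless text. Only the packaging is the point of the example.
POLYGLOT = CLEAN_PNG + make_zip({"stage2.bin": b"constructed placeholder, not a real payload"})

if __name__ == "__main__":
    print("clean image:", find_appended_zip(CLEAN_PNG))
    print("image + appended zip:", find_appended_zip(POLYGLOT))
```

Run it on anything a browser or script downloaded with an image extension; a non-None result, or `opens_as_archive` returning True for a file that claims to be an image, is worth an alert on its own, independent of what the archive contains.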
Once active, Ousaban establishes persistence with a Financeiro Run-key entry, watches for targeted banking sessions, and can collect screenshots, keylogging data, clipboard content, and remote-control input. Fortinet also notes that the malware uses a decoy Pastebin configuration and resolves its real command-and-control through date-derived, daily-changing DDNS hostnames.
Why This Matters to SMBs and Government Contractors
Ousaban is focused on banking users, but the defensive lesson is broader: modern malware delivery is increasingly conditional. It may only activate for the right geography, browser profile, and user workflow. That is a problem for organizations relying too heavily on email detonation, link rewriting, or one-shot sandbox analysis.
Small businesses, subcontractors, and government-adjacent firms often have finance staff, executives, and overseas partners who handle invoices, taxes, vendor payments, and banking portals from ordinary Windows workstations. Those workflows are high-value because attackers do not always need domain-wide compromise to create serious financial impact. A single live banking session can be enough.
Defensive Takeaways
- Treat “corrupted PDF” update prompts as malicious. PDFs should not ask users to update the document through a random web page.
- Do not rely on sandbox verdicts alone. Geo-fenced malware may serve benign or blocked content to security tools while delivering payloads to real users. Where possible, detonate suspicious links from an egress point and browser profile that match the targeted users, and treat an access-denied or blank page as an inconclusive result rather than a clean one.
- Monitor script abuse. Alert on VBS, MSI, and suspicious child processes launched from downloaded documents or browser cache paths.
- Hunt for Ousaban artifacts. Fortinet called out the Financeiro Run-key persistence value and files under C:\SysMain_5874288.
- Restrict unmanaged browser banking workflows. Finance users should use hardened browsers, MFA, transaction verification, and out-of-band approval for payment changes.
- Watch DDNS and newly observed domains. Daily-changing C2 hostnames make static blocklists brittle; DNS telemetry and egress anomaly detection matter.
- Train against ClickFix-style behavior. The broader Ousaban activity has used lures that convince users to paste or run commands themselves.
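The date-derived, daily-changing DDNS hostnames noted in the Fortinet write-up, and the point above that static blocklists are brittle against them, lend themselves to a simple churn heuristic over DNS telemetry: a legitimate dynamic-DNS user keeps resolving the same hostname day after day, while a host whose beacon rotates names resolves a never-before-seen hostname under the same DDNS zone on consecutive days. The code below is an added example and not from Fortinet or the page; the DDNS zone list, the log line format, the client names, and every hostname in the sample telemetry are constructed for illustration, not indicators from the report. It also counts how many of the rotating host's DDNS queries a blocklist built from the first day's hostname would miss.

```python
"""Flag hosts that resolve a new hostname under the same DDNS zone day after day."""
from collections import defaultdict

# Assumption: which zones count as dynamic DNS. The report does not name the
# provider Ousaban uses, so extend this tuple from your own telemetry.
DDNS_ZONES = ("ddns.net", "duckdns.org", "no-ip.org")


def ddns_zone(qname):
    """Return the DDNS zone a queried name falls under, or None."""
    q = qname.lower().rstrip(".")
    for zone in DDNS_ZONES:
        if q.endswith("." + zone):
            return zone
    return None


def parse_line(line):
    """Constructed log format: '<ISO timestamp> <client host> <queried name>'."""
    ts, client, qname = line.split()
    return ts[:10], client, qname.lower().rstrip(".")


def rotating_ddns_hosts(lines, min_days=3):
    """Return {(client, zone): [hostnames in first-seen order]} for every pair
    where a hostname not seen before under that zone shows up on at least
    min_days distinct days. A fixed hostname accumulates one name in total;
    a rotating one accumulates one new name per day."""
    first_seen = defaultdict(dict)          # (client, zone) -> {qname: first day}
    for line in lines:
        day, client, qname = parse_line(line)
        zone = ddns_zone(qname)
        if zone is None:
            continue
        first_seen[(client, zone)].setdefault(qname, day)
    flagged = {}
    for key, names in first_seen.items():
        if len(set(names.values())) >= min_days:
            flagged[key] = sorted(names, key=names.get)
    return flagged


def blocklist_misses(lines, blocklist, client):
    """Count the client's DDNS queries a static blocklist would let through,
    which is how fast a one-off indicator decays against daily rotation."""
    blocked = {b.lower().rstrip(".") for b in blocklist}
    missed = 0
    for line in lines:
        _, who, qname = parse_line(line)
        if who == client and ddns_zone(qname) and qname not in blocked:
            missed += 1
    return missed


# Constructed sample telemetry. Hostnames are placeholders, not report indicators.
SAMPLE_DNS_LOG = [
    "2024-05-01T09:12:03 WS-FIN-07 k3r9wq.ddns.net",
    "2024-05-01T09:15:11 WS-FIN-07 mail.example.com",
    "2024-05-02T08:58:40 WS-FIN-07 p7tq2c.ddns.net",
    "2024-05-02T14:02:09 WS-FIN-07 p7tq2c.ddns.net",
    "2024-05-03T09:03:27 WS-FIN-07 zx81mf.ddns.net",
    "2024-05-01T10:00:00 WS-DEV-02 homecam.duckdns.org",
    "2024-05-02T10:00:00 WS-DEV-02 homecam.duckdns.org",
    "2024-05-03T10:00:00 WS-DEV-02 homecam.duckdns.org",
]

if __name__ == "__main__":
    for (client, zone), names in rotating_ddns_hosts(SAMPLE_DNS_LOG).items():
        print(f"{client} rotates hostnames under {zone}: {names}")
    print("queries missed after blocking day-one name:",
          blocklist_misses(SAMPLE_DNS_LOG, ["k3r9wq.ddns.net"], "WS-FIN-07"))
```

Against the sample, the finance workstation is flagged after three days and the developer workstation with a fixed home-camera hostname is not. Feed it real resolver or Sysmon DNS events and tune `min_days` and the zone list to your environment; the point is to key on churn per client and zone rather than on any single hostname.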
Bulwark Black Assessment
Ousaban is a good example of why “commodity malware” should not be treated as low sophistication. The payload family is old, but the delivery wrapper keeps improving. Geofencing, anti-analysis checks, steganographic packaging, and rotating infrastructure are exactly the kinds of controls that help attackers survive automated defenses.
For defenders, the practical answer is layered visibility: email controls, browser isolation for finance workflows, endpoint behavior monitoring, DNS analytics, script restrictions, and a payment process that assumes endpoint compromise is possible. If your organization handles money, contracts, payroll, travel, or vendor payments from standard workstations, banking trojans belong in the threat model.
Sources: Fortinet FortiGuard Labs; The Hacker News; SC Media brief surfaced in Feedly.
