
OUSABAN, a banking trojan that previously focused on Brazil, has turned its attention to customers in Spain and Portugal through a phishing campaign that uses fake tax documents as bait. The activity was first detected on 1 July 2026 and continued until at least 6 July 2026, with victims lured by emails that appear to come from a tax authority. According to analysis from Fortinet research, the scheme relies on geo‑restriction techniques to ensure only users within the Iberian Peninsula are targeted.
The infection chain begins with a phishing email that contains a PDF attachment masquerading as a tax notice. When the victim opens the file and clicks the embedded link, they are redirected to a counterfeit webpage that mimics a government tax portal. This page runs a hidden VBScript that downloads the main payload and establishes persistence by creating a registry run key. SecurityOnline.info details the technique in its report here.
Once the trojan is active, it can harvest banking credentials through keylogging, screen capturing and the injection of false bank login forms. The malware also checks the victim’s location before activating, aborting if the IP address originates outside Spain or Portugal. Infosecurity Magazine notes that Ousaban regularly rotates its command‑and‑control domains to evade blocklists here.
Researchers have not identified a specific threat actor behind the campaign, but the tactics show a clear evolution from the trojan’s earlier Brazilian focus. The use of geofencing allows the attackers to reduce noise and avoid detection by security sandboxes that often run from virtual environments located elsewhere. The campaign remained active for over a week, indicating a degree of operational discipline.
The shift toward seemingly legitimate documents such as tax forms reflects a broader trend among financial malware operators to exploit trusted communication channels. By coupling social engineering with technical evasion like steganography and domain flux, the actors increase the likelihood of success while lowering the chance of early detection. This development serves as a reminder that even well‑known trojans can be repurposed for new regions with relatively modest changes.
Defenders should monitor endpoints for unexpected executions of VBScript or PowerShell, especially those spawned from PDF readers or web browsers. Blocking outbound connections to newly observed domains associated with the campaign can limit data exfiltration. Applying the principle of least privilege and disabling macro execution in Office applications reduces the chance that a malicious script gains a foothold.
Keeping anti‑malware signatures up to date and enabling behaviour‑based detection helps catch the trojan’s registry modifications and credential‑stealing modules. Organisations should also run regular phishing simulation exercises to train staff to recognise suspicious tax‑themed messages. Finally, reviewing autorun locations in the Windows Registry on a weekly basis can reveal persistent implants before they are used to harvest sensitive data.