Security researchers at Fortinet’s FortiGuard Labs report that a Brazilian banking trojan, Ousaban, is targeting Windows users who bank in Spain and Portugal. The activity is linked to customers of major banks, including Santander and BBVA. FortiGuard Labs identified the campaign in May 2026 and published its analysis this week.

According to the reports, the attack begins with phishing that delivers a lure presented as a PDF document. The file is disguised as a corrupted document to increase the chance users will open it. After execution, the malware performs geofencing to check whether the victim is located in Spain or Portugal before continuing.

The trojan then proceeds to deliver its intended payload. Rather than relying on a straightforward download, the reports describe the malicious code as being hidden inside an image contained within the malicious content, a technique intended to avoid triggering common security defenses.

The campaign’s objective is to steal banking credentials or session information and enable fraudulent access to users’ accounts. The reporting across outlets describes these steps in consistent terms, focusing on the lure, targeting approach, and credential-theft purpose.