Ousaban Banking Trojan Targets Iberian Bank Users with Fake PDF Lures

By The Hacker News
July 1, 2026


A Brazilian banking trojan called Ousaban is going after Windows users who bank in Spain and Portugal. Fortinet’s FortiGuard Labs identified the campaign in May 2026.

It opens with a phishing PDF disguised as a corrupted file, checks that the visitor is really in Spain or Portugal, and hides its real payload inside an image.

The goal is the usual one: steal banking logins and take over accounts.

Ousaban sits quietly on a Windows PC and waits for the user to open a banking site. When a target bank loads, it can capture screenshots and keystrokes, tamper with the clipboard, show fake messages, and give the attacker remote control.

Together, those are the tools for hijacking a live banking session and taking over an account. Ousaban watches for more than two dozen banks across the two countries, among them Banco Santander, BBVA, CaixaBank, Bankinter, and Caixa Geral de Depósitos.

How the attack works

It starts with a phishing PDF disguised as a corrupted file. The PDF shows a prompt telling the victim to press an “Atualizar” (Update) button, which opens a malicious webpage.

Hidden JavaScript in the PDF can open the same page on its own. The page poses as a tax-document and installer portal while screening visitors. Fortinet says an earlier version ran these checks in the browser: it looked at the visitor’s IP address, language, and time zone, blocked anyone coming through a VPN, and filtered out automated security tools by checking details like screen size and installed fonts.

The current version moves that screening to the operator’s server, so the exact rules are hidden. Either way, visitors outside Spain or Portugal get a Spanish “access denied” notice instead of malware.
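The lure chain above starts with a PDF that either asks for a click on "Atualizar" or opens the page itself through embedded JavaScript. The following triage script is an added example, not code from the article or from Fortinet: it counts the PDF name tokens that mark auto-execution (`/OpenAction`, `/AA`) and active content (`/JavaScript`, `/JS`, `/Launch`, `/URI`), after undoing the `#xx` name escapes that lure builders use to hide them, and flags a file that combines both. The sample document, including the `lure.example` URL, is constructed here for the demonstration.

```python
import re
from typing import Dict

# Name tokens that commonly mark an active or self-triggering PDF. A hit is a
# triage signal, not proof of malice: plenty of legitimate forms carry /JS.
RISKY_KEYS = [b"/OpenAction", b"/AA", b"/JavaScript", b"/JS",
              b"/Launch", b"/URI", b"/EmbeddedFile"]


def _unescape_names(data: bytes) -> bytes:
    # PDF syntax allows /J#53 for /JS; normalise so the obfuscated spelling counts too.
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def pdf_risk_report(data: bytes) -> Dict[str, int]:
    """Count each risky name token in the raw PDF bytes.

    Caveat: tokens inside FlateDecode-compressed object streams are invisible to a
    byte scan; a full parser (or a pdfid/peepdf-style tool) is needed for those.
    """
    if not data.lstrip().startswith(b"%PDF-"):
        raise ValueError("no PDF header")
    text = _unescape_names(data)
    # Negative lookahead stops /JS from matching inside a longer name such as /JSx.
    return {key.decode(): len(re.findall(re.escape(key) + rb"(?![A-Za-z])", text))
            for key in RISKY_KEYS}


def is_suspicious(report: Dict[str, int]) -> bool:
    """Self-triggering action plus active content is the lure pattern described above."""
    auto_trigger = report["/OpenAction"] + report["/AA"]
    active = report["/JavaScript"] + report["/JS"] + report["/Launch"] + report["/URI"]
    return auto_trigger > 0 and active > 0


# Constructed sample: a minimal PDF whose catalog fires JavaScript on open and
# whose single page carries a link annotation. Not a real lure.
SAMPLE_LURE = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj
4 0 obj << /S /JavaScript /JS (app.launchURL('http://lure.example/atualizar', true);) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://lure.example/atualizar) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

SAMPLE_BENIGN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

if __name__ == "__main__":
    for name, doc in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        rep = pdf_risk_report(doc)
        print(name, rep, "SUSPICIOUS" if is_suspicious(rep) else "ok")
```

The scan deliberately stays at the byte level so it can run in a mail gateway hook without a PDF library; the trade-off, noted in the docstring, is that it cannot see into compressed object streams.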

Clear the check, and the download starts. A script downloads an image that looks like a PDF icon but hides a ZIP file inside, a trick called steganography. The script unpacks Ousaban from that ZIP, runs it, then deletes the image, the ZIP, and itself to leave less behind. Once running, Ousaban adds a registry entry named Financeiro (Portuguese for “finance”) so it starts up with Windows.
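The "PDF icon with a ZIP inside" trick is usually an archive appended after the point where the image format says the picture ends. This detector is an added example, not Fortinet's or the article's code: it walks a PNG's chunks to the IEND record (or finds a JPEG's end-of-image marker), then inspects whatever trails the image for ZIP signatures and lists the archive's entries. The sample image and its appended archive are constructed inline; the file name `payload.bin` and its contents are placeholders, not the campaign's.

```python
import io
import struct
import zipfile
import zlib
from typing import Dict, Optional

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
ZIP_LOCAL_HEADER = b"PK\x03\x04"   # first bytes of a ZIP local file header
ZIP_EOCD = b"PK\x05\x06"           # end-of-central-directory record signature


def image_logical_end(data: bytes) -> Optional[int]:
    """Offset just past where a well-formed PNG/JPEG should end, or None if not one."""
    if data.startswith(PNG_MAGIC):
        pos = len(PNG_MAGIC)
        while pos + 8 <= len(data):
            length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
            pos += 8 + length + 4          # chunk header + payload + CRC
            if ctype == b"IEND":
                return pos
        return None                        # truncated or malformed PNG
    if data.startswith(JPEG_MAGIC):
        # First EOI marker. Caveat: an EXIF thumbnail also ends with FFD9, so a
        # JPEG with a thumbnail will report its tail as "trailing" data.
        eoi = data.find(b"\xff\xd9")
        return eoi + 2 if eoi != -1 else None
    return None


def find_embedded_zip(data: bytes) -> Optional[Dict[str, object]]:
    """Report trailing data after an image and any ZIP archive found in it."""
    end = image_logical_end(data)
    if end is None or end >= len(data):
        return None                        # not an image, or nothing after the image
    trailer = data[end:]
    zip_start = trailer.find(ZIP_LOCAL_HEADER)
    result: Dict[str, object] = {
        "trailing_bytes": len(trailer),
        "zip_signature": zip_start != -1 and ZIP_EOCD in trailer,
        "archive": False,
        "names": [],
    }
    if not result["zip_signature"]:
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(trailer[zip_start:])) as zf:
            result["archive"] = True
            result["names"] = zf.namelist()
    except zipfile.BadZipFile:
        pass                               # signatures present but archive unreadable
    return result


def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample(with_zip: bool) -> bytes:
    """Constructed 1x1 PNG, optionally with a ZIP appended to mimic the lure's icon."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit grayscale
    idat = zlib.compress(b"\x00\x00")                    # filter byte + one pixel
    png = (PNG_MAGIC + _png_chunk(b"IHDR", ihdr)
           + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))
    if not with_zip:
        return png
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.bin", b"constructed placeholder, not malware")
    return png + buf.getvalue()


if __name__ == "__main__":
    print(find_embedded_zip(build_sample(True)))
    print(find_embedded_zip(build_sample(False)))
```

Any non-empty trailer behind an image is worth a look on its own; the ZIP parse just saves the analyst a step by naming what the loader would have unpacked.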

Ousaban’s command server, the machine that controls it, is deliberately hard to find. The malware carries a Pastebin link that points to one server address, but Fortinet says that address is a decoy.

Hiding these details in web services is an old Ousaban habit: earlier campaigns stashed the configuration in Google Docs. This time, the real server moves every day. The malware reads the current date off a Google page, builds a web address from that date plus a fixed secret, and looks it up. Blocking yesterday’s address does little good.

A familiar Brazilian playbook

None of this is new. Ousaban, also tracked as Javali, is one of a group of Brazilian banking trojans that Kaspersky labeled years ago as the “Tetrade,” alongside Grandoreiro, Guildma, and Melcoz.

These families started in Brazil and pushed into Spain and Portugal, borrowing code from each other as they went; Ousaban’s string encryption is the same custom scheme used by another family, Casbaneiro.

Grandoreiro, the best known of the group, shows how durable the playbook is. It survived an Interpol-coordinated takedown in January 2024 and was back within months, and its loaders leaned on the same habit of hiding downloads behind PDF-looking lures and country checks.

It is still active against Iberian targets, with a campaign reported this year that kept hitting Portuguese banks. Fortinet links the same infrastructure to Ousaban activity in late 2025 that used other entry points, including “ClickFix,” a scam that gets the victim to paste a malicious command themselves while thinking they are fixing an error.

What to do

The first place to catch it is the lure. Treat any PDF or email that claims a file is corrupted and tells you to press “Update” as hostile. The same goes for prompts that tell users to paste a command to fix an “error.” The PDF can even open the malicious page on its own.

Treat unexpected invoice, factura, or tax-document attachments as suspect, especially in Spain and Portugal.

Server-side screening means that an automated sandbox that just fetches the link may get only the Spanish error page instead of the malware. Gateway detonation alone can miss it. The campaign only affects Windows.

Fortinet’s report lists domains, IP addresses, and file hashes to block. Defenders should watch for the Financeiro registry Run key and files dropped to C:\SysMain_5874288. Fortinet says its FortiGuard antivirus flags the samples, and its FortiMail product flags the phishing email.
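The two host indicators named here, the Financeiro Run-key value and the C:\SysMain_5874288 drop directory, translate directly into endpoint telemetry rules. The script below is an added example, not Fortinet's or the article's detection logic: it runs over Sysmon-shaped events (ID 13 registry value set, ID 11 file create) and raises an alert for the named Run value, for any Run value whose data points into the drop directory, and for files created there. The events, the SID and the `wscript.exe` dropper process are constructed for the demonstration; the article does not name the script host.

```python
import re
from typing import Dict, List

# The two indicators the article names, lower-cased for comparison.
SUSPECT_RUN_VALUE = "financeiro"
SUSPECT_DROP_DIR = r"c:\sysmain_5874288"

# Matches the value name at the end of an HKCU/HKLM ...\CurrentVersion\Run[Once]\ path.
RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run(?:once)?\\([^\\]+)$")


def triage_events(events: List[Dict[str, str]]) -> List[str]:
    """Return one alert string per suspicious Sysmon event."""
    alerts: List[str] = []
    for ev in events:
        eid = ev.get("EventID")
        image = ev.get("Image", "?")
        if eid == "13":                          # Sysmon RegistryEvent: value set
            target = ev.get("TargetObject", "")
            details = ev.get("Details", "")
            m = RUN_KEY_RE.search(target.lower())
            if not m:
                continue
            if m.group(1) == SUSPECT_RUN_VALUE:
                alerts.append(f"Run-key persistence {target} = {details} (by {image})")
            elif details.lower().startswith(SUSPECT_DROP_DIR):
                alerts.append(f"Run-key value points into drop dir: {details} (by {image})")
        elif eid == "11":                        # Sysmon FileCreate
            path = ev.get("TargetFilename", "")
            if path.lower().startswith(SUSPECT_DROP_DIR + "\\"):
                alerts.append(f"file created in drop dir: {path} (by {image})")
    return alerts


# Constructed events: two that should alert, one benign OneDrive autostart.
SAMPLE_EVENTS = [
    {"EventID": "11", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\SysMain_5874288\core.dll"},
    {"EventID": "13", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-111\Software\Microsoft\Windows\CurrentVersion\Run\Financeiro",
     "Details": r"C:\SysMain_5874288\launcher.exe"},
    {"EventID": "13", "Image": r"C:\Users\ana\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-111\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\ana\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for line in triage_events(SAMPLE_EVENTS):
        print("ALERT:", line)
```

The second Run-key condition matters more than the first: a renamed value name is a one-line change for the operator, while the loader still has to point autostart at whatever it dropped.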

The trojan itself is old, and Fortinet says its custom encryption has stayed effective against detection for years. The newer part is the wrapper: geofencing, a hidden payload, and a throwaway daily address, all built to show the malware to real victims in two countries and nobody else.
