Cyber Web Spider Blog – News

Ousaban Trojan Targets Iberian Banks with PDF Traps


Posted on July 1, 2026 By CWS

A sophisticated banking trojan named Ousaban is currently targeting Windows users in Spain and Portugal, aiming to compromise their online banking credentials. This campaign, identified by Fortinet’s FortiGuard Labs in May 2026, employs deceptive tactics to lure victims into its trap.

Phishing Tactics and Initial Intrusion

The attack begins with a seemingly corrupted PDF file, which acts as a phishing lure. It specifically checks if the recipient is located in Spain or Portugal before executing its malicious payload hidden within an image. The primary objective is to steal banking details and gain unauthorized access to accounts.

Once installed on a Windows PC, Ousaban remains dormant until the user accesses a banking website. At this point, it can capture screenshots, record keystrokes, manipulate the clipboard, and even display fake messages. These tools enable attackers to hijack live banking sessions, targeting over two dozen banks in the region, including prominent names like Banco Santander, BBVA, and CaixaBank.

Technical Details of the Ousaban Attack

The attack is initiated through a phishing PDF, which prompts users to click an ‘Atualizar’ (Update) button, redirecting them to a malicious site. Hidden JavaScript can also trigger this redirect automatically. The site masquerades as a tax-document portal, screening visitors based on their location and other criteria. Previous versions conducted these checks client-side, but the latest iteration moves this process to the server, obscuring the exact parameters used.

If a visitor passes the checks, a download begins, employing steganography to conceal a ZIP file within an image. The script extracts and executes Ousaban, then cleans up traces by deleting the image, ZIP, and itself. The trojan ensures persistence by adding a registry entry named ‘Financeiro,’ allowing it to launch with Windows startup.

Challenges and Countermeasures

Ousaban’s command server is elusive, using a decoy address and frequently changing its actual location. The malware constructs a new server address each day from a Google page date and a fixed secret, rendering the previous day’s blocks ineffective.

Historically, Ousaban, also known as Javali, is part of a group of Brazilian banking trojans labeled the ‘Tetrade’ by Kaspersky. These trojans have expanded from Brazil to Iberia, sharing code and tactics. Despite law enforcement actions, such as an Interpol takedown in 2024, these threats persist, leveraging familiar methods like PDF lures and geofencing.

Protective Measures and Recommendations

To mitigate the risk, users should be cautious of any PDF or email indicating a file corruption and prompting an ‘Update.’ Such communications are likely hostile. Additionally, unexpected invoices or tax-document attachments should be treated with suspicion, particularly in Spain and Portugal.

Automated sandboxing may not detect the threat due to server-side screening, which could result in a benign Spanish error page instead of the malware. Fortinet advises blocking specific domains, IPs, and file hashes associated with the trojan and monitoring for the ‘Financeiro’ registry key and specific files. Their FortiGuard antivirus and FortiMail products can flag these threats effectively.
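One way to monitor for the ‘Financeiro’ registry entry mentioned above, as an added example that is not from the original article or from Fortinet. It assumes Sysmon registry value-set events (Event ID 13) exported as one JSON object per line; the article does not name the registry key, so the check flags any value called Financeiro and separately notes whether it sits under a Run or RunOnce key. The sample events, SIDs and paths are constructed placeholders.

```python
import json

WATCHED_VALUE = "financeiro"  # registry entry name reported in the article
# Assumption: startup persistence would use a Run/RunOnce key (not stated on the page)
RUN_KEY_SUFFIXES = (r"\currentversion\run", r"\currentversion\runonce")

def find_financeiro_writes(json_lines):
    """Return one finding per registry value-set event naming the watched value."""
    findings = []
    for line in json_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(event, dict) or event.get("EventID") != 13:
            continue  # Sysmon Event ID 13 = registry value set
        key, _, value = str(event.get("TargetObject", "")).rpartition("\\")
        if value.lower() != WATCHED_VALUE:
            continue
        findings.append({
            "time": event.get("UtcTime"),
            "process": event.get("Image"),
            "key": key,
            "data": event.get("Details"),
            "under_run_key": key.lower().endswith(RUN_KEY_SUFFIXES),
        })
    return findings

# Constructed sample events; SIDs, paths and times are placeholders.
SAMPLE_EVENTS = [json.dumps(e) for e in (
    {"EventID": 13, "UtcTime": "2026-01-01 10:00:00.000",
     "Image": r"C:\Users\Public\sample.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows"
                     r"\CurrentVersion\Run\Financeiro",
     "Details": r"C:\Users\Public\sample.exe"},
    {"EventID": 13, "UtcTime": "2026-01-01 10:05:00.000",
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows"
                     r"\CurrentVersion\Run\ExampleUpdater",
     "Details": r"C:\Program Files\Example\updater.exe"},
    {"EventID": 13, "UtcTime": "2026-01-01 10:06:00.000",
     "Image": r"C:\Program Files\Example\app.exe",
     "TargetObject": r"HKLM\SOFTWARE\ExampleVendor\Settings\Financeiro",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "UtcTime": "2026-01-01 10:07:00.000",
     "Image": r"C:\Windows\System32\cmd.exe"},
)] + ["{truncated line"]

if __name__ == "__main__":
    for finding in find_financeiro_writes(SAMPLE_EVENTS):
        print(finding)
```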

In summary, while the Ousaban trojan employs long-known strategies, its recent adaptations pose significant challenges. Continuous vigilance and updated cybersecurity measures are essential to protect against such sophisticated threats targeting Iberian banks.
