Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Ousaban Malware Targets Iberian Banks with Phishing PDFs

Ousaban Malware Targets Iberian Banks with Phishing PDFs

Posted on July 2, 2026 By CWS

A sophisticated cyber campaign is targeting online banking users in Spain and Portugal, initiated by seemingly innocuous PDFs. The malware, named Ousaban, is specifically crafted to compromise customers of Iberian financial institutions using Windows systems.

Phishing PDFs Conceal Malicious Intent

The attack commences when potential victims interact with a phishing PDF that appears corrupted. Encouraged to click an ‘Atualizar’ or Update button, users unknowingly access a malicious website disguised as a government tax portal. This site subsequently verifies whether the user’s location is within Spain or Portugal before proceeding with the attack.

Fortinet’s FortiGuard Labs identified this wave of Ousaban activity in May 2026, publishing a comprehensive analysis of its mechanisms. Their report, shared with Cyber Security News, highlights the campaign’s use of geofencing, obfuscated payloads, and dynamic infrastructure to evade detection.

Steganography and Evasion Tactics

Once a target’s location is confirmed, a script downloads an image file masquerading as a PDF icon. Within this image lies a ZIP archive containing the Ousaban payload, a method known as steganography. The malware then erases its installation traces to hinder detection efforts.

Ousaban is part of a notorious group of Brazilian banking trojans, often associated with Grandoreiro, Guildma, and Melcoz under the ‘Tetrade’ moniker. Recent developments in its deployment strategy, including a specialized delivery mechanism, aim to remain undetected by researchers and automated scanning systems outside Spain and Portugal.

Credential Theft and Defense Strategies

Upon installation, Ousaban remains inactive until the victim accesses one of over two dozen targeted banking sites, such as Santander and BBVA. It can then capture screenshots, log keystrokes, and create counterfeit banking screens to extract login credentials.

The malware’s command infrastructure employs a deceptive Pastebin link that misleads analysts. The actual command and control domain changes daily, using a hash derived from Google’s error page, complicating efforts to block access.

Fortinet advises vigilance against suspicious file prompts, particularly those claiming corruption and urging updates. Security teams should scrutinize unexpected document attachments, especially within organizations connected to Spain and Portugal.

The Fortinet antivirus and email security solutions already identify and flag threats linked to this campaign, emphasizing the importance of correlating various logs instead of relying solely on automated sandbox results.

By understanding Ousaban’s tactics, security professionals can better protect their organizations and users from this persistent threat.

Cyber Security News Tags:banking trojans, credential theft, cyber attack, Cybersecurity, Fortinet, geofencing, Iberian banks, Malware, Ousaban, PDF, Phishing, Security, Steganography, VBS downloader

Post navigation

Previous Post: Ransomware Groups Exploit Citrix Vulnerability
Next Post: Critical Vulnerability in Claude Cowork Sandbox Exposed

Related Posts

Google’s Gemini Deep Research Tool Gains Access to Gmail, Chat, and Drive Data Google’s Gemini Deep Research Tool Gains Access to Gmail, Chat, and Drive Data Cyber Security News
Sweet Security Named Cloud Security Leader and CADR Leader in Latio Cloud Security Report Sweet Security Named Cloud Security Leader and CADR Leader in Latio Cloud Security Report Cyber Security News
Pack2TheRoot Vulnerability Exposes Linux Systems to Threats Pack2TheRoot Vulnerability Exposes Linux Systems to Threats Cyber Security News
Agentless Access, Sensitive Data Masking, and Smooth Session Playback Agentless Access, Sensitive Data Masking, and Smooth Session Playback Cyber Security News
3,280,081 Fortinet Devices Online With Exposed Web Properties Under Risk 3,280,081 Fortinet Devices Online With Exposed Web Properties Under Risk Cyber Security News
New TamperedChef Malware Leverages Productivity Tools to Gain Access and Exfiltrate Sensitive Data New TamperedChef Malware Leverages Productivity Tools to Gain Access and Exfiltrate Sensitive Data Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Critical Vulnerability in Claude Cowork Sandbox Exposed
  • Ousaban Malware Targets Iberian Banks with Phishing PDFs
  • Ransomware Groups Exploit Citrix Vulnerability
  • New Malware Campaign Exploits TryCloudflare and Python
  • Google Disrupts Massive NetNut Proxy Network

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Critical Vulnerability in Claude Cowork Sandbox Exposed
  • Ousaban Malware Targets Iberian Banks with Phishing PDFs
  • Ransomware Groups Exploit Citrix Vulnerability
  • New Malware Campaign Exploits TryCloudflare and Python
  • Google Disrupts Massive NetNut Proxy Network

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark