Cyber Web Spider Blog – News

Ousaban Trojan Targets Iberian Banks with PDF Traps

Posted on July 1, 2026 By CWS

A sophisticated banking trojan named Ousaban is currently targeting Windows users in Spain and Portugal, aiming to compromise their online banking credentials. This campaign, identified by Fortinet’s FortiGuard Labs in May 2026, employs deceptive tactics to lure victims into its trap.

Phishing Tactics and Initial Intrusion

The attack begins with a seemingly corrupted PDF file, which acts as a phishing lure. It specifically checks if the recipient is located in Spain or Portugal before executing its malicious payload hidden within an image. The primary objective is to steal banking details and gain unauthorized access to accounts.

Once installed on a Windows PC, Ousaban remains dormant until the user accesses a banking website. At this point, it can capture screenshots, record keystrokes, manipulate the clipboard, and even display fake messages. These tools enable attackers to hijack live banking sessions, targeting over two dozen banks in the region, including prominent names like Banco Santander, BBVA, and CaixaBank.

Technical Details of the Ousaban Attack

The attack is initiated through a phishing PDF, which prompts users to click an ‘Atualizar’ (Update) button, redirecting them to a malicious site. Hidden JavaScript can also trigger this redirect automatically. The site masquerades as a tax-document portal, screening visitors based on their location and other criteria. Previous versions conducted these checks client-side, but the latest iteration moves this process to the server, obscuring the exact parameters used.

If a visitor passes the checks, a download begins, employing steganography to conceal a ZIP file within an image. The script extracts and executes Ousaban, then cleans up traces by deleting the image, ZIP, and itself. The trojan ensures persistence by adding a registry entry named ‘Financeiro,’ allowing it to launch with Windows startup.

Challenges and Countermeasures

Ousaban’s command server is elusive, using a decoy address and frequently changing its actual location. The malware constructs a server address daily, based on a Google page date and a fixed secret, rendering the previous day’s blocks ineffective.

Historically, Ousaban, also known as Javali, is part of a group of Brazilian banking trojans labeled the ‘Tetrade’ by Kaspersky. These trojans have expanded from Brazil to Iberia, sharing code and tactics. Despite law enforcement actions, such as an Interpol takedown in 2024, these threats persist, leveraging familiar methods like PDF lures and geofencing.

Protective Measures and Recommendations

To mitigate the risk, users should be cautious of any PDF or email that claims a file is corrupted and prompts an ‘Update.’ Such communications are likely hostile. Additionally, unexpected invoices or tax-document attachments should be treated with suspicion, particularly in Spain and Portugal.

Automated sandboxing may not detect the threat due to server-side screening, which could result in a benign Spanish error page instead of the malware. Fortinet advises blocking specific domains, IPs, and file hashes associated with the trojan and monitoring for the ‘Financeiro’ registry key and specific files. Their FortiGuard antivirus and FortiMail products can flag these threats effectively.
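One way to monitor for the ‘Financeiro’ startup entry in collected endpoint logs, as an added example that is not Fortinet's detection content. It assumes Sysmon registry value-set events (Event ID 13) exported as JSON lines with `Computer`, `Image`, `TargetObject` and `Details` fields, and that the entry sits in a standard Run or RunOnce key (the article names only the entry); the sample events are constructed.

```python
import json
import re

# Assumption: the startup entry lives in a standard Run/RunOnce key; the
# article gives only the entry name.
RUN_VALUE = re.compile(
    r"\\Software\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion"
    r"\\Run(?:Once)?\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
WATCHED_NAMES = {"financeiro"}  # entry name reported in the article

def hunt_autorun(lines):
    """Return registry value-set events that create a watched autorun entry."""
    hits = []
    for raw in lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(ev, dict) or ev.get("EventID") != 13:
            continue  # Sysmon 13 = registry value set
        m = RUN_VALUE.search(ev.get("TargetObject", ""))
        if m and m.group("name").lower() in WATCHED_NAMES:
            hits.append({"host": ev.get("Computer"), "writer": ev.get("Image"),
                         "key": ev["TargetObject"], "launches": ev.get("Details")})
    return hits

# Constructed events in a hypothetical JSON-lines export of Sysmon logs.
_U = r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion"
SAMPLE = [json.dumps(e) for e in (
    {"EventID": 13, "Computer": "WS-01", "Image": r"C:\Users\Public\writer.exe",
     "TargetObject": _U + r"\Run\Financeiro", "Details": r"C:\Users\Public\example.exe"},
    {"EventID": 13, "Computer": "WS-02", "Image": r"C:\Program Files\App\setup.exe",
     "TargetObject": _U + r"\Run\AppUpdater", "Details": r"C:\Program Files\App\u.exe"},
    {"EventID": 13, "Computer": "WS-03", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Vendor\Financeiro", "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Computer": "WS-01", "Image": r"C:\Windows\explorer.exe"},
)] + ["{truncated"]

if __name__ == "__main__":
    for hit in hunt_autorun(SAMPLE):
        print(hit)
```

Only the first sample event is reported: the same value name outside an autorun key, other autorun names, non-registry events and malformed lines are ignored.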

In summary, while the Ousaban trojan employs long-known strategies, its recent adaptations pose significant challenges. Continuous vigilance and updated cybersecurity measures are essential to protect against such sophisticated threats targeting Iberian banks.
