    Ousaban Banking Trojan Targets Iberian Bank Users with Fake PDF Lures

    By admin | July 1, 2026 | 4 Mins Read
    A Brazilian banking trojan called Ousaban is going after Windows users who bank in Spain and Portugal. Fortinet’s FortiGuard Labs identified the campaign in May 2026.

    It opens with a phishing PDF disguised as a corrupted file, checks that the visitor is really in Spain or Portugal, and hides its real payload inside an image.

    The goal is the usual one: steal banking logins and take over accounts.

    Ousaban sits quietly on a Windows PC and waits for the user to open a banking site. When a target bank loads, it can capture screenshots and keystrokes, tamper with the clipboard, show fake messages, and give the attacker remote control.

    Together, those are the tools for hijacking a live banking session and taking over an account. Ousaban watches for more than two dozen banks across the two countries, among them Banco Santander, BBVA, CaixaBank, Bankinter, and Caixa Geral de Depósitos.

    How the attack works

    It starts with a phishing PDF disguised as a corrupted file. The PDF shows a prompt telling the victim to press an “Atualizar” (Update) button, which opens a malicious webpage.

    Hidden JavaScript in the PDF can open the same page on its own. The page poses as a tax-document and installer portal while screening visitors. Fortinet says an earlier version ran these checks in the browser: it looked at the visitor’s IP address, language, and time zone, blocked anyone coming through a VPN, and filtered out automated security tools by checking details like screen size and installed fonts.

    The current version moves that screening to the operator’s server, so the exact rules are hidden. Either way, visitors outside Spain or Portugal get a Spanish “access denied” notice instead of malware.

    Clear the check, and the download starts. A script downloads an image that looks like a PDF icon but hides a ZIP file inside, a trick called steganography. The script unpacks Ousaban from that ZIP, runs it, then deletes the image, the ZIP, and itself to leave less behind. Once running, Ousaban adds a registry entry named Financeiro (Portuguese for “finance”) so it starts up with Windows.
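For defenders, a file that starts as an image yet also opens as a ZIP archive is worth flagging at the proxy or on disk. The following is an added example, not code from Fortinet or the original article; it assumes the archive sits after the image data (the article does not say how the ZIP is embedded), and the sample PNG and `placeholder.txt` are constructed.

```python
import io
import struct
import zipfile
import zlib

# Leading magic bytes of common image formats.
IMAGE_MAGICS = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg",
                b"GIF8": "gif", b"BM": "bmp"}

def image_type(data):
    for magic, name in IMAGE_MAGICS.items():
        if data.startswith(magic):
            return name
    return None

def find_embedded_zip(data):
    """Return details if `data` is an image that also parses as a ZIP."""
    kind = image_type(data)
    if kind is None or b"PK\x05\x06" not in data:
        return None
    # ZIP readers locate the archive from its end-of-central-directory
    # record, so an archive placed after the image data still opens.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return None
    offset = min((i.header_offset for i in infos), default=None)
    return {"image": kind, "zip_offset": offset,
            "members": [i.filename for i in infos]}

def _chunk(tag, body):
    crc = zlib.crc32(tag + body)
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)

def build_sample():
    """Constructed sample: 1x1 PNG, and the same PNG with a ZIP appended."""
    png = (b"\x89PNG\r\n\x1a\n"
           + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
           + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
           + _chunk(b"IEND", b""))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("placeholder.txt", "constructed test content")
    return png, png + buf.getvalue()

if __name__ == "__main__":
    clean, carrier = build_sample()
    print(find_embedded_zip(clean), find_embedded_zip(carrier))
```

The reported `zip_offset` is where the first archive entry begins, which for an appended archive equals the size of the genuine image.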

    Ousaban’s command server, the machine that controls it, is deliberately hard to find. It carries a Pastebin link that points to one server address, but Fortinet says that address is a decoy.

    Hiding these details in web services is an old Ousaban habit: earlier campaigns stashed the configuration in Google Docs. This time, the real server moves every day. The malware reads the current date off a Google page, builds a web address from that date plus a fixed secret, and looks it up. Blocking yesterday’s address does little good.

    A familiar Brazilian playbook

    None of this is new. Ousaban, also tracked as Javali, is one of a group of Brazilian banking trojans that Kaspersky labeled years ago as the “Tetrade,” alongside Grandoreiro, Guildma, and Melcoz.

    These families started in Brazil and pushed into Spain and Portugal, borrowing code from each other as they went; Ousaban’s string encryption is the same custom scheme used by another family, Casbaneiro.

    Grandoreiro, the best known of the group, shows how durable the playbook is. It survived an Interpol-coordinated takedown in January 2024 and was back within months, and its loaders leaned on the same habit of hiding downloads behind PDF-looking lures and country checks.

    It is still active against Iberian targets, with a campaign reported this year that kept hitting Portuguese banks. Fortinet links the same infrastructure to Ousaban activity in late 2025 that used other entry points, including “ClickFix,” a scam that gets the victim to paste a malicious command themselves while thinking they are fixing an error.

    What to do

    The first place to catch it is the lure. Treat any PDF or email that claims a file is corrupted and tells you to press “Update” as hostile. The same goes for prompts that tell users to paste a command to fix an “error.” The PDF can even open the malicious page on its own.

    Treat unexpected invoice, factura, or tax-document attachments as suspect, especially in Spain and Portugal.

    Server-side screening means that an automated sandbox that just fetches the link may get only the Spanish error page instead of the malware. Gateway detonation alone can miss it. The campaign only affects Windows.

    Fortinet’s report lists domains, IP addresses, and file hashes to block. Defenders should watch for the Financeiro registry Run key and files dropped to C:\SysMain_5874288. Fortinet says its FortiGuard antivirus flags the samples, and its FortiMail product flags the phishing email.
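The two host indicators named above can be turned into a simple triage over endpoint telemetry. This is an added example, not Fortinet's detection logic; it assumes Sysmon-style events (ID 13 registry value set, ID 11 file create) already parsed into dictionaries, and the host names and sample events are constructed.

```python
import re

# Indicators named in the article: a Run value called "Financeiro" and
# files dropped to C:\SysMain_5874288. The hive is not stated, so match
# any key path ending in ...\CurrentVersion\Run\Financeiro.
RUN_VALUE = re.compile(r"\\CurrentVersion\\Run\\Financeiro$", re.IGNORECASE)
DROP_PREFIX = "c:\\sysmain_5874288"

def classify(event):
    """Label one event, or return None if it matches neither indicator."""
    eid = event.get("EventID")
    if eid == 13 and RUN_VALUE.search(event.get("TargetObject", "")):
        return "run-key-financeiro"
    path = event.get("TargetFilename", "").lower()
    if eid == 11 and path.startswith(DROP_PREFIX):
        return "drop-path"
    return None

def triage(events):
    """Group hits by host; a host showing both indicators is high priority."""
    hosts = {}
    for ev in events:
        label = classify(ev)
        if label:
            hosts.setdefault(ev["Computer"], set()).add(label)
    return {h: "high" if len(labels) == 2 else "review"
            for h, labels in hosts.items()}

# Constructed sample events (not taken from any real incident).
SAMPLE_EVENTS = [
    {"Computer": "ws-01", "EventID": 13, "TargetObject":
     r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\Financeiro"},
    {"Computer": "ws-01", "EventID": 11,
     "TargetFilename": r"C:\SysMain_5874288\placeholder.bin"},
    {"Computer": "ws-02", "EventID": 13, "TargetObject":
     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"Computer": "ws-03", "EventID": 11,
     "TargetFilename": r"c:\sysmain_5874288"},
    {"Computer": "ws-04", "EventID": 11,
     "TargetFilename": r"C:\Windows\System32\sysmain.dll"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```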

    The Trojan itself is old, and Fortinet says its custom encryption has stayed effective against detection for years. The newer part is the wrapper: geofencing, a hidden payload, and a throwaway daily address, all built to show the malware to real victims in two countries and nobody else.
