Ethical Hacking News
Ousaban Banking Trojan Targets Iberian Bank Users with Fake PDF Lures
The world of cybersecurity is constantly evolving, with new threats emerging every day. A banking trojan known as Ousaban has been targeting Windows users in Spain and Portugal, using fake PDF lures to trick victims into installing the malware. Ousaban's campaign began in May 2026 and uses phishing PDFs disguised as corrupted files to prompt users to press an "Atualizar" (Update) button. The Trojan adds a registry entry named "Financeiro" so that it starts with Windows; once running, it captures screenshots and keystrokes, tampers with the clipboard, shows fake messages, and gives the attacker remote control. Experts warn users to be wary of phishing emails claiming a file needs updating, of unexpected attachments, and of any PDF that prompts them to press an "Update" button.
Recently, a banking trojan known as Ousaban has been making headlines, targeting Windows users in Spain and Portugal. This threat is particularly concerning because it uses fake PDF lures to trick victims into installing the malware.
According to Fortinet's FortiGuard Labs, the campaign began in May 2026. The attackers used phishing PDFs disguised as corrupted files, which would prompt users to press an "Atualizar" (Update) button. This button would open a malicious webpage that posed as a tax-document and installer portal. The page screened visitors based on their IP address, language, and time zone, blocking anyone coming through a VPN and filtering out automated security tools.
The PDFs also contained hidden JavaScript that opened the malicious page on its own. This produced an automatic download loop that repeated until the visitor passed the screening and received an image that looked like a PDF icon but actually carried a ZIP file inside. A script then unpacked Ousaban from that ZIP file, ran it, and deleted itself to leave fewer traces behind.
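A static triage check for the kind of PDF described above, one that acts without a click. This is an added example, not Fortinet's tooling or the article's code; it flags the standard PDF action names (/OpenAction, /AA, /JavaScript, /JS, /Launch, /URI), inflates FlateDecode streams first so script hidden in compressed objects is scanned too, and builds its own constructed sample lure (example.invalid is a placeholder domain).

```python
import re
import zlib

# Added example (not Fortinet's or the article's code). Flags PDFs whose
# standard action names let them act without a click; FlateDecode streams are
# inflated first so script hidden in compressed objects is scanned too.
ACTION_NAMES = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch", b"/URI")
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.S)

def inflate_streams(data: bytes) -> bytes:
    """Raw bytes plus the inflated body of every stream that zlib can decode."""
    inflated = []
    for m in STREAM_RE.finditer(data):
        try:
            inflated.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not FlateDecode, or corrupt: the raw bytes are still scanned
    return b"\n".join([data, *inflated])

def triage_pdf(data: bytes) -> dict:
    """Suspicious = fires automatically AND carries a script, launch or URI action."""
    body = inflate_streams(data)
    names = {n.decode(): body.count(n) for n in ACTION_NAMES if n in body}
    auto = "/OpenAction" in names or "/AA" in names
    payload = any(k in names for k in ("/JavaScript", "/JS", "/Launch", "/URI"))
    urls = sorted({u.decode(errors="replace") for u in URL_RE.findall(body)})
    return {"auto_action": auto, "names": names, "urls": urls,
            "verdict": "suspicious" if auto and payload else "clean"}

def _flate_obj(num: int, payload: bytes) -> bytes:
    """Wrap payload in a FlateDecode stream object (only used to build the sample)."""
    comp = zlib.compress(payload)
    return (b"%d 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % (num, len(comp))
            + comp + b"\nendstream\nendobj\n")

# Constructed lure: /OpenAction -> JavaScript action whose code lives in a
# compressed stream, so the URL (placeholder domain) is absent from the raw bytes.
LURE_PDF = (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
            b"4 0 obj << /S /JavaScript /JS 5 0 R >> endobj\n"
            + _flate_obj(5, b'app.launchURL("https://example.invalid/atualizar", true);')
            + b"trailer << /Root 1 0 R >>\n%%EOF\n")
# Constructed benign document: same skeleton, no action dictionary at all.
CLEAN_PDF = LURE_PDF.split(b"4 0 obj")[0].replace(b" /OpenAction 4 0 R", b"") + b"trailer << /Root 1 0 R >>\n%%EOF\n"
```

A plain string search on the raw bytes of LURE_PDF finds no URL at all; only the inflated stream reveals where the document would send the reader.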
Once installed, Ousaban added a registry entry named "Financeiro" (Portuguese for "finance") so it starts up with Windows. The Trojan sat quietly on the Windows PC and waited for the user to open a banking site. When a target bank loaded, it could capture screenshots and keystrokes, tamper with the clipboard, show fake messages, and give the attacker remote control.
This attack is part of a larger playbook known as "Tetrade," which includes other Brazilian banking trojans like Grandoreiro, Guildma, and Melcoz. These families originated in Brazil and have pushed into Spain and Portugal, borrowing code from one another along the way. Ousaban's string encryption is the same custom scheme used by another family, Casbaneiro.
The campaign affected more than two dozen banks across the two countries, including Banco Santander, BBVA, CaixaBank, Bankinter, and Caixa Geral de Depósitos. Fortinet also linked the same infrastructure to Ousaban activity in late 2025 that used other entry points, such as "ClickFix," a scam that gets the victim to paste a malicious command themselves while believing they are fixing an error.
Experts warn that the first place to catch this threat is the lure. Any PDF or email claiming a file is corrupted and telling you to press "Update" should be treated as hostile. Unexpected invoice, factura, or tax-document attachments should also be viewed with suspicion, especially in Spain and Portugal.
Because of the server-side screening, an automated sandbox that simply fetches the link may receive only the Spanish error page instead of the malware, so gateway detonation alone can miss it. The campaign affects Windows devices only. Fortinet's report lists domains, IP addresses, and file hashes to block, and defenders should watch for the "Financeiro" registry Run key and for files dropped to C:\SysMain_5874288.
Fortinet says the Trojan's custom string encryption has kept it effective against detection for years, while the newer parts are the geofencing, the hidden payload, and the throwaway daily address, all built to show the malware to real victims in two countries and to nobody else. Meanwhile, Ousaban sits quietly on the Windows PC until the user opens a banking site.
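The two host artifacts named above, the "Financeiro" Run value and the C:\SysMain_5874288 drop directory, as detection logic run over Sysmon-style events exported as JSON lines. This is an added example, not Fortinet's or the article's code; field names follow Sysmon's schema, the sample events and paths are constructed, and the third rule (a process launching from the drop directory) is an assumed extension beyond what the article states.

```python
import json

# Added example (not Fortinet's or the article's code): detection logic for the two
# host artifacts named above, run over Sysmon-style events exported as JSON lines.
# Field names follow Sysmon's schema; the sample events and paths are constructed.
RUN_VALUE = r"\software\microsoft\windows\currentversion\run\financeiro"
DROP_DIR = r"c:\sysmain_5874288" + "\\"
REGISTRY_VALUE_SET, FILE_CREATE, PROCESS_CREATE = 13, 11, 1  # Sysmon event IDs

def classify(ev: dict):
    """Return a rule name when the event matches an Ousaban host indicator, else None."""
    eid = ev.get("EventID")
    if eid == REGISTRY_VALUE_SET and ev.get("TargetObject", "").lower().endswith(RUN_VALUE):
        return "persistence_run_key_financeiro"
    if eid == FILE_CREATE and ev.get("TargetFilename", "").lower().startswith(DROP_DIR):
        return "file_dropped_sysmain_dir"
    # Assumed extension beyond the article: something launching from the drop directory.
    if eid == PROCESS_CREATE and ev.get("Image", "").lower().startswith(DROP_DIR):
        return "execution_from_sysmain_dir"
    return None

def scan_jsonl(text: str) -> list:
    """Run classify() over JSON lines, skipping blank or malformed lines."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line: skip it rather than abort the scan
        if isinstance(ev, dict) and (rule := classify(ev)):
            findings.append({"line": n, "rule": rule, "image": ev.get("Image", "")})
    return findings

_TMP = r"C:\Users\ana\AppData\Local\Temp\Atualizar.exe"  # constructed dropper path
_RUN = r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run"
# Constructed sample: three Ousaban-like events among benign ones and one broken line.
SAMPLE_LOG = "\n".join([
    json.dumps({"EventID": 11, "Image": _TMP, "TargetFilename": r"C:\SysMain_5874288\fin.exe"}),
    json.dumps({"EventID": 13, "Image": _TMP, "TargetObject": _RUN + r"\Financeiro",
                "Details": r"C:\SysMain_5874288\fin.exe"}),
    json.dumps({"EventID": 13, "Image": r"C:\Windows\explorer.exe", "TargetObject": _RUN + r"\OneDrive"}),
    json.dumps({"EventID": 11, "Image": r"C:\Mail\mail.exe", "TargetFilename": r"C:\Users\ana\Downloads\factura.pdf"}),
    "not json at all",
    json.dumps({"EventID": 1, "Image": r"C:\SysMain_5874288\fin.exe", "ParentImage": r"C:\Windows\explorer.exe"}),
])
```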
The attackers deliberately made the command server hard to find by using Pastebin links that point to one server address, but Fortinet says this is a decoy. The real server moves every day. The malware reads the current date off a Google page, builds a web address from that date plus a fixed secret, and looks it up.
This threat should not be underestimated, as Ousaban uses tactics similar to those employed by other Brazilian banking trojans in the past. Grandoreiro, the best-known of the group, survived an Interpol-coordinated takedown in January 2024 and was back within months. Its loaders leaned on the same habit of hiding downloads behind PDF-looking lures and country checks.
The key to stopping this threat is to be aware of phishing emails that claim a file needs updating, as well as unexpected invoice or tax-document attachments. Users should also treat any PDF that prompts them to press "Update" with suspicion.
In conclusion, Ousaban is a stealthy banking Trojan that uses fake PDF lures to trick Windows users in Spain and Portugal into installing the malware. Its tactics are similar to other Brazilian banking trojans, making it important for users to be aware of phishing emails and unexpected attachments. Defenders should watch out for domains, IP addresses, and file hashes linked to Ousaban, as well as the "Financeiro" registry Run key.
Related Information:
https://www.ethicalhackingnews.com/articles/Ousaban-Banking-Trojan-A-Sneaky-Threat-to-Iberian-Bank-Users-ehn.shtml
https://thehackernews.com/2026/07/ousaban-banking-trojan-targets-iberian.html
Published: Wed Jul 1 18:58:14 2026 by llama3.2 3B Q4_K_M