Ousaban Banking Trojan Targets Iberian Bank Users with Fake PDF Lures
https://thehackernews.com/2026/07/ousaban-banking-trojan-targets-iberian.html
Publish Date: 2026-07-01 11:26:00
Source Domain: thehackernews.com
A Brazilian banking trojan called Ousaban is going after Windows users who bank in Spain and Portugal. Fortinet’s FortiGuard Labs identified the campaign in May 2026.
It opens with a phishing PDF disguised as a corrupted file, checks that the visitor is really in Spain or Portugal, and hides its real payload inside an image.
The goal is the usual one: steal banking logins and take over accounts.
Ousaban sits quietly on a Windows PC and waits for the user to open a banking site. When a target bank loads, it can capture screenshots and keystrokes, tamper with the clipboard, show fake messages, and give the attacker remote control.
Together, those are the tools for hijacking a live banking session and taking over an account. Ousaban watches for more than two dozen banks across the two countries, among them Banco Santander, BBVA, CaixaBank, Bankinter, and Caixa Geral de Depósitos.
How the attack works
It starts with a phishing PDF disguised as a corrupted file. The PDF shows a prompt telling the victim to press an “Atualizar” (Update) button, which opens a malicious webpage.
Hidden JavaScript in the PDF can open the same page on its own. The page poses as a tax-document and installer portal while screening visitors. Fortinet says an earlier version ran these checks in the browser: it looked at the visitor’s IP address, language, and time zone, blocked anyone coming through a VPN, and filtered out automated security tools by checking details like screen size and installed fonts.
The current version moves that screening to the operator’s server, so the exact rules are hidden. Either way, visitors outside Spain or Portugal get a Spanish “access denied” notice instead of malware.
Clear the check, and the download starts. A script downloads an image that looks like a PDF icon but hides a ZIP file inside, a trick called steganography. The script unpacks Ousaban from that ZIP, runs it, then deletes the image, the ZIP, and itself to leave less behind. Once…