Ousaban Malware Targets Iberian Banks with Phishing PDFs and VBS Downloader

David kimber
July 2, 2026

Key Takeaways

  • The Ousaban banking trojan has launched a new campaign primarily targeting Windows users in Spain and Portugal.
  • Attackers are using sophisticated phishing PDFs and a multi-stage infection process involving steganography and dynamic command and control infrastructure.
  • The malware employs strict geofencing and anti-analysis techniques to evade detection by security researchers and automated systems.
  • Ousaban aims to steal banking credentials and financial information by displaying fake login screens and logging user input.

A sophisticated new cyber campaign is actively compromising online banking sessions for users across Spain and Portugal. The attack chain leverages seemingly innocuous PDF files that appear to be corrupted to initiate a complex infection process.

This resurgence of the Ousaban banking trojan features updated tactics specifically designed to target Windows operating systems within the Iberian Peninsula. The campaign was first identified in May 2026 by researchers at Fortinet’s FortiGuard Labs, who subsequently published a detailed analysis of its operations.

The attack begins with a phishing PDF that appears to be damaged, prompting the victim to click an “Atualizar” (Update) button. This action secretly redirects the user to a malicious webpage masquerading as a government tax portal. This initial redirection is critical, as it allows the attackers to perform preliminary checks.

Before proceeding with the attack, the malicious webpage verifies the visitor’s geographical location, ensuring they are indeed in Spain or Portugal. This geofencing mechanism is a key component of the campaign’s stealth: Fortinet’s report notes that the attackers use it, along with hidden payloads and constantly changing infrastructure, to bypass security defenses.

Should a user pass the location verification, the website delivers a script that downloads an image file. This image file, appearing as a standard PDF icon, contains a hidden ZIP archive embedded using steganography. This ZIP archive holds the actual Ousaban payload. Once installed, the malware takes steps to erase its own installation traces, complicating forensic analysis and detection.

Ousaban is part of a broader family of Brazilian banking trojans, often grouped with others like Grandoreiro, Guildma, and Melcoz under the collective moniker “Tetrade.” While the core malware may not be entirely new, this campaign distinguishes itself through its highly customized delivery mechanism, engineered to target specific regions while remaining largely invisible to global security scanning efforts.

Ousaban Malware Uses Phishing PDFs and VBS Downloader

The current Ousaban attack chain relies heavily on the coordinated action of a deceptive PDF and a VBS-style downloader, rather than a single malicious executable. The phishing PDF itself can contain embedded JavaScript capable of automatically opening the malicious webpage, meaning a deliberate click may not always be required to initiate the infection.

Upon reaching the malicious webpage, several checks are performed on the visitor’s system, including IP address, browser language, and time zone. Connections originating from VPNs are actively blocked. Fortinet observed that early iterations of this screening process ran client-side in the browser, but the attackers later moved these checks to their server, effectively concealing the precise rules from security analysts. Visitors who fail these checks are simply presented with a Spanish-language “access denied” message, preventing the malicious payload from being delivered.

Successful targets, however, receive the steganographic image, which ultimately leads to the deployment of the Ousaban payload. This payload installs silently and establishes persistence on the system by creating a registry entry named “Financeiro” (Portuguese for finance), ensuring it launches with Windows startup.
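The “Financeiro” autostart entry above is a concrete hunting lead. As an added, defender-side example (not code from the article or Fortinet), the following Python flags Sysmon Event ID 13 (RegistryEvent, value set) records that create a Run/RunOnce entry. The log lines are constructed; the value name comes from the article; treating the Run key as the persistence location and wscript/cscript/mshta as the script hosts used by the VBS-style downloader are assumptions.

```python
import re

# Sysmon field names (Image, TargetObject, Details) are the real ones; the
# pipe-separated key=value layout is a constructed simplification of an export.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")  # assumption: hosts for VBS-style droppers
IOC_VALUE_NAME = "financeiro"   # persistence value name reported for this campaign

def parse_line(line: str) -> dict:
    """Split 'k=v|k=v' into a dict; values may themselves contain '='."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|") if "=" in kv)

def flag_run_key_events(lines):
    """Return one finding per Run/RunOnce value set, ranked by how suspicious the writer is."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev.get("EventID") != "13":
            continue
        m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
        if not m:
            continue
        value_name = m.group(2)
        writer = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if value_name.lower() == IOC_VALUE_NAME:
            severity = "high"      # matches the campaign's known value name
        elif writer in SCRIPT_HOSTS:
            severity = "medium"    # a script host creating an autostart entry is rare for legitimate software
        else:
            severity = "info"      # any new autostart entry still deserves a look
        findings.append({"value": value_name, "writer": writer, "severity": severity,
                         "command": ev.get("Details", "")})
    return findings

SAMPLE_LOG = [  # constructed records
    r"EventID=13|Image=C:\Windows\System32\wscript.exe|TargetObject=HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Financeiro|Details=C:\Users\maria\AppData\Roaming\sys\host.exe",
    r"EventID=13|Image=C:\Program Files\ExampleVendor\setup.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater|Details=C:\Program Files\ExampleVendor\updater.exe",
    r"EventID=13|Image=C:\Windows\explorer.exe|TargetObject=HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden|Details=DWORD (0x00000001)",
    r"EventID=13|Image=C:\Windows\System32\cscript.exe|TargetObject=HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Sync|Details=C:\Users\maria\AppData\Local\Temp\s.vbs",
    r"EventID=1|Image=C:\Windows\System32\wscript.exe|CommandLine=wscript.exe C:\Users\maria\Downloads\doc.vbs",
]

if __name__ == "__main__":
    for finding in flag_run_key_events(SAMPLE_LOG):
        print(finding)
```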

Credential Theft And Command Infrastructure

Once Ousaban is installed, it lies dormant, activating only when the victim navigates to one of over two dozen specific banking websites. These include major institutions such as Santander, BBVA, CaixaBank, Bankinter, and Caixa Geral de Depósitos. Upon activation, the trojan gains capabilities to capture screenshots, log keystrokes, manipulate the clipboard, and display fabricated bank screens to dupe users into divulging their login credentials and other sensitive financial information.

The command and control (C2) infrastructure supporting Ousaban is designed to resist takedown attempts. The malware contains a Pastebin link that appears to point to a server address, but Fortinet confirmed this to be a decoy, leading to a non-functional private IP address. The true C2 address changes daily, generated from a hash of the current date obtained from a Google error page. This dynamic C2 mechanism renders static blocking of domains largely ineffective.

What You Should Do

  • Treat all suspicious emails and PDFs with extreme caution, particularly those claiming a file is corrupted and prompting you to “Atualizar” or “Update.”
  • Be wary of unexpected attachments, especially invoices, “facturas,” or tax documents, even if they appear to be from known senders.
  • Never paste commands into your system to “fix” an error, a tactic known as “ClickFix.”
  • For organizations, enhance security awareness training for employees, especially those interacting with customers or partners in Spain and Portugal.
  • Security teams should correlate logs from endpoint detection, email security, DNS, and proxy services. Do not solely rely on sandbox analysis, as the server-side geofencing may only present benign error pages to automated scanners.
  • Ensure your antivirus and email security solutions are up-to-date, as Fortinet said its own products already identify samples and phishing messages associated with this campaign.
