Ousaban Banking Trojan Targets Iberian Bank Users with Fake PDF Lures
This malware employs sophisticated techniques to evade detection and steal banking credentials, The Hacker News reports. The Ousaban campaign begins with a phishing PDF disguised as a corrupted file, prompting users to click an “Update” button. This campaign is part of a broader trend of Brazilian banking trojans, such as Grandoreiro and Guildma, that have evolved to target Iberian markets with advanced evasion tactics.
The Campaign
Fortinet links the same infrastructure to Ousaban activity in late 2025 that used other entry points, including “ClickFix,” a scam that gets the victim to paste a malicious command themselves while thinking they are fixing an error.
The PDF shows a prompt telling the victim to press an “Atualizar” (Update) button, which opens a malicious webpage.
Impact & Targeting
A Brazilian banking trojan called Ousaban is actively targeting Windows users who bank in Spain and Portugal, according to a report by Fortinet’s FortiGuard Labs. Once running, Ousaban adds a registry entry named Financeiro (Portuguese for “finance”) so it starts up with Windows. It is still active against Iberian targets, with a campaign reported this year that kept hitting Portuguese banks.
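The Financeiro autostart value is the one host-side indicator the report gives. As an added example (not Fortinet’s or the page’s code), the following Python parses a registry export of the kind `reg export` writes and flags Run-key values with that name; the export text, user name and file paths in it are constructed placeholders, and the Run/RunOnce key suffixes are the standard Windows autostart locations.

```python
"""Added example: scan a Windows registry export for Run-key persistence
named "Financeiro", the indicator reported for Ousaban. Not Fortinet's code.
SAMPLE_REG_EXPORT is constructed sample data with placeholder paths."""
import re
from typing import List, Tuple

# Standard per-user/per-machine autostart keys (compared case-insensitively).
RUN_KEY_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)
# Value name reported on the page; matched case-insensitively.
SUSPICIOUS_VALUE_NAMES = {"financeiro"}

# Matches a .reg value line of the form  "Name"=<data>
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: a backslash escapes the next character."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, value_data) for every value in the export.
    Quoted string data is unescaped; other data (hex:, dword:) is kept raw."""
    entries: List[Tuple[str, str, str]] = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None:
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        entries.append((current_key, name, data))
    return entries


def find_suspicious_run_entries(text: str) -> List[Tuple[str, str, str]]:
    """Flag autostart values whose name matches the reported indicator."""
    return [
        (key, name, data)
        for key, name, data in parse_reg_export(text)
        if key.lower().endswith(RUN_KEY_SUFFIXES)
        and name.lower() in SUSPICIOUS_VALUE_NAMES
    ]


# Constructed sample export (placeholder user name and paths).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Financeiro"="C:\\Users\\alice\\AppData\\Roaming\\placeholder\\update.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''

if __name__ == "__main__":
    for key, name, data in find_suspicious_run_entries(SAMPLE_REG_EXPORT):
        print(f"suspicious autostart: {key}\\{name} -> {data}")
```

On a live host the same check runs against the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the HKLM equivalent); the parser treats the name as the indicator and hands the launched path to the analyst for triage.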
Detection & Response
- The malware reads the current date off a Google page, builds a web address from that date plus a fixed secret, and looks it up, so blocking yesterday’s address does little good.
- Treat any PDF or email that claims a file is corrupted and tells you to press “Update” as hostile.
- The same goes for prompts that tell users to paste a command to fix an “error.” The PDF can even open the malicious page on its own.
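To show why a blocklist built from yesterday’s lookup misses today’s, here is an added example that is not Fortinet’s analysis or Ousaban’s code. It uses a constructed date-plus-secret derivation standing in for the real one (which the page does not describe), pre-computes the names for a window of days the way an analyst who has recovered the secret from a sample would, and matches them against constructed DNS log lines. The secret, the TLD and the log format are assumptions.

```python
"""Added example: pre-compute date-seeded lookup names for a window of days
and match them against DNS logs. The derivation, secret, TLD and log format
are constructed; they are not the real Ousaban scheme."""
import hashlib
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-ins; a real deployment would use the values recovered
# from malware analysis.
ASSUMED_SECRET = b"constructed-shared-secret"
ASSUMED_TLD = "example"


def expected_name(day: date, secret: bytes = ASSUMED_SECRET) -> str:
    """Derive the name for one calendar day from date + secret (constructed scheme)."""
    digest = hashlib.sha256(day.isoformat().encode() + secret).hexdigest()
    return f"{digest[:16]}.{ASSUMED_TLD}"


def expected_names(start: date, days: int, secret: bytes = ASSUMED_SECRET) -> Dict[str, date]:
    """Map every name for the window [start, start+days) back to its date,
    so detections and blocklists cover tomorrow's name, not only yesterday's."""
    window: Dict[str, date] = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        window[expected_name(day, secret)] = day
    return window


def parse_dns_log_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Parse the constructed format 'YYYY-MM-DD client qname'.
    Returns (date_str, client, normalized_qname) or None for malformed lines."""
    parts = line.split()
    if len(parts) != 3:
        return None
    day, client, qname = parts
    return day, client, qname.rstrip(".").lower()


def find_dga_lookups(log_lines: List[str], start: date, days: int,
                     secret: bytes = ASSUMED_SECRET) -> List[Tuple[str, str, str]]:
    """Return (date_str, client, qname) for every query that hits a name in the window."""
    window = expected_names(start, days, secret)
    hits = []
    for line in log_lines:
        parsed = parse_dns_log_line(line)
        if parsed is None:
            continue
        day, client, qname = parsed
        if qname in window:
            hits.append((day, client, qname))
    return hits


def blocklist_covers(today: date, blocklist: Set[str]) -> bool:
    """True only if today's name is already on the blocklist."""
    return expected_name(today) in blocklist


START = date(2025, 11, 1)
# Constructed sample log: two hosts, one lookup each that matches the window.
SAMPLE_DNS_LOG = [
    f"2025-11-03 10.0.0.7 {expected_name(date(2025, 11, 3))}",
    "2025-11-03 10.0.0.7 www.example.org",
    f"2025-11-05 10.0.0.9 {expected_name(date(2025, 11, 5))}.",
    "2025-11-05 10.0.0.9 update.example.org",
    "malformed line",
]

if __name__ == "__main__":
    for day, client, qname in find_dga_lookups(SAMPLE_DNS_LOG, START, 7):
        print(f"{day} {client} queried window name {qname}")
    stale = {expected_name(date(2025, 11, 4))}
    print("yesterday-only blocklist covers today:", blocklist_covers(date(2025, 11, 5), stale))
```

The point of `expected_names` is the window: a detection keyed on the names for the next several days stays useful across the date rollover, whereas a single name captured yesterday is already dead.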
Analysis
Organizations should review their exposure and apply available mitigations promptly.
Defenders should immediately review endpoint detection and response telemetry for any signs of the described malware family or associated behaviors. Network traffic analysis can reveal command-and-control communications, data exfiltration patterns, or lateral movement that might otherwise go unnoticed. Organizations are advised to update their threat intelligence feeds and ensure that endpoint protection platforms, email gateways, and intrusion prevention systems have the latest detection signatures. Incident response playbooks should be reviewed to confirm they cover malware of this type, including isolation procedures, forensic collection steps, and communication protocols. Security awareness training may also need refreshes if the malware leverages social engineering as an initial access vector.