
Ousaban Banking Trojan Targets Iberian Bank Users with Fake PDF Lures

SecurityXP Editorial Desk

This malware employs sophisticated techniques to evade detection and steal banking credentials, The Hacker News reports. The Ousaban campaign begins with a phishing PDF disguised as a corrupted file, prompting users to click an “Update” button. This campaign is part of a broader trend of Brazilian banking trojans, such as Grandoreiro and Guildma, that have evolved to target Iberian markets with advanced evasion tactics.

The Campaign

Fortinet links the same infrastructure to Ousaban activity in late 2025 that used other entry points, including “ClickFix,” a scam that gets the victim to paste a malicious command themselves while thinking they are fixing an error.

Treat any PDF or email that claims a file is corrupted and tells you to press “Update” as hostile.

The PDF shows a prompt telling the victim to press an “Atualizar” (Update) button, which opens a malicious webpage.

The same goes for prompts that tell users to paste a command to fix an “error.” The PDF can even open the malicious page on its own.

What to do: the first place to catch it is the lure.

Impact & Targeting

A Brazilian banking trojan called Ousaban is going after Windows users who bank in Spain and Portugal. Once running, Ousaban adds a registry entry named Financeiro (Portuguese for “finance”) so it starts up with Windows. It is still active against Iberian targets, with a campaign reported this year that kept hitting Portuguese banks.

A Brazilian banking trojan known as Ousaban is actively targeting Windows users in Spain and Portugal, according to a report by Fortinet’s FortiGuard Labs.
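A check for the Financeiro autostart entry described above, as an added example that is not from Fortinet's report or the original article: it parses `reg query` text output and flags a value with that name. The article names only the value, so the Run/RunOnce key locations, the function name and the sample output are assumptions constructed for illustration.

```python
import re

# The article gives only the value name. The autostart locations matched here
# are an assumption: the standard per-user and per-machine Run/RunOnce keys.
IOC_VALUE_NAME = "financeiro"
RUN_KEY_RE = re.compile(
    r"^(HKEY_[A-Z_]+|HKU|HKCU|HKLM)\\.*\\CurrentVersion\\Run(Once)?$", re.I)
# `reg query` value line: 4 spaces, name, 4 spaces, REG_* type, 4 spaces, data
VALUE_RE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")


def find_financeiro(reg_query_text):
    """Return (key, name, data) for each autostart value named Financeiro."""
    hits, key = [], None
    for line in reg_query_text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):  # unindented line is a key path
            path = line.strip()
            key = path if RUN_KEY_RE.match(path) else None
            continue
        m = VALUE_RE.match(line)
        # Value names are case-insensitive in the Windows registry.
        if key and m and m["name"].strip().lower() == IOC_VALUE_NAME:
            hits.append((key, m["name"].strip(), m["data"].strip()))
    return hits


# Constructed sample output (not taken from a real host or from the report).
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    Financeiro    REG_SZ    C:\Users\Public\constructed-sample.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe

HKEY_CURRENT_USER\Software\Example\Settings
    Financeiro    REG_SZ    unrelated application setting
"""

if __name__ == "__main__":
    for key, name, data in find_financeiro(SAMPLE):
        print(f"REVIEW: {key} -> {name} = {data}")
```

A hit is a lead for triage rather than a verdict, since a legitimate finance application could register a value with the same name.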

Detection & Response

  1. The PDF shows a prompt telling the victim to press an “Atualizar” (Update) button, which opens a malicious webpage.

  2. The malware reads the current date off a Google page, builds a web address from that date plus a fixed secret, and looks it up.

  3. Blocking yesterday’s address does little good.

  4. Fortinet links the same infrastructure to Ousaban activity in late 2025 that used other entry points, including “ClickFix,” a scam that gets the victim to paste a malicious command themselves while thinking they are fixing an error.

  5. Treat any PDF or email that claims a file is corrupted and tells you to press “Update” as hostile.

  6. The same goes for prompts that tell users to paste a command to fix an “error.” The PDF can even open the malicious page on its own.

Analysis

Organizations should review their exposure and apply available mitigations promptly.

Defenders should immediately review endpoint detection and response telemetry for any signs of the described malware family or associated behaviors. Network traffic analysis can reveal command-and-control communications, data exfiltration patterns, or lateral movement that might otherwise go unnoticed. Organizations are advised to update their threat intelligence feeds and ensure that endpoint protection platforms, email gateways, and intrusion prevention systems have the latest detection signatures. Incident response playbooks should be reviewed to confirm they cover malware of this type, including isolation procedures, forensic collection steps, and communication protocols. Security awareness training may also need refreshes if the malware leverages social engineering as an initial access vector.

Sources

  1. https://www.scworld.com/brief/ousaban-banking-trojan-targets-spain-and-portugal-with-new-stealth-techniques