logo

Ousaban Banking Trojan Targets Iberian Bank Users with Fake PDF Lures

ID: fee01e9e-554d-5c83-b0cb-c67c9cd0c81c

STIX ID: report--fee01e9e-554d-5c83-b0cb-c67c9cd0c81c

Feed Name: The Hacker News

Threat Score
75/100

Date Published: 2026-07-01

Date Updated: 2026-07-01

Author: [email protected] (The Hacker News)

...
...

Fortinet reports an active 2026 campaign distributing the Brazilian banking trojan Ousaban (Javali) against Windows users in Spain and Portugal. The attack begins with a phishing PDF that either prompts users to press an "Atualizar" button or runs hidden JavaScript to open a malicious page; server-side geofencing screens for Iberian victims, a script downloads an image containing a ZIP via steganography, unpacks and runs Ousaban, which persists via a registry Run key named "Financeiro" and can capture keystrokes, screenshots, tamper the clipboard, display fake messages, and enable remote control to hijack banking sessions. Fortinet provides domains, IPs, file hashes, a dropped file path (C:\SysMain_5874288), and recommends treating suspicious invoice/tax PDFs as hostile and enhancing detection beyond simple gateway detonation.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.