{"id":240139,"date":"2026-07-02T02:34:26","date_gmt":"2026-07-02T07:34:26","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2026\/07\/ousaban-banking-trojan-targets-iberian-bank-users-with-fake-pdf-lures"},"modified":"2026-07-02T02:34:26","modified_gmt":"2026-07-02T07:34:26","slug":"ousaban-banking-trojan-targets-iberian-bank-users-with-fake-pdf-lures","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2026\/07\/ousaban-banking-trojan-targets-iberian-bank-users-with-fake-pdf-lures","title":{"rendered":"Ousaban Banking Trojan Targets Iberian Bank Users with Fake PDF Lures"},"content":{"rendered":"<p><a class=\"aligncenter blog-photo\" href=\"https:\/\/lifeboat.com\/blog.images\/ousaban-banking-trojan-targets-iberian-bank-users-with-fake-pdf-lures.jpg\"><\/a><\/p>\n<p>The current version moves that screening to the operator\u2019s server, so the exact rules are hidden. Either way, visitors outside Spain or Portugal get a Spanish \u201caccess denied\u201d notice instead of malware.<\/p>\n<p>Clear the check, and the download starts. A script downloads an image that looks like a PDF icon but hides a ZIP file inside, a trick called steganography. The script unpacks Ousaban from that ZIP, runs it, then deletes the image, the ZIP, and itself to leave less behind. Once running, Ousaban adds a registry entry named Financeiro (Portuguese for \u201cfinance\u201d) so it starts up with Windows.<\/p>\n<p>Ousaban\u2019s command server, the machine that controls it, is deliberately hard to find. It carries a Pastebin link that points to one server address, but Fortinet says that address is a decoy.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The current version moves that screening to the operator\u2019s server, so the exact rules are hidden. Either way, visitors outside Spain or Portugal get a Spanish \u201caccess denied\u201d notice instead of malware. Clear the check, and the download starts. A script downloads an image that looks like a PDF icon but hides a ZIP file [\u2026]<\/p>\n","protected":false},"author":427,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34,45],"tags":[],"class_list":["post-240139","post","type-post","status-publish","format-standard","hentry","category-cybercrime-malcode","category-finance"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/240139","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/427"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=240139"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/240139\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=240139"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=240139"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=240139"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}