Blog - Creative Collaboration

A Brazilian banking trojan is targeting Santander and BBVA customers with fake PDF lures

July 1, 2026

TL;DR

Fortinet found Ousaban targeting Spanish and Portuguese bank users with geofenced PDFs that hide malware inside images and rotate servers daily.

A Brazilian banking trojan called Ousaban is going after Windows users who bank in Spain and Portugal, using fake PDFs, geofencing, and a payload hidden inside an image to steal credentials without triggering security tools. Fortinet’s FortiGuard Labs identified the campaign in May and published its analysis this week.

The attack starts with a phishing PDF disguised as a corrupted file. The document tells the victim to press an “Atualizar” (Update) button, which opens a malicious webpage posing as a tax-document portal. Hidden JavaScript inside the PDF can open the same page automatically, so the victim does not even need to click.

Before delivering the payload, the campaign screens every visitor. An earlier version checked the browser for IP address, language, time zone, screen size, and installed fonts, blocking anyone using a VPN or an automated sandbox. The current version runs those checks on the server side, so the exact filtering rules are hidden, but visitors outside Spain and Portugal still see only a Spanish “access denied” notice.

Anyone who passes the filter downloads an image that looks like a PDF icon but contains a ZIP file, a technique called steganography. A script unpacks the malware from the ZIP, runs it, then deletes the image, the ZIP, and itself. Once installed, Ousaban adds a Windows registry entry named “Financeiro” so it starts up automatically.
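
For defenders, the image-with-a-ZIP-inside delivery described above can be checked for on downloaded files. The following is an added example, not code from Fortinet or from the campaign: it assumes the archive is appended to the image or is otherwise locatable through its end-of-central-directory record, which the article does not specify, and the function names and sample files are constructed for illustration.

```python
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAGICS = {PNG_SIG: "png", b"\xff\xd8\xff": "jpeg", b"GIF87a": "gif", b"GIF89a": "gif"}

def png_end(data):
    """Offset just past the IEND chunk, or None if the chunk chain is broken."""
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length            # length field + type + body + CRC
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None

def inspect_image(data):
    """Report image type, bytes after PNG IEND, and any ZIP members found."""
    kind = next((k for m, k in MAGICS.items() if data.startswith(m)), None)
    report = {"image_type": kind, "trailing_bytes": None, "zip_members": []}
    if kind == "png":
        end = png_end(data)
        report["trailing_bytes"] = None if end is None else len(data) - end
    if kind is not None:
        try:
            # zipfile locates the end-of-central-directory record from the
            # end of the file, so it tolerates image bytes in front of the ZIP.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                report["zip_members"] = zf.namelist()
        except zipfile.BadZipFile:
            pass
    return report

def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def make_samples():
    """Constructed inputs: a 1x1 PNG, and the same PNG with a benign ZIP appended."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(b"\0\0")) + _chunk(b"IEND", b"")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed test member")
    return png, png + buf.getvalue(), len(buf.getvalue())

if __name__ == "__main__":
    clean, carrier, _ = make_samples()
    print(inspect_image(clean))
    print(inspect_image(carrier))
```

A file that starts with an image signature yet yields a non-empty member list, or a PNG with a non-zero byte count after IEND, is worth quarantining for analysis; the trailing-byte count is only computed for PNG, while the ZIP check applies to all three image types.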

The trojan sits quietly until the user opens a banking site, then captures screenshots and keystrokes, tampers with the clipboard, shows fake messages, and gives the attacker remote control. Fortinet says Ousaban watches for more than two dozen banks across Spain and Portugal, among them Santander, BBVA, CaixaBank, Bankinter, and Caixa Geral de Depositos.

Its command server is deliberately hard to pin down. The malware reads the current date from a Google page, combines it with a fixed secret to build a web address, and resolves a new server every day, making traditional blocklists nearly useless. Hiding infrastructure behind web services is an old Ousaban habit: earlier campaigns stashed configuration data in Google Docs.

Ousaban, also tracked as Javali, belongs to a group of Brazilian banking trojans that Kaspersky labelled years ago as the “Tetrade,” alongside Grandoreiro, Guildma, and Melcoz. All four started in Brazil and expanded into the Iberian Peninsula, sharing code along the way. Grandoreiro, the best known of the group, survived an Interpol-coordinated takedown in January 2024 and was back within months, and it is still active against European targets this year.

Fortinet says its antivirus products flag the samples and its FortiMail service catches the phishing emails. For everyone else, the first line of defence is the lure itself: any PDF or email that claims a file is corrupted and tells you to press “Update” should be treated as hostile. The same applies to prompts asking users to paste a command to fix an error, a technique known as ClickFix that Fortinet links to related Ousaban activity from late 2025.

    © CC Startup, Powered by Creative Collaboration. © 2020 Creative Collaboration, LLC. All Rights Reserved.
