Ousaban Banking Trojan Targets Iberian Bank Users with Fake PDF Lures

thehackernews.com | 2026-07-01 | fintech AI risk | High

What Happened

A Brazilian banking trojan called Ousaban is going after Windows users who bank in Spain and Portugal. Fortinet's FortiGuard Labs identified the campaign in May 2026. It opens with a phishing PDF disguised as a corrupted file, checks that the visitor is really in Spain or Portugal, and hides its real payload inside an image. The goal is the usual one: steal banking logins and take

Why It Matters

Fortinet reports that the Brazilian Ousaban banking trojan is running a May 2026 campaign against Windows users of banks in Spain and Portugal, using phishing PDFs that pose as corrupted files, geofenced tax-document lures, and steganography to deliver its payload.[1][9] Once installed, Ousaban quietly monitors the system and, when a targeted banking site is opened, can capture screenshots and keystrokes, tamper with the clipboard, display fake messages, and grant remote control, enabling takeover of live banking sessions across more than two dozen Iberian banks.[1] From a CyberSE.AI perspective, this illustrates a high‑risk pattern for fintech ecosystems where malware abuses sophisticated social engineering and evasion techniques that traditional email or sandbox controls may miss, requiring banks and financial platforms to continuously red‑team their user journeys, remote access workflows, and fraud detection controls against such session‑hijacking tools. Continuous AI Red Teaming can systematically simulate Ousaban‑style phishing flows and live-banking hijack scenarios to test, tune, and harden authentication, transaction verification, and anomaly‑detection mechanisms before rea

Healthcare Fintech SaaS SMB AI startups

CyberSE Analysis

This signal maps to fintech AI risk. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.

Recommended Actions

  • Restrict AI agent tool permissions and production write paths.
  • Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
  • Add human approval workflows for high-impact or state-changing actions.
  • Run prompt injection and indirect prompt injection tests against affected workflows.
  • Document the owner, control gap, and remediation deadline for this risk class.

Source

https://thehackernews.com/2026/07/ousaban-banking-trojan-targets-iberian.html
