Mispadu

Inside Mispadu: How This Evolving Trojan Drains Bank Accounts and Businesses

Key Takeaways

• Mispadu is a Windows banking trojan primarily targeting online banking, cryptocurrency, and sensitive credentials.

• Although initially focused on Latin America, its techniques can threaten organizations operating globally.

• The malware relies heavily on phishing emails, malicious installers, and social engineering rather than software exploits.

• Mispadu combines credential theft, browser manipulation, persistence mechanisms, and anti-analysis techniques to remain active on infected systems.

• Organizations in finance, retail, government, healthcare, manufacturing, and enterprises with employees conducting online banking face elevated exposure.

• Effective defense requires combining endpoint security, email protection, user awareness, and continuous threat intelligence.

• Proactively defend with ANY.RUN’s Threat Intelligence Lookup for instant IOC context and Threat Intelligence Feeds for real-time blocking in your security stack — combined with phishing training and endpoint controls.

Mispadu sample analyses in ANY.RUN Sandbox found via TI Lookup by an IOC

What is Mispadu Malware?

Mispadu represents a persistent and technically sophisticated threat within the Latin American cybercrime ecosystem. The trojan combines credential-harvesting capabilities with post-compromise command execution, allowing threat actors to monetize compromised banking relationships at scale. The Malteiro group — known under various names including SAMBA SPIDER — has transformed Mispadu from a rudimentary malware into a modular, evasion-hardened information stealer distributed through a thriving MaaS marketplace.

Operators are frequently using Mispadu to execute keylogging, browser overlay attacks, and socket-based remote control in order to steal financial data including cryptocurrency wallet information. The malware primarily infects Windows systems through phishing campaigns delivering malicious ZIP archives, MSI installers, or executable files disguised as invoices, tax documents, shipping notifications, or government communications. Once executed, it establishes persistence, gathers system information, communicates with command-and-control (C2) servers, and begins monitoring user activity.

The malware's infrastructure relies on compromised WordPress installations as command-and-control pivots, geographic filtering logic to avoid deploying in non-target regions, and multi-stage obfuscation chains designed to subvert endpoint detection and response (EDR) and secure email gateway (SEG) protections.

Mispadu's resilience stems not from zero-day exploits but from iterative refinement of social engineering payloads, polymorphic encoding, and abuse of legitimate system utilities, particularly Windows certutil.exe, for decoding embedded binaries, and WebDAV for executing payloads via network shares. This pragmatic approach to offensive tooling has allowed the malware to maintain operational effectiveness despite widespread signature-based detection and public reporting.

Modern variants also include anti-analysis capabilities, encrypted configuration files, virtual machine detection, and obfuscation techniques designed to complicate malware analysis and evade traditional security controls.

Despite Mispadu's anti-analysis and evasion capabilities, ANY.RUN Interactive Sandbox lets analysts detect the trojan’s activity and view detonation sessions to explore the malicious behavior.

View analysis

Mispadu's behavior explored in Interactive Sandbox

How Mispadu Threatens Businesses and Organizations

The financial impact of Mispadu extends beyond direct account compromise to include reputation damage, regulatory penalties, and operational disruption. When a business falls victim to Mispadu infection, the trojan immediately begins enumerating installed antivirus solutions and exfiltrating Windows Vault credentials — the gateway to downstream lateral movement and credential recycling across corporate systems. For financial institutions, the threat is existential: Mispadu has harvested more than 90,000 bank account credentials from 17,500 websites in 2023.

Beyond credential theft, Mispadu's technical capabilities create multiple vectors for financial fraud. Once on a victim's system, Mispadu employs techniques such as screen capturing, keylogging, and creating fake browser overlays to capture sensitive information. Browser overlay attacks rendering spoofed login prompts over legitimate banking portals circumvent traditional two-factor authentication by capturing the complete authentication sequence in real time. Man-in-the-browser positioning allows Mispadu to intercept and modify requests destined for banking APIs, effectively hijacking session tokens and OTP flows.

For enterprises, Mispadu poses a supply-chain aggregation risk. The trojan's self-propagation via Outlook contact enumeration means a single compromised employee mailbox can weaponize corporate address books, enabling lateral spread across geographically dispersed subsidiaries. Once established within an organization's infrastructure, Mispadu acts as a persistence backdoor, enabling follow-on payload delivery: observed chains include .NET remote administration tools, additional information stealers, and ransomware droppers. The malware's modular architecture means defenders face not a static threat but a dynamic payload delivery framework, with operators updating capabilities based on victim profiling and defensive posture analysis.

Victimology: Who Is Most at Risk?

While Mispadu targets individual users indiscriminately, certain sectors face elevated risks:

• Financial Institutions — banks, credit unions, and fintech companies are primary targets due to their direct access to financial assets. Employees with access to banking systems are particularly valuable to attackers.
• Retail and E-commerce — online retailers and payment processors are vulnerable due to their handling of customer payment information and the volume of financial transactions they process.
• Healthcare — medical organizations in Latin America that process patient payments and insurance claims are at risk, compounded by the sensitive nature of healthcare data.
• Government and Public Sector — government agencies dealing with tax collection, social security, and public services are frequently impersonated in phishing campaigns. In fact, attackers often use pretexts related to tax matters to trick victims, such as impersonating Argentina's national tax agency.
• Energy and Utilities — companies in the utility sector, which handle large financial transactions and maintain critical infrastructure, are attractive targets.

Within each sector, Mispadu's profiling logic prioritizes victims with active browser sessions to financial platforms, installed payment software, and language/locale matches to LATAM regions — suggesting attackers maintain real-time telemetry on victim behavior post-infection.

The Evolution of Mispadu and Notable Activity

Since its discovery in 2019, Mispadu has undergone significant evolution:

• 2019 (Initial Discovery): ESET first reported Mispadu as a banking Trojan targeting Brazil and Mexico with basic capabilities including screenshots, keylogging, and clipboard manipulation

• 2020-2022: The malware's operators, identified as the Malteiro cybercriminal group, expanded their infrastructure and refined the infection chain. During this period, Mispadu began using WordPress sites as command-and-control servers, compromising legitimate websites to distribute malware.

• 2023: The malware demonstrated significant expansion, with campaigns targeting Bolivia, Chile, Mexico, Peru, and Portugal. The discovery of over 90,000 stolen credentials highlighted the scale of the threat. Researchers also identified overlaps with other threats like Porongona, Botnet Fenix, and Manipulated Caiman, suggesting a consolidation of cybercriminal operations

• 2024: Mispadu adopted new techniques including the increased use of dynamic scripts (HTA – JS – VBS), browser history targeting, and exploitation of CVE-2023-36025, a Windows SmartScreen bypass vulnerability. This variant specifically targeted Mexican users and introduced refined evasion techniques. Operation Saci, observed in November 2024, demonstrated coordination with the Grandoreiro banking Trojan.

• 2025: The malware evolved further with more sophisticated infection chains and improved obfuscation. Self-propagation capabilities were enhanced, and targets expanded to include cryptocurrency exchanges and banks outside Latin America.

How Mispadu Gets Into Systems and Spreads

Mispadu's ingress mechanisms have evolved from crude malvertising to sophisticated multi-stage chains combining social engineering, LOLBin abuse, and legitimate application masquerading.

1. Primary delivery mechanisms:

Spear-phishing with obfuscated attachments: The dominant delivery vector leverages targeted emails spoofing financial institutions, government agencies, or service providers. Attachment variants include password-protected PDFs, HTML attachments triggering script execution, and compressed archives containing multi-stage loaders.

Malvertising on compromised ad networks: Though less prominent than in 2019, malvertising campaigns resurface during period escalations. Compromised ad networks serve pixel-perfect replicas of legitimate download pages (banking software, browser updates, productivity applications) that deliver Mispadu droppers.

Direct payload hosting on compromised websites: One of the main strategies is to compromise legitimate websites, searching for vulnerable versions of WordPress, to turn them into command-and-control server dropping different type of malware based on the country being infected. This approach provides high availability and defenders' challenges in distinguishing legitimate site traffic from malware delivery.

2. Lateral propagation mechanisms:

Once resident on a system, Mispadu engages multiple persistence and propagation strategies. Mispadu has self-propagation capabilities via Outlook contacts, which allows compromised hosts to spread further Mispadu campaign emails without the threat actor specifically targeting further recipients. This autonomous propagation leverages compromised email accounts as vectors for organizational spread, often timing message delivery to avoid sandbox detection by scheduling operations to LocalTime == 9am-5pm.

Secondary payloads extend the infection chain: after establishing initial persistence, Mispadu staggers follow-on downloads of information stealers (.NET-based RATs), remote access trojans, and loader malware capable of decrypting and executing additional families. The modularity allows operators to tailor payloads based on infected system profiling — business users receive different payload chains than consumer victims.

How Mispadu Malware Functions

Mispadu's functional architecture comprises three primary layers: reconnaissance and evasion, credential harvesting, and command execution.

Phase 1: Evasion and reconnaissance

Upon execution, Mispadu immediately performs environmental profiling. The malware enumerates installed antivirus solutions via Windows Management Instrumentation (WMI) queries and registry scanning, compiling an allowlist of security products to suppress alerts. System locale detection filters execution based on keyboard layout and language settings — samples only activate when detecting Portuguese, Spanish, or regional IP geolocation matching target countries.

Virtual machine detection queries BIOS version strings, system model manufacturer strings, and processor model numbers against known hypervisor signatures (VirtualBox, VMware, Hyper-V, QEMU). This behavioral gating prevents sandbox analysis while ensuring operational focus on legitimate endpoints.

Phase 2: Credential harvesting

Mispadu's core functionality concentrates on data exfiltration from multiple sources:

• Browser credential storage: Mispadu can steal credentials from Google Chrome. The trojan queries Chrome's SQLite credential database, extracting encrypted username/password pairs, and decrypts using DPAPI keys stored in the user's profile. Firefox credential stores (key4.db, logins.json) are similarly enumerated and extracted.

• Form grabbing and keystroke logging: Mispadu employs techniques such as screen capturing, keylogging, and creating fake browser overlays to capture sensitive information. Keyboard hooks intercept credentials as users type, while clipboard monitoring captures copy-pasted banking data and one-time passwords.

• Man-in-the-browser attacks: When specific banking domains load in the browser, Mispadu injects JavaScript overlays rendering fake login forms or account verification screens. These overlays capture credentials with pixel-perfect fidelity matching the legitimate site's visual language, error messaging, and flow logic before exfiltrating captured data directly to attacker infrastructure.

• Session cookie and OTP interception: Mispadu's WebDriver-based hooking captures session cookies and OAuth tokens from browser memory, as well as SMS OTP messages received during authentication flows, enabling account takeover without requiring user credentials.

Phase 3: Command execution and payload delivery

Mispadu, once launched, proceeds to establish contact with a command-and-control (C2) server for follow-on data exfiltration. Initial C2 communication transmits the victim profile (OS version, antivirus software, system architecture, language) to attacker-controlled servers running custom PHP handlers. The C2 responds with follow-on command parameters: additional payload URLs, registry persistence keys to modify, process names to monitor, or banking sites to target with injections.

Updates to the malware binary itself are delivered via encrypted streams from C2, allowing operators to add new banking targets, modify obfuscation routines, or add new credential harvesting techniques without redeploying samples. This modularity explains Mispadu's persistence despite years of public analysis and detection signatures.

View the attack chain in ANY.RUN Interactive Sandbox:

Mispadu's sample detonated in Interactive Sandbox

ANY.RUN’s analysts observe two types of initial lures: 1) a phishing email or a link with a fake document ( view sandbox analysis ), and 2) a fake browser extension ( view sandbox analysis ). In both cases, the initial vector is an HTA file, which may run on its own or be launched via a shortcut (LNK file) that imitates a PDF document.

A phishing page example

After launching the HTA file, it contacts the C2 server to download a VBA script. This script then connects to the C2 server to retrieve an AutoIT module and a compiled AutoIT script. The AutoIT script contains the main payload — an encrypted (XOR) DLL library with shellcode, which is used to establish a connection to the command center.

The attack chain looks like this: RAR > HTA-file > VBA-script > AutoIT > DLL with shellcode > C2

Mispadu attack process chain

Track this campaign via ANY.RUN Threat Intelligence Lookup:

url:"/gerar/gerar.php" or url:"/registrar.php?dominio=" or url:"/h/modulo.php?f=" or url:"/h/estagio?1.php" or url:"/api/source-file.php?f=" OR url:"/api/upload-source.php?"

Mispadu ongoing attack samples analyzed by ANY.RUN community

How Businesses Can Use ANY.RUN’s Threat Intelligence Solutions Against Mispadu

Mispadu's sophistication — particularly its evasion capabilities, multi-stage infection chains, and behavioral polymorphism — requires a proactive threat intelligence strategy grounded in dynamic malware analysis and indicator-driven detection engineering.

Businesses can leverage ANY.RUN’s Threat Intelligence Feeds for real-time, high-fidelity IOCs (IPs, domains, URLs) integrated into SIEM/EDR/SOAR systems. These feeds, enriched with sandbox context and updated frequently, enable proactive blocking of Mispadu-related infrastructure.

Analysts can reference ANY.RUN-derived indicators to build rules matching:

• Executable delivery from Malteiro-operated compromise sites
• Registry persistence patterns consistent with Mispadu's launcher logic
• WebDAV client abuse chains observed in recent variants
• Process spawning correlations (e.g., certutil.exe → rundll32.exe → explorer.exe) that characterize multi-stage infection chains

This empirical grounding in observed Mispadu behavior accelerates SIEM tuning and reduces false positives from signature-based approaches.

Threat Intelligence Lookup allows rapid searching of IOCs across millions of sandbox sessions for contextual threat hunting, triage, and attribution — ideal for investigating suspicious emails or files linked to Mispadu campaigns. Analysts can pivot from a single phishing artifact to related infrastructure, behavioral evidence, and historical context.

threatName:"mispadu".

Mispadu sandbox analyses found in TI Lookup

Additional defensive measures:

Organizations should also:

• deploy advanced email filtering
• enable MFA for banking and cloud services
• restrict execution from user download directories
• monitor PowerShell and MSI execution
• educate employees on phishing
• maintain EDR coverage
• regularly patch Windows systems
• monitor outbound connections
• implement least-privilege access
• conduct proactive threat hunting

Conclusion

Mispadu demonstrates that banking malware continues to evolve beyond individual consumers into a broader business threat. By combining convincing phishing campaigns, credential theft, browser monitoring, persistence, and anti-analysis capabilities, it enables financially motivated attackers to compromise corporate accounts and disrupt business operations without deploying ransomware.

Organizations can reduce their exposure by combining layered security controls with proactive threat intelligence. Leveraging fresh behavioral indicators through ANY.RUN Threat Intelligence Lookup and automated Threat Intelligence Feeds allows security teams to detect emerging Mispadu campaigns, enrich investigations, and block malicious infrastructure before attackers achieve their objectives.

Trial TI Lookup to start gathering actionable threat intelligence on the malware that threatens your business sector and region: just sign up to ANY.RUN.