G1026: Malteiro
Malteiro is a financially motivated criminal group that is likely based in Brazil and has been active since at least November 2019. The group operates and distributes the Mispadu banking trojan via a Malware-as-a-Service (MaaS) business model. Malteiro mainly targets victims throughout Latin America (particularly Mexico) and Europe (particularly Spain and Portugal).[1]
Analyst context for executives and security teams
Malteiro matters because ATT&CK describes it as a financially motivated criminal group operating and distributing the Mispadu banking trojan through a Malware-as-a-Service model, with reported targeting in Latin America and Europe. For leaders, the practical issue is not just malware detection; it is whether email security, endpoint visibility, credential protection, fraud response, and regional business operations are ready for a banking-trojan-style intrusion that may begin with a malicious attachment and progress toward credential theft and financial theft.
Executive priority
Prioritize this as a financial-risk and resilience scenario where identity, endpoint, email, and fraud-response teams need shared playbooks. Executives should ask whether the organization can prove coverage for phishing attachments, Windows malware execution related to Mispadu, browser/password-store credential access, and financial-theft response. This is especially relevant for organizations with operations, users, customers, or payment workflows connected to Latin America, Spain, or Portugal, while still requiring local threat intelligence before assuming direct exposure.
Technical view
ATT&CK provides no detection text for Malteiro itself, so defenders should validate coverage through the related software and techniques: Mispadu, spearphishing attachments, malicious file execution, Visual Basic execution, encrypted or encoded files, deobfuscation, DLL injection, system and language discovery, security software discovery, credential access from password stores and web browsers, and financial theft. SOC teams should test whether email, endpoint, identity, and fraud telemetry can be correlated from initial attachment delivery through execution, discovery, credential collection, and suspicious financial activity. Because the group object has no specified platforms, platform assumptions should be driven by the related Mispadu Windows relationship and the platforms listed on each related ATT&CK technique, not by the group record alone.
Likely telemetry
- Email security logs for attachments, sender metadata, delivery, user interaction, and attachment detonation results
- Endpoint process, file, command/script, DLL load, and process injection telemetry, especially on Windows where Mispadu is documented
- Script and Visual Basic execution telemetry where collected
- File inspection or sandbox evidence for encoded, encrypted, or deobfuscated content
- Host discovery activity, including operating system, patch, language, and security software enumeration
Detection direction
- Build detections around behavior chains rather than the Malteiro name: phishing attachment delivery, user-opened malicious file, script execution, obfuscated payload handling, discovery, credential-store access, and financial-theft indicators.
- Validate endpoint visibility for DLL injection and credential access from browsers/password stores; these are common blind spots when EDR is absent, not deployed to all endpoints, or lacks detailed process/file telemetry.
- Tune phishing and malicious-file alerts with business context to reduce false positives from legitimate attachments and administrative scripts, while preserving high-priority escalation when attachment execution is followed by discovery or credential access.
- Use the Mispadu relationship to guide malware-focused hunting, but avoid assuming all Malteiro activity will present identically unless local telemetry or threat intelligence supports it.
- Confirm that SOC playbooks can connect technical alerts to fraud, banking, and payment operations, because ATT&CK relates this activity to Financial Theft.
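As an added example that is not part of the ATT&CK object, the SCILabs report, or Glexia's own tooling, the Python below turns the behavior chain described in the detection direction above (and the procedure rows in the techniques table further down) into a correlation rule over constructed Sysmon-style process-creation events: a .vbs run by a script host from a staging folder, discovery spawned by that script, then NirSoft WebBrowserPassView/MailPassView, or a renamed copy recognized by its command-line export switch. The event field names, the staging-directory list, the use of systeminfo.exe and wmic.exe as proxies for the OS and antivirus enumeration the report describes, the two-hour window, and the two sample hosts are all assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (assumed Sysmon EID 1-like field names)."""
    ts: datetime
    host: str
    image: str      # full path of the new process
    parent: str     # full path of the parent process
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed locations where an attachment extracted from a .zip is likely to land
STAGING_DIRS = re.compile(r"\\(temp|downloads)\\", re.I)
# Tools named in the ATT&CK procedure text, plus the NirSoft export switches that
# survive when the binary itself is renamed
NIRSOFT_TOOLS = {"webbrowserpassview.exe", "mailpassview.exe"}
NIRSOFT_EXPORT = re.compile(r"\s/(stext|shtml|scomma|sxml|stab)\b", re.I)
# Assumed proxies for the OS / antivirus enumeration described in the report
DISCOVERY_TOOLS = {"systeminfo.exe", "wmic.exe"}


def _base(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(e: ProcEvent) -> str | None:
    """Map one event to a stage of the chain, or None if it is not interesting."""
    img, parent = _base(e.image), _base(e.parent)
    if img in SCRIPT_HOSTS and re.search(r"\.vbs\b", e.cmdline, re.I) \
            and STAGING_DIRS.search(e.cmdline):
        return "vbs_from_staging"          # T1204.002 -> T1059.005
    if img in DISCOVERY_TOOLS and parent in SCRIPT_HOSTS:
        return "discovery"                 # T1082 / T1518.001 driven by the script
    if img in NIRSOFT_TOOLS:
        return "credential_tool"           # T1555 / T1555.003
    if parent in SCRIPT_HOSTS and NIRSOFT_EXPORT.search(e.cmdline):
        return "credential_tool"           # renamed NirSoft binary, same CLI switch
    return None


def detect(events: list[ProcEvent], window: timedelta = timedelta(hours=2)) -> list[dict]:
    """One alert per host where a staged .vbs run is followed by a credential tool
    within `window`; discovery inside the same window raises the confidence."""
    by_host: dict[str, list[tuple[datetime, str]]] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        stage = classify(e)
        if stage:
            by_host.setdefault(e.host, []).append((e.ts, stage))
    alerts = []
    for host, stages in by_host.items():
        for t0, s in stages:
            if s != "vbs_from_staging":
                continue
            seen = {st for ts, st in stages if t0 <= ts <= t0 + window}
            if "credential_tool" in seen:
                alerts.append({"host": host, "start": t0,
                               "confidence": "high" if "discovery" in seen else "medium",
                               "stages": sorted(seen)})
                break
    return alerts


T0 = datetime(2024, 3, 1, 9, 0)
# Constructed sample: one workstation showing the full chain, one help-desk host
# that only runs systeminfo from a cmd shell and must not alert
SAMPLE_EVENTS = [
    ProcEvent(T0, "WS-MX-01", r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe",
              r'wscript.exe //B "C:\Users\ana\AppData\Local\Temp\factura.vbs"'),
    ProcEvent(T0 + timedelta(seconds=5), "WS-MX-01", r"C:\Windows\System32\systeminfo.exe",
              r"C:\Windows\System32\wscript.exe", "systeminfo"),
    ProcEvent(T0 + timedelta(minutes=3), "WS-MX-01", r"C:\Users\ana\AppData\Local\Temp\svchst.exe",
              r"C:\Windows\System32\wscript.exe",
              r"svchst.exe /stext C:\Users\ana\AppData\Local\Temp\b.txt"),
    ProcEvent(T0, "WS-ES-07", r"C:\Windows\System32\systeminfo.exe",
              r"C:\Windows\System32\cmd.exe", "systeminfo"),
]


def run_sample() -> list[dict]:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The point of keying on the parent process and the export switch rather than on the tool's file name is that a renamed NirSoft binary still alerts, while an administrator running systeminfo from a shell does not; in production the same logic would be expressed in the SIEM's correlation language and tuned against the staging paths actually used in the environment.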
Mitigation priorities
- Harden email and attachment handling first: attachment filtering, sandboxing where available, user reporting, and rapid mailbox remediation workflows.
- Strengthen endpoint controls and logging for script execution, suspicious file decoding, DLL injection-like behavior, and unauthorized access to browser or password-store data.
- Reduce credential impact by enforcing strong identity controls, minimizing saved credentials where practical, monitoring abnormal authentication, and preparing credential reset procedures for suspected theft.
- Coordinate security operations with finance and fraud teams so suspected credential theft can trigger payment review, account protection, and incident-response decisions quickly.
- Use regional exposure and business process analysis to decide prioritization; the ATT&CK description notes Latin America and Europe targeting, but local telemetry and intelligence should determine urgency.
Analyst notes and limits
The most decision-useful relationships are Mispadu and the mapped techniques for phishing attachment, malicious file execution, obfuscation/deobfuscation, DLL injection, discovery, credential access, and financial theft. Treat Malteiro as a scenario for validating end-to-end readiness across email, endpoint, identity, and financial operations rather than as a single indicator-based detection problem.
The official Malteiro object does not provide detection guidance, tactics, or platforms, and the relationship descriptions are partly technique-level generalizations rather than Malteiro-specific observations. This take does not assert current activity, customer exposure, or guaranteed detection. Local environment evidence, regional exposure, and current threat intelligence are required for prioritization.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1204.002 | User Execution: Malicious File | Malteiro has relied on users to execute .zip file attachments containing malicious URLs.[1] |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Malteiro has stolen credentials stored in the victim's browsers via the NirSoft WebBrowserPassView tool.[1] |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | |
| Enterprise | T1657 | Financial Theft | |
| Enterprise | T1082 | System Information Discovery | Malteiro collects machine information: system architecture, OS version, computer name, and Windows product name.[1] |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Malteiro has utilized a dropper containing malicious VBS scripts.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Malteiro has used scripts encoded in Base64 certificates to distribute malware to victims. (SCILabs Malteiro Threat Overlap 2023) |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Malteiro collects the installed antivirus on the victim machine.[1] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Malteiro has sent spearphishing emails containing malicious .zip files.[1] |
| Enterprise | T1555 | Credentials from Password Stores | Malteiro has obtained credentials from mail clients via NirSoft MailPassView.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Malteiro has the ability to deobfuscate downloaded files prior to execution.[1] |
| Enterprise | T1614.001 | System Location Discovery: System Language Discovery | |
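The T1027.013 row says scripts were delivered encoded as Base64 "certificates", and the likely-telemetry list above asks for file inspection evidence of encoded content. As an added example that is not the page's or SCILabs' code, the Python below inspects PEM-armored blocks in a file and separates a genuine DER-encoded object (an outer SEQUENCE whose declared length matches the decoded size, which every real X.509 certificate satisfies) from a block whose decoded body is script text. It goes slightly beyond the row by classifying any PEM label, not only CERTIFICATE. The sample file, the script-marker list, the 95% printable threshold, and the assumption that the wrapper uses standard BEGIN/END armor are constructed for illustration.

```python
import base64
import re

# Standard PEM armor; the label must match between BEGIN and END
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
# Assumed markers of VBS / shell content (illustrative, not exhaustive)
SCRIPT_MARKERS = re.compile(
    r"(CreateObject|WScript\.|\bExecute\b|Set\s+\w+\s*=|powershell|cmd\.exe)", re.I)


def der_sequence_ok(data: bytes) -> bool:
    """True if `data` is exactly one DER SEQUENCE whose declared length matches its size."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                        # short-form length
        declared, header = first, 2
    else:                                   # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        declared, header = int.from_bytes(data[2:2 + n], "big"), 2 + n
    return header + declared == len(data)


def inspect_pem_blocks(text: str) -> list:
    """Classify each PEM-armored block as der, script_in_certificate, text_not_der,
    binary_not_der or invalid_base64, in file order."""
    findings = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), "".join(m.group(2).split())
        try:
            raw = base64.b64decode(body, validate=True)
        except ValueError:                  # binascii.Error is a ValueError subclass
            findings.append({"label": label, "verdict": "invalid_base64"})
            continue
        if der_sequence_ok(raw):
            findings.append({"label": label, "verdict": "der"})
            continue
        try:
            decoded = raw.decode("utf-8")
        except UnicodeDecodeError:
            findings.append({"label": label, "verdict": "binary_not_der"})
            continue
        printable = sum(c.isprintable() or c in "\r\n\t" for c in decoded) / max(len(decoded), 1)
        if printable > 0.95 and SCRIPT_MARKERS.search(decoded):
            findings.append({"label": label, "verdict": "script_in_certificate",
                             "preview": decoded[:60]})
        else:
            findings.append({"label": label, "verdict": "text_not_der"})
    return findings


def _armor(label: str, raw: bytes) -> str:
    return f"-----BEGIN {label}-----\n{base64.encodebytes(raw).decode()}-----END {label}-----\n"


# Constructed sample file: a minimal genuine DER SEQUENCE (not a real certificate, just
# enough structure to pass the length check) followed by a harmless VBS stub wrapped
# in certificate armor the way the T1027.013 row describes
VBS_STUB = 'Set sh = CreateObject("WScript.Shell")\r\nsh.Run "cmd.exe /c whoami", 0, True\r\n'
SAMPLE_FILE = (_armor("CERTIFICATE", b"\x30\x03\x02\x01\x05")
               + _armor("CERTIFICATE", VBS_STUB.encode()))


def inspect_sample() -> list:
    return inspect_pem_blocks(SAMPLE_FILE)


if __name__ == "__main__":
    for finding in inspect_sample():
        print(finding)
```

The DER length check is deliberately structural rather than signature-based: a real certificate parses as one SEQUENCE that consumes the whole decoded buffer, while script text almost never begins with 0x30 and never carries a consistent length header, so the check holds regardless of which script language sits inside the armor.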
Groups, software, and campaigns
S1122: Mispadu
Mispadu is a banking trojan written in Delphi that was first observed in 2019 and uses a Malware-as-a-Service (MaaS) business model.[1][2] This malware is operated, managed, and sold by the Malteiro cybercriminal group.[2] Mispadu has mainly been used to target victims in Brazil and Mexico, and has also had confirmed operations throughout Latin America and Europe.[2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the same object can be compared across releases by raw object hash and MITRE modification timestamp. For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | af61f07ea3e0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] SCILabs Malteiro 2021: SCILabs. (2021, December 23). Cyber Threat Profile Malteiro. Retrieved March 13, 2024.
[2] mitre-attack G1026: MITRE ATT&CK group entry G1026 (Malteiro).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.