S1122: Mispadu
Mispadu is a banking trojan written in Delphi that was first observed in 2019 and uses a Malware-as-a-Service (MaaS) business model.[1][2] This malware is operated, managed, and sold by the Malteiro cybercriminal group.[2] Mispadu has mainly been used to target victims in Brazil and Mexico, and has also had confirmed operations throughout Latin America and Europe.[2][3][4]
Analyst context for executives and security teams
Mispadu matters because it is a Windows banking trojan associated with credential and user-data theft behaviors, not just commodity malware. ATT&CK ties it to Malteiro and a MaaS model, so the business concern is repeatability: defenders should assume that variants or operators may change delivery details while keeping recognizable behaviors such as malicious-file execution, browser/credential collection, persistence, obfuscation, and C2-based exfiltration.
Executive priority
Prioritize this as an identity, fraud, and endpoint-resilience risk where Windows users handle banking, payment, customer, or privileged web sessions—especially if the organization has exposure in Latin America or Europe as noted by ATT&CK sources. Leadership should ask whether SOC and IR teams can prove visibility into browser credential access, keylogging/screen/clipboard collection, persistence via Run keys or startup folders, and suspicious use of trusted Windows binaries such as msiexec.exe and rundll32.exe.
Technical view
ATT&CK does not provide a Mispadu-specific detection section, so coverage should be validated through the linked behaviors. On Windows, test whether endpoint telemetry captures malicious-file execution, Visual Basic execution, proxy execution through Msiexec and Rundll32, process injection, encoded/encrypted artifacts and subsequent decoding, discovery of processes/system/security tools/browser data, browser extension persistence, Registry Run key/startup folder persistence, collection from keystrokes/GUI prompts/screens/clipboard, credential access from password stores and browsers, and exfiltration over an existing C2 channel.
Likely telemetry
- Windows process creation, parent/child process lineage, command-line arguments, and signed binary execution context
- Endpoint file events for newly created, encoded, decoded, or suspicious executable/script artifacts
- Registry Run key and Startup folder modification events
- Browser extension inventory and browser profile/configuration change events
- File access to browser data, password stores, and local credential-related locations
Detection direction
- Do not rely on single indicators; MaaS and obfuscation relationships mean filenames, encodings, and infrastructure may change.
- Correlate user-opened file execution with VB, msiexec.exe, rundll32.exe, decode/deobfuscation activity, or unexpected network connections.
- Tune Msiexec and Rundll32 analytics carefully because both have legitimate administrative and installer uses; prioritize unusual parent processes, remote or uncommon payload locations, and follow-on credential or collection behavior.
- Validate detections for browser-focused activity: browser information discovery, extension abuse, browser credential access, and access to saved password stores.
- Look for behavior chains: discovery of security tools or system details, process injection, persistence changes, collection activity, then outbound C2-channel data movement.
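The correlation the two lists above describe can be prototyped offline before any analytic is deployed. The following Python script is an added example (not code from the ATT&CK page, MITRE, or Glexia): it scores constructed Sysmon-style process-creation, registry-set and network-connect events per host and reports a host only when several links of the chain appear together (user-facing parent spawning a script host, msiexec.exe or rundll32.exe loading from a user-writable path, a Run-key value pointing at such a path, and an outbound connection from one of those binaries). All host names, paths, weights and the threshold are constructed assumptions, and the benign WS02 deployment shows why a single msiexec.exe event must not fire on its own.

```python
"""Behavior-chain correlation over constructed Sysmon-style endpoint events.

Added example, not code from the ATT&CK page or from MITRE. Every event
record, host name, path, weight and threshold below is constructed for the
demonstration. Event types loosely follow Sysmon IDs: 1 = process create,
3 = network connect, 13 = registry value set.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Heuristic vocabulary (assumptions): where user-controlled payloads usually
# land, the user-facing parents that precede "user opened a file", the script
# hosts that run VBS (T1059.005) and the signed proxies the page names
# (T1218.007 Msiexec, T1218.011 Rundll32).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\", "\\programdata\\")
USER_FACING_PARENTS = ("outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe",
                       "winword.exe", "excel.exe", "explorer.exe")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
PROXY_BINS = ("msiexec.exe", "rundll32.exe")

# Constructed sample telemetry. WS01 shows the full chain; WS02 is a benign
# software deployment that exercises msiexec from a management agent.
SAMPLE_EVENTS: List[dict] = [
    {"host": "WS01", "type": 1, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "parent": r"C:\Windows\explorer.exe", "cmd": "OUTLOOK.EXE"},
    {"host": "WS01", "type": 1, "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmd": r'wscript.exe "C:\Users\ana\AppData\Local\Temp\factura.vbs"'},
    {"host": "WS01", "type": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmd": r"msiexec.exe /q /i C:\Users\ana\AppData\Local\Temp\setup.msi"},
    {"host": "WS01", "type": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"rundll32.exe C:\Users\ana\AppData\Roaming\inj.dll,Start"},
    {"host": "WS01", "type": 13, "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\upd",
     "details": r"C:\Users\ana\AppData\Roaming\inj.dll"},
    {"host": "WS01", "type": 3, "image": r"C:\Windows\System32\rundll32.exe", "dest": "203.0.113.10:443"},
    {"host": "WS02", "type": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\CCM\CcmExec.exe", "cmd": r"msiexec.exe /q /i \\deploy\pkgs\7zip.msi"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (empty string if absent)."""
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(text: str) -> bool:
    """True if any user-writable directory marker appears in the text."""
    return any(marker in text.lower() for marker in USER_WRITABLE)


def score_event(ev: dict) -> Optional[Tuple[int, str]]:
    """Return (weight, reason) when an event is a link in the chain, else None."""
    img = basename(ev.get("image", ""))
    parent = basename(ev.get("parent", ""))
    if ev["type"] == 1:
        if img in SCRIPT_HOSTS and parent in USER_FACING_PARENTS:
            return 2, f"script host {img} spawned by user-facing parent {parent}"
        if img in PROXY_BINS:
            if in_user_writable(ev["cmd"]):
                return 2, f"{img} loading payload from user-writable path"
            if parent in SCRIPT_HOSTS + PROXY_BINS:
                return 1, f"{img} spawned by {parent}"
        return None
    if ev["type"] == 13 and "\\run\\" in ev["target"].lower() and in_user_writable(ev["details"]):
        return 3, "Run key value set to a user-writable payload"
    if ev["type"] == 3 and img in SCRIPT_HOSTS + PROXY_BINS:
        return 2, f"outbound connection from {img} to {ev['dest']}"
    return None


def correlate(events: List[dict], threshold: int = 5) -> Dict[str, dict]:
    """Aggregate link weights per host; report hosts at or above the threshold."""
    per_host: Dict[str, dict] = defaultdict(lambda: {"score": 0, "reasons": []})
    for ev in events:
        hit = score_event(ev)
        if hit:
            per_host[ev["host"]]["score"] += hit[0]
            per_host[ev["host"]]["reasons"].append(hit[1])
    return {host: v for host, v in per_host.items() if v["score"] >= threshold}


if __name__ == "__main__":
    for host, finding in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: score {finding['score']}")
        for reason in finding["reasons"]:
            print("  -", reason)
```

With the constructed input only WS01 is reported (five chain links, score 11) while WS02's msiexec.exe run from a management agent and a network share scores nothing, which is the tuning point made above: the proxy binaries are weighted for context (parent and payload location), not for their mere presence. In a real pipeline the same scoring would run over a time-bounded window per host rather than over a static list.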
Mitigation priorities
- Reduce malicious-file execution risk with email/web filtering, attachment controls, user reporting workflows, and safe execution policies.
- Harden Windows endpoints by restricting unnecessary script execution and monitoring or controlling abuse-prone signed binaries where operationally feasible.
- Govern browser extensions and browser credential storage; reduce reliance on saved browser passwords for sensitive accounts.
- Enforce credential protections such as MFA and least privilege, recognizing that keylogging and GUI input capture can still create session and fraud risk.
- Monitor and protect persistence locations including Registry Run keys and Startup folders.
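Monitoring Run keys is easiest when an exported inventory is compared against a known-good baseline rather than eyeballed. The following Python script is an added example (not code from the ATT&CK page, MITRE, or Glexia) that parses a constructed `.reg` export of the HKCU and HKLM Run keys, normalizes each entry so one baseline record covers every user profile, and classifies anything not in the baseline as high when it is launched through rundll32.exe, msiexec.exe or a VBS script host (the binaries the techniques table lists) or lives in a user-writable path, and otherwise as a review item. The export text, the baseline and the entry names are constructed assumptions.

```python
"""Baseline audit of Registry Run key entries from a constructed .reg export.

Added example, not code from the ATT&CK page or from MITRE. The export text,
the baseline and every entry below are constructed for the demonstration.
"""
import re
from typing import List, Set, Tuple

# Launchers that should rarely appear in an autorun (assumption drawn from the
# techniques this page lists: Visual Basic, Msiexec, Rundll32).
SUSPICIOUS_LAUNCHERS = ("rundll32.exe", "msiexec.exe", "wscript.exe", "cscript.exe")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\", "\\programdata\\")

# Constructed export in the format produced by `reg export` / Registry Editor.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\ana\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"upd"="rundll32.exe C:\\Users\\ana\\AppData\\Roaming\\inj.dll,Start"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"Updater"="C:\\Program Files\\Vendor\\updater.exe /tray"
"Sync"="wscript.exe //B C:\\ProgramData\\sync.vbs"
'''

# Constructed known-good baseline: (key, value name, command line).
BASELINE: Set[Tuple[str, str, str]] = {
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\ana\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
}

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(text: str) -> str:
    """Undo .reg escaping: \\ becomes \ and \" becomes "."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, string data) for every REG_SZ value in the export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        match = VALUE_RE.match(line)
        if match and key:
            name, data = _unescape(match.group(1)), match.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            entries.append((key, name, data))
    return entries


def normalize(cmd: str) -> str:
    """Lower-case and replace the per-user profile segment (assumes \\Users\\<name>\\)."""
    return re.sub(r"\\users\\[^\\]+\\", r"\\users\\%user%\\", cmd.lower())


def launcher(cmd: str) -> str:
    """Lower-cased file name of the first token of a command line."""
    tokens = cmd.split()
    return tokens[0].strip('"').rsplit("\\", 1)[-1].lower() if tokens else ""


def classify(entry: Tuple[str, str, str], baseline_norm: Set[Tuple[str, str, str]]) -> str:
    key, name, data = entry
    if (key.lower(), name.lower(), normalize(data)) in baseline_norm:
        return "baseline"
    if launcher(data) in SUSPICIOUS_LAUNCHERS:
        return f"high: autorun via {launcher(data)}"
    if any(marker in data.lower() for marker in USER_WRITABLE):
        return "high: payload in user-writable path"
    return "review: not in baseline"


def audit_run_keys(export_text: str, baseline: Set[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Classify every Run key entry in the export against the baseline."""
    baseline_norm = {(k.lower(), n.lower(), normalize(d)) for k, n, d in baseline}
    return [(k, n, d, classify((k, n, d), baseline_norm)) for k, n, d in parse_reg_export(export_text)]


if __name__ == "__main__":
    for key, name, data, verdict in audit_run_keys(SAMPLE_REG_EXPORT, BASELINE):
        print(f"{verdict:40} {key.split(chr(92))[0]} {name}: {data}")
```

The same classifier applies unchanged to a listing of Startup folder shortcuts once each shortcut's target command line is resolved. Note that OneDrive legitimately runs from AppData, which is why the baseline is checked before the path heuristic: a "user-writable path" rule alone would generate a review item on every workstation.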
Analyst notes and limits
The supplied ATT&CK object identifies Mispadu as a Delphi Windows banking trojan first observed in 2019, operated and sold by Malteiro under a MaaS model, with reported targeting mainly in Brazil and Mexico and confirmed operations across Latin America and Europe. The most useful defensive value comes from the ATT&CK relationships to techniques rather than from a malware-specific detection write-up, which is not provided.
No official detection text, aliases, labels, or explicit malware-level tactics are supplied. This take does not assert current activity, customer exposure, or guaranteed detection. Local validation is required to determine whether the organization collects the telemetry needed for the related ATT&CK techniques.
Mispadu
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Mispadu decrypts its encrypted configuration files prior to execution [SCILabs Malteiro 2021; ESET Security Mispadu Facebook Ads 2019]. |
| Enterprise | T1555.003 | Credentials from Web Browsers (sub-technique) | Mispadu can steal credentials from Google Chrome [SCILabs Malteiro 2021; ESET Security Mispadu Facebook Ads 2019; Metabase Q Mispadu Trojan 2023]. |
| Enterprise | T1113 | Screen Capture | Mispadu has the ability to capture screenshots on compromised hosts [SCILabs Malteiro 2021; SCILabs URSA/Mispadu Evolution 2023; ESET Security Mispadu Facebook Ads 2019; Metabase Q Mispadu Trojan 2023]. |
| Enterprise | T1218.007 | Msiexec (sub-technique) | Mispadu has been installed via MSI installer [SCILabs Malteiro 2021; ESET Security Mispadu Facebook Ads 2019]. |
| Enterprise | T1614.001 | System Language Discovery (sub-technique) | Mispadu checks the compromised system's language ID and terminates execution if it is not Spanish or Portuguese [Segurança Informática URSA Sophisticated Loader 2020; SCILabs Malteiro 2021]. |
| Enterprise | T1176.001 | Browser Extensions (sub-technique) | Mispadu utilizes malicious Google Chrome browser extensions to steal financial data [ESET Security Mispadu Facebook Ads 2019]. |
| Enterprise | T1217 | Browser Information Discovery | Mispadu can monitor browser activity for online banking actions and display full-screen overlay images to block user access to the intended site or present additional data fields [Segurança Informática URSA Sophisticated Loader 2020; SCILabs Malteiro 2021]. |
| Enterprise | T1566.002 | Spearphishing Link (sub-technique) | Mispadu has been spread via malicious links embedded in emails [SCILabs Malteiro 2021]. |
| Enterprise | T1082 | System Information Discovery | Mispadu collects the OS version, computer name, and language ID [ESET Security Mispadu Facebook Ads 2019]. |
| Enterprise | T1204.002 | Malicious File (sub-technique) | Mispadu has relied on users to execute malicious files in order to gain execution on victim machines [ESET Security Mispadu Facebook Ads 2019; Metabase Q Mispadu Trojan 2023; SCILabs Malteiro 2021]. |
| Enterprise | T1106 | Native API | Mispadu has used a variety of Windows API calls, including ShellExecute and WriteProcessMemory [Segurança Informática URSA Sophisticated Loader 2020; SCILabs Malteiro 2021]. |
| Enterprise | T1218.011 | Rundll32 (sub-technique) | Mispadu uses RunDLL32 for execution via its injector DLL [ESET Security Mispadu Facebook Ads 2019]. |
| Enterprise | T1056.001 | Keylogging (sub-technique) | Mispadu can log keystrokes on the victim's machine [ESET Security Mispadu Facebook Ads 2019; Metabase Q Mispadu Trojan 2023; SCILabs URSA/Mispadu Evolution 2023]. |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique) | |
| Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique) | Mispadu uses a custom algorithm to obfuscate its internal strings and uses hardcoded keys [ESET Security Mispadu Facebook Ads 2019]. Mispadu also uses encoded configuration files and has encoded payloads using Base64 [ESET Security Mispadu Facebook Ads 2019; SCILabs Malteiro 2021; SCILabs Malteiro Threat Overlap 2023]. |
| Enterprise | T1055 | Process Injection | Mispadu's binary is injected into memory via `WriteProcessMemory` [Segurança Informática URSA Sophisticated Loader 2020; SCILabs Malteiro 2021]. |
| Enterprise | T1518.001 | Security Software Discovery (sub-technique) | Mispadu can list installed security products in the victim's environment [ESET Security Mispadu Facebook Ads 2019; Metabase Q Mispadu Trojan 2023]. |
| Enterprise | T1056.002 | GUI Input Capture (sub-technique) | Mispadu can monitor browser activity for online banking actions and display full-screen overlay images to block user access to the intended site or present additional data fields [Segurança Informática URSA Sophisticated Loader 2020; SCILabs Malteiro 2021]. |
| Enterprise | T1057 | Process Discovery | Mispadu can enumerate the running processes on a compromised host [ESET Security Mispadu Facebook Ads 2019]. |
| Enterprise | T1497.001 | System Checks (sub-technique) | Mispadu can run checks to verify whether it is running within a virtualized environment, including Hyper-V, VirtualBox, or VMware, and will terminate execution if the computer name is "JOHN-PC" [ESET Security Mispadu Facebook Ads 2019; SCILabs Malteiro 2021]. |
| Enterprise | T1083 | File and Directory Discovery | Mispadu searches for various filesystem paths to determine what banking applications are installed on the victim's machine [ESET Security Mispadu Facebook Ads 2019]. |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Mispadu can send the collected financial data to the C2 server [ESET Security Mispadu Facebook Ads 2019; SCILabs Malteiro 2021]. |
| Enterprise | T1573.002 | Asymmetric Cryptography (sub-technique) | Mispadu contains a copy of the OpenSSL library to encrypt C2 traffic [Segurança Informática URSA Sophisticated Loader 2020]. |
| Enterprise | T1115 | Clipboard Data | Mispadu has the ability to capture and replace Bitcoin wallet data in the clipboard on a compromised host [ESET Security Mispadu Facebook Ads 2019]. |
| Enterprise | T1555 | Credentials from Password Stores | Mispadu has obtained credentials from mail clients via NirSoft MailPassView [SCILabs Malteiro 2021; Segurança Informática URSA Sophisticated Loader 2020; ESET Security Mispadu Facebook Ads 2019]. |
| Enterprise | T1059.005 | Visual Basic (sub-technique) | Mispadu's dropper uses VBS files to install payloads and perform execution [SCILabs Malteiro 2021; ESET Security Mispadu Facebook Ads 2019]. |
Groups, software, and campaigns
G1026: Malteiro
Malteiro is a financially motivated criminal group that is likely based in Brazil and has been active since at least November 2019. The group operates and distributes the Mispadu banking trojan via a Malware-as-a-Service (MaaS) business model. Malteiro mainly targets victims throughout Latin America (particularly Mexico) and Europe (particularly Spain and Portugal).[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 5d74ee1f3461… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ESET Security Mispadu Facebook Ads 2019: ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024.
[2] SCILabs Malteiro 2021: SCILabs. (2021, December 23). Cyber Threat Profile Malteiro. Retrieved March 13, 2024.
[3] SCILabs URSA/Mispadu Evolution 2023: SCILabs. (2023, May 23). Evolution of banking trojan URSA/Mispadu. Retrieved March 13, 2024.
[4] Segurança Informática URSA Sophisticated Loader 2020: Pedro Tavares (Segurança Informática). (2020, September 15). Threat analysis: The emergent URSA trojan impacts many countries using a sophisticated loader. Retrieved March 13, 2024.
[5] mitre-attack S1122
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.