Mispadu is a long-standing Latin American banking Trojan, active since 2019, that is now delivered primarily through phishing emails whose password-protected PDF attachments (or, less often, HTA attachments) start a dynamically generated HTA→JS→VBS download chain; the final payload is a compiled AutoIT script run by a legitimate AutoIT interpreter to evade detection. The single threat group behind Mispadu (tracked as TA2725, Malteiro and Manipulated Caiman) has added self-propagation via Outlook contacts, geofencing, advanced obfuscation and credential theft, while targeting mainly Latin American countries such as Mexico and Brazil. #Mispadu #TA2725
Keypoints
- Mispadu is the top Latin American banking Trojan observed by Cofense, targeting primarily Mexico, Brazil and Argentina (Spanish- and Portuguese-speaking victims) with some European victims.
- Current campaigns use attached PDFs or HTA files that initiate a dynamically generated chain (HTA → JavaScript → VBS) that ultimately runs a compiled AutoIT loader and Mispadu payload.
- The threat group behind Mispadu is tracked under multiple names (TA2725, Malteiro, Manipulated Caiman) and appears to be a single organized operator, rather than Mispadu being a malware family shared broadly among actors.
- Recent builder improvements include extensive anti-analysis, obfuscated scripts, geofenced payload downloads, password-protected attachments, dynamically generated payloads, and use of legitimate binaries/DLLs to frustrate EDR.
- Mispadu harvests stored credentials with Nirsoft tools, injects its code and those tools into the legitimate attrib.exe process, and can self-propagate by sending templated emails to the Outlook contacts found on compromised hosts.
- Delivery statistics through March 2025 show that campaigns starting from a PDF or HTA attachment account for 64% combined, with PDF-first chains the most common, and the HTA→JS dropper→VBS→Mispadu chain appears in the majority of campaigns.
MITRE Techniques
- [T1566.001 ] Spearphishing Attachment – Phishing emails deliver attachments that begin the infection chain. Quote relevant content: (‘…attached PDFs that lead to a chain of scripts before Mispadu is run using legitimate files.’)
- [T1204.002 ] User Execution: Malicious File – Victims open password-protected PDFs or HTA files which initiate the malicious downloader chain. Quote relevant content: (‘…the URL delivering the HTA files is embedded in an attached, password-protected PDF rather than embedded in the email itself.’)
- [T1059 ] Command and Scripting Interpreter – Execution of dynamically generated HTA/JavaScript/VBS and compiled AutoIT scripts to download and run payloads (sub-techniques T1059.007 JavaScript, T1059.005 Visual Basic and T1059.010 AutoHotKey & AutoIT). Quote relevant content: (‘…a dynamically generated HTA file, which downloads a dynamically generated JavaScript, which finally downloads a dynamically generated VBS file.’)
- [T1027 ] Obfuscated Files or Information – Use of obfuscation, dynamically generated payloads, and encoded configurations to hinder analysis. Quote relevant content: (‘…extensive anti-analysis techniques, obfuscated scripts, geofenced payload downloads, password-protected attachments, dynamically generated payloads…’)
- [T1055 ] Process Injection – Malicious code and tools are injected into a legitimate process (attrib.exe) to execute stealthily. Quote relevant content: (‘…malicious code and legitimate Nirsoft binaries are injected into the legitimate process attrib.exe.’)
- [T1218 ] System Binary Proxy Execution (formerly Signed Binary Proxy Execution) – Use of a legitimate AutoIT interpreter binary to run compiled AutoIT payloads, leveraging a trusted executable to evade controls. Because the AutoIT interpreter is a third-party rather than a Windows system binary, T1059.010 (AutoHotKey & AutoIT) is the tighter mapping for this step. Quote relevant content: (‘…delivered as a compiled AutoIT script and an associated encrypted file that is run using the legitimate AutoIT interpreter.’)
- [T1555 ] Credentials from Password Stores – Harvesting stored credentials from browsers, email clients, and FTP clients using Nirsoft utilities. Quote relevant content: (‘…use Nirsoft’s Web Browser Password Viewer and Email Password Recovery applications…’)
Indicators of Compromise
- [IP Address ] C2/config entries observed in Mispadu configuration – 140[.]82[.]18[.]85 and other C2 IPs referenced in dynamic configuration.
- [File Hash ] Reused AutoIT interpreter (legitimate binary) MD5 – 0adb9b817f1df7807576c2d7068dd931 (used across many campaigns). This is the hash of a legitimate, widely distributed binary, so it should be used for hunting and corroboration (interpreter launched by a script host, or running from a user-writable path) rather than blocked outright.
- [File Name ] Injected process and interpreter – attrib.exe (process injected), AutoIT interpreter (used to run compiled script).
- [File Type/Extension ] Delivery chain artifacts – PDF (password-protected attachments), HTA, .js (JavaScript droppers), .vbs (VBScript droppers), compiled AutoIT executables.
- [Tool/Binary ] Credential theft/utilities – Nirsoft Web Browser Password Viewer, Nirsoft Email Password Recovery (used to harvest stored credentials).
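The Keypoints, MITRE mappings and IoCs above describe the infection as a sequence of process hand-offs: mshta.exe running the HTA, a script host (assumed here to be wscript.exe or cscript.exe) running the VBS, an AutoIT interpreter in a user-writable path running the compiled script, and attrib.exe as the injection target. Process-creation telemetry records exactly those hand-offs, so the following added example (not Cofense's code and not part of the original post) walks constructed Sysmon-style events and flags each link of the chain, using the interpreter MD5 from the IoC list only as corroboration rather than as a standalone indicator. The event field names, the user-writable path list and the sample records are assumptions; map them to your own EDR schema.

```python
"""Hunt for the Mispadu execution chain (mshta.exe -> wscript/cscript ->
AutoIT interpreter -> attrib.exe) in process-creation telemetry.

Added example, not Cofense's code.  Events are constructed below in a
Sysmon Event ID 1-like shape; the field names (guid, parent_guid, image,
cmdline, md5) are assumptions to be mapped onto your EDR's schema.
"""

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}

# MD5 of the reused AutoIT interpreter from the IoC list.  It is a legitimate,
# widely distributed binary, so the hash alone is not evidence of compromise.
AUTOIT_MD5 = "0adb9b817f1df7807576c2d7068dd931"

# Paths a standard user can write to (assumed list; extend for your estate).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def image_name(path):
    """Basename of an image path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_user_writable(path):
    return path.lower().startswith(USER_WRITABLE)


def looks_like_autoit(ev):
    """The interpreter is often renamed, so match on the known hash, the
    default image name, or a compiled-script (.a3x) argument."""
    return (
        ev.get("md5", "").lower() == AUTOIT_MD5
        or image_name(ev["image"]).startswith("autoit3")
        or ".a3x" in ev.get("cmdline", "").lower()
    )


def index(events):
    """Map process GUID -> event so parents can be resolved."""
    return {ev["guid"]: ev for ev in events}


def ancestry(by_guid, guid):
    """Root-first list of image names, for an analyst-readable process tree."""
    names = []
    while guid in by_guid:
        names.append(image_name(by_guid[guid]["image"]))
        guid = by_guid[guid].get("parent_guid")
    return list(reversed(names))


def hunt(events):
    """Return one finding per visible link of the chain, each with the GUID
    to pivot on.  A lone interpreter hash match never fires on its own."""
    by_guid = index(events)
    findings = []
    for ev in events:
        name = image_name(ev["image"])
        parent = by_guid.get(ev.get("parent_guid"))
        pname = image_name(parent["image"]) if parent else ""
        # Link 1: the HTA (run by mshta.exe) hands off to a VBS/JS script host.
        if name in {"wscript.exe", "cscript.exe"} and pname == "mshta.exe":
            findings.append({"rule": "hta_spawned_script_host", "guid": ev["guid"],
                             "severity": "medium",
                             "why": f"{name} launched by mshta.exe: {ev['cmdline']}"})
        # Link 2: the AutoIT interpreter, but only with suspicious context.
        if looks_like_autoit(ev):
            reasons = []
            if pname in SCRIPT_HOSTS:
                reasons.append(f"launched by script host {pname}")
            if is_user_writable(ev["image"]):
                reasons.append("interpreter runs from a user-writable path")
            if reasons:
                findings.append({"rule": "autoit_interpreter_suspicious", "guid": ev["guid"],
                                 "severity": "high" if len(reasons) == 2 else "medium",
                                 "why": "; ".join(reasons)})
        # Link 3: attrib.exe is the injection target and should never be a
        # child of an AutoIT interpreter.
        if name == "attrib.exe" and parent is not None and looks_like_autoit(parent):
            findings.append({"rule": "attrib_spawned_by_autoit", "guid": ev["guid"],
                             "severity": "high",
                             "why": f"attrib.exe spawned by {pname} (candidate injection host)"})
    return findings


# Constructed sample telemetry (not real campaign data): one infected tree
# under explorer.exe plus two benign siblings (F, G) that must NOT fire.
SAMPLE_EVENTS = [
    {"guid": "A", "parent_guid": None, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe", "md5": ""},
    {"guid": "B", "parent_guid": "A", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\victim\AppData\Local\Temp\factura.hta", "md5": ""},
    {"guid": "C", "parent_guid": "B", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe //E:vbscript C:\Users\victim\AppData\Local\Temp\a.vbs", "md5": ""},
    {"guid": "D", "parent_guid": "C", "image": r"C:\Users\victim\AppData\Roaming\upd\upd.exe",
     "cmdline": r"upd.exe C:\Users\victim\AppData\Roaming\upd\upd.a3x", "md5": AUTOIT_MD5},
    {"guid": "E", "parent_guid": "D", "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": "attrib.exe", "md5": ""},
    {"guid": "F", "parent_guid": "A", "image": r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
     "cmdline": r"AutoIt3.exe C:\tools\backup.au3", "md5": AUTOIT_MD5},
    {"guid": "G", "parent_guid": "A", "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r"attrib.exe +h C:\Users\victim\notes.txt", "md5": ""},
]

if __name__ == "__main__":
    by_guid = index(SAMPLE_EVENTS)
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']}: {f['why']}")
        print("    tree:", " -> ".join(ancestry(by_guid, f["guid"])))
```

Event F carries the same interpreter hash as the infected tree but is installed under Program Files and launched by the user's shell, so it produces no finding; that is the intended behaviour, since the hash belongs to a legitimate binary and only becomes interesting alongside a script-host parent or a user-writable path. The three findings for C, D and E each expose a different link of the chain, so a SOC can tune or suppress them independently.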
Read more: https://cofense.com/blog/mispadu-phishing-malware-baseline