Mispadu

Malware Profile Updated 3 months ago
Mispadu is malware that has been used to compromise and damage computer systems, typically infiltrating them through suspicious downloads, emails, or websites. It was first uncovered by ESET in 2019, which detailed its theft of money and credentials from Spanish- and Portuguese-speaking victims. The malware identifies the victim's Windows version, performs an HTTP/HTTPS check-in to a remote command-and-control server, and reads the victim's browser history via SQLite.

In recent developments, Mispadu has been implicated in a large-scale cyber attack across Latin America. In a series of spam campaigns ongoing since August, the malware, also known as URSA, has exfiltrated more than 90,000 bank account credentials across 17,500 websites in Mexico, Chile, Bolivia, Peru, and Portugal, according to reports from The Hacker News. These attacks were reported in March 2023 by SC Magazine and Infosecurity, which revealed that Mispadu had been used in 20 different spam campaigns targeting victims in these regions. Furthermore, there have been instances where Mispadu exploited a security flaw in Windows SmartScreen (CVE-2023-36025) to deliver other malware such as Phemedrone Stealer and DarkGate. This bypass flaw, which has since been patched, was used by threat actors to facilitate payload deployment. The last observation of Mispadu exploiting this vulnerability was made by Cisco Talos in September 2023.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Ursa | 1 | URSA is a harmful malware, typically delivered as an archive attachment to phishing emails. It operates as a backdoor into the infected system, enabling unauthorized access and exploitation. The malware has been particularly active in Latin America, where it's known as the Mispadu banking trojan. Si
Phemedrone Stealer | 1 | Phemedrone Stealer is a sophisticated malware that targets Windows Defender SmartScreen's vulnerability, CVE-2023-36025, for its defense evasion and infection chain. The malware campaign was uncovered by Trend Micro researchers who found it exploiting this vulnerability, despite the release of a sec
Darkgate | 1 | DarkGate is a malicious software (malware) that poses significant threats to computer systems and data. It infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold your data hos
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Trojan
Spam
Windows
Vulnerability
Malware
Antivirus
Ransomware
Phishing
Talos
Sqlite
Cisco
Cybercrime
Backdoor
Infostealer
Payload
Associated Malware
ID | Type | Votes | Profile Description
Grandoreiro | Unspecified | 1 | Grandoreiro is a malicious software (malware) that forms part of a Brazilian banking operation targeting banks worldwide. This malware, along with Guildma, Javali, and Melcoz, represents an expanding threat from Brazil that has begun to impact other countries. Grandoreiro infiltrates systems through
Javali | Unspecified | 1 | Javali is a multistage malware that has been active since November 2017, primarily targeting customers of financial institutions in Portuguese- and Spanish-speaking countries, with a particular focus on Brazil and Mexico. Part of a group of banking trojans including Guildma, Melcoz, and Grandoreiro,
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2023-36025 | Unspecified | 2 | CVE-2023-36025 is a significant vulnerability, representing a flaw in the design or implementation of Microsoft's Windows SmartScreen security feature. This vulnerability was discovered as one of three zero-days affecting Microsoft Windows and Server. The exploit begins with the execution of a malic
Source Document References
Information about the Mispadu malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 4 months ago | Malware Alert - Increasing Trend of DarkGate Malware Attacks Exploiting Microsoft Windows SmartScreen's Critical Vulnerability
CERT-EU | 4 months ago | CVE-2024-21412 Used in DarkGate Malware Campaigns
CERT-EU | a year ago | Linux SSH servers targeted by novel ShellBot malware variants
CERT-EU | a year ago | More than $1.6M stolen in General Bytes hack
CERT-EU | a year ago | Ukraine targeted by novel malware attacks
CERT-EU | 5 months ago | TimbreStealer Malware Targets Mexican Victims with Tax-Related Lures
BankInfoSecurity | 6 months ago | New Banking Trojan Exploits Patched Windows SmartScreen Flaw
DARKReading | 6 months ago | Fresh 'Mispadu Stealer' Variant Emerges
Unit42 | 6 months ago | Exploring the Latest Mispadu Stealer Variant
InfoSecurity-magazine | a year ago | Mispadu Trojan Steals 90,000+ Banking Credentials From Latin American Victims
CERT-EU | a year ago | Over 90K credentials stolen by Mispadu trojan in LatAm attacks