Threat Actor

Mispadu / URSA

mispadu · latin_america_brazilian_organized_cybercrime · active since 2019

Mispadu (canonical ESET naming per the November 2019 "Advertisement for a discounted Unhappy Meal" disclosure; also known as URSA per industry alternative naming and SCILabs Mexico canonical tracking) is a Brazilian-origin banking trojan and infostealer active since 2019, operated by the Malteiro cybercriminal group via a Malware-as-a-Service (MaaS) business model per the SCILabs Mexico canonical Cyber Threat Profile MALTEIRO (late 2021).

Brazilian-origin organized cybercrime attribution rests on ESET's canonical November 2019 first documentation ("ESET identifies Latin American banking trojan, Mispadu, targeting victims with malicious Facebook ads" + "Mispadu: Advertisement for a discounted Unhappy Meal"), the ESET Dirty Dozen canonical December 15, 2021 retrospective "The Dirty Dozen of Latin America: From Amavaldo to Zumanek", the Morphisec Labs canonical April 2025 European expansion disclosure, the SCILabs Mexico canonical Malteiro attribution, and the Trend Micro detection name TrojanSpy.Win32.MISPADU.THIADBO.

Standalone malware platform cluster paralleling javali + melcoz + casbaneiro in the v0.1.139 LATAM banking trojan operators cell expansion.

Operational target profile: Brazil + Mexico (Mexico primary post-2021 per the ESET telemetry shift: "Mispadu seems to have shifted its focus almost exclusively to Mexico, occasionally accompanied by Casbaneiro and Grandoreiro") + Spain + Portugal + Peru + Argentina, with European countries as a secondary 2024+ expansion (per Morphisec: finance + services + motor vehicle manufacturing + law firms + commercial facilities).

Operational attack architecture:

(1) Dual distribution via spam + Facebook malvertising. Per ESET: "two different distribution methods - spam and malvertising. While the former is common among Latin American banking trojans, the latter is quite rare".

(2) Cluster-defining Facebook sponsored advertisements with fake McDonald's discount coupons (hence the ESET title pun "Advertisement for a discounted Unhappy Meal"), distinctive among LATAM banking trojans.

(3) ZIP archive containing an MSI installer masquerading as the discount coupon download.

(4) 3-script chain post-MSI execution, resulting in Mispadu banking trojan download + execution.

(5) Cluster-defining use of 4 modified PUAs (potentially unwanted applications) for credential extraction ("The trojan uses four potentially unwanted applications, all modified copies of legitimate software, to extract the victim's stored credentials from web browsers and email clients" per ESET).

(6) Cluster-defining malicious "Protect your Chrome" Google Chrome extension for credit card + online banking + Boleto (Brazilian payment system) theft per ESET ("In Brazil, Mispadu has been seen also distributing an interesting, malicious Google Chrome extension. The extension claims to 'Protect your Chrome,' but instead it attempts to steal credit card and online banking data, and can even compromise Boleto, a popular payment system in Brazil that uses a barcode-based payment system").

(7) Cluster-defining Boleto targeting: compromise of the Brazilian-specific barcode-based payment system.

(8) Fake banking pop-up overlay credential capture (typical LATAM banking trojan tradecraft) + backdoor functionality + screenshots + mouse/keyboard simulation + keystroke capture.

(9) Bitcoin wallet clipboard replacement hijack, coherent with the v0.1.133 grandoreiro.yaml + Melcoz + Casbaneiro crypto theft tradecraft in this cluster cell.

(10) VBS-based update mechanism per PCRisk.

Malteiro cybercriminal group MaaS business model is a signature per SCILabs ("This malware originated in Brazil, and according to our investigations, the Malteiro cybercriminal group is operating, managing, and distributing the trojan using the Malware-as-a-Service (MaaS) business model").

Delphi programming language origin is a signature typical of the LATAM banking trojan codebase. The 2024+ European expansion is per Morphisec Labs' April 2025 "Breaking Boundaries: Mispadu's Infiltration Beyond LATAM": "Initially concentrated on LATAM countries and Spanish-speaking individuals, Mispadu has broadened its scope in the latest campaign... now targeting diverse regions, including European countries... Despite the geographic expansion, Mexico remains the primary target". The cluster fills the Facebook-malvertising + Malteiro-MaaS + Chrome-extension + Boleto-payment-targeting + European-expansion position in the Latin American banking trojan operators cell.

It is the canonical illustration of Facebook malvertising tradecraft, the Malteiro MaaS cybercriminal group, a malicious Chrome extension, and Brazilian Boleto payment system targeting, cited in essentially all subsequent Latin American banking trojan + infostealer industry analyses through the 2019-2026 period.

latin_america_brazilian_organized_cybercrime · confidence: high · 13 aliases
Sigma rules: 200 · YARA rules: 0 · Live IOCs: 0 · CVEs exploited: 0

Profile

Mispadu (canonical ESET naming per the November 2019 "Advertisement for a discounted Unhappy Meal" disclosure; also known as URSA per industry alternative naming and SCILabs Mexico canonical tracking) is a Brazilian-origin banking trojan + infostealer active since 2019, operated by the Malteiro cybercriminal group via a Malware-as-a-Service (MaaS) business model per SCILabs. Brazilian-origin organized cybercrime attribution via ESET canonical November 2019 first documentation + SCILabs Mexico canonical Malteiro attribution + ESET Dirty Dozen canonical December 2021 retrospective + Morphisec Labs canonical April 2025 European expansion disclosure. Standalone malware platform cluster paralleling javali + melcoz + casbaneiro in the v0.1.139 LATAM banking trojan operators cell expansion.

Operational target profile
  • Brazil + Mexico + Spain + Portugal primary 2019-2021 targets.
  • Mexico-focus shift per ESET 2021 telemetry ("almost exclusively to Mexico").
  • European countries secondary expansion per Morphisec April 2025.
  • Spanish + Portuguese system languages targeted per Trend Micro.

Operational attack architecture
  (1) Spam + Facebook malvertising distribution (cluster-defining): dual distribution methods. Spam is common among LATAM banking trojans, but Facebook malvertising is distinctive per ESET.
  (2) Facebook sponsored advertisements with fake McDonald's discount coupons (cluster-defining): per ESET, "The threat actor behind Mispadu places sponsored advertisements on Facebook that offer fake discount coupons for McDonald's."
  (3) ZIP archive containing MSI installer (signature): masquerades as the discount coupon.
  (4) 3-script chain post-MSI execution (signature): results in Mispadu banking trojan download + execution.
  (5) 4 modified PUAs (potentially unwanted applications) for credential extraction (cluster-defining): extract the victim's stored credentials from web browsers + email clients.
  (6) Malicious Google Chrome extension "Protect your Chrome" (cluster-defining): steals credit card + online banking data; Boleto Brazilian payment system compromise.
  (7) Boleto Brazilian payment system targeting (cluster-defining): Brazilian-specific barcode-based payment system compromise.
  (8) Fake banking pop-up overlay credential capture (signature): typical LATAM banking trojan tradecraft.
  (9) Bitcoin wallet clipboard replacement hijack (signature): cryptocurrency wallet theft.
  (10) VBS-based update mechanism (signature): malware updates downloaded + executed via Visual Basic Script.

Signature operational tradecraft
  • Facebook malvertising via fake McDonald's discount coupons (cluster-defining): distinctive among LATAM banking trojans.
  • Malicious "Protect your Chrome" Chrome extension (cluster-defining): distinctive credit card + Boleto theft vector.
  • Boleto Brazilian payment system targeting (cluster-defining): Brazilian-specific payment compromise.
  • Malteiro cybercriminal group MaaS business model (signature): organized cybercrime operation per SCILabs.
  • Delphi programming language origin (signature): typical LATAM banking trojan codebase.
  • European expansion post-2024 (signature): per Morphisec, finance + services + motor vehicle manufacturing + law firms targets.
  • Mexico-focus shift per ESET 2021 telemetry (signature): distinctive among LATAM banking trojans.

The cluster fills the Facebook-malvertising + Malteiro-MaaS + Chrome-extension + Boleto-payment-targeting + European-expansion position in the Latin American banking trojan operators cell.

Aliases (13)
  • mispadu
  • ursa
  • mispadu ursa
  • mispadu_banking_trojan
  • mispadu_malware
  • mispadu ursa malteiro maas operations
  • trojanspy.win32.mispadu
  • trojanspy_win32_mispadu_thiadbo
  • mispadu facebook malvertising mcdonalds
  • mispadu brazil mexico spain portugal banking trojan
  • mispadu ursa delphi banking trojan
  • mispadu eset dirty dozen latin america
  • mispadu boleto brazilian payment system targeting

Notable Campaigns (8)
  • 2025: Morphisec Canonical April 2025 European Expansion Disclosure
  • 2021: SCILabs Cyber Threat Profile MALTEIRO (Late 2021)
  • 2021: ESET Dirty Dozen Canonical Retrospective, Mispadu Mexico Shift (December 15, 2021)
  • 2019-2026: Continued Industry Reference Status (2019-2026)
  • 2019-2020: Mispadu Malicious Chrome Extension + Boleto Targeting Signature
  • 2019: Mispadu Origin, Brazil + Mexico (2019)
  • 2019: ESET Canonical First Disclosure (November 2019)
  • 2019: Mispadu Facebook Malvertising Signature (2019)

Attribution & Reporting

Key reporting
  • ESET WeLiveSecurity: Mispadu, Advertisement for a discounted Unhappy Meal (November 2019), canonical first documentation
  • ESET (canonical November 2019 press release): ESET identifies Latin American banking trojan, Mispadu, targeting victims with malicious Facebook ads
  • ESET WeLiveSecurity: The Dirty Dozen of Latin America, From Amavaldo to Zumanek (December 15, 2021), canonical retrospective with Mispadu Mexico shift
  • SCILabs Mexico: Cyber Threat Profile MALTEIRO (late 2021) + Evolution of banking trojan URSA/Mispadu (2023), canonical Malteiro MaaS attribution
  • Morphisec Labs: Breaking Boundaries, Mispadu's Infiltration Beyond LATAM (April 2025), canonical European expansion disclosure
  • Trend Micro Research: Mispadu Banking Trojan Resurfaces (TrojanSpy.Win32.MISPADU.THIADBO detection)
  • PCRisk: Mispadu Trojan analysis
  • Pedro Tavares (Seguranca Informatica + Tempest): Twitter disclosure + analysis
  • Malpedia Software Profile: Mispadu

Operational

State sponsor

Brazilian-origin organized cybercrime: SCILabs Mexico canonical attribution to the Malteiro cybercriminal group operating Mispadu/URSA via a Malware-as-a-Service (MaaS) business model. Operationally separate from state-sponsored APT activity.

Attribution chain:

(1) ESET canonical November 2019 first documentation: ESET WeLiveSecurity published "ESET identifies Latin American banking trojan, Mispadu, targeting victims with malicious Facebook ads" + "Mispadu: Advertisement for a discounted Unhappy Meal" as the canonical disclosure. Per ESET: "ESET continues its research into Latin American banking trojans with the identification of another previously unknown malware family, Mispadu. Similar to the Amavaldo and Casbaneiro malware families recently described by ESET, Mispadu is written in Delphi and targets victims through the use of fake pop-up windows trying to persuade potential victims to share their personal details and credentials."

(2) SCILabs Mexico canonical 2021 Malteiro attribution + Cyber Threat Profile MALTEIRO. Per SCILabs: "This malware originated in Brazil, and according to our investigations, the Malteiro cybercriminal group is operating, managing, and distributing the trojan using the Malware-as-a-Service (MaaS) business model. Ursa/Mispadu is developed in Delphi programming language."

(3) ESET Dirty Dozen canonical December 15, 2021 retrospective: per ESET WeLiveSecurity "The Dirty Dozen of Latin America: From Amavaldo to Zumanek", Mispadu is among the 9 actively covered LATAM banking trojans (Amavaldo + Casbaneiro + Mispadu + Guildma + Grandoreiro + Mekotio + Vadokrist + Ousaban + Numando). Per ESET 2021 telemetry: "Mispadu seems to have shifted its focus almost exclusively to Mexico, occasionally accompanied by Casbaneiro and Grandoreiro."

(4) Morphisec Labs canonical April 2025 European expansion disclosure: per the Morphisec blog "Breaking Boundaries: Mispadu's Infiltration Beyond LATAM": "Recently, Morphisec Labs identified a significant increase in activity linked to Mispadu (also known as URSA), a banking trojan first flagged by ESET in 2019. Initially concentrated on LATAM countries and Spanish-speaking individuals, Mispadu has broadened its scope in the latest campaign. Mispadu is a highly active banking trojan and Infostealer, now targeting diverse regions, including European countries... Despite the geographic expansion, Mexico remains the primary target."

(5) Trend Micro canonical industry coverage: Trend Micro detection TrojanSpy.Win32.MISPADU.THIADBO. Per Trend Micro: "Mispadu malware steals credentials from users' systems. This attack targets systems with Spanish and Portuguese as system languages."

Operational mission objective: banking credential theft + infostealer + credit card theft + Boleto Brazilian payment system compromise + Bitcoin wallet clipboard hijack. Per ESET: "The Mispadu banking trojan, which primarily targets Brazil and Mexico, contains backdoor functionality, can take screenshots, simulates mouse and keyboard actions, and captures keystrokes."

Operational target profile
  • Brazil + Mexico + Spain + Portugal primary targets per ESET 2019-2021 tracking.
  • European countries secondary expansion per Morphisec April 2025.
  • Mexico-focus shift per ESET 2021 telemetry (almost exclusively Mexico in 2021).
  • Finance + services + motor vehicle manufacturing + law firms + other commercial facilities per Morphisec 2025 industry coverage.

The cluster fills the Facebook-malvertising + Malteiro-MaaS + Chrome-extension + Boleto-payment-system-targeting position in the Latin American banking trojan operators cell.
Motivations
banking_credential_theft_brazil_mexico_spain_portugal_targeting, facebook_malvertising_mcdonalds_discount_coupon_tradecraft, malteiro_cybercriminal_group_maas_business_model_operations, infostealer_dual_capability_banking_credentials_plus_browser_email_credentials, malicious_chrome_extension_credit_card_boleto_theft_capability, bitcoin_wallet_clipboard_hijack_cryptocurrency_theft, 2025_european_expansion_geographic_scope_broadening

Detection Blind Spots

60 techniques
Across this actor's 60 mapped techniques, the share covered by each detection layer. Low bars are where you'd be blind if this actor targeted you.
  • Behavioral / log (Sigma): 57/60 · 95%
  • Analytics (MITRE CAR): 25/60 · 41%
  • Runtime / container (Falco): 7/60 · 11%
  • File / malware (YARA): 0/60 · 0%
  • Network (Suricata/Snort): 16/60 · 26%
  • Vuln scan (Nuclei): 0/60 · 0%

Atomic Test Plan

30 techniques
Runnable Atomic Red Team tests covering this actor's mapped techniques, to validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

0 mapped
Other tooling / TTPs (curation, not ATT&CK-mapped):
  • MALTEIRO CYBERCRIMINAL GROUP MAAS BUSINESS MODEL
  • MISPADU URSA DELPHI BANKING TROJAN + INFOSTEALER DUAL CAPABILITY
  • MISPADU MALWARE
  • MORPHISEC BREAKING BOUNDARIES EUROPEAN EXPANSION 2025
  • SPAM EMAIL CAMPAIGN DISTRIBUTION
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin