Malteiro (G1026) Threat Profile: Mispadu MaaS and Latin American Banking Threats
- Suspected Origin
- Brazil
- Motivation
- Financial Gain
- Aliases
- None documented
- Target Sectors
- Financial, Food, Communication, Health, Retail, Manufacturing, Service, Government, Unspecified
- Associated Malware
- Mispadu (URSA), NirSoft WebBrowserPassView, NirSoft MailPassView, AutoIT v3
Overview
Malteiro, tracked as G1026, is a financially motivated criminal group believed to originate from Brazil, operating since at least November 2019. This group distinguishes itself through the operation and distribution of the Mispadu banking trojan via a Malware-as-a-Service (MaaS) business model. This MaaS approach amplifies Malteiro’s reach and impact, as other threat actors can rent or purchase access to their infrastructure and malware, making the group and its associated campaigns more difficult to disrupt effectively. Mispadu is also known by the alias URSA. Other monikers used to track this group include TA2725 and Manipulated Caiman.
Initially, Malteiro’s primary focus was on victims in Latin America, particularly Mexico and Brazil, and Europe, specifically Spain and Portugal. However, since 2022, the group has demonstrably expanded its target geography to include Central America and additional European countries, indicating a growing scope of operations. Malteiro targets organizations across a wide variety of sectors, including financial, food, communication, health, retail, manufacturing, service, and government industries, with the ultimate goal of financial theft.
Tactics & Techniques
Malteiro employs a diverse and evolving set of tactics, techniques, and procedures (TTPs) designed to gain initial access, maintain persistence, evade defenses, and ultimately achieve financial objectives.
Initial Access (T1566.001 - Phishing: Spearphishing Attachment): The group predominantly relies on phishing as its initial entry vector. Campaigns often involve spam emails crafted to create a sense of urgency, using lures such as fake overdue invoices, rejected refund requests from tax authorities, payment confirmations, or enticing fake discount coupons. These emails typically contain malicious attachments, often .zip files embedding malicious URLs, or various dropper formats like LNK files, BAT files, EXE files, or MSI files with embedded VBScripts.
Execution (T1204.002 - User Execution, T1059.005 - Command and Scripting Interpreter: Visual Basic): Malteiro’s attack chain necessitates user interaction to execute the malicious files. The group consistently uses AutoIT v3 as a core execution mechanism throughout its campaigns. Early campaigns frequently utilized VBScript (VBS) droppers, with later iterations introducing SMB-hosted JSE files as a second-stage dropper. Mispadu’s DLL is eventually injected into a running process using RunDLL32.
Persistence (T1547.001 - Registry Run Keys / Startup Folder): To maintain access to compromised systems, Malteiro establishes persistence by creating entries in the Windows Registry Run keys and placing links within the Windows startup folder.
Defense Evasion (T1027.013 - Obfuscated Files or Information: Encrypted/Encoded File, T1140 - Deobfuscate/Decode Files or Information, T1518.001 - Software Discovery: Security Software Discovery): The group employs several techniques to avoid detection and analysis. They deobfuscate downloaded files prior to execution and commonly use scripts encoded in Base64 certificates for malware distribution. Malteiro’s malware actively collects information about installed antivirus software on victim machines. A notable evasion tactic includes a geographic filter: Mispadu’s infection process will terminate if the victim machine’s language is not Spanish or Portuguese. Additionally, the malware performs checks for virtualized environments (e.g., Hyper-V, VirtualBox, VMWare) and will cease execution if it detects a specific computer name, “JOHN-PC,” often associated with analysis sandboxes. Some dropper stages feature fake CAPTCHA validation to thwart automated analysis.
Credential Access (T1555 - Credentials from Password Stores): A primary objective is credential theft. Malteiro utilizes legitimate tools like NirSoft WebBrowserPassView to steal credentials stored in web browsers and NirSoft MailPassView to extract credentials from mail clients. Mispadu itself is capable of stealing credentials directly from Google Chrome.
Discovery (T1082 - System Information Discovery): Prior to full infection, the malware gathers extensive system information, including the operating system version, computer name, system architecture, Windows product name, and language ID. It also enumerates running processes and searches for installed banking applications on the victim’s machine.
Collection (T1056.001 - Keylogging, T1113 - Screen Capture): Mispadu is equipped with capabilities to log keystrokes and capture screenshots of the compromised host, allowing attackers to gather sensitive information visually and interactively.
Command and Control (T1071.001 - Application Layer Protocol: Web Protocols): Mispadu uses the OpenSSL library to encrypt its command and control (C2) traffic, securing communication with the attackers. Collected financial data is then exfiltrated to the C2 server.
Impact (T1657 - Financial Theft): The ultimate impact sought by Malteiro is financial gain through various means. The banking trojan creates apocryphal (fake) banking windows that overlay legitimate browser interfaces when victims attempt to access banking portals, tricking them into divulging credentials. Mispadu can also tamper with the clipboard contents, specifically replacing Bitcoin wallet addresses to redirect cryptocurrency transactions, and provides the attackers with full remote control over the victim’s mouse and keyboard.
Notable Campaigns
Malteiro has been consistently active since its emergence in late 2019, continuously refining its TTPs.
- February 2024 CVE Exploitation: A significant development in February 2024 saw a new variant of Mispadu actively exploiting CVE-2023-36025, a Windows SmartScreen bypass vulnerability. This was notable as Microsoft had only patched the vulnerability in November 2023, demonstrating Malteiro’s rapid weaponization capabilities and highlighting the shrinking window between patch release and exploitation. This specific campaign primarily targeted users in Mexico.
- May 2023 Dropper Evolution: In May 2023, Malteiro introduced a new technique, utilizing JSE files hosted on public SMB file servers as a second-stage dropper in their infection chains. This exemplifies their continuous experimentation with infrastructure and delivery methods.
- Social Engineering Sophistication: The group has shown increasing sophistication in its social engineering tactics, including the use of compromised Business Email Compromise (BEC) accounts for distributing phishing campaigns.
- Ongoing Development: Even as late as the end of 2025, IBM X-Force documented further changes in Mispadu’s C2 encoding, indicating active and continuous development of the malware’s communication protocols.
- Credential Volume: Documented campaigns attributed to Malteiro have collectively stolen over 90,000 credentials across eight countries.
Associated Malware & Tools
Malteiro’s operations revolve around its primary malware, Mispadu, complemented by the use of legitimate tools for credential harvesting.
- Mispadu (S1122) / URSA: This is the flagship banking trojan of the Malteiro group, written in Delphi. It serves as the core of their MaaS offering. Mispadu’s functionalities include performing remote overlay attacks to trick users into revealing banking credentials, capturing screenshots, logging keystrokes, stealing credentials from browsers and email clients, replacing Bitcoin wallet addresses in the clipboard, and granting remote control over the victim’s system.
- NirSoft WebBrowserPassView: A legitimate utility abused by Malteiro to extract stored passwords from various web browsers on compromised systems.
- NirSoft MailPassView: Another legitimate NirSoft tool leveraged by the group to retrieve passwords from email clients. Security professionals often recommend blocking NirSoft tools at the application level due to their frequent misuse in malicious contexts.
- AutoIT v3: A scripting language and associated runtime used extensively by Malteiro as a foundational execution mechanism for their droppers and loaders within the infection chain.
- OpenSSL library: Integrated into Mispadu to provide encryption for its command and control (C2) communications, enhancing the stealth and security of exfiltrated data.
- Various Dropper/Loader Formats: Malteiro employs a range of file types in its initial infection stages, including malicious VBS scripts, LNK files, BAT files, self-extracting EXE files (sometimes with fake CAPTCHA validation), MSI installers with embedded VBScript, and JSE files. These are typically multi-stage, highly obfuscated payloads.
Current Status
Malteiro remains an active and continuously evolving threat actor. Reports as of February 2026 indicate consistent weekly campaigns distributing Mispadu, successfully bypassing secure email gateways. The group demonstrates a commitment to ongoing development, as evidenced by its rapid exploitation of new vulnerabilities, such as CVE-2023-36025, and continuous modifications to Mispadu’s C2 communication protocols. The Malware-as-a-Service model ensures that Mispadu campaigns persist even if specific operators or infrastructures are targeted, making Malteiro a resilient and enduring threat. Their expanding geographical focus signals an increasing risk beyond their historical primary targets.
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call