{
	"id": "6bd19c23-6ea6-4599-a894-106943d32747",
	"created_at": "2026-04-06T02:11:33.084348Z",
	"updated_at": "2026-04-10T03:19:57.845687Z",
	"deleted_at": null,
	"sha1_hash": "b6dcfbecf26af23ad8dec83169ed60d290a56154",
	"title": "Mispadu Banking Trojan Resurfaces",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 259285,
	"plain_text": "Mispadu Banking Trojan Resurfaces\r\nArchived: 2026-04-06 01:29:33 UTC\r\nAdditional insights and analysis by Don Ladores and Raphael Centeno\r\nRecent spam campaigns delivering the URSA/Mispadu banking trojan (detected by Trend Micro as TrojanSpy.Win32.MISPADU.THIADBO) have been uncovered, as reported by malware analyst Pedro Tavares in a Twitter post and by Seguranca Informatica in a blog post. Mispadu steals credentials from users’ systems.\r\nThis attack targets systems whose system language is Spanish or Portuguese. The attackers likely have targets similar to those of previous Mispadu campaigns, which hit users in Mexico, Spain, Portugal, and other nearby regions. This behavior is in line with past Mispadu schemes, such as the one where spam emails offering fake discount coupons were used as bait.\r\nAnalysis of the campaigns\r\nIn this case, Mispadu’s entry vector is spam, as in past campaigns involving the malware. By sending messages that refer to overdue invoices, the attackers create a seemingly urgent situation that persuades recipients to download a .zip file from malicious URLs.\r\nThe zip file contains an MSI (Microsoft Installer) file that carries a VBScript. The script is wrapped in three layers of obfuscation; once deobfuscated, it reveals the final VBScript, which executes an AutoIt loader/injector.\r\nThe final VBScript also retrieves the operating system version. If the script detects one of the following virtual environments, it terminates its execution:\r\nHyper-V\r\nVirtualBox\r\nVMware\r\nIt also checks whether the system is using any of the following languages:\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/mispadu-banking-trojan-resurfaces\r\nPage 1 of 7\r\nLanguage: Language Code\r\nSpanish – Spain (Traditional): 1034\r\nPortuguese – Brazil: 1046\r\nSpanish – Mexico: 2058\r\nPortuguese – Portugal: 2070\r\nSpanish: 58378, 3082\r\nAs mentioned above, the attackers target users whose machines are set to one of these languages. If the system uses a language ID that is not on the list, the attack stops. It also terminates if the computer name is “JOHN-PC.”\r\nThe final VBScript then loads the AutoIt file, which loads the final payload into memory: a Delphi binary containing the trojan code and processes. The Delphi binary displays a banking overlay in the browser that steals the victim’s data, using the names and logos of legitimate banks.\r\nFigures 1-2. Fake banking overlays using logos of legitimate banks\r\nThe binary also bundles two legitimate NirSoft tools, WebBrowserPassView and Mail PassView, which can collect users’ data.\r\nDelving deeper into related attacks, we analyzed indicators of compromise (IOCs) shared in a Twitter post by CronUp Red Team and Threat Intelligence Leader Germán Fernández. The tweet shared information such as open-directory logs supposedly used by the malware. Using this information, we were able to analyze related malicious files and identify possible exfiltration sites (URLs) from the samples. This list is featured in the IOC section. Behavior-wise, the results of our analysis echo Tavares’ findings.\r\nBanking on protection against spam\r\nAs institutions that directly handle finances, banks are attractive targets for cybercriminals after monetary gain. Trojans are one of the tools threat actors use to steal from users of banking systems, and spam is one of the ways they are propagated.\r\nTo avoid compromise through malicious emails, the following steps are recommended:\r\nNever open links or download attachments from emails from untrusted sources.\r\nCheck whether the sender’s email address is spoofed.\r\nInspect the email for grammatical errors or misspelled words, which are common in spam emails.\r\nContact the companies that supposedly sent the emails to verify that the messages came from them.\r\nHere are some recommended security solutions for protecting yourself from spam:\r\nTrend Micro™ Email Security – protects systems against spam, phishing, Business Email Compromise (BEC), and other email threats.\r\nTrend Micro™ Deep Discovery™ Email Inspector – has an optimal gateway module that filters inbound messages based on senders, spam and phishing filters, and content.\r\nIndicators of Compromise\r\nURLs\r\nSHA-256 – Trend Micro Pattern Detection",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/mispadu-banking-trojan-resurfaces"
	],
	"report_names": [
		"mispadu-banking-trojan-resurfaces"
	],
	"threat_actors": [],
	"ts_created_at": 1775441493,
	"ts_updated_at": 1775791197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b6dcfbecf26af23ad8dec83169ed60d290a56154.pdf",
		"text": "https://archive.orkl.eu/b6dcfbecf26af23ad8dec83169ed60d290a56154.txt",
		"img": "https://archive.orkl.eu/b6dcfbecf26af23ad8dec83169ed60d290a56154.jpg"
	}
}