{
	"id": "e60d98f4-271f-414c-8de7-c7c3510e7aba",
	"created_at": "2026-04-06T00:17:41.552077Z",
	"updated_at": "2026-04-10T03:21:01.641127Z",
	"deleted_at": null,
	"sha1_hash": "dc39620cb541d853dbaf4861644b760c7c870a8d",
	"title": "Mispadu: Advertisement for a discounted Unhappy Meal",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4726065,
	"plain_text": "Mispadu: Advertisement for a discounted Unhappy Meal\r\nBy ESET Research\r\nArchived: 2026-04-05 21:59:35 UTC\r\nIn this installment of our blog series, we will focus on Mispadu, an ambitious Latin American banking trojan that\r\nutilizes McDonald’s malvertising and extends its attack surface to web browsers.\r\nWe believe this malware family is targeting the general public. Its main goals are monetary and credential theft. In\r\nBrazil, we have seen it distributing a malicious Google Chrome extension that attempts to steal credit card data and\r\nonline banking data, and that compromises the Boleto payment system.\r\nCharacteristics\r\nMispadu is a malware family, identified during our research of Latin American banking trojans, that targets Brazil\r\nand Mexico. It is written in Delphi and attacks its victims using the same method as the families described earlier in\r\nthis series: by displaying fake pop-up windows and trying to persuade the potential victims to divulge sensitive\r\ninformation.\r\nFor its backdoor functionality, Mispadu can take screenshots, simulate mouse and keyboard actions, and capture\r\nkeystrokes. It can update itself via a Visual Basic Script (VBS) file that it downloads and executes.\r\nAs with the other Latin American banking trojans, Mispadu also collects information about its victims, namely:\r\nOS version\r\ncomputer name\r\nlanguage ID\r\nwhether Diebold Warsaw GAS Tecnologia (an application, popular in Brazil, to protect access to online\r\nbanking) is installed\r\nlist of installed common Latin American banking applications\r\nlist of installed security products\r\nAs in the cases of Amavaldo and Casbaneiro, Mispadu can also be identified by its use of a unique, custom\r\ncryptographic algorithm to obfuscate the strings in its code. This is used in all components, as well as to protect its\r\nconfiguration files and C\u0026C communications. 
Figure 1 illustrates the core code implementing this algorithm, and\r\nFigure 2 pseudocode for the algorithm.\r\nhttps://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/\r\nPage 1 of 18\n\nFigure 1. Core of Mispadu's algorithm for data decryption\r\ndef decrypt_string(data_enc, key):\r\n    # data_enc is the encrypted data as bytes (indexing yields integers); its first byte carries the seed, offset from 'A' (0x41)\r\n    seed = data_enc[0] - 0x41  # 'A'\r\n    data_dec = str()\r\n    # every plaintext character is encoded as a pair of bytes, each offset from 'A'\r\n    for i in range(1, len(data_enc), 2):\r\n        b1 = (data_enc[i] - 0x41) * 25\r\n        b2 = data_enc[i+1] - 0x41 - seed - key\r\n        data_dec += chr(b1 + b2)\r\n    return data_dec\r\nFigure 2. Pseudocode of Mispadu's algorithm for data decryption\r\nThe banking trojan executable comes with four potentially unwanted applications stored in its resource section.\r\nThese applications are all otherwise legitimate files from Nirsoft, but have been patched to run from the command\r\nline with no GUI. They are used by the malware to extract stored credentials from:\r\nbrowsers (Google Chrome, Mozilla Firefox, Internet Explorer), and\r\nemail clients (Microsoft Outlook, Mozilla Thunderbird, and Windows Live Mail, among others).\r\nMispadu also monitors the content of the clipboard and tries to replace potential bitcoin wallets with its own, as\r\nCasbaneiro did. However, from examining the attacker’s wallet (see Figure 3), it has not been very successful to\r\ndate.\r\nFigure 3. Bitcoin wallet used by the Mispadu operator\r\nDistribution\r\nMispadu employs two distribution methods: spam (see Figure 4) and malvertising. While the former method is very\r\ncommon for Latin American banking trojans, the latter is not, so let’s look at it more closely. Figure 5 shows how\r\nthe Mispadu attack unfolds.\r\nFigure 4. Examples of spam emails distributing Mispadu. 
The one targeting Brazil (left) claims the recipient has\r\nbeen absent for three package delivery attempts and should follow the URL to get a refund. The one targeting\r\nMexico (right) urges the recipient to download an invoice to avoid account “blockage”.\r\nFigure 5. Mispadu’s distribution and execution chain\r\nThe threat actor placed sponsored advertisements (see Figure 6 for a Brazilian example) on Facebook offering fake\r\ndiscount coupons for McDonald’s. Clicking the advertisements leads the potential victim to one of the webpages\r\nshown in Figure 7. Regardless of a visitor’s OS, clicking the button there leads to downloading a ZIP archive\r\ncontaining an MSI installer. Occasionally, this archive also contains legitimate software such as Mozilla Firefox or\r\nPuTTY, but they are mere decoys and are not used at all.\r\nMispadu operators compiled two different versions of the banking trojan based on the country it attacks. Besides\r\nthat, they decided to use different installers and subsequent stages for each attacked country. However, the logic of\r\nboth chains is the same and we describe that general form below.\r\nFigure 6. Facebook ads set up by the Mispadu operators leading to fake McDonald's coupon websites (translation\r\nof the ad title: “Use them on any September day! Independence coupons. Get yours now”)\r\nFigure 7. Malicious webpages offering fake discount coupons for McDonald's Brazil (left) and Mexico (right)\r\n(translation of the main text of both: “This coupon can be used only once. I want! / Generate coupon”)\r\nWhen the potential victim executes the MSI installer, a chain of three subsequent VBS scripts follows. 
The first\r\nscript (unpacker) decrypts and executes the second script (downloader) from its internal data, as seen in Figure 8.\r\nThe downloader script retrieves the third script (loader) and executes it (see Figure 9).\r\nFigure 8. Mispadu distribution chain unpacker script (stage 1). Notice the key is calculated in variable w2 to the\r\nvalue 95.\r\nFigure 9. Mispadu distribution chain downloader script (stage 2). Notice the hardcoded key is the same as in the\r\nprevious stage.\r\nThe loader script is more complicated than the first two stages. It is locale-specific; it checks the language identifier\r\nof the potential victim machine to verify it really comes from the country targeted by the current campaign (Brazil\r\nor Mexico, respectively). It can detect some virtual environments as well; if a virtual environment is detected or the\r\ndesired locale is not found, the loader quits.\r\nOtherwise, the loader script continues by setting up configuration files (described in detail later) and downloading\r\n(i) a Mispadu banking trojan, (ii) an injector (DLL) used to execute it and (iii) legitimate support DLLs. Each file is\r\ndownloaded in a separate ZIP archive as illustrated in Figure 5. We provide pseudocode for the decryption\r\nalgorithm in Figure 10.\r\ndef decrypt_payload(data_enc):\r\n    # data_enc is the encrypted payload as bytes; its first byte is the key and is not part of the plaintext\r\n    key = data_enc[0]\r\n    data_dec = str()\r\n    # every remaining byte is shifted back by a position-dependent value in the range 0..9\r\n    for i in range(1, len(data_enc)):\r\n        data_dec += chr(data_enc[i] - ((key + i - 1) % 10))\r\n    return data_dec\r\nFigure 10. Pseudocode of Mispadu's payload decryption algorithm\r\nMispadu’s download servers check the validity of requests they receive. Sending an invalid request results in an\r\nobscene image response we cannot reproduce here.\r\nFinally, the loader script sets up persistence by creating a link in the startup folder and executing the injector. 
This\r\nis done via rundll32.exe by calling an exported function of the injector DLL whose name comes from one of the\r\npreviously set up configuration files. The injector locates the encrypted banking trojan, then decrypts and executes\r\nit.\r\nWe found an open directory on one of the servers Mispadu uses, and files connected to a very similar campaign\r\nwere stored there. Those files can be used to set up a webpage imitating AreaVIP (a tabloid website in Brazil) and\r\nto force a fake Adobe Flash Player update on its potential victims. We have not observed that campaign in the wild\r\nand believe it may be a setup for the future.\r\nSince the Mispadu campaign targeting Brazil used the Tiny.CC URL shortener, we were able to gather statistics. As\r\nseen in Figure 11, this campaign produced almost 100,000 clicks, exclusively from Brazil. The clicks originating\r\nfrom Android are most likely the result of the fact that the advertisement is shown on Facebook regardless of the\r\nuser’s device. You can also see that the campaign is recurring – one phase ended in the second half of September\r\n2019 and emerged again at the beginning of October 2019.\r\nFigure 11. Brazilian Mispadu campaign statistics\r\nSharing an email attachment\r\nBoth spam emails and the fake McDonald’s website are interesting in one more aspect: from where the fake coupon\r\nis downloaded. Mispadu’s operators abused the Russian Yandex.Mail platform to store their payload (see Figure\r\n12). The most probable scenario is that the operators created an account on Yandex.Mail, sent an email with the\r\nmalicious coupon as an attachment to themselves and then pointed the potential victim to a direct link to this\r\nattachment.\r\nFigure 12. 
The URL from which the archive containing the malicious Mispadu MSI installer is downloaded\r\nConfiguration\r\nThe use of configuration files is quite uncommon among Latin American banking trojans; yet, overall, Mispadu\r\nutilizes three different ones and it cannot function without them. All of the configuration files are either contained\r\nin, or obtained by, the loader script described earlier.\r\nMispadu’s execution configuration is stored solely in memory with data downloaded from one of its download\r\nservers (Remote server 1 in Figure 5). It contains three crucial pieces of information:\r\na string necessary to create the URL to download the injector\r\nthe name of the folder where the malware will be installed\r\nthe name of the injector’s exported function to be called in order for it to execute the banking trojan\r\nGeneral configuration data are dropped to C:\\Users\\Public\\%COMPUTERNAME%[1], being named as the second\r\nletter in the victim’s computer name (so for a computer named “JOHN-PC”, the file would be named “O”). It is\r\ncreated from data contained in the loader script and in the execution configuration file and contains the version\r\ninformation, cryptographic key and file system paths.\r\nC\u0026C configuration data are stored to a file in the same location as the previous one under the same filename with\r\n“_” appended (“O_”, to continue the previous example). It consists of:\r\n#ip# (a placeholder for an IP address the banking trojan uses to receive backdoor commands)\r\n#wp[1-3]# (placeholders for 3 ports associated with #ip#)\r\ntwo lists of 31 domains each (main list and backup list)\r\nMispadu chooses its main and backup C\u0026C domains from these lists based on the current day of the month. It then\r\ntries to obtain an updated version of the C\u0026C configuration file from that domain every few hours and replaces the\r\ndropped one with it. 
We believe the main idea behind this approach is to fill in the placeholders in order to activate\r\nthe backdoor functionality.\r\nProtect your Chrome\r\nIt’s a good idea, just don’t do it with the malicious Google Chrome browser extension we have observed being\r\ndistributed together with the Mispadu banking trojan in Brazil (see Figure 13). The extension (see Figure 14) is\r\nnamed “Securty [sic] System 1.0” and claims to help you “Protege seu Chrome” (translation: “Protect your\r\nChrome”). It consists of three malicious JavaScript files that we describe below.\r\nFigure 13. Part of Mispadu’s distribution chain that changes when the malicious Google Chrome extension is\r\ndistributed as well. The rest of the distribution chain remains the same.\r\nFigure 14. The malicious Google Chrome extension installed by Mispadu\r\nComponent 1: Manipulating windows\r\nThis simple component has only a single functionality: it creates a new Google Chrome window and closes all\r\nothers. This component was not present in all samples we analyzed and we believe it is still in the testing phase.\r\nComponent 2: Stealing credit card data\r\nThe second component contains a hardcoded list of websites. In pages served from these sites, it looks for any input\r\nfield containing “text”, “email”, “tel”, “number”, “password” or “radio”. If “CVV”, “CÓD SEG” or their variants\r\nare found anywhere on the website, the content of those input fields is sent to the attacker when the victim submits\r\nthe information. This clearly reveals the intention of this part of the extension – theft of credit card data.\r\nComponent 3: Stealing banking and Boleto data\r\nThe third component is the most advanced one. 
First, using a DGA-like algorithm, it generates two strings based on\r\ncurrent day of month and month number. Those strings are then used to form a GitHub URL in the form of\r\nhttps://raw.githubusercontent.com/%FIRST_STRING%/w/master/%SECOND_STRING%,\r\nwhere %FIRST_STRING% is a GitHub username. Data downloaded from the generated URL are decrypted into a\r\ndifferent URL we will call payload URL.\r\nThis component also contains a hardcoded list of targeted websites, as the previous one did. If the victim visits one\r\nof these websites, a malicious JavaScript file specific to that website is obtained from the payload URL and\r\ndynamically loaded via JavaScript’s eval function.\r\nBesides that, this component also attempts to compromise the use of Boleto, a popular payment system common in\r\nBrazil. The system has been an attractive target for attackers for a long time (you can read more in this paper from\r\n2014). To pay using this system, you have to print a ticket (boleto). That contains mainly an ID number specific to\r\nthe bank account that should receive the payment, and a barcode (see Figure 15). Payment is then done by either\r\nscanning the barcode or typing the ID number manually.\r\nFigure 15. An example of a boleto (source: Wikipedia)\r\nUsing a regular expression, the malware component tries to find the ID number and replace it with the attacker’s\r\n(obtained dynamically). Additionally, it abuses a legitimate website to generate the payment barcode using the\r\nattacker’s account number and replaces the legitimate one with that. The part of the code responsible for\r\ncompromising Boleto is shown in Figure 16.\r\nFigure 16. Mispadu's Google Chrome extension that compromises Boleto. 
Code obtaining the attacker's account\r\nnumber is marked in red, malicious barcode generation in green.\r\nDifferences between campaigns\r\nBesides the already mentioned differences and the obvious fact that each variant of the Mispadu banking trojan\r\ntargets a different set of banks dependent on country of residence, the Brazilian campaign differs from the Mexican\r\none in several other minor aspects.\r\nIt seems to randomize the file system paths and filenames where configuration files are stored and the banking\r\ntrojan is installed for each victim. Additionally, the loader script contains a part that is not used at the time of\r\nwriting but that is ready to abuse Windows mshta.exe to execute the actual banking trojan instead of rundll32.exe.\r\nConclusion\r\nIn this blog post, we have talked about Mispadu, another Latin American banking trojan family isolated during our\r\nresearch. We have shown its main characteristics including reasons why we consider it a Latin American banking\r\ntrojan - it is written in Delphi, targets Brazil and Mexico, uses pop-up windows and contains backdoor\r\nfunctionality.\r\nWe have described its most recent distribution chain and focused on some interesting aspects like Yandex.Mail\r\nbeing abused to store the malicious payloads and the usage of malicious Facebook ads. We have analyzed the\r\nconfiguration files used by Mispadu as well.\r\nFinally, we have talked about a malicious Google Chrome extension that we have seen Mispadu distributing in\r\nBrazil. This extension’s goal is to steal credit card information, sensitive banking information and attempt to steal\r\nmoney from its victims by compromising the Boleto payment system in Brazil.\r\nFor any inquiries, contact us at threatintel@eset.com. 
Indicators of Compromise can also be found in our GitHub\r\nrepository.\r\nIndicators of Compromise (IoCs)\r\nHashes\r\nBrazilian campaign\r\nSHA-1 | Description | ESET detection name\r\nA4EDA0DD2C33A644FEEF170F5C24CF7595C19017 | MSI installer | VBS/TrojanDownloader.Agent.RVY\r\nA9BADCBF3BD5C22EEB6FAF7DB8FC0A24CF18D121 | Mispadu injector | Win32/Injector.EHXF\r\n337892E76F3B2DF0CA851CCF4479E56EAF2DB8FD | Mispadu banking trojan (PE compilation timestamp 8 Sep, 2019) | Win32/Spy.Mispadu.C\r\nA8CD12CC0BBD06F14AA136EA5A9A2E299E450B18 | Mispadu banking trojan (PE compilation timestamp 2 Oct, 2019) | Win32/Spy.Mispadu.C\r\nMexican campaign\r\nSHA-1 | Description | ESET detection name\r\nCFE21DBFB97C2E93F099D351DE54099A3FC0C98B | MSI installer | VBS/TrojanDownloader.Agent.RVY\r\n251AC7386D1B376FB1CB0E02BDFC45472387C7BC | Mispadu injector | Win32/Injector.EHXF\r\nA4FC4162162A02CE6FEADFE07B22465686A0EC39 | Mispadu banking trojan (PE compilation timestamp 10 Sep, 2019) | Win32/Spy.Mispadu.J\r\n710A20230B9774B3D725539385D714B2F80A5599 | Mispadu banking trojan (PE compilation timestamp 11 Sep, 2019) | Win32/Spy.Mispadu.J\r\nGoogle Chrome extension\r\nSHA-1 | Description | ESET detection name\r\n3486F6F21034A33C5425A398839DE80AC88FECA8 | Component 1 (manipulating windows) | JS/Spy.Banker.DQ\r\n1D19191FB2E9DED396B6352CBF5A6746193D05E8 | Component 2 (credit cards) | JS/Spy.Banker.DQ\r\n22E6EBDFAB7C2B07FF8748AFE264737C8260E81E | Component 3 (banking and Boleto data) | JS/Spy.Banker.DQ\r\nPotentially unwanted applications for credential theft\r\nSHA-1 | Description | ESET detection name\r\n63DCBE2DB9CC14564EB84D5E953F2F9F5C54ACD9 | Email client credential stealer | Win32/PSWTool.MailPassView.E\r\n8B950BF660AA7B5FB619E1F6E665D348BF56C86A | Google Chrome credential stealer | Win32/PSWTool.ChromePass.A\r\nF6021380AD6E26038B5629189A7ADA5E0022C313 | Mozilla Firefox credential stealer | Win32/PSWTool.PassFox.F\r\n76F70276EB95FFEC876010211B7198BCBC460646 | Internet Explorer credential stealer | Win32/PSWTool.IEPassView.NAH\r\nFilenames\r\nC:\\Users\\Public\\%COMPUTERNAME%[1]\r\nC:\\Users\\Public\\%COMPUTERNAME%[1]_\r\nC:\\Users\\Public\\{winx86,libeay32,ssleay32}.dll (legitimate DLLs downloaded by the loader script; partial indicator)\r\nServers used\r\nhttp://18.219.25[.]133/br/mp1a{1,sq,sl,ss}.aj5\r\nhttp://3.19.223[.]147/br/mp1a{1,sq,sl,ss}.aj5\r\nhttp://51.75.95[.]179/la8a{1,sq,sl,ss}.ay2\r\nDiscount coupon URLs\r\nBrazil\r\nhttp://promoscupom[.]cf/\r\nhttp://mcdonalds.promoscupom[.]cf/index3.html\r\nMexico\r\nhttp://mcdonalds.promoscupom[.]cf/index2.html\r\nBitcoin wallet\r\n3QWffRcMw6mmwv4dCyYZsXYFq7Le9jpuWc\r\nMITRE ATT\u0026CK techniques\r\nTactic | ID | Name | Description\r\nInitial Access | T1192 | Spearphishing Link | In Mispadu spam campaigns, the victim is led to the payload by a malicious link.\r\nExecution | T1085 | Rundll32 | Mispadu banking trojan is executed by an injector that is run via rundll32.exe.\r\nPersistence | T1176 | Browser Extensions | Mispadu variant targeting Brazil utilizes a Google Chrome browser extension.\r\nPersistence | T1060 | Registry Run Keys / Startup Folder | Mispadu ensures persistence by creating a link in the startup folder.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | Mispadu uses encoded configuration files.\r\nDefense Evasion | T1036 | Masquerading | Mispadu masquerades as a discount coupon.\r\nDefense Evasion | T1064 | Scripting | Mispadu utilizes VBS exclusively in its distribution chains.\r\nCredential Access | T1056 | Input Capture | Mispadu may execute a keylogger. Its Google Chrome extension tries to steal various sensitive information via input capturing.\r\nCredential Access | T1081 | Credentials in Files | Mispadu uses other tools to extract credentials for email clients and web browsers from files.\r\nCredential Access | T1214 | Credentials in Registry | Mispadu uses other tools to extract credentials for email clients and web browsers from the Windows Registry.\r\nDiscovery | T1083 | File and Directory Discovery | Mispadu searches for various filesystem paths in order to determine what applications are installed on the victim's machine.\r\nDiscovery | T1057 | Process Discovery | Mispadu searches for various process names in order to determine what applications are running on the victim's machine.\r\nDiscovery | T1063 | Security Software Discovery | Mispadu scans the system for installed security software.\r\nDiscovery | T1082 | System Information Discovery | Mispadu extracts the version of the operating system, computer name and language ID.\r\nCollection | T1115 | Clipboard Data | Mispadu captures and replaces bitcoin wallets in the clipboard.\r\nCollection | T1113 | Screen Capture | Mispadu contains a command to take screenshots.\r\nCommand and Control | T1024 | Custom Cryptographic Protocol | Mispadu uses a custom cryptographic protocol to protect its data.\r\nExfiltration | T1041 | Exfiltration Over Command and Control Channel | Mispadu sends the data it collects to its C\u0026C server.\r\nSource: https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/"
	],
	"report_names": [
		"mispadu-advertisement-discounted-unhappy-meal"
	],
	"threat_actors": [],
	"ts_created_at": 1775434661,
	"ts_updated_at": 1775791261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dc39620cb541d853dbaf4861644b760c7c870a8d.pdf",
		"text": "https://archive.orkl.eu/dc39620cb541d853dbaf4861644b760c7c870a8d.txt",
		"img": "https://archive.orkl.eu/dc39620cb541d853dbaf4861644b760c7c870a8d.jpg"
	}
}