{
	"id": "07b929fb-9d86-4622-a388-e2e438007e11",
	"created_at": "2026-04-06T00:15:38.824829Z",
	"updated_at": "2026-04-10T03:20:26.394262Z",
	"deleted_at": null,
	"sha1_hash": "ed314a32696f8012fa3b0c060e5b2c7143de9db6",
	"title": "Breaking Boundaries: Mispadu's Infiltration Beyond LATAM",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 9357084,
	"plain_text": "Breaking Boundaries: Mispadu's Infiltration Beyond LATAM\r\nBy Arnold Osipov\r\nArchived: 2026-04-05 19:19:23 UTC\r\nRecently, Morphisec Labs identified a significant increase in activity linked to Mispadu (also known as URSA), a banking\r\ntrojan first flagged by ESET in 2019. Initially concentrated on LATAM countries and Spanish-speaking individuals,\r\nMispadu has broadened its scope in the latest campaign.  \r\nIntroduction\r\nMispadu is a highly active banking trojan and Infostealer, now targeting diverse regions, including European countries,\r\nwhich previously were not targeted. Morphisec has prevented attacks from the same campaign across a variety of industries,\r\nincluding finance, services, motor vehicle manufacturing, law firms, and other commercial facilities.\r\nDespite the geographic expansion, Mexico remains the primary target. The campaign has resulted in thousands of stolen\r\ncredentials, with records dating back to April 2023. The threat actor leverages these credentials to orchestrate malicious\r\nphishing emails, posing a significant threat to recipients. \r\nMispadu has been expanding outside of LATAM (Image generated by: Datawrapper.de)\r\nInfection Chain \r\nThe attack chain consists of multiple stages, which largely remain the same when compared to previous campaigns.\r\nHowever, most changes occur at the initial stages.\r\nDelivery \r\nThe image below demonstrates an example of a phishing email sent by the threat actor. 
Each email in this campaign\r\nincluded a PDF attachment, luring the victim to open their supposed invoice.\r\nhttps://blog.morphisec.com/mispadu-infiltration-beyond-latam\r\nPage 1 of 9\n\n(Email body translated: “The XML and PDF of your invoice are available.”) \r\nClicking the “View Full Invoice” (translated) button in the PDF will initiate the download of a ZIP file through a URL\r\nshortener service, insprl.com, which redirects to the payload stored on Yandex.Mail (a Russian free email service) as an\r\nattachment. \r\nhttps://webattach.mail.yandex[.]net/message_part_real/?sid=\u003csid\u003e\u0026name=\u003cpayload_name\u003e\r\nFirst Stage VB Script \r\nThe downloaded archive contains either an MSI installer or an HTA script, which ultimately leads to the deployment and\r\nexecution of the first stage VB script. The MSI installer does that by invoking the export function of a DLL it contains under\r\nCustomActions. \r\nThe export function decrypts a string, which contains the executed command responsible for dropping the first stage VB\r\nscript. Additionally, it pops a message box to distract the victim from the malicious activity occurring in the background.\r\nThe decryption algorithm used to decrypt the string is the same one used throughout the entire campaign. \r\nThe executed command is obfuscated; its purpose is to drop a VB script into the public folder and invoke it. \r\nThe HTA operates similarly when executing the following command. Therefore, from this stage onward, the\r\nexecution is similar to the HTA attack chain.\r\nThe downloaded script is the second stage VB script, evaluated and executed in memory. The C2 will not serve the payload\r\nunless the User-Agent field contains “(MSIE)”, which is appended by default when the VB script is executed in that manner\r\n(default value: Mozilla/4.0 (compatible; MSIE 7.0)…). 
\r\nSecond Stage VB Script \r\nThis script is heavily obfuscated and employs the same decryption algorithm as mentioned in the DLL. Before downloading\r\nand invoking the next stage, the script conducts several Anti-VM checks, including querying the computer’s model,\r\nmanufacturer, and BIOS version, and comparing them to those associated with virtual machines. \r\nIt will also compare the OS language code against hardcoded language codes that belong to the set of targeted victims’ language\r\ncodes. Additionally, it ensures that the computer name is not equal to JOHN-PC, which is a common machine name used in\r\nsandboxes. \r\nIf the aforementioned checks pass, the execution proceeds with downloading three files: \r\n1. An archive file containing an obfuscated file, downloaded from\r\nhttps://contdskl.bounceme[.]net/dhyhsh3am1.ahgrher2. This file is later decrypted into the final Mispadu\r\npayload.  \r\n2. An obfuscated file is downloaded, decrypted to its archive form, and then unzipped. This file is a compiled AutoIT\r\nscript utilized to load the final payload. Before invoking the request, it prompts for an index to download from\r\n\u003cbase_name\u003e3\u003cindex\u003e.\u003cextension\u003e, with the index incrementing by one for each request.\r\n3. Another obfuscated file is downloaded, decrypted to its archive form, and unzipped. This file is a legitimate AutoIT\r\nexecutable used to launch the AutoIT script. \r\nNext, it will execute the legitimate AutoIT executable, passing the compiled script as a parameter. This script loads a DLL\r\ninto memory and invokes its export function. The DLL is responsible for decrypting and injecting the encrypted Mispadu\r\npayload into memory. 
\r\nAutoIT Script \r\nThe following is part of the decompiled AutoIT script, responsible for loading the DLL into memory and invoking its export\r\nfunction. \r\nInjector DLL \r\nOnce loaded into memory and invoked, the DLL decrypts the Mispadu payload downloaded in the second stage VB script and\r\ninjects it into either attrib.exe or RegSvcs.exe. \r\nMispadu Payload \r\nSimilar to the preceding steps in the infection chain, the final Mispadu payload remains largely unchanged. It continues to\r\nutilize NirSoft’s legitimate WebBrowserPassView and Mail PassView to extract browser and email client credentials. It\r\nactively monitors foreground windows of websites and applications for specific strings, including bank names,\r\ncryptocurrency exchanges, finance-related applications, and email clients. Over 200 such services are monitored for\r\npotential credential exfiltration.  \r\nBelow is an example of credentials obtained from the C2 server, encoded using the algorithm employed across the infection\r\nchain. The threat actor divides the exfiltrated data into two parts. The first part comprises credentials extracted from email\r\nclients and browser passwords, while the second consists of email addresses obtained from the victim’s machine.\r\nSubsequently, the TA uses those email addresses to craft and distribute the malicious phishing emails. \r\nConclusion\r\nThe threat actor utilizes two command and control (C2) servers throughout the infection chain. The first C2 server is\r\nemployed to fetch payloads utilized in the attack, such as the second stage VB script, Mispadu payload, and additional\r\ncomponents. The second C2 server is utilized for exfiltrating the extracted credentials. 
The first C2 server undergoes\r\nfrequent alterations, whereas the second C2 server utilized for credential exfiltration remains relatively consistent across\r\nvarious campaigns.\r\nBased on the stolen credentials discovered on the C2 server, the earliest records date back to April 2023 and the activity\r\ncontinues up to the present day. Currently, there are more than 60K files on the C2 server. \r\nHow Morphisec Can Help \r\nMispadu is an extremely evasive threat that generally bypasses many of the leading solutions that organizations have in\r\nplace today. Morphisec’s Automated Moving Target Defense (AMTD) stops attacks like Mispadu and other banking trojans\r\nacross the attack chain, detecting malicious installers, scripts and the payload itself. Morphisec doesn’t rely on signature or\r\nbehavioral patterns. Instead, it uses patented moving target defense technology to prevent the attack at its earliest stages,\r\npreemptively blocking attacks on memory and applications, effectively removing the need for response. \r\nSchedule a demo today to see how Morphisec stops Mispadu and other new and emerging threats. 
\r\nIndicators of Compromise (IOCs)\r\nAbout the author\r\nArnold Osipov\r\nMalware Researcher\r\nArnold Osipov is a Malware Researcher at Morphisec, who has spoken at BlackHat and been recognized by Microsoft\r\nSecurity for his contributions to malware research related to Microsoft Office. Prior to his arrival at Morphisec 6 years ago,\r\nArnold was a Malware Analyst at Check Point.\r\nSource: https://blog.morphisec.com/mispadu-infiltration-beyond-latam",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.morphisec.com/mispadu-infiltration-beyond-latam"
	],
	"report_names": [
		"mispadu-infiltration-beyond-latam"
	],
	"threat_actors": [],
	"ts_created_at": 1775434538,
	"ts_updated_at": 1775791226,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ed314a32696f8012fa3b0c060e5b2c7143de9db6.pdf",
		"text": "https://archive.orkl.eu/ed314a32696f8012fa3b0c060e5b2c7143de9db6.txt",
		"img": "https://archive.orkl.eu/ed314a32696f8012fa3b0c060e5b2c7143de9db6.jpg"
	}
}