Mispadu Phishing Malware Baseline: Delivery Chains, Capabilities, and Common Campaigns

ID: 1e9d9e14-e785-50e4-80b2-2dfbb2457928

STIX ID: report--1e9d9e14-e785-50e4-80b2-2dfbb2457928

Feed Name: Cofense Blog

Threat Score
75/100

Date Published: 2026-02-11

Date Updated: 2026-04-27

Author: Cofense

...
...

Mispadu is a persistent banking trojan targeting Latin America, active since 2019 and significantly scaled up in 2024-2025. Campaigns deliver dynamically generated HTA/JS/VBS chains (often via password-protected PDFs) that load AutoIt-based loaders and legitimate utilities to steal credentials, inject web content, and self-propagate via Outlook. Operators use advanced obfuscation, geofencing, dynamic payloads, and legitimate binaries to evade detection, and the activity is tied to a tracked APT group responsible for widespread, ongoing phishing campaigns across Mexico, Brazil, and other regions.