Mispadu Stealer is an infostealer that has targeted Spanish- and Portuguese-speaking victims in Latin America since 2019 [3]. Researchers from Unit 42 recently identified a new variant that exploits a vulnerability in Windows SmartScreen [3] (the security-feature bypass Microsoft patched as CVE-2023-36025 in November 2023).


The new variant bypasses the SmartScreen warning with a specially crafted internet shortcut (.url) file or hyperlink: opening it does not trigger the prompt Windows normally shows for content that came from the internet, so the victim is sent straight to the malicious payload [3]. As in earlier versions [3], the stealer uses SQLite to pull saved credentials out of browser databases. The campaign specifically targets users in Mexico and has already harvested more than 90,000 bank account credentials [2]. The SmartScreen flaw is not unique to Mispadu: Phemedrone Stealer uses the same bypass for delivery, then steals data from web browsers, cryptocurrency wallets and messaging applications and exfiltrates it over Telegram or to a command-and-control server [1]. The Mispadu attacks are attributed to TA558, a financially motivated group [2].
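Because the initial access in both campaigns rides on a crafted .url file, a defender's first question is whether any shortcut file on a host or in a mail quarantine points somewhere a normal web bookmark never would. The following Python triage script is an added example, not code from the Unit 42 report and not a reproduction of the Mispadu files; it parses the INI-style [InternetShortcut] section and flags targets that are UNC paths, file:// URLs on a remote host, or direct downloads of executable or script extensions. The list of suspicious extensions and the three sample files are constructed assumptions for the demonstration, not indicators taken from the malware.

```python
"""Triage Windows Internet Shortcut (.url) files for targets an ordinary web
bookmark would not have. Heuristic only; a hit means "pull it for analysis".
"""
import os
import sys
from urllib.parse import urlsplit

# Extensions a web shortcut has no business delivering directly (assumption,
# chosen for the example; tune to your environment).
SUSPICIOUS_EXT = {".exe", ".scr", ".cpl", ".js", ".vbs", ".hta",
                  ".lnk", ".msi", ".bat", ".cmd", ".ps1"}

# Constructed sample .url files (203.0.113.0/24 is a documentation range).
BENIGN_URL_FILE = "[InternetShortcut]\r\nURL=https://www.example.com/\r\nIDList=\r\n"
REMOTE_CPL_URL_FILE = ("[InternetShortcut]\r\nURL=file://203.0.113.5/share/invoice.cpl\r\n"
                       "IconIndex=3\r\n")
UNC_URL_FILE = "[InternetShortcut]\r\nURL=\\\\203.0.113.5\\share\\update.exe\r\n"


def parse_url_file(text: str) -> dict:
    """Return the key/value pairs of the [InternetShortcut] section, keys lower-cased.

    Minimal INI parsing: section names and keys are matched case-insensitively,
    as Windows does; values are kept verbatim because a URL may itself contain '='.
    """
    fields, in_section = {}, False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "internetshortcut"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def classify(fields: dict) -> list:
    """Return the reasons a shortcut looks suspicious; an empty list means it looks ordinary."""
    reasons = []
    target = fields.get("url", "")
    if not target:
        return ["no URL= target"]
    if target.startswith("\\\\"):
        # A bare UNC path makes Windows fetch the target over SMB/WebDAV.
        reasons.append("target is a UNC path: " + target)
        path = target
    else:
        parts = urlsplit(target)
        scheme = parts.scheme.lower()
        path = parts.path
        if scheme == "file" and parts.netloc.lower() not in ("", "localhost"):
            reasons.append("file:// target on remote host " + parts.netloc)
        elif scheme not in ("http", "https", "file", "ftp", "mailto"):
            reasons.append("unusual scheme " + scheme)
    ext = os.path.splitext(path.replace("\\", "/"))[1].lower()
    if ext in SUSPICIOUS_EXT:
        reasons.append("target delivers " + ext + " directly")
    return reasons


def triage(text: str) -> list:
    """Convenience wrapper: parse one .url file's text and classify it."""
    return classify(parse_url_file(text))


if __name__ == "__main__":
    # Usage: python triage_url.py path/to/file.url [more .url files]
    for name in sys.argv[1:]:
        with open(name, encoding="utf-8", errors="replace") as fh:
            hits = triage(fh.read())
        print(name, "->", "; ".join(hits) if hits else "looks ordinary")
```

Run it over the contents of a mail quarantine or a user's Downloads folder and review every file that returns at least one reason; an empty result only means the shortcut looks like a normal bookmark, not that it is safe, and the patch for the SmartScreen flaw is still what removes the bypass itself.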


The resurgence of Mispadu highlights the need for a comprehensive and vigilant security posture in the LATAM region and beyond [4]. Concretely, that means applying the Windows update that closes the SmartScreen bypass, treating .url attachments and links from unsolicited email with suspicion [4], blocking or inspecting them at the mail gateway and on the network [4], and keeping staff aware of current lures. Following current threat intelligence and running endpoint protection that can detect the stealer after the shortcut has been opened remain essential against evolving threats like Mispadu Stealer [3].