Home/ Threat Actors/ Malteiro

🌐Malteiro

🌐 Malteiro is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 12 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G1026) ↗

14Use cases

0Articles

12Techniques

0IOCs

About this actor (MITRE)

[Malteiro](https://attack.mitre.org/groups/G1026) is a financially motivated criminal group that is likely based in Brazil and has been active since at least November 2019. The group operates and distributes the [Mispadu](https://attack.mitre.org/software/S1122) banking trojan via a Malware-as-a-Service (MaaS) business model. [Malteiro](https://attack.mitre.org/groups/G1026) mainly targets victims throughout Latin America (particularly Mexico) and Europe (particularly Spain and Portugal).(Citation: SCILabs Malteiro 2021)

Known aliases

Malteiro

Top techniques

T1027.013 · Encrypted/Encoded File T1055.001 · Dynamic-link Library Injection T1059.005 · Visual Basic

All other tracked techniques

T1082 · System Information Discovery T1140 · Deobfuscate/Decode Files or Information T1204.002 · Malicious File T1518.001 · Security Software Discovery T1555 · Credentials from Password Stores T1555.003 · Credentials from Web Browsers T1566.001 · Spearphishing Attachment T1614.001 · System Language Discovery T1657 · Financial Theft

Detection use cases (14)

Malteiro/Mispadu loader chain — VBS/MSI script host invoking certutil/bitsadmin/PowerShell downloader AI · profile SΣ Malteiro/Mispadu browser credential exfil — non-browser process touching Chromium 'Login Data' / Firefox logins.json AI · profile SΣ 1Password item exfiltration attempt MITRE match 1Password vault export attempted MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes MITRE match Package manager lifecycle hook spawns network-fetching shell or runtime MITRE match Supply-chain repo credential theft → outbound exfil to attacker infra MITRE match