Threat Actor Profile
High APT
Description

Malteiro is a financially motivated criminal group that is likely based in Brazil and has been active since at least November 2019. The group operates and distributes the Mispadu banking trojan via a Malware-as-a-Service (MaaS) business model. Malteiro mainly targets victims throughout Latin America (particularly Mexico) and Europe (particularly Spain and Portugal).(Citation: SCILabs Malteiro 2021)

Confidence Score
90%
Known Aliases
Malteiro
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (12)
T1555 - Credentials from Password Stores
Credential Access
T1555.003 - Credentials from Web Browsers
Credential Access
T1027.013 - Encrypted/Encoded File
Defense Evasion
T1055.001 - Dynamic-link Library Injection
Defense Evasion
T1140 - Deobfuscate/Decode Files or Information
Defense Evasion
T1082 - System Information Discovery
Discovery
T1518.001 - Security Software Discovery
Discovery
T1614.001 - System Language Discovery
Discovery
T1059.005 - Visual Basic
Execution
T1204.002 - Malicious File
Execution
T1657 - Financial Theft
Impact
T1566.001 - Spearphishing Attachment
Initial Access
STIX Data
{'aliases': ['Malteiro'],
 'created': '2024-03-13T20:23:54.698Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Malteiro](https://attack.mitre.org/groups/G1026) is a '
                'financially motivated criminal group that is likely based in '
                'Brazil and has been active since at least November 2019. The '
                'group operates and distributes the '
                '[Mispadu](https://attack.mitre.org/software/S1122)  banking '
                'trojan via a Malware-as-a-Service (MaaS) business model. '
                '[Malteiro](https://attack.mitre.org/groups/G1026) mainly '
                'targets victims throughout Latin America (particularly '
                'Mexico) and Europe (particularly Spain and '
                'Portugal).(Citation: SCILabs Malteiro 2021)',
 'external_references': [{'external_id': 'G1026',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G1026'},
                         {'description': 'SCILabs. (2021, December 23). Cyber '
                                         'Threat Profile Malteiro. Retrieved '
                                         'March 13, 2024.',
                          'source_name': 'SCILabs Malteiro 2021',
                          'url': 'https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/'}],
 'id': 'intrusion-set--bf668120-e9a6-4017-a014-bfc0f5232656',
 'modified': '2024-03-29T14:10:35.711Z',
 'name': 'Malteiro',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Daniel Fernando Soriano Espinosa', 'SCILabs'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '1.0'}