{
	"id": "2ad11790-232f-43a9-8bdc-f98402b0ceb3",
	"created_at": "2026-04-06T00:08:30.326378Z",
	"updated_at": "2026-04-10T03:36:13.938124Z",
	"deleted_at": null,
	"sha1_hash": "376b50c2d9b4a2ca09cbb8b3e96fa6420a1f744f",
	"title": "LockPoS Joins the Flock | NETSCOUT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 768361,
	"plain_text": "LockPoS Joins the Flock | NETSCOUT\r\nArchived: 2026-04-05 15:31:04 UTC\r\nWhile revisiting a Flokibot campaign that was targeting point of sale (PoS) systems in Brazil earlier this year, we\r\ndiscovered something interesting. One of the command and control (C2) servers that had been dormant for quite\r\nsome time had suddenly woken up and started distributing what looks to be a new PoS malware family we’re\r\ncalling LockPoS. This post opens the lock up and takes a look inside.\r\nLoaders and Injectors\r\nThe analyzed sample has a recent compilation date (2017-06-24) and is available on VirusTotal. It starts out by\r\nresolving several Windows functions using API hashing (CRC32 is used as the hashing function). Here are a few\r\nof the functions and their corresponding hashes:\r\nFindResourceW - 0xcad4de2b\r\nCryptDecrypt - 0x9c2d8fb5\r\nRtlDecompressBuffer - 0x52fe26d8\r\nAs hinted by the above functions it continues by:\r\nExtracting a resource named “CORE”\r\nDecrypting it using AES-256 in CBC mode and an initialization vector (IV) of all zero bytes\r\nDecompressing the plaintext\r\nThe resulting file is an executable (available on VirusTotal) that has the following debugging string:\r\nC:\\Users\\Admin\\Desktop\\key\\dropper\\Release\\dropper.pdb\r\nThis executable is manually loaded and executed. The self-named dropper continues by extracting a resource from\r\nitself named “XXXX”. This resource file contains multiple components, which are injected into “explorer.exe”.\r\nOnce running in explorer.exe it behaves similarly to the above loader decrypting, decompressing, and loading the\r\nfinal LockPoS payload. To summarize, the loading and injecting process looks like:\r\n1. Original executable loads dropper executable\r\n2. Dropper injects a second stage loader and the final LockPoS payload into explorer.exe\r\n3. The loader in explorer.exe loads the final LockPoS DLL.\r\nLockPoS Component\r\nThe analyzed LockPoS DLL is available on VirusTotal and has the following debugging string:\r\nC:\\Users\\Admin\\Desktop\\key\\lock\\Release(DLL)\\lock.pdb\r\nhttps://www.arbornetworks.com/blog/asert/lockpos-joins-flock/\r\nPage 1 of 5\n\nLockPoS uses the regular “registry run” method for persistence. It obfuscates important strings using XOR and a\r\nkey of “A”. An initial configuration (which includes the C2 URL) is stored unencrypted as a resource named\r\n“XXXX”:\r\nThe config is stored as a binary structure where the first DWORD (5 in this example) indicates the number of\r\ntrailing data entries. Each data entry is composed of:\r\nType (DWORD)\r\nData length (DWORD)\r\nData\r\nFor ease of use later, let’s call this structure a “data chunk”. C2 communications are via HTTP and using a very\r\ntelling User-Agent. An example request looks like:\r\nThe POST data is a structure consisting of “data chunks” which looks like this:\r\nNumber of data chunks (DWORD)\r\nSize of data chunk 1\r\nData chunk 1\r\nSize of data chunk 2\r\nData chunk 2\r\n…\r\nIn the above example there is one data chunk that contains the following nine entries:\r\n1. Type 0: Message type (0)\r\n2. Type 3: String consisting of username, computer name, and bot ID\r\n3. Type 1: Value from the config\r\n4. Type 2: Bot version (1.0.0.6)\r\n5. Type 8: CPU\r\n6. Type 9: Physical memory\r\n7. Type 10: Display devices\r\n8. Type 4: Windows version and architecture\r\n9. Type 6: MD5 hash of currently running sample\r\nAn example response from the C2 looks like this:\r\nThe returned data, like the request data, is structured and in this case is returning an updated config. LockPoS\r\nsupports the following commands:\r\nUpdate config\r\nDownload and execute\r\nRotate data file\r\nUpdate self\r\nInject executable file into explorer.exe\r\nThe malware’s PoS credit card stealing functionality works similarly to other PoS malware: it scans the memory\r\nof other running programs looking for data that matches what credit card track data looks like. Here’s a snippet of\r\nthe matching function:\r\nUsing some example credit card track two data from this site, here is an example credit card exfiltration by\r\nLockPoS:\r\nIn this example there are two data chunks. The first is similar to the phone home example above. The second data\r\nchunk consists of the following seven entries:\r\n1. Type 0: Message type (2)\r\n2. Type 113: Tick count\r\n3. Type 111: Hardcoded zero\r\n4. Type 112: Credit card track data and application it came from\r\n5. Type 3: String consisting of username, computer name, and bot ID\r\n6. Type 1: Value from the config\r\n7. Type 114: Index of the entry\r\nConclusion\r\nSo far, we’ve seen LockPoS distributed via a Flokibot botnet (a reference sample is available on VirusTotal). They\r\nboth share a common C2 host (treasurehunter[.]at) so it is likely the same threat actor controls them. As referenced\r\nearlier, the Flokibot campaign was targeting Brazil so a good first guess is that LockPoS will target the same. One\r\nthing to note about the analyzed C2 server (treasurehunter[.]at) is that there is a name overlap with another PoS\r\nmalware that FireEye wrote about in 2016 called TREASUREHUNT. Based on their research on its C2\r\ncommunications, panel, and other IoCs it looks like LockPoS and TREASUREHUNT are separate families. It is\r\ncurrently unclear whether LockPoS is an exclusive malware associated with one threat actor or whether it will be\r\nsold on underground forums like Flokibot was. Based on the internals of the malware described in this post,\r\nLockPoS seems to be coded well and stable, but doesn’t particularly raise the bar when it comes to “highly\r\nadvanced malware”. However, given the havoc PoS malware has inflicted on the hotel, restaurant, and retail\r\nindustries the past few years, LockPoS’ lack of novelty is probably a moot point.\r\nSource: https://www.arbornetworks.com/blog/asert/lockpos-joins-flock/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.arbornetworks.com/blog/asert/lockpos-joins-flock/"
	],
	"report_names": [
		"lockpos-joins-flock"
	],
	"threat_actors": [
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434110,
	"ts_updated_at": 1775792173,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/376b50c2d9b4a2ca09cbb8b3e96fa6420a1f744f.pdf",
		"text": "https://archive.orkl.eu/376b50c2d9b4a2ca09cbb8b3e96fa6420a1f744f.txt",
		"img": "https://archive.orkl.eu/376b50c2d9b4a2ca09cbb8b3e96fa6420a1f744f.jpg"
	}
}