{
	"id": "3d276d61-f3b1-45d2-af02-b1f85115e6dc",
	"created_at": "2026-04-06T01:32:04.746515Z",
	"updated_at": "2026-04-10T13:11:27.908361Z",
	"deleted_at": null,
	"sha1_hash": "3f3566144f6a3e9dfc642e9ace73747e82ad4e17",
	"title": "Dexter, Project Hook POS Malware Campaigns Persist",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 782368,
	"plain_text": "Dexter, Project Hook POS Malware Campaigns Persist\r\nBy Chris Brook\r\nPublished: 2014-03-06 · Archived: 2026-04-06 00:33:00 UTC\r\nResearch this week makes it clear that many attackers are still using point of sale malware, namely Dexter and Project Hook, in active attacks.\r\nWhile the Target data breach may be in the rear view mirror, research this week shows it’s clear that many attackers are still using point of sale malware, namely Dexter and Project Hook, in active attacks.\r\nResearchers at Arbor Networks’ Security Engineering \u0026 Response Team (ASERT) looked at several such campaigns, exfiltrated data dumps and decoded them to analyze the scope of their compromises. The group also analyzed network activity triggered by Dexter malware samples.\r\nAccording to Arbor’s Threat Intelligence Brief 2014-3 released yesterday, researchers noticed a specific variant of Dexter, Dexter Revelation, exfiltrating stolen data – stored in fake .zip files and .txt files – via FTP credentials from compromised terminals.\r\nRevelation was one of three Dexter variants (along with Stardust and Millennium) that ASERT noticed in December, but at that time it was unclear just how the infections were happening.\r\nWhile researchers were under the assumption that Revelation was a fairly new brand of malware, new research has traced developmental versions of the malware back almost a year; early builds date back to April 2013.\r\nIt turns out the Revelation malware has several handy functions, including a memory-scraping procedure that “scours system memory looking for plaintext data that matches a credit or debit card format” and a keylogger function it uses to “capture keyboard activity and other system information.” The fake .zip files store a four-byte XOR key that can actually be used to decode the file’s contents.\r\nThe report suspects a threat actor going by either “Rome0” or “rome0” is directly involved with Dexter. Researchers say they’ve noticed actors going by both of the usernames demonstrating their familiarity with banking Trojans online and frequenting various carding forums.\r\nASERT posted a list of IP addresses and hostnames associated with Dexter’s command and control activity in the report that it’s hoping organizations review.\r\n“Organizations are encouraged to check logs and other indicators of network activity associated with these IP addresses and/or hostnames to find systems compromised as part of a past or current attack campaign.”\r\nhttps://threatpost.com/dexter-project-hook-pos-malware-campaigns-persist/104655/\r\nPage 1 of 4\r\nThe IP addresses listed in red indicate that the C\u0026C servers associated with them were still active as of the report.\r\nWhile Project Hook, another point-of-sale malware, is less active than Dexter, researchers are still encouraging organizations to remain vigilant, especially after they found a special URL set up hosting back-end panels for Project Hook and another PoS malware, Alina, in January and early February.\r\nArbor’s report came out the same day that Target announced it would finally overhaul its information security processes and that its chief information officer, Beth Jacob, had resigned.\r\nTarget reports that it will fill the position with an external hire as well as assign a new role: chief compliance officer.\r\n“Target will be conducting an external search for an interim CIO who can help guide Target through this transformation,” Target’s Chairman, President, and CEO Gregg Steinhafel said Wednesday.\r\nThe transformation Steinhafel is referring to is the stress the U.S. retailer has undoubtedly had to grapple with after suffering a massive breach in November. Attackers were able to set up a command and control server and lift more than 40 million credit and debit card records and 70 million other records of customer details from Target point of sale systems.\r\nWe may be three months removed from the Target fiasco, but point-of-sale malware campaigns continue to permeate the headlines.\r\nTexas-based Sally Beauty Supply, a chain with around 2,700 locations nationwide, confirmed yesterday that someone attempted to breach its system but would not confirm that customer data was at risk. According to Krebs on Security, a batch of 282,000 stolen credit card numbers popped up on an underground market and three banks purchased their customers’ cards in hopes of finding the theft’s origin. All of the banks then found that the cards they had gotten hold of had been used at a Sally Beauty Supply store within the 10 days before.\r\nSource: https://threatpost.com/dexter-project-hook-pos-malware-campaigns-persist/104655/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://threatpost.com/dexter-project-hook-pos-malware-campaigns-persist/104655/"
	],
	"report_names": [
		"104655"
	],
	"threat_actors": [],
	"ts_created_at": 1775439124,
	"ts_updated_at": 1775826687,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3f3566144f6a3e9dfc642e9ace73747e82ad4e17.pdf",
		"text": "https://archive.orkl.eu/3f3566144f6a3e9dfc642e9ace73747e82ad4e17.txt",
		"img": "https://archive.orkl.eu/3f3566144f6a3e9dfc642e9ace73747e82ad4e17.jpg"
	}
}