{
	"id": "271301af-70d2-4524-816b-842a19e5c14a",
	"created_at": "2026-04-06T00:19:23.919398Z",
	"updated_at": "2026-04-10T03:33:53.641613Z",
	"deleted_at": null,
	"sha1_hash": "50fe1eae747b9a4ddaee49e154cd8034220e30c9",
	"title": "FrameworkPOS and the adequate persistent threat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 65258,
	"plain_text": "FrameworkPOS and the adequate persistent threat\r\nBy Brian Donohue\r\nArchived: 2026-04-05 12:42:47 UTC\r\nAll too often the information security community focuses on a category of adversary known as an Advanced Persistent Threat (APT). Marketing and sales departments all around this industry have focused their messaging on the premise that their product or service will protect you against APT-level adversaries, and this sometimes causes us to lose sight of a simpler truth. Most adversaries do not need to be advanced or sophisticated to execute code or persist in an organization. More often than not, they can simply settle for being an adequate persistent threat, using techniques and artifacts that anyone can find within their organization.\r\nIn this threat detection post, we’ll look at FrameworkPOS, a point-of-sale malware family that has been tied to an organized APT group in the past. In doing so, we’ll show that an adversary doesn’t need advanced techniques to execute and persist; they simply need to be good enough.\r\nPoint of sale and compromise\r\nOur first indication of trouble for one particular endpoint was the execution of an encoded PowerShell command spawning from the Windows Service Controller, services.exe.\r\nThis kind of event typically suggests that there is a Windows Service (T1035, T1050) on the host that will issue this cmd.exe and powershell.exe command when started. We sometimes see this functionality used legitimately in the maintenance of systems, but those instances almost always reference script files by name and path rather than passing encoded commands. PowerShell is almost always evil when we see it encoded in this context.\r\nhttps://redcanary.com/blog/frameworkpos-and-the-adequate-persistent-threat/\r\nPage 1 of 5\r\nIn this case, the malicious PowerShell code deobfuscated partially to reveal some telling strings:\r\n$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(\"H4sI\r\nThe base64-encoded PowerShell decoded into the above, showing that a second payload had been compressed using gzip and encoded using base64. We can make this assertion based partially on the FromBase64String function, and partially on the H4sI value at the start of the second payload (H4sI is the base64 encoding of the gzip header bytes 1f 8b 08). Whenever we see this base64 value in the wild, it indicates that there is a gzipped payload within the encoding.\r\nThe PowerShell code went on to download and execute installer_8.exe, a malicious payload that hadn’t been observed by antivirus (AV) vendors at that point. This is an important distinction because it shows how adversaries can evade AV detection just by using tools that are new. In fact, a dynamic-link library (DLL) written by this binary also evaded detection by AV due to a misclassification. AV tools thought the DLL was not malware, which turned out to be false.\r\nInstaller_8.exe proceeded to establish persistence using two methods:\r\na Windows Registry autorun key\r\na Scheduled Task\r\nNeither of these methods is particularly sophisticated; the adversary used a well-known autorun key when they could’ve used far more obscure ones. The task is also relatively simple: it’s just trying to blend in under the guise of a Windows Help tool.\r\nSomething to note: both of these persistence mechanisms are relatively easy to enumerate and hunt at scale across an enterprise using several solutions.\r\nTo execute its final payload, installer_8.exe spawned rundll32.exe to load the workerInstance function from assistant32.dll. Once this ran, it created a file named btid.dat. When the persistence mechanisms executed, we observed the same rundll32.exe behavior again.\r\nAt this point, we can tell the behaviors observed are most likely malicious due to the PowerShell activity, but we don’t have a lot of information around this particular DLL. Some quick Google searches unearthed this research from Morphisec, suggesting that we had apparently found FrameworkPOS malware!\r\nFinding patient zero\r\nA concerning part of this detection within the Red Canary Cyber Incident Response Team (CIRT) was that the earlier PowerShell communication did not establish an external network connection. Instead we observed a network connection to another host on the internal network. This spawned a lateral movement hypothesis for us: there was likely another host on the network that was patient zero.\r\nAfter hopping around hosts to find the original source of activity, we found another PowerShell command executing as a service that did establish an external network connection.\r\nAfter consulting the Morphisec research again, we found the external network connection was consistent with the same campaign they observed in the wild.\r\nAdequate adversaries still exist\r\nLooking into Morphisec’s research, there is a possibility that this campaign could be tied to the cybercriminal group known commonly as FIN6. This group has targeted POS systems in the past, and recent reports indicate they may be involved with ransomware attacks. FrameworkPOS is very much a tool used by groups considered to be APTs. Even with this qualification, we can see a tendency to use “good enough” persistence and execution.\r\nThis provides a good starting point for defenders. We can start simple and grow to have more complex detection capabilities as we mature. To begin hunting for malicious persistence mechanisms, we can search for Registry key values that shouldn’t exist in Microsoft\\Windows\\CurrentVersion\\Run before hunting for every key referenced in the infamous “Beyond good ol’ Run key” blog series.\r\nIn addition to the Registry key, we can start simple with event logging by focusing on just events for Scheduled Task execution and new service creation. By the time we become proficient at collecting and hunting through these artifacts, we’ll be ready to tackle more advanced techniques.\r\nBehaviors from this detection\r\nHere are some of the search queries that contributed to this post.\r\nFrameworkPOS DLL execution\r\nHigh confidence\r\nProcess is ‘rundll32.exe’ AND command line contains ‘workerInstance’\r\nShell execution as a service\r\nMedium confidence, needs tuning for your products and admin tools\r\nParent process is ‘services.exe’ AND process is ‘cmd.exe’ or ‘powershell.exe’\r\nPrivileged Scheduled Task execution\r\nLow/medium confidence, tune out administrative activity.\r\nParent process is ‘taskeng.exe’ AND username is ‘SYSTEM’\r\nWindows Registry Autorun Key modification\r\nLow/medium confidence, tune out new installations and software updates\r\nModification to Registry Key ‘Microsoft\\Windows\\CurrentVersion\\Run’\r\nConclusion\r\nDon’t be intimidated by adversaries. More often than not, you’ll find they don’t have to use sophisticated techniques during attacks. If you start simple and work toward becoming more mature as you grow, you’ll be ready for the small stuff and able to hunt down the more complex challenges when they come to you.\r\nSource: https://redcanary.com/blog/frameworkpos-and-the-adequate-persistent-threat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://redcanary.com/blog/frameworkpos-and-the-adequate-persistent-threat/"
	],
	"report_names": [
		"frameworkpos-and-the-adequate-persistent-threat"
	],
	"threat_actors": [
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434763,
	"ts_updated_at": 1775792033,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/50fe1eae747b9a4ddaee49e154cd8034220e30c9.pdf",
		"text": "https://archive.orkl.eu/50fe1eae747b9a4ddaee49e154cd8034220e30c9.txt",
		"img": "https://archive.orkl.eu/50fe1eae747b9a4ddaee49e154cd8034220e30c9.jpg"
	}
}