{
	"id": "8aa8ce4f-0f61-4a9c-af4e-71922b46690d",
	"created_at": "2026-04-06T00:16:01.356202Z",
	"updated_at": "2026-04-10T03:21:21.03222Z",
	"deleted_at": null,
	"sha1_hash": "52116ed70c5d3a3cae0dfa6e0a0c4a06ee263fe1",
	"title": "New POS Malware PinkKite Takes Flight",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 169860,
	"plain_text": "New POS Malware PinkKite Takes Flight\r\nBy Tom Spring\r\nPublished: 2018-03-14 · Archived: 2026-04-05 20:24:21 UTC\r\nResearchers shed light on a newly discovered family of point-of-sale malware that is extremely small in size and\r\nadept at siphoning credit card numbers from POS endpoints.\r\nA new family of point-of-sale malware, dubbed PinkKite, has been identified by researchers who say the malware\r\nis tiny in size, but can deliver a hefty blow to POS endpoints.\r\nResearchers at Kroll Cyber Security first identified PinkKite in 2017 during a nine-month investigation into a\r\nlarge POS malware campaign that ended in December. The campaign is believed to be the first instance of\r\nPinkKite identified, according to researchers Courtney Dayter and Matt Bromiley, who presented their findings at\r\nKaspersky Lab’s Security Analyst Summit on Friday.\r\nPinkKite is less than 6k in size and similar to other small POS malware families such as TinyPOS and\r\nAbaddonPOS. Similar to those small-sized malware families, PinkKite uses its tiny footprint to avoid detection\r\nand comes equipped with memory-scraping and data validation tools.\r\n“Where PinkKite differs is its built-in persistence mechanisms, hard-coded double-XOR encryption (used on\r\ncredit card numbers) and backend infrastructure that uses a clearinghouse to exfiltrate data to,” Dayter said.\r\nCriminals behind the PinkKite campaign used three clearinghouses (or depots) located in South Korea, Canada\r\nand the Netherlands to send data to. Typically, POS malware sends data directly to a C2 server.\r\n“From a malware collection point of view, it was probably easier for adversaries to send data to clearinghouses. It\r\nalso may have helped them keep a little bit of distance from the POS terminals,” Bromiley said. “But, from an\r\ninvestigative point of view we loved it because it made the operation very noisy.”\r\nPinkKite’s executable naming convention attempted to\r\nmasquerade as a legitimate Windows program with names such as Svchost.exe, Ctfmon.exe and AG.exe. In all,\r\nhttps://threatpost.com/new-pos-malware-pinkkite-takes-flight/130428/\r\nPage 1 of 2\n\nKroll identified several PinkKite families. “A white list version (of PinkKite) had a list of processes it was\r\nspecifically targeting. The black list version had a list of processes it was specifically ignoring,” Bromiley said.\r\nOnce the credit card data was scraped from system memory, PinkKite uses a Luhn algorithm to validate credit and\r\ndebit card numbers. To further frustrate analysis and detection, PinkKite adds another layer of obfuscation via a\r\ndouble-XOR operation that encodes the 16 digits of the credit card number with a predefined key. Next, credit\r\ncard data is stored in compressed files with names such as .f64, .n9 or .sha64. Those records can contain as many\r\nas 7,000 credit card numbers each and are periodically sent manually using a separate Remote Desktop Protocol\r\n(RDP) session to one of the three PinkKite clearinghouses.\r\n“Once the data was scraped by PinkKite, it was written to a file on a remote system. These remote ‘collection’\r\nsystems served as central collection points (clearinghouses) for hundreds or thousands of malware output files,”\r\nDayter said.\r\nKroll isn’t sharing many details regarding the group behind PinkKite, beyond the infection technique used to plant\r\nthe POS malware on endpoints. According to researchers, the hackers likely infiltrated one main system and then\r\nfrom there used PsExec to move laterally across the company’s network environment. Hackers then identified the\r\nLocal Security Authority Subsystem Service (LSASS) and extracted credentials using Mimikatz. Once systems\r\nwere compromised, attackers would swoop in to remove the credit card data via the RDP session.\r\nDayter and Bromiley said they were tipped off to the infection because the client had been made aware that its\r\ncustomer’s credit cards were being sold on the black market. The name PinkKite follows Kroll’s malware naming\r\nconvention, and was randomly selected, according to the company. There is no connection between the malware’s name and\r\nthe malware itself.\r\nSource: https://threatpost.com/new-pos-malware-pinkkite-takes-flight/130428/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://threatpost.com/new-pos-malware-pinkkite-takes-flight/130428/"
	],
	"report_names": [
		"130428"
	],
	"threat_actors": [],
	"ts_created_at": 1775434561,
	"ts_updated_at": 1775791281,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/52116ed70c5d3a3cae0dfa6e0a0c4a06ee263fe1.pdf",
		"text": "https://archive.orkl.eu/52116ed70c5d3a3cae0dfa6e0a0c4a06ee263fe1.txt",
		"img": "https://archive.orkl.eu/52116ed70c5d3a3cae0dfa6e0a0c4a06ee263fe1.jpg"
	}
}