{
	"id": "4c4616da-15c1-4a12-be29-75a1311dbc74",
	"created_at": "2026-04-06T03:37:56.872796Z",
	"updated_at": "2026-04-10T03:20:19.433366Z",
	"deleted_at": null,
	"sha1_hash": "5ea319c922e7fc8889dca0bf190f2098b317e6c8",
	"title": "Chewbacca Point-of-Sale Malware Campaign Found in 10 Countries",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 39147,
	"plain_text": "Chewbacca Point-of-Sale Malware Campaign Found in 10 Countries\r\nBy Michael Mimoso\r\nPublished: 2014-01-31 · Archived: 2026-04-06 02:58:35 UTC\r\nA criminal campaign using the Tor-based Chewbacca Trojan, which includes memory-scraping malware and a keylogger, is responsible for the theft of more than 49,000 credit card numbers in 10 countries.\r\nBefore you think that RAM scraper malware was a phenomenon specific to the Target breach, think again. A four-month-long crime spree targeting point-of-sale systems in a number of industries has been discovered; the campaign, however, is not related to the mammoth Target break-in or other recently reported hacks at Neiman Marcus or Michaels.\r\nThe malware in question is the privately sold Chewbacca Trojan, a two-pronged threat that uses the Tor anonymity network to hide its communication with the attackers’ command and control infrastructure. Chewbacca not only infects point-of-sale terminals with RAM-scraping malware in order to steal payment card data before it is encrypted, but also drops keylogging software onto compromised systems.\r\nResearchers at RSA Security discovered the criminal campaign and say they have found malware samples used in 10 countries, primarily in the United States and the Russian Federation. Will Gragido, senior manager at RSA FirstWatch, the company’s research arm, said the command and control server they intercepted has been taken offline—likely by its Ukrainian handlers rather than law enforcement—putting a halt to the campaign. Gragido said the criminals had their hands on 49,330 credit card numbers and there were 24 million transaction records on the attackers’ server.\r\n“It’s actually a mixture of industries that have been hit: some broadband providers were impacted, retailers, supermarkets, gas stations, and other associated businesses,” Gragido said. “It’s a sloppily put-together piece of code; it’s not the most sophisticated code, but it seems effective.”\r\nThe original Chewbacca samples were found in October and reported by Kaspersky Lab’s Global Research and Analysis Team in December. While the original attack vector is not yet understood, Chewbacca’s behaviors are pretty self-evident. Chewbacca finds running processes on compromised computers, reads process memory, drops a keylogger and is able to move that information off of infected machines, said Marco Preuss, director of research for Kaspersky Lab in Europe.\r\nThe malware is a PE32 executable compiled with Free Pascal 2.7.1; its 5 MB file includes the Tor executable, which the attackers use to move data and communication between infected POS terminals, servers, and the attackers themselves. Once executed, Chewbacca drops as spoolsv.exe into the victim machine’s startup folder and then launches its keylogger and stores all keystrokes to a log created by the malware, Preuss said. Spoolsv.exe is the same name used by the Windows Print Spooling service; the malware reuses that name to blend into the startup process and maintain persistence.\r\nGragido said RSA FirstWatch had infiltrated the attackers’ original command server, which was using a Tor .onion domain for obfuscation.\r\n“We think we caught this campaign early on,” Gragido said. “Chewbacca has not been out there very long. We’ve seen it established in a few small retailers and service providers.”\r\nThe Target breach has elevated awareness around point-of-sale malware, in particular RAM scrapers. Target admitted shortly before Christmas that attackers had been on its network and stolen 40 million payment card numbers from infected point-of-sale systems, along with the personal information of 70 million people, putting potentially 110 million at risk for identity theft and fraud.\r\nNew details emerged this week on just how burrowed into Target’s network the attackers were. Experts believe the initial compromise was a SQL injection attack that allowed the attackers access to the network. Once there, it’s apparent they took advantage of hard-coded credentials on system management software used by the retailer to set up a control server on the Target network and moved data out in batches.\r\n“We don’t have anything from an evidentiary perspective that this is tied to Target, Neiman Marcus or Michaels,” Gragido said. “The malware is different, the attackers’ MO is different, there’s no common infrastructure or common malware. The gang behind it, we think, is a newer crop of folks with activity in Eastern Europe, but it’s hard to say.”\r\nSource: https://threatpost.com/chewbacca-point-of-sale-malware-campaign-found-in-10-countries/103985/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://threatpost.com/chewbacca-point-of-sale-malware-campaign-found-in-10-countries/103985/"
	],
	"report_names": [
		"103985"
	],
	"threat_actors": [],
	"ts_created_at": 1775446676,
	"ts_updated_at": 1775791219,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5ea319c922e7fc8889dca0bf190f2098b317e6c8.pdf",
		"text": "https://archive.orkl.eu/5ea319c922e7fc8889dca0bf190f2098b317e6c8.txt",
		"img": "https://archive.orkl.eu/5ea319c922e7fc8889dca0bf190f2098b317e6c8.jpg"
	}
}