{
	"id": "ec59ab89-4b5d-4380-8bed-f28436f29277",
	"created_at": "2026-04-06T00:06:49.161639Z",
	"updated_at": "2026-04-10T03:20:16.309953Z",
	"deleted_at": null,
	"sha1_hash": "6c46b7a5cabd134fb2f8bbd5899f7873efc2425f",
	"title": "GlitchPOS: New PoS malware for sale",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5216527,
	"plain_text": "GlitchPOS: New PoS malware for sale\r\nBy Paul Rascagneres\r\nPublished: 2019-03-13 · Archived: 2026-04-05 13:08:57 UTC\r\nWednesday, March 13, 2019 10:52\r\nWarren Mercer and Paul Rascagneres authored this post with contributions from Ben Baker.\r\nThe actor behind this malware created a video, which we embedded below, showing how easy it is to use it. This is a case where the average user could purchase all the tools necessary to set up their own credit card-skimming botnet.\r\nGlitchPOS\r\nPacker overview\r\nA packer developed in VisualBasic protects this malware. On the surface, it's a fake game. The user interface of the main form (which is not displayed at execution) contains various pictures of cats:\r\nhttps://blog.talosintelligence.com/2019/03/glitchpos-new-pos-malware-for-sale.html\r\nPage 1 of 13\r\nThe purpose of the packer is to decode a library that's the real payload, encoded with the UPX packer. Once decoded, we gain access to GlitchPOS, a memory grabber developed in VisualBasic.\r\nPayload analysis\r\nThe payload is small and contains only a few functions. It can connect to a command and control (C2) server to:\r\nRegister the infected systems\r\nReceive tasks (command execution in memory or on disk)\r\nExfiltrate credit card numbers from the memory of the infected system\r\nUpdate the exclusion list of scanned processes\r\nUpdate the \"encryption\" key\r\nUpdate the User Agent\r\nClean itself\r\nTasks mechanism\r\nThe malware receives tasks from the C2 server. Here is the task pane:\r\nThe commands are executed via a shellcode directly sent by the C2 server. Here is an example in Wireshark:\r\nThe shellcode is encoded with base64. In our screenshot, the shellcode is a RunPE:\r\n\"Encryption\" key\r\nThe \"encryption\" key of the communication can be updated in the panel. The communication is not encrypted but simply XORed:\r\nCredit card grabber\r\nThe main purpose of this malware is to steal credit card numbers (Track1 and Track2) from the memory of the infected system. GlitchPOS uses a regular expression to perform this task:\r\n(%B)\\d{0,19}\\^[\\w\\s\\/]{2,26}\\^\\d{7}\\w*\\?\r\nThe purpose of this regular expression is to detect Track 1 format B.\r\nHere is an example of Track 1:\r\nCardholder: M. TALOS\r\nCard number*: 1234 5678 9012 3445\r\nExpiration: 01/99\r\n%B1234567890123445^TALOS/M.\r\n;\\d{13,19}=\\d{7}\\w*\\?\r\nThe purpose of this regular expression is to detect Track 2.\r\nHere is an example of Track 2 based on the previous example:\r\n;1234567890123445=99011200XXXX00000000?*\r\nIf a match is identified in memory, the result is sent to the C2 server. The malware maintains an exclusion list provided by the server. Here is the default list: chrome, firefox, iexplore, svchost, smss, csrss, wininit, steam, devenv, thunderbird, skype, pidgin, services, dwn, dllhost, jusched, jucheck, lsass, winlogon, alg, wscntfy, taskmgr, taskhost, spoolsv, qml, akw.\r\nPanel\r\nHere are some additional screenshots of the GlitchPOS panel. These screenshots were provided by the seller to promote the malware.\r\nThe \"Dashboard:\"\r\nThe \"Clients\" list:\r\nThe \"Cards Date:\"\r\nLinked with DiamondFox L!NK botnet\r\nAuthor: Edbitss\r\nThe first mention of GlitchPOS was on Feb. 2, 2019 on a malware forum:\r\nEdbitss is allegedly the developer of the DiamondFox L!NK botnet in 2015/2016 and 2017, as explained in a report by CheckPoint.\r\nThe developer created this video to promote GlitchPOS, as well. In this video, you can see the author set up the malware and capture the data from a swiped card. We apologize for the quality, shakiness, music, and generally anything else with this video; again, it's not ours.\r\nThe built malware is sold for $250, the builder for $600 and finally, the gate address change is charged at $80.\r\nPanel similarities\r\nIn addition to the malware language (VisualBasic), we identified similarities between the DiamondFox panel and the GlitchPOS panel. In this section, the DiamondPOS screenshots come from the CheckPoint report mentioned previously.\r\nBoth dashboards' world maps are similar (image, code and color):\r\nThe author used the same terminology, such as \"Clients\" or \"Tasks\", on the left menu:\r\nThe icons are the same in both panels too, as well as the infected machine list (starting with the HWID). The PHP file naming convention is similar to DiamondFox, too.\r\nThe author clearly reused code from the DiamondFox panel on the GlitchPOS panel.\r\nComparison of GlitchPOS and the DiamondFox POS module\r\nIn 2017, the DiamondFox malware included a POS plugin. We decided to check if this module was the same as GlitchPOS, but it is not. For DiamondFox, the author decided to use the leaked code of BlackPOS to build the credit card grabber. On GlitchPOS, the author developed his own code to perform this task and did not use the previously leaked code.\r\nBad guys are everywhere\r\nIt's interesting to see that someone else attempted to push the same malware 25 days after edbitss on an alternative forum:\r\nThis attacker even tried to cash in by increasing some prices.\r\nSome members even attempted to call out the unscrupulous behaviour:\r\nWith the different information we have, we think that Chameleon101 has taken the previous malware created by Edbitss to sell it on an alternative forum at a higher price.\r\nConclusion\r\nThis investigation shows us that POS malware is still attractive and some people are still working on the development of this family of malware. We can see that edbitss developed malware years even after being publicly mentioned by cybersecurity companies. He left DiamondFox to switch to a new project targeting point-of-sale. The sale opened a few weeks ago, so we don't know yet how many people bought it or use it. We also see that bad guys steal the work of each other and try to sell malware developed by other developers at a higher price. The final word will be a quote from Edbitss on a DiamondFox screenshot published by himself: \"In the future, even bank robbers will be replaced.\"\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors. Below is a screenshot showing how AMP can protect customers from this threat. Try AMP for free here.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.\r\nOpen Source SNORT® Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.\r\nIndicators of Compromise (IOCs)\r\nThe following IOCs are associated with this campaign:\r\nGlitchPOS samples (SHA256):\r\ned043ff67cc28e67ba36566c340090a19e5bf87c6092d418ff0fd3759fb661ab\r\nabfadb6686459f69a92ede367a2713fc2a1289ebe0c8596964682e4334cee553\r\nC2 server: coupondemo[.]dynamicinnovation[.]net\r\nURLs:\r\nhxxp://coupondemo[.]dynamicinnovation[.]net/cgl-bin/gate.php\r\nhxxp://coupondemo[.]dynamicinnovation[.]net/admin/gate.php\r\nhxxp://coupondemo[.]dynamicinnovation[.]net/glitch/gate.php\r\nSource: https://blog.talosintelligence.com/2019/03/glitchpos-new-pos-malware-for-sale.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2019/03/glitchpos-new-pos-malware-for-sale.html"
	],
	"report_names": [
		"glitchpos-new-pos-malware-for-sale.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434009,
	"ts_updated_at": 1775791216,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6c46b7a5cabd134fb2f8bbd5899f7873efc2425f.pdf",
		"text": "https://archive.orkl.eu/6c46b7a5cabd134fb2f8bbd5899f7873efc2425f.txt",
		"img": "https://archive.orkl.eu/6c46b7a5cabd134fb2f8bbd5899f7873efc2425f.jpg"
	}
}