{
	"id": "ffbfd0c5-773a-4539-8a88-d5cda093767f",
	"created_at": "2026-04-06T00:10:56.252971Z",
	"updated_at": "2026-04-10T03:33:52.172801Z",
	"deleted_at": null,
	"sha1_hash": "7337a2a83f74928723bfab9d4fb7cbc4fcf23771",
	"title": "ZeusPOS and NewPOSthings Point-of-Sale Malware Traffic Quadruples For Black Friday | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1531833,
	"plain_text": "ZeusPOS and NewPOSthings Point-of-Sale Malware Traffic\r\nQuadruples For Black Friday | Proofpoint US\r\nBy Proofpoint Staff, December 06, 2016\r\nPublished: 2016-12-05 · Archived: 2026-04-05 22:06:29 UTC\r\nOverview\r\nPoint-of-Sale (POS) malware made headlines in 2013 with high-profile retail breaches that exposed millions of\r\ncredit cards. POS malware is specifically designed to infect payment terminals at retailers, hotels, restaurants, and\r\nelsewhere. Traditionally, POS malware has scraped credit and debit card information from magnetic stripe readers\r\nor from memory on the terminals. Even with the widespread implementation of chip and PIN technologies, new\r\nPOS malware has emerged that can calculate authentication codes for chipped cards and use them later for\r\nfraudulent transactions.\r\nMore recently, the dangers of POS malware have receded from view as banking Trojans such as Dridex and Ursnif\r\ncaused headaches for businesses, while 2016 has been dominated by large-scale distribution of ransomware like\r\nLocky and CryptXXX. Shifting headlines, however, do not mean that POS malware has gone away. On the\r\ncontrary, POS malware is alive and well, with actors regularly targeting multiple verticals with attempts to capture\r\ncredit card information en masse for sale on the black market. With its “Black Friday” sales, Thanksgiving\r\nweekend demonstrated especially high levels of activity as network traffic for data exfiltration from infected\r\nterminals spiked by nearly 400% for some malware families.\r\nThrough all of this, email has become an important vector for distribution of POS malware to organizations, even\r\nif as a secondary payload for a loader or banking Trojan that provides a beachhead for deeper attacks on\r\nnetworked POS systems. In fact, the role email plays in both early POS malware distribution and modern\r\ncampaigns is representative of broader trends in the use of email as an attack vector: between 2013-2014, POS\r\nmalware was often distributed as a result of infections caused by clicking malicious links in email messages;\r\nbetween 2015-2016, malicious document attachments distributed POS malware and other payloads.\r\nAnalysis\r\nThe POS malware market is varied and evolving, with new tools emerging to take on improved retail security as\r\nwell as to add functions that may be useful to attackers infiltrating networks that support retail and Point-of-Sale\r\noperations. Regardless of the mechanism of delivery, installation, or execution, we can generally observe contact\r\nwith command and control (C\u0026C) servers via a series of network sensors run by our Emerging Threats group.\r\nFigure 1 shows the top POS malware over 2016 based on C\u0026C traffic and check-ins.\r\nhttps://www.proofpoint.com/us/threat-insight/post/zeuspos-newposthings-point-of-sale-malware-traffic-quadruples-black-friday\r\nPage 1 of 10\n\nFigure 1: Top POS malware by indexed volume of network activity\r\nWhile Figure 1 shows occasional spikes with a regular ebb and flow of network activity for several POS malware\r\nfamilies, Proofpoint researchers observed 3-4x increases in data exfiltration traffic related to ZeusPOS and\r\nNewPOSthings variants over the Thanksgiving weekend. While increased traffic associated with Black Friday was\r\nexpected, the spikes, shown in Figures 2 and 3, were dramatic.\r\nFigure 2: Thanksgiving 2016 weekend network activity for ZeusPOS\r\nFigure 3: Thanksgiving weekend data exfiltration activity for NewPOSthings\r\nAlthough the spike in network activity around the Thanksgiving holiday in the US was noteworthy, a look at\r\noverall traffic patterns since the beginning of the year tells an equally important story. We observed considerable\r\noverlap among various POS malware families, suggesting cases of shared infrastructure (Figure 4).\r\nFigure 4: Network graph showing relative activity and connections by POS malware family\r\nFigure 4 in particular demonstrates that:\r\nLike other forms of malware, POS malware activity tends to be concentrated around a few dominant\r\nvariants, even as minor variants continue to make the rounds and wait in the wings to become \"the next big\r\nthing\"\r\nMajor variants are often related by shared infrastructure or actors that move from using one variant to\r\nanother, as happened with Dridex and Locky in the banking Trojan and ransomware spaces\r\nEstablishing these relationships helps organizations better defend against POS malware by observing\r\nsimilarities in C\u0026C check-ins, infection methods, etc.\r\nIn many cases, we can also associate malicious email campaigns with initial attempts to install POS malware.\r\nFigure 5 shows the relative volume of malware payloads targeting the retail vertical in October. Note that after\r\nremoving Locky ransomware, which accounted for 90% of all message volume, the top two payloads were\r\nloaders: Pony and H1N1. It is also worth noting that we first discovered AbaddonPOS, a widespread POS\r\nmalware variant, being spread by Vawtrak, the third-ranked payload in Figure 5. While these were not necessarily\r\ndropping POS malware, this chart shows that attackers have mature tools at their disposal, as well as databases of\r\nretail contacts, through which they can target retailers via email in order to attack POS systems.\r\nFigure 5: Relative message volumes by payload targeting retail in October, with Locky removed for improved\r\nvisibility\r\nTaking a closer look at specific campaigns this year gives us additional insight into the distribution of POS\r\nmalware and the changing landscape in this sector.\r\nPersonalized TinyLoader -\u003e AbaddonPOS\r\nThe \"personalized actor\" or TA530 frequently engages in small to medium-sized campaigns that involve\r\npersonalized emails and lures to increase their effectiveness. We observed campaigns from this actor targeting big-box retailers and grocery chains in July and October. The attacks involved thousands of messages dropping\r\nAbaddonPOS via TinyLoader. The attacker uses a personalized “client feedback” email with the recipient's name\r\nin the subject, attachment name, and email body that references a specific store location (Figure 6). This creates a\r\nsocially engineered, legitimate-looking lure that entices users to open an attached Word document and enable\r\nmacros. Enabling macros installs TinyLoader, which in turn installs AbaddonPOS.\r\nFigure 6: Personalized client feedback email lure featuring a socially engineered complaint - \"I am emailing you to\r\nsubmit my feedback about the bad treatment that I and my wife received at a store of [store name and location\r\nredacted]...\"\r\nWe have previously observed TinyLoader leading to AbaddonPOS, but the campaigns were not personalized.\r\nJackPOS\r\nJackPOS is POS malware that attempts to scrape credit card details (track 1 and track 2) from computer memory.\r\nIn April, we observed a campaign with thousands of email messages that contained malicious URLs linking to a\r\ncompressed JackPOS malware executable. The executables were hosted on securepos[.]cf, which appears to be a\r\nfake page and a convincing front pretending to market ARP-IT Antivirus, Retail POS, and other products.\r\nFigure 7: Fake website purporting to sell AV, POS software, and other tools, and hosting POS malware\r\nProject Hook\r\nIn October, we observed a low-volume email campaign distributing \"Project Hook\" POS malware. Interestingly,\r\nthis campaign was highly targeted at spas, with a link to a fake update for spa management software. Clicking the\r\nupdate link in the emails led to a compressed .vbs file that loads Project Hook, leading to the \"update\r\nconfirmation\" in Figure 8.\r\nFigure 8: Fake update confirmation for spa management software\r\nProject Hook malware has been observed in the wild since 2013 and continues to make the rounds in various\r\nincarnations.\r\nKronos -\u003e ScanPOS\r\nMost recently, we observed a relatively large campaign distributing an instance of the Kronos banking Trojan.\r\nThis campaign was highly targeted at the hospitality vertical, as shown in Figure 9.\r\nFigure 9: Relative volumes for vertical targeting in the October Kronos -\u003e ScanPOS campaign.\r\nOnce installed via either malicious macros in a document attachment or via a link to a malicious document,\r\nKronos downloaded one of three secondary payloads, including a new POS malware variant called ScanPOS.\r\nScanPOS is a relatively simple POS malware variant that scans process memory for credit card numbers that are\r\nsubsequently sent to a C\u0026C server via HTTP POST.\r\nThese campaigns provide a snapshot of the current POS malware landscape and the tactics, techniques, and\r\nprocedures (TTPs) that threat actors are using to deliver the malware to their targets. A closer look at the\r\ncampaigns reveals some common threads:\r\nIncreasing degrees of personalization and targeting: whether actors are personalizing their lures to increase\r\neffectiveness or going after a very specific vertical with specialized bogus software, email campaigns\r\nprovide a rich basis for attacks\r\nFake software, websites, and email lures are sophisticated and compelling socially engineered tools that go\r\nfar beyond the basic credential phishing that characterized attacks on POS systems in 2013 and 2014\r\nAttackers are using a diverse set of approaches, ranging from malicious document attachments to a variety\r\nof malware loaders that have proven successful with banking Trojans and ransomware, to deliver POS\r\nmalware payloads.\r\nTargeting Retailers Indirectly\r\nUnfortunately, the threats to retail aren't limited to POS malware. We have also observed a significant uptick in\r\nretail account phishing attempts. The most recent ones use lures of payment for \"secret shoppers\" or online reviews and\r\ntarget students at higher education institutions who may be willing to enter credentials for a chance at some quick,\r\neasy money.\r\nFigure 10: A fake customer satisfaction survey for an Australian supermarket chain\r\nIn other cases, actors use further variations of credential phishing to obtain login details for “big box” store and\r\nother retailer accounts, allowing them to conduct fraudulent transactions. Regardless of the method or particular\r\nretailer targeted, though, it is the retailer that will ultimately bear the costs associated with these transactions.\r\nWhile POS malware can net threat actors potentially very large paydays, higher volume credential phishing can\r\nalso be quite lucrative and threatens retailers' brands as well as their bottom lines -- and the pocketbooks of\r\nunsuspecting consumers.\r\nConclusion\r\nPoint-of-Sale malware continues to be distributed and operate at relatively high volumes. This isn't surprising\r\ngiven the potentially large payouts for threat actors if they can capture large numbers of credit cards. Even as the\r\npayment industry works to ensure PCI compliance and moves toward more secure credit card transactions with\r\nchip and PIN technologies, POS malware is evolving to work around these new barriers. At the same time, threat\r\nactors are innovating to deliver their payloads more effectively, diversify their approaches, or even cash in on\r\nsimple credential phishing using retail brands as the lure.\r\nSource: https://www.proofpoint.com/us/threat-insight/post/zeuspos-newposthings-point-of-sale-malware-traffic-quadruples-black-friday",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/zeuspos-newposthings-point-of-sale-malware-traffic-quadruples-black-friday"
	],
	"report_names": [
		"zeuspos-newposthings-point-of-sale-malware-traffic-quadruples-black-friday"
	],
	"threat_actors": [
		{
			"id": "f8fd6c94-f1bf-43b8-8613-edc46ca097ee",
			"created_at": "2022-10-25T16:07:24.285532Z",
			"updated_at": "2026-04-10T02:00:04.922819Z",
			"deleted_at": null,
			"main_name": "TA530",
			"aliases": [],
			"source_name": "ETDA:TA530",
			"tools": [
				"AbaddonPOS",
				"August Stealer",
				"Bugat v5",
				"CryptoWall",
				"Dofoil",
				"Dridex",
				"Gozi ISFB",
				"H1N1",
				"H1N1 Loader",
				"ISFB",
				"Nymaim",
				"Pandemyia",
				"Sharik",
				"Smoke Loader",
				"SmokeLoader",
				"SpY-Agent",
				"TVRAT",
				"TVSpy",
				"TeamSpy",
				"TeamViewerENT",
				"TinyLoader",
				"nymain"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "af77521e-c35f-4030-a95d-bcd1eaeeaac1",
			"created_at": "2023-01-06T13:46:38.476089Z",
			"updated_at": "2026-04-10T02:00:02.990237Z",
			"deleted_at": null,
			"main_name": "TA530",
			"aliases": [],
			"source_name": "MISPGALAXY:TA530",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434256,
	"ts_updated_at": 1775792032,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7337a2a83f74928723bfab9d4fb7cbc4fcf23771.pdf",
		"text": "https://archive.orkl.eu/7337a2a83f74928723bfab9d4fb7cbc4fcf23771.txt",
		"img": "https://archive.orkl.eu/7337a2a83f74928723bfab9d4fb7cbc4fcf23771.jpg"
	}
}