{ "id": "726b8fbc-b371-4ca0-8dd5-98321691387a", "created_at": "2026-04-06T00:16:06.254002Z", "updated_at": "2026-04-10T03:21:42.225177Z", "deleted_at": null, "sha1_hash": "915499f311defce04e802a7dc007ed2ce63a8767", "title": "LevelBlue - Open Threat Exchange", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 242783, "plain_text": "LevelBlue - Open Threat Exchange\r\nBy TheNewRaikage\r\nArchived: 2026-04-05 21:04:59 UTC\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:multigrain\r\nPage 1 of 5\n\nThreat Research | FireEye Inc\r\nFind out more about FireEye.com, the world's leading cyber security company, which provides security services to\r\nmore than 1.5 million customers across the globe, and offers a wide range of products and services.\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:multigrain\r\nPage 2 of 5\n\n17 Subscribers\r\nAuthor Url\r\nWhat is Multigrain? Learn what makes this PoS malware different.\r\nBY PANDALABS • AUGUST 4, 2016 | Multigrain is a Point of Sale (PoS) malware that specializes in stealing\r\ncredit and debit card information while using RAM-Scraping techniques (it directly accesses the RAM memory\r\nfrom certain processes to obtain the information from the cards). This has become a popular method as\r\ninternational laws prohibit this information from being stored on the disk (not even temporarily). Another\r\ncharacteristic of Multigrain is that it uses DNS petitions in order to communicate with the outside (and so it can\r\nsend the stolen information). In this article we will analyze the malware itself as well as the way the malware\r\ncommunicates.\r\n144 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:multigrain\r\nPage 3 of 5\n\n72 Subscribers\r\nAuthor Url\r\nPosCardStealer and Large-scale Attacks Jeopardize PoS Systems\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:multigrain\r\nPage 4 of 5\n\nBY LUIS CORRONS • AUGUST 9, 2016 | Some weeks ago we unveiled an attack that affected hundreds of\r\nrestaurants in the United States using a malware called PunkeyPOS. Something that we did not disclose is how we\r\ndiscovered PunkeyPOS: it turns out that we’ve actually been investigating a series of PoS (Point of Sale) attacks\r\nthat have also affected hundreds of bars, restaurants and stores in the US. While we were analyzing one of these\r\nattacked systems, it was attacked by yet another cybergang using PunkeyPOS. In this article we are going to\r\ndiscuss this attack that we are still investigating that uses a PoS malware called PosCardStealer.\r\n144 Subscribers\r\nAuthor Url\r\nMULTIGRAIN – POINT OF SALE\r\nFileHash-MD5: 1 | Domain: 1\r\nFireEye recently discovered a new variant of a point of sale (POS) malware family known as NewPosThings. This\r\nvariant, which we call “MULTIGRAIN”, consists largely of a subset of slightly modified code from\r\nNewPosThings. The variant is highly targeted, digitally signed, and exfiltrates stolen payment card data over\r\nDNS. The addition of DNS-based exfiltration is new for this malware family; however, other POS malware\r\nfamilies such as BernhardPOS and FrameworkPOS have used this technique in the past. Using DNS for data\r\nexfiltration provides several advantages to the attacker. Sensitive environments that process card data will often\r\nmonitor, restrict, or entirely block the HTTP or FTP traffic often used for exfiltration in other environments. While\r\nthese common internet protocols may be disabled within a restrictive card processing environment, DNS is still\r\nnecessary to resolve hostnames within the corporate environment and is unlikely to be blocked.\r\n374,006 Subscribers\r\nSource: https://otx.alienvault.com/browse/pulses?q=tag:multigrain\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:multigrain\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://otx.alienvault.com/browse/pulses?q=tag:multigrain" ], "report_names": [ "pulses?q=tag:multigrain" ], "threat_actors": [], "ts_created_at": 1775434566, "ts_updated_at": 1775791302, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/915499f311defce04e802a7dc007ed2ce63a8767.pdf", "text": "https://archive.orkl.eu/915499f311defce04e802a7dc007ed2ce63a8767.txt", "img": "https://archive.orkl.eu/915499f311defce04e802a7dc007ed2ce63a8767.jpg" } }