Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 13:33:06 UTC

Tool: ChewBacca

Names: ChewBacca
Category: Malware
Type: POS malware, Keylogger, Credential stealer

Description: (Trend Micro) ChewBacca is a PoS RAM scraper family, first discovered at the end of 2013, which uses the Tor network to exfiltrate stolen data. When first executed, ChewBacca copies itself to %USERPROFILE%\START MENU\Programs\Startup\spoolsv.exe and adds itself to an Auto Start runkey to remain persistent. It is self-contained and installs obfsproxy v0.2.3.25—a Tor proxy application—in %TEMP%. It then hooks WH_KEYBOARD_LL, which monitors keyboard input events. This allows ChewBacca to capture all keyboard events, which are then logged to %TEMP%\system.log.

Information: Malpedia
Last change to this tool card: 25 May 2020

All groups using tool ChewBacca

Changed  Name  Country  Observed
Unknown groups: _[ Interesting malware not linked to an actor yet ]_

1 group listed (0 APT, 0 other, 1 unknown)

Source: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=639ab604-a3b4-4e35-9eaf-b67b0d4d9503