{
	"id": "8c907d1c-3600-4152-868d-4f67d7407921",
	"created_at": "2026-04-06T00:14:28.051842Z",
	"updated_at": "2026-04-10T13:11:35.665436Z",
	"deleted_at": null,
	"sha1_hash": "a52dc7a21662b67dda349b35f25070c0e796126b",
	"title": "The Evolution of Point-of-Sale (PoS) Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 384048,
	"plain_text": "The Evolution of Point-of-Sale (PoS) Malware\r\nArchived: 2026-04-05 18:46:44 UTC\r\nIn 2014, we saw several data breach incidents in which Point-of-Sale (PoS) malware was used to hit organizations, institutions, and users. Since criminals naturally go where the money is, it is easy to see why they target PoS terminals: these are the places where payment cards are routinely used. Having observed multiple PoS malware families, we stress that the personal and sensitive information stolen from credit and debit cards can be used to impersonate unsuspecting customers, resulting in fraudulent purchases, financial loss, and damaged credit standing.\r\nPoS malware has evolved rapidly over the past few years, targeting mostly large retail companies, where a single compromise yields large volumes of card data rather than data from individual sources.\r\nPoS Systems and Evolving Threats\r\nA PoS device is designed to complete transactions: it totals the purchases made by a customer and also provides other operational functions such as inventory management, accounting, and sales tracking. PoS systems require a network connection so that the seller can validate payments. Small businesses may use a cellular data connection, while bigger companies employ internal networks. Most PoS devices run on Windows or UNIX-based operating systems, making them easy to operate, maintain, and develop software for. However, this also means that malware can be developed for these systems just as easily.\r\nIn the past, criminals used physical skimmers fitted to card readers to copy the data from payment cards. This required them to be physically close to the PoS terminal and thus risked discovery. Today, cybercriminals rely on malware to steal card data, and that malware has continually evolved. 
As shown in the timeline below, criminals have branched out into various malware families that target PoS devices. And where does all the stolen data go? It is either used for illegal purchases or traded in underground markets.\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-evolution-of-point-of-sale-pos-malware\r\nPage 1 of 4\n\nHow PoS Malware Works\r\nThe payment card industry's security standards require that sensitive payment data captured from cards be encrypted when it is stored and when it is transmitted. However, the PoS application has to process the card data, and unless the terminal uses point-to-point encryption (P2PE) from the card reader onward, that data sits in the PoS device's memory in plaintext, if only briefly. Typical PoS RAM scraper malware reads the memory of the running PoS processes and captures the payment card information directly from it.\r\nWhile they all typically share the same end goal, the different PoS malware types are designed to do the deed in different ways. Here are some of the notable PoS malware types we have reported on in the past few months:\r\nBackoff – a successor of Alina (also known as Track), whose variants are known for scanning all running processes to retrieve card track data and for gathering information about the affected system. Backoff uses the same installation technique as the Alina family of PoS RAM-scraping malware. Based on our research, Backoff implements an updated data search function and drops a watchdog process to ensure that it keeps running on the system. Discovered by the US Computer Emergency Readiness Team (US-CERT), this PoS malware targeted the US. Interestingly, we saw a clear decrease of hits during “dead hours”, specifically at 2:00 AM, and a recurring rise of hits at 10:00 AM. This trend follows regular business operating hours, during which PoS devices are more likely to be active and in use. 
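The following scanner is an added example written for this page; it is not code from Trend Micro or from any of the malware families discussed. It shows what a RAM scraper such as Backoff or Alina is looking for when it walks the memory of running processes: magnetic-stripe Track 1 and Track 2 records, recognisable by their ISO/IEC 7813 sentinels and separators, with the PAN validated by the Luhn check so that random digit runs are discarded. Run by a defender over a memory dump of a PoS process, the same logic demonstrates whether card data is exposed in plaintext at all. The sample memory buffer is constructed for this example, and the card numbers in it are publicly known test numbers that pass Luhn but belong to no real account.

```python
import re
from typing import Dict, List

# Magnetic-stripe track layout (ISO/IEC 7813):
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
# The '^' separator is a regex anchor, so it is escaped at runtime to match literally.
CARET = re.escape(b'^')
TRACK1 = re.compile(b'%B([0-9]{13,19})' + CARET + b'([^^]{2,26})' + CARET
                    + b'([0-9]{4})([0-9]{3})([0-9]*)[?]')
TRACK2 = re.compile(b';([0-9]{13,19})=([0-9]{4})([0-9]{3})([0-9]*)[?]')


def luhn_ok(pan: str) -> bool:
    '''Luhn check-digit validation (ISO/IEC 7812); filters out random digit runs.'''
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    '''Keep only the first six and last four digits, as PCI DSS permits for display.'''
    return pan[:6] + '*' * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes) -> List[Dict[str, object]]:
    '''Return every Luhn-valid track record found in a memory buffer, ordered by offset.
    PANs are masked so that the scanner output does not itself become cardholder data.'''
    findings: List[Dict[str, object]] = []
    for m in TRACK1.finditer(buf):
        pan = m.group(1).decode('ascii')
        if luhn_ok(pan):
            findings.append({'track': 1, 'offset': m.start(), 'pan': mask_pan(pan),
                             'name': m.group(2).decode('ascii'),
                             'expiry': m.group(3).decode('ascii'),
                             'service_code': m.group(4).decode('ascii')})
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode('ascii')
        if luhn_ok(pan):
            findings.append({'track': 2, 'offset': m.start(), 'pan': mask_pan(pan),
                             'expiry': m.group(2).decode('ascii'),
                             'service_code': m.group(3).decode('ascii')})
    return sorted(findings, key=lambda f: f['offset'])


# Constructed stand-in for a dump of a PoS process: track data sits in plaintext
# between the card reader and the encrypted channel to the payment processor.
# The card numbers are public test numbers, not real accounts.
SAMPLE_MEMORY = (
    b'....posapp.exe heap....order=0042 total=19.99....'
    b'%B4111111111111111^DOE/JOHN^29011011000000000000?'
    b'....inventory sync....'
    b';5555555555554444=2903101123456789?'
    b'....'
    b';1234567890123456=2901101?'        # looks like Track 2 but fails Luhn: ignored
    b'....'
)

if __name__ == '__main__':
    for finding in scan_memory(SAMPLE_MEMORY):
        print(finding)
```

The third record in the buffer has the right shape but a PAN that fails Luhn, and the scanner drops it; real scrapers apply the same filter to keep their exfiltrated dumps small, and a defender running this over a process dump should treat any surviving finding as proof that the terminal does not encrypt card data before it reaches application memory.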
Generally, detections of Backoff increase during business hours and decline during off-hours.\r\nBlackPoS version 2.0 – this PoS malware clones the exfiltration technique that the BlackPoS variant used to compromise US retailer Target. BlackPoS version 2.0 pretends to be an antivirus product installed on the system to avoid user suspicion. Trend Micro researchers found that the source code of the original BlackPoS was leaked, enabling other cybercriminals to enhance it. According to our findings, this malware appears to have been used in the massive data breach that targeted Home Depot.\r\n[Read: Home Depot confirms breach, reported to be largest on record]\r\nIn 2014 alone, PoS malware was used to hit several large retail companies in the US. In the wake of these attacks, we also recently found a new PoS malware that emerged in time for the holiday shopping weekend. Called GetMyPass, this new PoS malware depends on its configuration file, which means that it was designed to be flexible. Based on other PoS malware routines we analyzed, GetMyPass appears to be designed as multicomponent malware similar to an earlier BlackPoS variant. We continue to monitor this malware as it develops.\r\nAdditional Resources:\r\nInfographic: Protecting PoS Systems\r\nResearch: The Evolution of PoS RAM Scraper Malware\r\nResearch: Defending Against PoS RAM Scrapers: Strategies and Technologies\r\nResearch: FighterPOS: The Anatomy and Operation of a New One-Man PoS Malware Campaign\r\nDefending Against PoS Malware\r\nPoS malware attacks continue to be prevalent, as shown by the new malware families that have recently been discovered. 
As such, we have brought together some recommendations for both companies and their customers to protect against such attacks.\r\nSince most attacks target the retail and hospitality industries, it is critical for merchants to take these preventive measures:\r\nSecure PoS devices and networks (segment them from corporate and guest networks and restrict remote access)\r\nComply with the Payment Card Industry Data Security Standard (PCI DSS)\r\nStrengthen anti-malware security\r\nDeploy patches promptly\r\nCustomers must also take some steps to ensure that their accounts are not at risk:\r\nCheck your bank and credit card statements. Reviewing transactions regularly helps you spot fraudulent transactions made on your card.\r\nMake sure all operating systems across all devices are up to date\r\nInstall security software on devices used for online transactions\r\nSource: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-evolution-of-point-of-sale-pos-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-evolution-of-point-of-sale-pos-malware"
	],
	"report_names": [
		"the-evolution-of-point-of-sale-pos-malware"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434468,
	"ts_updated_at": 1775826695,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a52dc7a21662b67dda349b35f25070c0e796126b.pdf",
		"text": "https://archive.orkl.eu/a52dc7a21662b67dda349b35f25070c0e796126b.txt",
		"img": "https://archive.orkl.eu/a52dc7a21662b67dda349b35f25070c0e796126b.jpg"
	}
}