{
	"id": "59958de8-68ac-4378-a99f-43c7dba3b219",
	"created_at": "2026-04-06T01:30:39.891632Z",
	"updated_at": "2026-04-10T13:12:48.605499Z",
	"deleted_at": null,
	"sha1_hash": "a6ab22bec3bcf12bd25061813c109d641a5b1797",
	"title": "RawPos Malware: Deconstructing an Intruder’s Toolkit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 29420,
	"plain_text": "RawPos Malware: Deconstructing an Intruder’s Toolkit\r\nPublished: 2017-02-16 · Archived: 2026-04-06 00:09:48 UTC\r\nOver the years, Kroll’s Cyber investigators have been engaged by our clients in diverse industries to address a\r\nwide range of issues, from breach response to traditional digital forensics, and from identification of custom\r\nmalicious software (“malware”) to breach response.\r\nCommonly, network intruders will leverage malware as part of the compromise or network reconnaissance and\r\ninformation gathering phases of their malicious cyber intrusion. Once Kroll’s team is engaged, it is common for\r\nour investigators to discover fragments of malware remaining in the system’s memory (“fileless malware”) or\r\nwritten to the disk in scattered locations. What begins as a hunt for circumstantial clues evolves into a deep dig to\r\nidentify and understand the malware capabilities, so that the knowledge gained from the analysis can be used to\r\nanswer questions that otherwise would often go unresolved in the course of a traditional forensic and incident\r\nresponse scenario.\r\nIn 2016, Kroll’s Cyber experts had the opportunity to focus on a collection of malware related to the RawPOS\r\nfamily, and Kroll proceeded to identify numerous tools that the attacker(s) had dropped into the enterprise\r\nenvironment in order to expand their foothold, target specific machines, collect additional information about the\r\ncompromised environment, and prepare that data for exfiltration.\r\nThrough the following Report, Kroll is pleased to share the research conducted on the malware and the intruder’s\r\ntoolkit with the greater information security community.\r\nSource: https://www.kroll.com/en/insights/publications/malware-analysis-report-rawpos-malware\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.kroll.com/en/insights/publications/malware-analysis-report-rawpos-malware"
	],
	"report_names": [
		"malware-analysis-report-rawpos-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775439039,
	"ts_updated_at": 1775826768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a6ab22bec3bcf12bd25061813c109d641a5b1797.pdf",
		"text": "https://archive.orkl.eu/a6ab22bec3bcf12bd25061813c109d641a5b1797.txt",
		"img": "https://archive.orkl.eu/a6ab22bec3bcf12bd25061813c109d641a5b1797.jpg"
	}
}