{
	"id": "e7557fbc-80c4-4bcd-bd91-4445fba69a4f",
	"created_at": "2026-04-06T00:09:03.713987Z",
	"updated_at": "2026-04-10T03:33:52.164499Z",
	"deleted_at": null,
	"sha1_hash": "bea7c034e32fb313f10b0a6c2971750c2be0b6f7",
	"title": "AbaddonPOS Now Targeting Specific POS Software | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 477456,
	"plain_text": "AbaddonPOS Now Targeting Specific POS Software | Proofpoint US\r\nBy Matthew Mesa and Darien Huss, May 10, 2016\r\nPublished: 2016-05-10 · Archived: 2026-04-05 16:49:52 UTC\r\nMuch attention has been focused recently on ransomware and other threats that go after consumers and businesses directly for monetary payouts. Still, point-of-sale (POS) malware continues to be an important source of stolen credit card data and associated revenue for cyber criminals.\r\nThe ongoing rollout of chip-and-PIN credit cards and tighter standards following the retail megabreaches of 2014 have put further pressure on the POS malware black market. But as we have seen with the AbaddonPOS malware described here, POS malware is not just alive and well—it’s being actively developed.\r\nOn May 5, a financially motivated actor whom Proofpoint has been tracking as TA530 (also featured in our previous blog post \"Phish Scales\" [1]) sent out a highly personalized email campaign targeting primarily retail companies and attempting to install TinyLoader and AbaddonPOS point-of-sale malware. The retail vertical was likely chosen because of the higher likelihood of infecting a POS system. We first observed AbaddonPOS when it was delivered by Vawtrak [2] in October 2015. We have also found that TinyLoader and AbaddonPOS have since been updated in several ways.\r\nDelivery Details\r\nThe messages we observed used subjects such as “Group Booking at [company name]” and personalized attachment names such as:\r\n[company name].doc\r\n[company name]_booking.doc\r\n[company name]_reservation.doc\r\nThe example message shown in Figure 1 uses the recipient's name in the email body and the company’s name in both the email body and the attachment name. The attachment, shown in Figure 2, uses an interesting lure. 
It depicts an image of a spinner one would expect to see when content is loading and asks the user to enable content. Clicking the “Enable Content” button enables the malicious macro, which then begins the infection by downloading TinyLoader, which in turn downloads AbaddonPOS.\r\nMost of the messages we saw were delivered to retail companies (Figure 3).\r\nhttps://www.proofpoint.com/us/threat-insight/post/abaddonpos-now-targeting-specific-pos-software\r\nPage 1 of 16\r\nFigure 1: Example email delivering TinyLoader\r\nFigure 2: Example document delivering TinyLoader\r\nFigure 3: Top targeted verticals by message volume\r\nPayload Analysis\r\nTinyLoader\r\nThe variant of TinyLoader used in this campaign is similar to the one we previously analyzed in connection with AbaddonPOS. One significant change is the addition of a basic 4-byte XOR layer of obfuscation over the shellcode that is received from the command-and-control (C\u0026C) server (Figure 4).\r\nFigure 4: TinyLoader decoding and executing shellcode received from C\u0026C\r\nThe XOR key is dynamically generated by the C\u0026C and is different in every session. Once the shellcode is decoded, execution is immediately passed to it. Although the controllers of TinyLoader could theoretically perform any action through custom shellcode, we are still observing this family of malware being used as a downloader. 
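The per-session 4-byte XOR layer described above, worked through as an added example. This is not Proofpoint's code and not TinyLoader's: it models a captured C2 response as repeating-key XOR over the shellcode, recovers the session key from a few bytes of known plaintext, and strips the layer to expose the HTTP request strings (compare Figure 6). The stub bytes, the session key, the request contents and the assumption that the decoded shellcode starts with a recognisable prefix are all constructed for the example; the post does not say how the key is delivered to the bot.

```python
# Added example, not code from the Proofpoint post or from TinyLoader.
# Model: the C2 response is the shellcode XORed with a repeating 4-byte key
# that changes every session. An analyst with a pcap but no sample can still
# recover the key if a few bytes of the decoded shellcode are predictable
# (known-plaintext); everything below the helpers is constructed sample data.

def xor4(data: bytes, key: bytes) -> bytes:
    # Repeating 4-byte XOR, byte-wise. XOR is its own inverse, so the same
    # routine both encodes and decodes.
    if len(key) != 4:
        raise ValueError('key must be exactly 4 bytes')
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))

def recover_key(encoded: bytes, known_prefix: bytes) -> bytes:
    # Known-plaintext recovery: ciphertext XOR plaintext gives the key stream,
    # and with a 4-byte key the first 4 bytes of that stream are the whole key.
    # ASSUMPTION (not from the post): the decoded shellcode begins with
    # known_prefix, e.g. a fixed entry stub.
    if len(encoded) < 4 or len(known_prefix) < 4:
        raise ValueError('need at least 4 bytes of ciphertext and known plaintext')
    return bytes(c ^ p for c, p in zip(encoded[:4], known_prefix[:4]))

def printable_strings(data: bytes, min_len: int = 4) -> list:
    # Pull ASCII runs out of a decoded buffer, the way strings(1) does, so the
    # HTTP request pieces the loader assembles become visible.
    found, run = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode('ascii'))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode('ascii'))
    return found

# Constructed sample data (hypothetical values, not from the campaign): a
# 5-byte entry stub followed by the request the shellcode would build for the
# TinyLoader update URL listed in the IOC table at the end of the post.
KNOWN_STUB = bytes.fromhex('e800000000')
SAMPLE_SHELLCODE = (KNOWN_STUB
                    + b'GET /file.e HTTP/1.1' + bytes.fromhex('0d0a')
                    + b'Host: 50.7.124.178' + bytes.fromhex('0d0a0d0a'))
SESSION_KEY = bytes.fromhex('7a19c3e5')               # constructed session key
SAMPLE_ENCODED = xor4(SAMPLE_SHELLCODE, SESSION_KEY)  # what the pcap would show

def decode_response(encoded: bytes, known_stub: bytes = KNOWN_STUB) -> bytes:
    # Recover the session key from the expected stub, then strip the XOR layer.
    return xor4(encoded, recover_key(encoded, known_stub))

if __name__ == '__main__':
    decoded = decode_response(SAMPLE_ENCODED)
    print('recovered key:', recover_key(SAMPLE_ENCODED, KNOWN_STUB).hex())
    print('strings:', printable_strings(decoded))
```

With the sample in hand the key for a session is read straight out of the decoder loop in Figure 4 rather than guessed; the known-plaintext route is for traffic captured without the binary. The same xor4 routine is also the starting point for the exfiltration stream discussed further down, with the hardcoded 0x4C5D6E7F key, under the assumption that that layer is a plain repeating XOR as well, which the post does not spell out.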
Figure 5 shows a TinyLoader response containing encoded shellcode that builds an HTTP request used to download a payload.\r\nFigure 5: Encoded response received from TinyLoader C\u0026C\r\nOnce the shellcode is decoded, the strings used to craft an HTTP request can be seen (Figure 6). After this code is loaded, the TinyLoader C\u0026C operators are free to provide a target IP and URI to instruct an infected bot to retrieve a payload.\r\nFigure 6: Decoded TinyLoader shellcode used to build HTTP request\r\nIn this campaign, we observed the initial TinyLoader payload retrieve another TinyLoader payload that connected to a different C\u0026C. This new TinyLoader infection then received another instruction to download a different payload (Figures 7 and 8), which was a new variant of AbaddonPOS.\r\nFigure 7: TinyLoader receiving instructions to download AbaddonPOS\r\nFigure 8: TinyLoader HTTP request to download AbaddonPOS\r\nAbaddonPOS\r\nThe AbaddonPOS downloaded in this campaign functions much like the original samples we discovered. It does, however, include a few significant changes:\r\nOptimized code for checking blacklisted processes (processes that will not be checked for credit card data)\r\nA whitelist of potential point-of-sale (POS) related process names (intended to be the only processes scanned for POS data; see below for how this actually plays out)\r\nA changed exfiltration XOR key\r\nAbaddonPOS whitelisted process name checking now uses a single string of partial process names (6 bytes each) concatenated together. Both the common process name blacklist and the POS process name list (see the Process Lists section) are stored in allocated memory at static offsets (Fig. 9): 0x1A8 for the blacklist and 0x5B4 for the POS process list.\r\nFigure 9: AbaddonPOS storing process lists for later use\r\nAbaddonPOS uses the two lists independently: the common process name list has no effect on the POS name list. Both lists are checked by the same code, but the outcome differs depending on whether execution is in the main thread or in a spawned thread. The authors use a hardcoded 0x0C0C0C0C value (Fig. 10) to implement this tracking.\r\nFigure 10: AbaddonPOS saving main thread identifier\r\nBefore a process name is checked against either list, it is first converted to lowercase (Fig. 11). Next, the code checks whether it is running in the main thread or in a spawned thread. If 0x0C0C0C0C is found, AbaddonPOS knows it is in the main thread and prepares to check process names against the common process name blacklist (Fig. 12). If 0x0C0C0C0C is not found, the POS process name list is used.\r\nFigure 11: Change uppercase letters to lowercase\r\nFigure 12: Utilizing process list depending on whether execution is in main or spawned thread\r\nAs in older AbaddonPOS variants, the first 4 bytes of the process name are compared first (Fig. 13, A). If they are equal, the next 2 bytes are compared (Fig. 13, B). If the second comparison succeeds, the thread context is checked again (Fig. 13, C). In the main thread the current process is skipped (Fig. 13, D), while in a spawned thread the process is opened and searched for POS data (Fig. 13, E).\r\nThe behavior when the process name matches nothing in the hardcoded lists also depends on the context. In the main thread a non-matching process is opened and checked for POS data (Fig. 13, F), while in a spawned thread it is not opened or checked (Fig. 13, G).\r\nThis peculiar implementation effectively nullifies the POS process name list: the main thread eventually searches for POS data in every process not matching the common process name blacklist, which includes all of the POS processes.\r\nThis implementation could result from a mistake on the part of the malware author, but it seems more likely that the author is testing various blacklist/whitelist implementations in this sample. Dedicating a thread to only those processes with known POS-related names ensures that those processes are scanned more often than they would be by the main thread alone, which has to cover every non-system process. It would also not be surprising to eventually see AbaddonPOS variants that contain only the common process name method or only the POS process name method rather than both.\r\nFigure 13: Process name comparison code\r\nSome minor changes were also made to the way stolen credit card data is exfiltrated. First, the IP address is no longer stored as an ASCII string (Fig. 14), which also means the inet_addr API is no longer needed. Second, the hardcoded XOR key was changed to 0x4C5D6E7F (Fig. 15).
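The two-list scanning logic described above, as an added example in Python (not AbaddonPOS code and not from the post): it reproduces the lowercase conversion, the 4-byte then 2-byte comparison and the main-thread versus spawned-thread decision, and shows concretely why the POS list ends up restricting nothing. The prefixes are the two lists from the Process Lists appendix of this post, concatenated into one string the way the sample stores them; the 0x0C0C0C0C thread marker is modelled as a boolean, and the process names fed in are constructed.

```python
# Added example, not code from the Proofpoint post or from AbaddonPOS.
# Reimplements the process-name decision logic described in the post so the
# effect of the two lists can be checked on arbitrary process names.

# Six-byte partial names, concatenated into one string as the sample stores
# them (blacklist at offset 0x1A8, POS list at 0x5B4 in the sample's allocated
# memory). Entries copied from the Process Lists appendix of the post.
COMMON_BLACKLIST = (
    'cmd.ex' 'conhos' 'dllhos' 'excel.' 'explor' 'lsass.' 'mmc.ex' 'dwm.ex'
    'csrs.e' 'winlog' 'clamsc' 'regsvr' 'mobsyn' 'rundll' 'runonc' 'spools'
    'svchos' 'taskho' 'winwor' 'system' 'winini' 'smss.e' 'lsm.ex' 'csrss.'
    'search' 'notepa'
)
POS_LIST = (
    'active' 'mercur' 'ocius4' 'rs232m' 'sdpdvk' 'sihot.' 'unilec' 'focus8'
    'ehubem' 'fdfdo.' 'cashbo' 'cps.po' 'powerp' 'saleso' 'finedi' 'pointo'
    'infigm' 'adrm.e' 'afr38.' 'aldelo' 'araavl' 'aracs.' 'bestpo' 'bosrv.'
    'cardau' 'cashcl' 'checki' 'cre200' 'cross.' 'crosss' 'cxsret' 'ddcdsr'
    'dovepo' 'dsihea' 'eagles' 'electr' 'fincha' 'invent' 'isspos' 'issret'
    'magtek' 'nails1' 'omnipo' 'paymen' 'paymen' 'pixela' 'pos24f' 'posini'
    'prm.cl' 'ptserv' 'qbdbmg' 'qbpos.' 'qbposs' 'retail' 'rmposl' 'roomke'
    'rpro8.' 'rwpos.' 'sales3' 'soposu' 'spaint' 'telefl' 'transa' 'utg2sv'
    'visual' 'wickr.' 'xcharg'
)
ENTRY_LEN = 6

def entries(concat: str) -> list:
    # Split the concatenated string back into its 6-byte partial names.
    return [concat[i:i + ENTRY_LEN] for i in range(0, len(concat), ENTRY_LEN)]

def name_in_list(process_name: str, concat: str) -> bool:
    # Mirrors Fig. 11 and Fig. 13 A/B: lowercase the name, compare the first
    # 4 bytes, and only on a hit compare the next 2 bytes.
    name = process_name.lower()
    for entry in entries(concat):
        if name[:4] == entry[:4] and name[4:6] == entry[4:6]:
            return True
    return False

def should_scan(process_name: str, in_main_thread: bool) -> bool:
    # in_main_thread stands in for finding the hardcoded 0x0C0C0C0C marker.
    # Main thread:    blacklist hit -> skip (13 D); no hit -> scan (13 F).
    # Spawned thread: POS-list hit -> scan (13 E); no hit -> skip (13 G).
    if in_main_thread:
        return not name_in_list(process_name, COMMON_BLACKLIST)
    return name_in_list(process_name, POS_LIST)

def scanning_contexts(process_names: list) -> dict:
    # Which thread context(s) would open and scan each process.
    result = {}
    for name in process_names:
        contexts = []
        if should_scan(name, True):
            contexts.append('main')
        if should_scan(name, False):
            contexts.append('spawned')
        result[name] = contexts
    return result

def pos_list_is_redundant() -> bool:
    # The POS list restricts nothing as long as no POS entry also appears on
    # the common blacklist: every process the spawned thread scans is then
    # scanned by the main thread too. Holds for the lists in this sample.
    return not (set(entries(POS_LIST)) & set(entries(COMMON_BLACKLIST)))

if __name__ == '__main__':
    # Constructed process names: two from the blacklist, two POS names, one
    # unlisted application.
    sample = ['svchost.exe', 'Explorer.EXE', 'QBPOS.exe', 'wickr.exe', 'kiosk.exe']
    for name, ctx in scanning_contexts(sample).items():
        print(name, '->', ctx or ['skipped'])
    print('POS list redundant:', pos_list_is_redundant())
```

Running it shows the point made above: the POS processes are scanned by both threads, an unlisted process by the main thread only, and blacklisted system processes by neither, so the main thread alone already covers everything the POS list names.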
\r\nFigure 14: Hardcoded C\u0026C IP address and port\r\nFigure 15: New exfiltration XOR key\r\nAlthough the second XOR key was changed, the overall method of encoding and exfiltrating the data has stayed almost identical (Figures 16 and 17) compared to our previous analysis.\r\nFigure 16: Encoded exfiltrated credit card data\r\nFigure 17: Decoded exfiltrated credit card data\r\nConclusion\r\nWe continue to see TA530 periodically send email-borne threats targeting point-of-sale systems, using personal details to increase the chances of infection.\r\nTinyLoader and AbaddonPOS are under active development. We expect both to continue to appear in email attacks as cybercriminals target point-of-sale systems to harvest credit card data. Despite changes in the credit-card landscape and more stringent PCI DSS compliance requirements, credit card-related cybercrime remains profitable for threat actors when it can be conducted at scale. 
Comprehensive email, network, and endpoint protection, along with user education, remain the best ways to protect systems and customer data.\r\nReferences\r\n[1] https://www.proofpoint.com/us/threat-insight/post/phish-scales-malicious-actor-target-execs\r\n[2] https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak\r\nAbaddonPOS Process Lists\r\nEach entry is the 6-byte lowercase partial name that AbaddonPOS compares against the running process name.\r\nCommon process name blacklist\r\ncmd.ex\r\nconhos\r\ndllhos\r\nexcel.\r\nexplor\r\nlsass.\r\nmmc.ex\r\ndwm.ex\r\ncsrs.e\r\nwinlog\r\nclamsc\r\nregsvr\r\nmobsyn\r\nrundll\r\nrunonc\r\nspools\r\nsvchos\r\ntaskho\r\nwinwor\r\nsystem\r\nwinini\r\nsmss.e\r\nlsm.ex\r\ncsrss.\r\nsearch\r\nnotepa\r\nPOS process name list\r\nactive\r\nmercur\r\nocius4\r\nrs232m\r\nsdpdvk\r\nsihot.\r\nunilec\r\nfocus8\r\nehubem\r\nfdfdo.\r\ncashbo\r\ncps.po\r\npowerp\r\nsaleso\r\nfinedi\r\npointo\r\ninfigm\r\nadrm.e\r\nafr38.\r\naldelo\r\naraavl\r\naracs.\r\nbestpo\r\nbosrv.\r\ncardau\r\ncashcl\r\nchecki\r\ncre200\r\ncross.\r\ncrosss\r\ncxsret\r\nddcdsr\r\ndovepo\r\ndsihea\r\neagles\r\nelectr\r\nfincha\r\ninvent\r\nisspos\r\nissret\r\nmagtek\r\nnails1\r\nomnipo\r\npaymen\r\npaymen\r\npixela\r\npos24f\r\nposini\r\nprm.cl\r\nptserv\r\nqbdbmg\r\nqbpos.\r\nqbposs\r\nretail\r\nrmposl\r\nroomke\r\nrpro8.\r\nrwpos.\r\nsales3\r\nsoposu\r\nspaint\r\ntelefl\r\ntransa\r\nutg2sv\r\nvisual\r\nwickr.\r\nxcharg\r\nIndicators of Compromise (IOC)\r\nTable 1: Indicators of Compromise\r\nIOC | Type | Description\r\n7dc57aef76a1ddb5eef7bfd1a1350e1e951b5f216bfc805f51796545d04d80a0 | SHA256 hash | Example macro document\r\ne5fbfd61b19561a4c35d1f7aa385f4ca73a65adb2610504398e4ca47c109bace | SHA256 hash | Initial TinyLoader download\r\nb30ee5185c7f649da42efabe9512d79adcaa53f3f3647e0025b7c68bf7cc8734 | SHA256 hash | TinyLoader update\r\n24e39756c5b6bdbdc397dabde3ece587cdb987af9704d5e5329e00b5b2aaa312 | SHA256 hash | AbaddonPOS\r\nhxxp://dolcheriva[.]com/img/del/a/cg-bn/word.exe | URL | Example TinyLoader download\r\nhxxp://50.7.124[.]178/file.e | URL | Example TinyLoader update download\r\nhxxp://85.93.5[.]136/ZRH4J2/P_KYJ3gxEhTpasmJxz.d | URL | Example AbaddonPOS download\r\n50.7.124[.]178:30010 | IP | TinyLoader C2\r\n85.93.5[.]136:50010 | IP | TinyLoader C2\r\n85.93.5[.]136:50011 | IP | AbaddonPOS C2\r\nCHAMEL1ON | Mutex | TinyLoader mutex\r\nSelect ET signatures that would fire on such traffic:\r\n2022658 || ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016 (WinHTTPRequest)\r\n2812523 || ETPRO TROJAN TinyLoader.C CnC Beacon x86\r\n2812524 || ETPRO TROJAN TinyLoader.C CnC Beacon x64\r\n2814778 || ETPRO TROJAN TinyLoader.D CnC Beacon x86\r\n2814779 || ETPRO TROJAN TinyLoader.D CnC Beacon x64\r\n2814803 || ETPRO TROJAN Win64.TinyLoader CnC Beacon\r\n2814810 || ETPRO TROJAN TinyDownloader Retrieving PE\r\n2816697 || ETPRO TROJAN AbaddonPOS Exfiltrating CC Numbers 5\r\n2816698 || ETPRO TROJAN AbaddonPOS Exfiltrating CC Numbers 6\r\n2816699 || ETPRO TROJAN AbaddonPOS Exfiltrating CC Numbers 7\r\n2816700 || ETPRO TROJAN AbaddonPOS Exfiltrating CC Numbers 8\r\nSource: https://www.proofpoint.com/us/threat-insight/post/abaddonpos-now-targeting-specific-pos-software",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/abaddonpos-now-targeting-specific-pos-software"
	],
	"report_names": [
		"abaddonpos-now-targeting-specific-pos-software"
	],
	"threat_actors": [
		{
			"id": "f8fd6c94-f1bf-43b8-8613-edc46ca097ee",
			"created_at": "2022-10-25T16:07:24.285532Z",
			"updated_at": "2026-04-10T02:00:04.922819Z",
			"deleted_at": null,
			"main_name": "TA530",
			"aliases": [],
			"source_name": "ETDA:TA530",
			"tools": [
				"AbaddonPOS",
				"August Stealer",
				"Bugat v5",
				"CryptoWall",
				"Dofoil",
				"Dridex",
				"Gozi ISFB",
				"H1N1",
				"H1N1 Loader",
				"ISFB",
				"Nymaim",
				"Pandemyia",
				"Sharik",
				"Smoke Loader",
				"SmokeLoader",
				"SpY-Agent",
				"TVRAT",
				"TVSpy",
				"TeamSpy",
				"TeamViewerENT",
				"TinyLoader",
				"nymain"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "af77521e-c35f-4030-a95d-bcd1eaeeaac1",
			"created_at": "2023-01-06T13:46:38.476089Z",
			"updated_at": "2026-04-10T02:00:02.990237Z",
			"deleted_at": null,
			"main_name": "TA530",
			"aliases": [],
			"source_name": "MISPGALAXY:TA530",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434143,
	"ts_updated_at": 1775792032,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bea7c034e32fb313f10b0a6c2971750c2be0b6f7.pdf",
		"text": "https://archive.orkl.eu/bea7c034e32fb313f10b0a6c2971750c2be0b6f7.txt",
		"img": "https://archive.orkl.eu/bea7c034e32fb313f10b0a6c2971750c2be0b6f7.jpg"
	}
}