{
	"id": "bec7a23f-074b-467c-b93b-b86e3ed05604",
	"created_at": "2026-04-06T00:12:16.957494Z",
	"updated_at": "2026-04-10T03:33:53.583604Z",
	"deleted_at": null,
	"sha1_hash": "cd32735b9f4fbb8bf8c7b3d35436b0479ceb2d76",
	"title": "New Global Cyber Attack on Point of Sale Systems",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2294200,
	"plain_text": "New Global Cyber Attack on Point of Sale Systems\r\nBy Morphisec Labs\r\nArchived: 2026-04-05 13:39:45 UTC\r\nThis post was authored by Michael Gorelik and Alon Groisman.\r\nOver the past 8-10 weeks, Morphisec has been tracking multiple sophisticated attacks targeting Point of Sale thin clients globally.\r\nMore specifically, on the 6th of February we identified an extremely high number of prevention events stopping Cobalt Strike backdoor execution, with some of the attacks expressly targeting Point of Sale VMware Horizon thin clients.\r\nBased on the initial indicators, we identified FrameworkPOS scraping malware installed on some of the thin clients after PowerShell/WMI stages had downloaded a Cobalt Strike beacon with a PowerShell extension and reflectively loaded it directly into memory.\r\nWe found many indicators linking specifically to the FIN6 group (WMI/PowerShell, FrameworkPOS, lateral movement and privilege escalation), with the difference that the actor has moved from Metasploit to Cobalt Strike. Some indicators are also tied to the EmpireMonkey group. At this point, we don’t have enough data for proper attribution.\r\nIf successful, the Cobalt Strike beacon payload gives attackers full control over the infected system and the ability to move laterally to other systems, harvest user credentials, execute code and more, all while evading advanced EDR scanning techniques.\r\nDigging deeper into the notification and the telemetry, we identified victims across the United States, Japan and India in the finance, insurance and healthcare (diagnostic image processing) sectors, as well as additional targets globally.\r\nFollowing additional retro-hunting on VirusTotal, we identified multiple servers that were, and still are, delivering the Cobalt Strike beacon using the same delivery pattern and the same C2 communication pattern. We have notified the customers and the legal authorities about the currently active C2 servers.\r\nMorphisec Labs is still analyzing the infiltration methods, which remain unknown; for this reason we present only partial technical information in this report. However, we believe it is important to publish even a partial analysis so that enterprises are aware of, and immediately block, any access to the URLs listed below.\r\nTechnical Information\r\nInfiltration\r\nhttp://blog.morphisec.com/new-global-attack-on-point-of-sale-systems\r\nPage 1 of 10\r\nAs stated in the introduction, the infiltration vector is yet to be determined, although after retro-hunting on VT and matching the results against our known telemetry events, we believe that at least one vector is an HTA file whose embedded VBScript executes PowerShell scripts.\r\nScript Stager\r\nAdditional hunting revealed further scripts that lead to the same Cobalt Strike beacon. It is not known whether the scripts below are part of lateral movement or simply additional infiltration samples. However, at least some of them are executed through WMI, which may indicate an intermediate stage.\r\nPOWERSHELL, JAVASCRIPT and BAT script samples (shown as images in the original post)\r\nPowerShell Stager\r\nAll the various scripts decode to the following PowerShell pattern:\r\nThe script above decompresses an additional level of PowerShell stager (regular Gzip):\r\nClearly, the marked base64-encoded script is the next-stage shellcode, which is injected either into the existing 32-bit PowerShell process or into a newly created 32-bit PowerShell process (if the current PowerShell is 64-bit). Some samples differ in how VirtualAlloc and CreateThread are declared.\r\nShellcode Stager\r\nThe injected shellcode is a regular Metasploit downloader shellcode: it walks the PEB to locate loaded modules, resolves the APIs it needs by the standard ROR 13 hash of module and function names rather than by plain-text strings, and downloads the next-stage shellcode from the C2 directly into memory.\r\nThe C2 download request destination generally follows the pattern URL:PORT/[a-zA-Z0-9]{4}. This four-character path is the Metasploit-style stager URI convention that Cobalt Strike also uses: the characters are chosen so that the byte sum of the path modulo 256 (checksum8) equals 92 for an x86 stage and 93 for an x64 stage, which makes the pattern a useful pivot when hunting for further stager servers and for telling 32-bit and 64-bit stagers apart in the list below.\r\nIt calls InternetOpenA, InternetConnectA, HttpOpenRequestA and HttpSendRequestA to download the next stage.\r\nCobalt Strike Beacon\r\nMorphisec observed two types of beacons during this campaign. The first is a regular Cobalt Strike DLL beacon, reflectively loaded directly into memory and usually XOR-encoded.\r\nThe second type is a shellcode backdoor beacon with PowerShell and Mimikatz functionality.\r\nPersistence and FrameworkPOS\r\nIn some cases, after executing the backdoors, the attackers install a “WindowsHelpAssistant” task in the task scheduler. On logon, this task runs rundll32.exe with SYSTEM privileges to load the downloaded DLL “Assistant32.dll” and call its exported function “workerInstance”. We also observed a similar command executed from an HKLM Run key.\r\n“Assistant32.dll” is the FrameworkPOS scraper; it shares TTPs with a FrameworkPOS variant previously seen in use by FIN6.\r\nThe malware XORs the scraped credit card data with 0xAA before exfiltrating it through DNS tunneling.\r\nConclusions\r\nAdvanced attacks of this type run from memory to evade detection solutions, whether by reflectively loading libraries, hollowing process memory or injecting code into new processes. They are becoming harder and harder to attribute for the simple reason that more and more criminals are taking advantage of the strength of these evasion techniques and of the weakness of runtime detection technologies in coping with them. The attackers have the advantage of choosing where and when to execute their malicious code, while runtime detection solutions cannot constantly scan memory to catch the attack precisely when it manifests without significantly impacting the performance of the process runtime.\r\nIt is important to note that Morphisec prevents these types of attacks immediately, without any prior knowledge of the attack form or techniques. The forensic information used in this analysis was captured after the attack had already been prevented.\r\nArtifacts\r\nC2 domains and URLs\r\nSTILL ACTIVE:\r\nhxxp://217.12.218[.]95:22222/c7Pr\r\nhxxp://89.105.194[.]236:443/Xaq2\r\nhxxp://46.166.173[.]109:443/Qq9a\r\nhxxp://bbing.co[.]za:443/tXY7\r\nhxxp://47.75.151[.]154:443/ZyBG\r\nhxxp://185.80.233[.]166:443/qPe6\r\nINACTIVE:\r\nhxxp://5.39.219[.]15:8081/JVZb\r\nhxxp://45.247.22[.]27:4444/EzFB\r\nhxxp://standardcertifications[.]com:8080/cArF\r\nhxxp://34.245.88[.]113:9090/tNDV\r\nhxxp://2.72.0[.]200/9RyX\r\nhxxp://185.202.174[.]91:443\r\nhxxp://192.81.223[.]204/rr3E\r\nhxxp://172.16.196[.]200/JSlT\r\nhxxp://37.139.21[.]20/Orb9\r\nhxxp://185.135.157[.]138:8080/9Par\r\nhxxp://188.166.105[.]24/o9ZZ\r\nhxxp://185.202.174[.]84:443/c9Fz\r\nhxxp://35.182.31[.]181:443/jquery-3.3.1.slim.min.js\r\nhxxp://209.126.106[.]228:443 (only 32 bit)\r\nhxxp://172.17.3[.]2/G9fv\r\nhxxp://104.237.131[.]29:443\r\nhxxp://93.115.26[.]171:443\r\nhxxp://188.166.105[.]24/cYj7\r\nNote: 172.16.196[.]200 and 172.17.3[.]2 are RFC 1918 private addresses and cannot be Internet-facing C2 servers; treat these two entries as internal indicators rather than perimeter block-list entries.\r\nSCRIPT DOWNLOADERS:\r\n0328fcc8229397c7bb4d0ccc958b09caa9a116b549cf59ae95b2d030ef70d54c\r\n063060e5031ad4de170ea979e0a8e36c053904f5f4a33f147f9351328c465594\r\n0ac9795a9eb6b374250523f29f55d07bea2c4c7077ab59c1fb38b38eca1f6f2a\r\n0d8cd722c9cb741c68672612d9668aac59b3b116d11943fb4e010940272fe72f\r\n143ca82d8ce9330d45078dcfcf3a75c8bff2d9f4a796729409dcd9d4a2914a5f\r\n1d53bf1f98cab29509c9211e6dcf6d830ba602dd8886d1d9339c426a1ab4dbcf\r\n1e3a4e51b9fe9d2fb94e040d3fcdb6a7874b035233ffc7ef779bd8ba01857097\r\n20c4a40286b5fed63a322bdfc5b3fefdffb248423f2c1d3c586b4e207b7d8d06\r\n21d9044a4314474b0ee50760902e4887a504708b588a3bf33f57417edba9ac9d\r\n255eb59d84d7856bc857320e7e970e90808e7c9f2149cc29be6049ae164f965e\r\n27c5d43786c826ee5072355c5e5aa16714873e389473e7569cdbf8c14a71aefc\r\n31f55ed1989364263d9f150236baf73d73d5ab04c33b833038c983516d56718c\r\n3df945c192636020101feba5fd2587f9bedd509ae093832e7c0bcad58e3082b1\r\n4528b63bfe4ac3f5d757fdb4086f119bfd23972014ef751c10f8dae77e69ca8c\r\n457248cf03d33c33484957c5e3449ff4530ba3f9387c09f835648e57498e9735\r\n47fbbeee59236164e3a99d34c406ee36f1c6243d2e66f0019512d795de3fae1e\r\n5151e0220dc73099dc340e5158fa1a046ca26dfd55c7c8d226a9e3e69872389b\r\n5573a9e82526decf8bba7c594d919cadbb0473c33e926296772ad89c894a9ce6\r\n57c49f5724ecfcce148577456c9b9166664709515bfa266c18b0729f6dadae31\r\n588a4ca6c560b7e3d8ed4cdfcd0c57846439d34fabf32635cda12fe17d2e9d8c\r\n6176941029763c6d91d408f3d63f1006de97eba45cb891b6a55f538d299b8a8c\r\n6a1be30c9854bf7f97ebd6fb2ef85e527279dbebd8f700980718febbf53f4d6a\r\n6f4a257ffaa31402c4062b0c3f98bbdd0d083221ea071a6a6439b56753f9c3f6\r\n88987cb359a26ca6676a7904fef1e360fa37e5bc6c8be7f131b504047ce7dfd7\r\n8ad326cbbfb3486d584f5589353e23e83a8152e2eb75faa5851a09272a80c5d7\r\n900c232af659de5a5c816c756d48459a7cb78ad45f95aa8b869f694eb37551ee\r\n999a8125534fc18e25ced0e24228909b33ac2b88960716cd5b9dfbe6db2ddca7\r\na01f4bf64ef45ffaa2eee0e7eb9a8e10639cdf1551c9809fdfa5bf8262887912\r\na3fe01b478068e0215dbf16bcc70234afead415c89f791261158bed8ea42c48a\r\na608307886cada313944636d60ca7c8f6b2ecd1d5071f51f99634d84a1412ad1\r\nb44e573e2203d1e54e3c0cf8aafff15d9c9659be713710017698fe54589c1d5d\r\nb630986f6f261587d6ca4e36a81268c16840a1a0df1e960a023e10f866b1e6e5\r\nbef5d3646353b43290a6e8f905f69e3c41e5a4f5c784d76a59b44592d79d0422\r\nc018dc64321541f5a815a3688187f26436482c47702b67a6db9d0cba98506b68\r\nc1d1d2db4ec357ce93bc220412a791444bcf6e4a69307a45532457531a60cfde\r\nc6f61bfbd11a723f24122ca618b66a77ec342e26d9423a2751fe7218306b7bc0\r\nd6c41db2531b1aa5ac0a0473e6c3e5b55df47d6ef09756c3fc418583c9b418c1\r\ndeff2bb5bec2f6c7da3b5499764d695d8ad571ce1c3f0a3078bdf89aeaa9ad08\r\ne24bf8cdb99d9404ed4272f980294957b842ee308eb2cd88ab053faf67ba90bf\r\ne468a98a2bec5408437d39aeb8e6c68b83b1c26c33ba3ffa8673104bc9e4c1f7\r\ne777b733918ce04adfe6fe7961885fa9e5408fd2bb0dc97eeee4b5fee08cd77f\r\nf2cbf58594bb9cf670c16cd297e5b0d91568da5a50f92ea3c68ca046e5b25f61\r\nf3a7af069a9ca248961038a0b30f7685ace1080d59449071477798e2164c1ffd\r\nf82f563970927bb4ca5d0c7df4db610b3076a2221761c262974ae7d92be73043\r\nfb312d11d54480b6a4721fda5ede5b97165b0985e1408d206baed2d91838d5d4\r\n876e33b143741d9403f7848aac7f47e04e48d92b083e646fe49628585e4e6b0d\r\nAbout the author\r\nMorphisec Labs\r\nMorphisec Labs continuously researches threats to improve defenses and share insight with the broader cyber community. The team engages in ongoing cooperation with leading researchers across the cybersecurity spectrum and is dedicated to fostering collaboration, data sharing and offering investigative assistance.\r\nSource: http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems"
	],
	"report_names": [
		"new-global-attack-on-point-of-sale-systems"
	],
	"threat_actors": [
		{
			"id": "56daf304-dd2c-4fa1-a01f-8c0a7e5e5c30",
			"created_at": "2022-10-25T16:07:23.586985Z",
			"updated_at": "2026-04-10T02:00:04.676803Z",
			"deleted_at": null,
			"main_name": "EmpireMonkey",
			"aliases": [
				"Anthropoid Spider",
				"CobaltGoblin",
				"EmpireMonkey"
			],
			"source_name": "ETDA:EmpireMonkey",
			"tools": [
				"AKO Doxware",
				"AKO Ransomware",
				"MedusaLocker",
				"MedusaReborn"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6",
				"ITG08",
				"MageCart Group 6",
				"Skeleton Spider",
				"Storm-0538",
				"White Giant"
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434336,
	"ts_updated_at": 1775792033,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cd32735b9f4fbb8bf8c7b3d35436b0479ceb2d76.pdf",
		"text": "https://archive.orkl.eu/cd32735b9f4fbb8bf8c7b3d35436b0479ceb2d76.txt",
		"img": "https://archive.orkl.eu/cd32735b9f4fbb8bf8c7b3d35436b0479ceb2d76.jpg"
	}
}