FighterPOS, also known as BRFighter, was discovered by Trend Micro in April 2015 and was labeled as a “one-man PoS malware campaign.” This variant was used to steal more than 22,000 payment card numbers from Brazil, Canada, and the United States in just one month’s time. Designed and sold by a single threat actor, FighterPOS is written in Visual Basic 6 and collects both Track 1 and 2 payment card data by using a RAM scraper. It also contains a keylogger which records additional sensitive information from infected systems. FighterPOS updates itself and copies itself to multiple locations to maintain persistence. Its control panel has a clean and well-structured interface that provides attackers with detailed information about their targets as well as a wide range of options for control and even includes a Distributed Denial-of-Service (DDoS) tool which can perform both Layer 4 (Transport Layer) and Layer 7 (Application Layer) attacks. More recent versions of FighterPOS have incorporated worm-like propagation capabilities and have featured code strings written in English instead of Portuguese, signaling a potential shift in targets.


  • February 2016: After originally reporting on the discovery of FighterPOS in April 2016, Trend Micro reported on a new and seemingly improved versions of the PoS malware, including the ability to spread from one PoS terminal to another that is connected to the same network and thereby increase the number of potential victims in one organization. They also observed strings of code written in English, instead of Portuguese. (TrendLabs Security Intelligence Blog)

Technical Details

  • Trend Micro provides more information on FighterPOS, including IOCs, in their report here

One example of the FighterPOS format. Image Source: Trend Micro