Punkey was discovered and disclosed by Trustwave in April 2015 during a U.S. Secret Service investigation. Its name is a play on the 1980s children's TV show "Punky Brewster" and is believed to have evolved from the NewPosThings malware family. Punkey works by injecting itself into the Windows OS Explorer process, creating registry start-up entries to maintain persistence, and using a RAM scraper to look for plaintext payment card information. It then encrypts that data with AES and establishes several connections to a C2 server in order to upload the stolen data and download additional code and malware. Punkey also includes a keylogger to capture additional sensitive information, such as login credentials and manually-entered payment card data.


  • June 2016: Punkey is suspected to be linked to the CiCi's data breach. (Krebs on Security)

Technical Details

  • Trustwave provides additional information about Punkey, including IOCs, here.

One example of Punkey's infection process. Image Source: Trustware