TreasureHunt is PoS malware that appears to have been custom-built for the operations of a particular blackmarket website where payment card numbers are posted and sold, known as “dump shop," according to reported from FireEye in March. TreasureHunt enumerates running processes, extracts payment card information from memory, and then transmits this information to a C2 server. In a typical scenario, TreasureHunt would be implanted on a PoS system through the use of previously stolen credentials or through brute forcing common passwords that allow access to poorly secured PoS systems. When executed, TreasureHunt installs itself to the %APPDATA% directory and sets up a registry ‘run’ key for persistence: 


The malware will then initiate a beacon to a C2 server via HTTP POST.


  • March 2016: FireEye released a report on TreasureHunt PoS malware. (FireEye)
  • March 2016: TreasureHunt targets outdated PoS systems before transitioning to new, chip-based systems. (ZDNet)                                                                   

Technical Details

  • FireEye provides technical analysis and indicators for TreasureHunt, available here.

Image Source: threatpost