AbaddonPOS malware was first identified by Proofpoint in October 2015 while investigating an infection that began with the Vawtrak Trojan. In that case, Vawtrak downloaded multiple payloads, including TinyLoader and shellcode that in turn downloaded AbaddonPOS. At the time of discovery, AbaddonPOS features included anti-analysis checks, code obfuscation, a custom protocol for exfiltrating data, routines for locating credit card data, and persistence.


Alina, originally written in late 2012, was not publicly disclosed until February 2013 and is believed to have been written by the author of the Dexter PoS malware. In October 2013, reports surfaced that the source code for Alina was being sold on underground forums for $2,000 USD. This led to Alina's code and characteristics surfacing in additional variants and families such as Backoff, JackPOS, Spark, Eagle, Katrina, and most recently, Pro PoS.


Backoff PoS malware was active from 2013 into 2014, reportedly impacting 1,000 US businesses. The attackers brute-forced credentials for victims' remote desktop servers in order to install the malware. Backoff uses its RAM scraper to harvest payment card data from process memory and then transmits it to the attacker's server over HTTP (TCP port 80).


FighterPOS, also known as BRFighter, was discovered by Trend Micro in April 2015 and was described as a "one-man PoS malware campaign." This variant was used to steal more than 22,000 payment card numbers from Brazil, Canada, and the United States in a single month. Designed and sold by a single threat actor, FighterPOS is written in Visual Basic 6 and collects both Track 1 and Track 2 payment card data using a RAM scraper.


FrameworkPOS, aka TRINITY, is PoS malware associated with the cybercrime group known as FIN6, according to an investigation conducted by FireEye. It is designed to capture payment card data from the memory of running processes and save it to a file on the system. Once FrameworkPOS identifies track data, it encodes it and writes it to a local file in a subdirectory of c:\windows\, giving the file a .dll or .chm extension to make it look like a legitimate system file.


MalumPOS is a PoS malware family first reported by Trend Micro in 2015. It specifically targets the Oracle MICROS platform, which is used by 330,000 customers in 180 countries. MalumPOS is installed as a service using command-line arguments and disguises itself as the "NVIDIA Display Driver" (often stylized as "NVIDIA Display Driv3r") to avoid discovery.