BlackPOS was first disclosed in 2013 and is most known for its alleged role in the Target and Home Depot payment card breaches of 2013 and 2014, respectively. BlackPOS continues to circulate and infect vulnerable PoS systems. It is designed to collect data from payment cards when they are swiped at infected PoS terminals running Microsoft Windows. BlackPOS was also originally known as and KAPTOXA “Dump Memory Grabber by Ree[4]." The source code for BlackPOS was leaked in 2012, prompting other cyber actors to copy and enhance the code. In 2014, a new variant of BlackPOS malware, dubbed BlackPOS ver2, was detected by Trend Micro. This version disguised itself as an installed service of a known antivirus vendor software to avoid detection. The malware also included a new custom search routine to check the RAM for track data (the information contained in the magnetic strip of payment cards), as well as an exclusion list to ignore certain processes where track data is not found.  


  • January 2016: BlackPOS malware was reportedly used to compromise and steal customer data from PoS terminals at Wendy’s fast food chain across the country. (Consumerist)
  • December 2015: BlackPOS malware was cited as the malware responsible for infecting multiple small-to-medium sized business networks around the world. (SC Magazine)
  • September 2014: BlackPOS was linked to the Target and Home Depot data breaches. (Krebs on Security)

Technical Details

  • IBM provides more information on BlackPOS/KAPTOXA, including IOCs, here

One example of the Target BlackPOS malware infection chain. Image Source: Security Intelligence