CenterPOS malware, also known as CenterPoint and Cerebrus, was initially discovered  by Trend Micro in September 2015 in a directory filled with other POS malware, including NewPoSThings, two Alina variants known as “Spark” and “Joker,” and BlackPOS. At the time, CenterPOS was primarily targeting small and medium-sized businesses (SMBs) in the United States. Trend Micro found similarities between CenterPOS and Alina, including file names and the process exception list. The version analyzed by Trend Micro had an internal version of 1.7, and was a memory scraper that iterates through running processes in order to extract payment card information. In January, FireEye reported on a second version of CenterPOS that uses a configuration file to store the command and control information. CenterPOS contains two modes for scraping memory and searching for credit card information, a “smart scan” mode and a “normal scan” mode. CenterPOS transfers payment card information to a command and control server via HTTP POST. Version 2 also contains functionality that allows cybercriminals to create a configuration file to update the command and control information if necessary.


  • Jan 2016: "CenterPOS – an Evolving POS Threat". (FireEye)
  • September 2015: TrendMicro discovered CenterPOS along with other PoS variants. (TrendLabs Security Blog)

Technical Details

  • FireEye provides technical analysis of CenterPOS version 2, available here.
  • Trend Micro provides technical analysis of CenterPOS version 1.7, available here.

One example of the CenterPOS malware. Image Source: FireEye