Dexter was first discovered in December 2012 and continues to infect machines via phishing emails or by exploiting default system access credentials. It infects servers running Windows and scrapes credit card data as it is entered on the compromised machine. After infecting the target PoS system, Dexter parses memory dumps of PoS processes for Track 1 and Track 2 card data and blacklists processes unlikely to contain that data. At the same time, it monitors changes in the system and maintains persistence by injecting itself into the Windows Explorer executable file and preventing session termination. It also installs a keylogger to collect additional sensitive information such as login credentials and data from manually entered transactions. Dexter then communicates with a C2 server over HTTP (port 80) to transmit the stolen data back to the attacker. Variants of Dexter include ‘Stardust’, ‘Millenium’, and ‘Revelation’.


  • October 2015: British banks lose £20 million to Dexter malware. (Finextra)

Technical Details

  • Fortinet provides technical information about Dexter, including IOCs.

One example of Dexter's decrypted code. Image Source: Trend Micro