FastPOS, discovered in June 2016, is distributed via file sharing, direct file transfer via Virtual Network Computing (VNC), or links directing victims to a compromised website. This variant transmits stolen data to the attacker’s C2 server quickly and in real time, instead of intermittently transmitting locally stored data. FastPOS contains a keylogger which operates similarly to that in the NewPOSThings variant, storing keystrokes in memory instead of in a file on the system. Once the “Enter” key is pressed on the infected machine by the victim, any sensitive data recorded by the keylogger is transmitted to the C2 server. FastPOS also contains a RAM scraper designed to target payment card information. This RAM scraper performs a verification check of the stolen cards’ service code to determine if and where the card number can be used, eliminating numbers of cards containing chips or those requiring PINs for transactions. All data collected by FastPOS is transmitted unencrypted over HTTP leaving it vulnerable to additional interception and theft.


  • October 2016: Trend Micro recently observed an updated version of FastPOS that stores stolen data in mailslots to evade detection and injects a keylogger component into explorer.exe’s process memory. Security researchers believe that the malware has been updated in preparation for the upcoming holiday shopping season. (TrendLabs Security Intelligence Blog)
  • June 2016: TrendMicro broke the story on FastPOS, and the concerning new capability to quickly and efficiently exfiltrate stolen data. (TrendLabs Security Intelligence Blog)

Technical Details

  • Trend Micro provides more information about FastPOS here.

Industries and countries of FastPOS victims. Image Source: Trend Micro