LockPoS, discovered in June 2017, is delivered via the same botnets that were used to distribute the FlokiBot PoS malware variant. An Arbor Networks researcher observed new activity originating from a previously dormant C2 server and was able to obtain and analyze a sample of LockPoS. The analysis revealed that LockPoS uses both a first-stage and a second-stage dropper to deliver the final payload onto a targeted system. Once executed, LockPoS obfuscates certain strings to evade antivirus detection and maintains persistence by adding Registry Run keys. It then scans the infected system's memory for payment card data much like other PoS malware variants.


  • July 2017: New Point-of-Sale Malware LockPoS Hitches Ride with FlokiBot (Threatpost)
  • January 2018: LockPoS Malware Sneaks onto Kernel via New Injection Technique (Dark Reading)

Technical Details

  • July 2017: LockPoS Joins the Flock (Arbor Networks)
  • July 2017: VirusTotal Analysis of, and IoCs Associated with, LockPoS (VirusTotal)
  • January 2018: New LockPoS Malware Injection Technique (Cyberbit)