NewPosThings was uncovered by Arbor Networks in September 2014 and has targeted both 32-bit and 64-bit Windows systems. It has RAM scraper capabilities along with keylogging routines, virtual network computing (VNC) password dumping, and information gathering. This PoS malware can also disable security warnings on systems and use custom packers with added debugging methods.

A new variant of NewPosThings, named Multigrain, was discovered in April. It exfiltrates stolen payment card data from PoS systems via the domain name system (DNS), as opposed to HTTP or file transfer protocol (FTP). DNS is often overlooked by security professionals, which could help Multigrain avoid detection. Multigrain specifically targets PoS systems that run the multi.exe process. Once executed, the malware scrapes the memory of the multi.exe process, searching for Track 2 magnetic stripe data that contains the payment card account number, expiration date, service code, and CVV/CVC number.
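Because the variant described above moves card data out in DNS queries, resolver logs are where it shows up. The following is an added detection sketch, not code from any of the cited reports: it flags clients that send several distinct long, random-looking subdomains to one parent domain. The log format, thresholds, and all domain names are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log lines, "<client_ip> <qname>"; all names are placeholders.
SAMPLE_LOG = """\
10.0.5.21 www.example.com
10.0.5.21 gezdgnbvgy3tqojqgezdgnbvgy3tqojqgezdgnbvgy3tqojq.telemetry-placeholder.test
10.0.5.44 gezdgnbvgy3tqojqgezdgnbvgy3tqojqgezdgnbvgy3tqojq.ns.exfil-placeholder.test
10.0.5.44 mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpjqwey3e.ns.exfil-placeholder.test
10.0.5.44 onswg4tforrw63lqnfxgo2lomnxw2zlomvzhs33vmfzwk3tu.ns.exfil-placeholder.test
10.0.5.44 update.vendor-placeholder.test
"""

MIN_LABEL_LEN = 30   # assumed threshold: ordinary hostnames rarely have labels this long
MIN_ENTROPY = 3.0    # assumed threshold, bits per character
MIN_DISTINCT = 3     # assumed threshold: distinct encoded names per client and domain


def shannon_entropy(text):
    """Bits per character of the label's character distribution."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def looks_encoded(sub_labels):
    """True when the longest subdomain label is long and random-looking."""
    label = max(sub_labels, key=len)
    return len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= MIN_ENTROPY


def find_dns_exfil(log_text):
    """Return {(client, parent_domain): sorted qnames} for pairs crossing MIN_DISTINCT."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines
        client, qname = parts[0], parts[1].lower().rstrip(".")
        labels = qname.split(".")
        # Parent domain = last two labels (simplification: no public suffix list).
        if len(labels) < 3 or not looks_encoded(labels[:-2]):
            continue
        seen[(client, ".".join(labels[-2:]))].add(qname)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= MIN_DISTINCT}


if __name__ == "__main__":
    for (client, domain), names in find_dns_exfil(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {len(names)} encoded-looking queries")
```

A single long label, as in the second sample line, stays below the distinct-name threshold and is not flagged; tune the three thresholds against a baseline of your own resolver traffic.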


  • December 2015: Operation Black Atlas group uses the NewPosThings malware against victims. (Softpedia)
  • April 2015: NewPosThings malware evolves; malicious traffic traced to airports. (SC Magazine)

Technical Details  

  • Arbor Networks provides additional technical details on NewPosThings.
  • FireEye provides additional technical details on the Multigrain PoS variant.

To maintain persistence, NewPosThings registers itself as a startup item named “Java Update Manager”. Image Source: Trend Micro