
BlackPOS

BlackPOS, also known as Kaptoxa, is point-of-sale malware built for Windows-based POS systems, where it scrapes debit and credit card data from process memory. It is reported to have first surfaced in early 2013 and to have been used in major retail breaches, most notably the 2013 Target Corporation incident; Neiman Marcus is also cited as affected, and Australia, the United States and Canada are named as impacted geographies. BlackPOS infects Microsoft Windows computers with attached card readers, attaches to the pos.exe process and scans its memory for Track 1 and Track 2 payment card data. Stolen data is first staged over SMB on a server inside the victim environment; a separate component then sends it to the attacker over FTP. The malware transmits stolen data only during business hours so that the traffic does not stand out as unusual. The original creation of BlackPOS is attributed to Rinat Shabayev, with later development and underground sale attributed to Sergey Taraspov, alias "ree4", who sold it as "Dump Memory Grabber by Ree" for about $2,000. The name "BlackPOS" appears in the malware's administration panel. BlackPOS is also cited as a representative example of POS malware used to steal card data in the broader payment-card cybercrime ecosystem.
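The following added detection example (not from this page or from any vendor product) correlates constructed host telemetry for the chain described above: a non-allowlisted process reading pos.exe memory, SMB traffic from POS terminals to an internal staging server, and outbound FTP from that staging server. The host names, paths, addresses and the `ALLOWED_READERS` allowlist are assumptions; time of day is deliberately not used, because the malware exfiltrated during business hours to blend in.

```python
from collections import defaultdict

POS_PROCESS = "pos.exe"
# Assumed allowlist of legitimate processes permitted to read pos.exe memory (hypothetical path).
ALLOWED_READERS = {r"c:\pos\posmonitor.exe"}

# Constructed sample telemetry (hypothetical host names, paths and addresses).
SAMPLE_EVENTS = [
    {"type": "process_access", "host": "POS-0417", "source_image": r"C:\POS\posmonitor.exe",
     "target_image": r"C:\POS\pos.exe"},
    {"type": "process_access", "host": "POS-0417", "source_image": r"C:\Users\Public\mem.exe",
     "target_image": r"C:\POS\pos.exe"},
    {"type": "net_conn", "host": "POS-0417", "dst_host": "FS-STAGE01", "dst_port": 445},
    {"type": "net_conn", "host": "POS-0992", "dst_host": "FS-STAGE01", "dst_port": 445},
    {"type": "net_conn", "host": "FS-STAGE01", "dst_host": "203.0.113.77", "dst_port": 21},
    {"type": "net_conn", "host": "HR-PC-12", "dst_host": "203.0.113.9", "dst_port": 21},
]


def detect_blackpos_chain(events, pos_hosts):
    """Return findings for the two observable stages of the chain.

    Stage 1: a process outside the allowlist opens pos.exe (memory scraping candidate).
    Stage 2: a host that POS terminals talked SMB to then makes an outbound FTP connection
    (internal staging followed by plaintext exfiltration).
    """
    findings = []
    smb_writers = defaultdict(set)  # internal server -> POS hosts that reached it over SMB
    for e in events:
        if e["type"] == "process_access" and e["target_image"].lower().endswith(POS_PROCESS):
            if e["source_image"].lower() not in ALLOWED_READERS:
                findings.append({"rule": "pos_memory_access", "host": e["host"],
                                 "actor": e["source_image"]})
        elif e["type"] == "net_conn" and e["dst_port"] == 445 and e["host"] in pos_hosts:
            smb_writers[e["dst_host"]].add(e["host"])
    # Second pass so event order does not matter. Plain FTP from any host already merits
    # review; correlation with the staging server raises severity.
    for e in events:
        if e["type"] == "net_conn" and e["dst_port"] == 21 and e["host"] in smb_writers:
            findings.append({"rule": "staging_then_ftp", "host": e["host"],
                             "sources": sorted(smb_writers[e["host"]]), "dst": e["dst_host"]})
    return findings


if __name__ == "__main__":
    for finding in detect_blackpos_chain(SAMPLE_EVENTS, {"POS-0417", "POS-0992"}):
        print(finding)
```

The unrelated FTP connection from HR-PC-12 is intentionally not flagged by the chain rule, which shows why the correlation keys on the staging server rather than on FTP alone.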

MITRE ATT&CK

Techniques & procedures

8 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1190 Exploit Public-Facing Application (evidence: 1)

"The hackers were able to get into Target's systems by compromising a company web server and uploading the BlackPOS software to Target's POS systems."

Privilege Escalation

1 technique
T1055 Process Injection (evidence: 1)

"After installation, the program attaches to the pos.exe process and scans its memory for track 1 and track 2 payment card data."

Stealth

1 technique
T1055 Process Injection (evidence: 1)

"After installation, the program attaches to the pos.exe process and scans its memory for track 1 and track 2 payment card data."

Credential Access

1 technique
T1056 Input Capture (evidence: 1)

"The class of malware identified by Krebs is often referred to as a memory scraper, because it monitors the computer memory of POS terminals used by retailers. The malware searches for credit card data before it has been encrypted and sent to remote payment processors. The malware then “scrapes” the plain-text entries and dumps them into a database."

Lateral Movement

2 techniques
T1021.002 SMB/Windows Admin Shares (evidence: 1)

"The data is then exfiltrated via SMB to a server within the company, where another component collects it..."

T1570 Lateral Tool Transfer (evidence: 1)

From there, the attackers somehow managed to upload the POS malware to the checkout machines located at various stores.

Collection

1 technique
T1056 Input Capture (evidence: 1)

"The class of malware identified by Krebs is often referred to as a memory scraper, because it monitors the computer memory of POS terminals used by retailers. The malware searches for credit card data before it has been encrypted and sent to remote payment processors. The malware then “scrapes” the plain-text entries and dumps them into a database."

Exfiltration

2 techniques
T1029 Scheduled Transfer (evidence: 1)

"BlackPOS only sends stolen information during business hours, to avoid raising suspicion by generating network traffic at unusual times."

T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol (evidence: 1)

"...another component collects it and sends it to the attacker via FTP."

Other

1 technique
T1562 Impair Defenses (evidence: 1)

At the time this POS malware was installed in Target’s environment ... none of the 40-plus commercial antivirus tools used to scan malware at virustotal.com flagged the POS malware ... as malicious. “They were customized to avoid detection and for use in specific environments,” the source said.
