Malware, used by 1 actor

FrameworkPOS

Also known as: Trinity

FrameworkPOS is point-of-sale malware used to steal payment card track data from infected systems. Public reporting states that it collects credit card data from process memory, identifies payment card track data on the victim host, and copies the harvested data to a local file in a subdirectory of C:\Windows. It is associated with FIN6, which CrowdStrike tracks as SKELETON SPIDER, and was described in incident response reporting as being used to steal credit card track data from PoS devices. The same reporting notes that FIN6 has used scheduled tasks to establish persistence for FrameworkPOS and that FrameworkPOS has been used alongside Cobalt Strike. High-confidence behaviors directly mentioned include memory scraping for card data, local staging of stolen track data under C:\Windows, and use in financially motivated intrusions targeting PoS environments.


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

FIN6

FIN6 has used scheduled tasks to establish persistence for various malware it uses, including downloaders known as HARDTACK and SHIPBREAD and FrameworkPOS.

Source: MITRE ATT&CK (attack.mitre.org)
MITRE ATT&CK

Techniques & procedures

14 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

4 techniques
T1047 Windows Management Instrumentation (Evidence: 1)

MITRE ATT&CK Mapping ... Adbhoney (ADB attacks): ... T1047 — Process Execution. ... Dionaea (malware capture): ... T1047 — Process Execution.

T1053 Scheduled Task/Job (Evidence: 1)

“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”

T1053.005 Scheduled Task (Evidence: 2)

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

T1059 Command and Scripting Interpreter (Evidence: 1)

MITRE ATT&CK Mapping ... Adbhoney (ADB attacks): ... T1059 — Command Execution. ... The captured chain of commands looked like: pm path com.ufo.miner ... chmod 0755 /data/local/tmp/trinity /data/local/tmp/nohup su -c /data/local/tmp/trinity

Persistence

2 techniques
T1053 Scheduled Task/Job (Evidence: 1)

“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”

T1053.005 Scheduled Task (Evidence: 2)

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

Privilege Escalation

2 techniques
T1053 Scheduled Task/Job (Evidence: 1)

“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”

T1053.005 Scheduled Task (Evidence: 2)

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

Stealth

1 technique
T1070.004 File Deletion (Evidence: 1)

MITRE ATT&CK Mapping ... Adbhoney (ADB attacks): ... T1070.004 — File Deletion. ... Removes the temporary file to reduce artifacts. ... rm /data/local/tmp/ufo.apk rm -rf /data/local/tmp*

Credential Access

1 technique
T1003 OS Credential Dumping (Evidence: 1)

The content references collection of credential material from local systems, including "Bumblebee can capture and compress stolen credentials from the Registry and volume shadow copies," "GALLIUM collected ... password hashes from the SAM hive in the Registry," and "Windigo has used a script to gather credentials in files left on disk by OpenSSH backdoors."

Discovery

1 technique
T1057 Process Discovery (Evidence: 3)

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

Collection

4 techniques
T1005 Data from Local System (Evidence: 3)

The content repeatedly describes threat actors and malware collecting, stealing, identifying, copying, or staging files, documents, credentials, logs, databases, and other information from compromised hosts or local systems.

T1074 Data Staged (Evidence: 1)

The content repeatedly describes adversaries and malware storing collected data, command output, credentials, archives, or files in local temporary folders, working directories, hidden directories, registry locations, recycle bins, or specific files prior to exfiltration.

T1074.001 Local Data Staging (Evidence: 1)

T1560.003 Archive via Custom Method (Evidence: 1)

Command and Control

1 technique
T1105 Ingress Tool Transfer (Evidence: 1)

Adbhoney (ADB attacks): T1105 — Ingress Tool Transfer (downloading APKs and binaries). ... Some commonly used command patterns included: Use of curl and wget to pull binaries or scripts from remote servers.

Exfiltration

1 technique
T1048 Exfiltration Over Alternative Protocol (Evidence: 1)

Impact

1 technique
T1498 Network Denial of Service (Evidence: 1)

This type of attack is called a Distributed DoS, or DDoS, attack. DoS attacks attempt to exhaust the victim's resources. These resources can be network bandwidth, computing power, or operating system data structures.
