S0107: Cherry Picker

Cherry Picker is a point of sale (PoS) memory scraper. [1]

Enterprise | S0107 | Malware | Object v1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Cherry Picker is ATT&CK software S0107, described by MITRE as Windows point-of-sale memory-scraping malware. For leaders, the business relevance is not just “malware on a POS device”; it is the possibility that payment-processing endpoints may require specialized monitoring, rapid containment procedures, and defensible evidence for incident response and compliance review. ATT&CK links Cherry Picker to unencrypted exfiltration, file deletion, and Windows AppInit DLL persistence/privilege-escalation behavior, which makes visibility into endpoint changes and outbound traffic especially important.

Executive priority

Prioritize validation of POS endpoint monitoring and response readiness. Security leaders should ask whether Windows POS systems are inventoried, centrally logged, monitored for persistence changes, and segmented so that suspicious outbound unencrypted traffic can be investigated quickly. This object has no MITRE-provided detection text, so assurance should come from local control validation, not assumptions of tool coverage.

Technical view

For SOC, detection engineering, and IR teams, validate coverage around the related ATT&CK behaviors: T1546.010 AppInit DLL registry configuration on Windows, T1070.004 file deletion activity that may remove malware or artifacts, and T1048.003 exfiltration over unencrypted non-C2 protocols. Because the malware platform is Windows and the related persistence technique is Windows-specific, prioritize registry, process, file, and endpoint telemetry from POS hosts. Network teams should confirm whether outbound cleartext protocols from POS segments are visible and baselined.

Likely telemetry

  • Windows endpoint telemetry from POS systems
  • Windows Registry monitoring for AppInit_DLLs-related keys
  • Process execution and module/DLL load telemetry where available
  • File creation, modification, and deletion events on POS endpoints
  • Outbound network connection logs from POS network segments

Detection direction

  • Create or validate detections for unexpected changes to AppInit_DLLs registry values on Windows POS hosts.
  • Review file deletion patterns on POS systems, especially deletion of recently created executables, DLLs, scripts, logs, or temporary files; tune carefully because legitimate software maintenance can also delete files.
  • Baseline expected POS outbound destinations and protocols, then alert on unusual unencrypted egress consistent with T1048.003.
  • Correlate host persistence changes, file cleanup activity, and unusual outbound traffic rather than relying on any single signal.
  • Account for blind spots: MITRE provides no official detection guidance for Cherry Picker, so local telemetry quality and POS network visibility determine practical coverage.
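The correlation idea in the last two bullets, worked through as an added example that is not Glexia's or MITRE's code: each constructed event is mapped to one of the three ATT&CK behaviours linked to Cherry Picker, and a host is flagged only when at least two distinct behaviours co-occur. The event schema, field names, approved-destination list and cleartext port set are assumptions chosen for the example.

```python
# Added example (not from Glexia or MITRE): correlating the three ATT&CK
# behaviours linked to Cherry Picker across constructed, simplified telemetry.
import re
from collections import defaultdict

# Constructed sample events in a simplified, normalised form; field names are
# assumptions for this example, not any vendor's schema.
SAMPLE_EVENTS = [
    {"host": "pos-lane-03", "type": "registry_set",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
     "value": "AppInit_DLLs", "data": "pserver32.dll"},
    {"host": "pos-lane-03", "type": "file_delete", "path": r"C:\Windows\Temp\stage.exe"},
    {"host": "pos-lane-03", "type": "netconn", "dst": "203.0.113.10", "dport": 21},
    {"host": "pos-lane-07", "type": "file_delete", "path": r"C:\Program Files\POS\logs\old.log"},
    {"host": "pos-lane-07", "type": "netconn", "dst": "10.20.0.5", "dport": 443},
    {"host": "pos-lane-09", "type": "registry_set",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
     "value": "AppInit_DLLs", "data": ""},
]

# Assumed allow-list of POS destinations and the cleartext ports to watch (T1048.003).
APPROVED_DESTS = {"10.20.0.5"}
CLEARTEXT_PORTS = {20, 21, 80}
CLEANUP_EXT = re.compile(r"\.(exe|dll|ps1|bat|vbs|tmp|log)$", re.I)

def classify(ev):
    """Map one event to a signal name, or None if it is not suspicious on its own."""
    t = ev["type"]
    if t == "registry_set" and ev["value"].lower() == "appinit_dlls" and ev["data"].strip():
        return "appinit_persistence"      # T1546.010: non-empty AppInit_DLLs value set
    if t == "file_delete" and CLEANUP_EXT.search(ev["path"]):
        return "artifact_cleanup"         # T1070.004: weak alone; tune for maintenance noise
    if t == "netconn" and ev["dport"] in CLEARTEXT_PORTS and ev["dst"] not in APPROVED_DESTS:
        return "cleartext_egress"         # T1048.003: unapproved cleartext destination
    return None

def correlate(events, min_signals=2):
    """Return {host: sorted signals} for hosts showing at least min_signals distinct behaviours."""
    per_host = defaultdict(set)
    for ev in events:
        sig = classify(ev)
        if sig:
            per_host[ev["host"]].add(sig)
    return {h: sorted(s) for h, s in per_host.items() if len(s) >= min_signals}

if __name__ == "__main__":
    for host, sigs in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(sigs)}")
```

Only pos-lane-03 is flagged: the lone log deletion on pos-lane-07 and the emptied AppInit_DLLs value on pos-lane-09 stay below the threshold, which is the point of correlating rather than alerting on any single signal.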

Mitigation priorities

  • Maintain a current inventory of Windows POS endpoints and isolate them from general-purpose user and server networks where feasible.
  • Restrict and monitor outbound traffic from POS environments to approved destinations and protocols.
  • Harden Windows POS systems against unauthorized persistence changes, including registry locations associated with AppInit DLLs.
  • Ensure endpoint logging and centralized collection remain available on POS systems before an incident occurs.
  • Prepare IR playbooks for POS malware scenarios, including containment, evidence preservation, and compliance-supporting documentation.

Analyst notes and limits

The ATT&CK object is sparse: Cherry Picker is identified as a Windows PoS memory scraper, and the provided relationship context links it to exfiltration over unencrypted non-C2 protocol, file deletion, and AppInit DLLs. Those relationships are the strongest basis for defensive validation. The official ATT&CK object does not provide aliases, tactics on the malware object itself, or detection text.

This take uses only the supplied ATT&CK/STIX fields, external references, and relationships. It does not establish current activity, attribution, prevalence, victim exposure, or guaranteed detection coverage. Environment-specific validation is required to determine whether POS telemetry, segmentation, and controls are actually effective.

Official MITRE ATT&CK definition

Cherry Picker

Cherry Picker is a point of sale (PoS) memory scraper. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1070.004 | File Deletion (sub-technique)
  Recent versions of Cherry Picker delete files and registry keys created by the malware. [1]

Enterprise | T1546.010 | AppInit DLLs (sub-technique)
  Some variants of Cherry Picker use AppInit_DLLs to achieve persistence by creating the following Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows "AppInit_DLLs"="pserver32.dll" [1]

Enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol (sub-technique)
  Cherry Picker exfiltrates files over FTP. [1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 815b99cf043fb7c7...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 815b99cf043f…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Trustwave Cherry Picker: Merritt, E. (2015, November 16). Shining the Spotlight on Cherry Picker PoS Malware. Retrieved April 20, 2016.
  2. [2] mitre-attack S0107.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.