S0196: PUNCHBUGGY
PUNCHBUGGY is a backdoor malware used by FIN8 that has been observed targeting POS networks in the hospitality industry. [1][2][3]
Analyst context for executives and security teams
PUNCHBUGGY matters because ATT&CK describes it as a Windows backdoor associated with FIN8 and observed against POS networks in hospitality. For leaders, the decision point is not simply “do we know this malware name,” but whether Windows POS and adjacent systems have enough endpoint, registry, script, DLL-loading, file, and web-traffic visibility to investigate a backdoor that may use common administrative-looking behaviors.
Executive priority
Prioritize this where payment environments, hospitality operations, or Windows POS networks are business-critical. Ask whether POS segmentation, Windows endpoint monitoring, egress visibility, and incident response evidence are strong enough to prove or disprove backdoor activity. Because ATT&CK provides no official detection guidance for this object, coverage should be validated through the related behaviors rather than relying on signature-based confidence.
Technical view
Validate coverage against the relationships ATT&CK provides for PUNCHBUGGY: PowerShell and Python execution, rundll32 and shared-module (LoadLibrary) execution, obfuscation/deobfuscation, masquerading of DLLs under System32 file names in %WINDIR% or %TEMP%, file deletion, local data staging, archive creation, local account/system/security software discovery, ingress tool transfer, web-protocol command-and-control, AppCert DLL persistence, and Run Key or Startup Folder persistence. Focus on Windows hosts, especially POS-connected assets if present. Since the malware object has no ATT&CK detection text, detection engineering should map these behaviors to locally available telemetry and test whether normal POS administration creates similar patterns.
Likely telemetry
- Windows process creation and command-line telemetry for PowerShell, Python, rundll32, archiving utilities, and discovery commands
- Windows module/DLL load telemetry, especially shared module execution and rundll32-mediated loading
- Registry monitoring for Run Keys, Startup Folder references, and the AppCertDLLs value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
- File creation, modification, deletion, staging directory, and archive creation events on POS and adjacent Windows systems
- Network telemetry for outbound HTTP/S or other web-protocol traffic from POS-network hosts
Detection direction
- Build detections around behavior chains rather than the PUNCHBUGGY name: script execution followed by DLL/rundll32 activity, DLLs carrying System32 file names loaded from %WINDIR% or %TEMP%, persistence registry changes, discovery commands, staging or archive creation, file cleanup, and outbound web traffic.
- Tune for the POS environment: administrative software, payment applications, patching tools, and support workflows may legitimately use scripts, DLLs, archives, or web protocols, so baselines and allowlists need evidence-based review.
- Pay special attention to blind spots common in POS networks: limited endpoint agents, weak command-line logging, missing registry auditing, insufficient DLL-load visibility, and egress logs that do not identify the originating host.
- Correlate related ATT&CK behaviors with the FIN8 relationship as threat-intelligence context, but do not treat group attribution as confirmed without incident-specific evidence.
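The chain-scoring idea above, as an added example that is not part of the original page or of any MITRE, Glexia or vendor tooling. It takes Sysmon-style endpoint events (field names follow Sysmon loosely; every record is constructed), tags each event with one of the PUNCHBUGGY-related behaviors, including the System32-name-outside-System32 DLL check for T1036.005, and sums distinct tags per host so that a single script run or Run-key change from a patching workflow stays below the alert line while the full chain does not. The weights, threshold, `SYSTEM32_NAMES` subset, `posclient.exe` allowlist entry and host names are all assumptions to be replaced with local baselines.

```python
"""Score PUNCHBUGGY-style behaviour chains per host from Windows endpoint events.

Added example; not code from MITRE, Glexia or the cited reports. Field names
loosely follow Sysmon (Image, CommandLine, ImageLoaded, TargetObject,
TargetFilename, DestinationPort); every record in EVENTS is constructed.
"""
import ntpath
import re
from collections import defaultdict

# Hypothetical subset of a gold-image System32 inventory. A real deployment
# exports this from a known-good POS build instead of hard-coding names.
SYSTEM32_NAMES = {"wininet.dll", "winhttp.dll", "cryptsp.dll", "msimg32.dll"}
SYSTEM32_DIR = r"c:\windows\system32"
APPCERT_KEY = r"hklm\system\currentcontrolset\control\session manager\appcertdlls"
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "python.exe", "pythonw.exe"}
DISCOVERY_RE = re.compile(r"\b(net\s+user|whoami|systeminfo|hostname|tasklist)\b", re.I)
ENCODED_RE = re.compile(r"(-enc(odedcommand)?\s+[A-Za-z0-9+/=]{20,}|frombase64string)", re.I)
# Images expected to speak HTTP(S) from a POS terminal; posclient.exe is a hypothetical payment app.
WEB_ALLOWED = {"msedge.exe", "svchost.exe", "posclient.exe"}
TEMP_MARK = "\\temp\\"

# Assumed weights: persistence and masquerading are rarer in routine POS administration than scripting.
WEIGHTS = {"script_exec": 1, "encoded_script": 2, "rundll32": 1, "discovery": 1,
           "masquerade_dll": 3, "appcert_persist": 3, "run_key_persist": 2,
           "staging": 1, "file_delete": 1, "web_c2": 2}
ALERT_THRESHOLD = 8


def tags_for(ev):
    """Map one event to the behaviour tags it contributes (empty set if benign)."""
    kind, tags = ev["type"], set()
    if kind == "ProcessCreate":
        image = ntpath.basename(ev["Image"]).lower()
        cmd = ev.get("CommandLine", "")
        if image in SCRIPT_HOSTS:
            tags.add("script_exec")
            if ENCODED_RE.search(cmd):
                tags.add("encoded_script")
        if image == "rundll32.exe":
            tags.add("rundll32")
        if DISCOVERY_RE.search(cmd):
            tags.add("discovery")
    elif kind == "ImageLoad":
        path = ev["ImageLoaded"].lower()
        # T1036.005 check: a System32 file name loaded from anywhere but System32.
        if ntpath.basename(path) in SYSTEM32_NAMES and ntpath.dirname(path) != SYSTEM32_DIR:
            tags.add("masquerade_dll")
    elif kind == "RegistrySet":
        target = ev["TargetObject"].lower()
        if target.startswith(APPCERT_KEY):
            tags.add("appcert_persist")
        elif RUN_KEY_RE.search(target):
            tags.add("run_key_persist")
    elif kind == "FileCreate":
        path = ev["TargetFilename"].lower()
        if TEMP_MARK in path and path.endswith((".gz", ".tmp")):
            tags.add("staging")
    elif kind == "FileDelete":
        path = ev["TargetFilename"].lower()
        # Only cleanup of droppable artefacts in temp or %WINDIR% counts; ordinary deletes are noise.
        if (TEMP_MARK in path or path.startswith("c:\\windows\\")) and path.endswith((".dll", ".gz", ".tmp")):
            tags.add("file_delete")
    elif kind == "NetworkConnect":
        image = ntpath.basename(ev["Image"]).lower()
        if ev["DestinationPort"] in (80, 443) and image not in WEB_ALLOWED:
            tags.add("web_c2")
    return tags


def score_hosts(events):
    """Return {host: (score, sorted distinct tags)} using distinct tags, not event counts."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= tags_for(ev)
    return {h: (sum(WEIGHTS[t] for t in tags), sorted(tags)) for h, tags in per_host.items()}


def alerts(events):
    """Hosts whose chain score reaches the (assumed) threshold."""
    return sorted(h for h, (score, _) in score_hosts(events).items() if score >= ALERT_THRESHOLD)


def ev(host, kind, **fields):
    return {"host": host, "type": kind, **fields}


# Constructed events: a full chain on one terminal, a benign patch workflow on an admin box.
EVENTS = [
    ev("POS-TERM-07", "ProcessCreate", Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
       CommandLine="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"),
    ev("POS-TERM-07", "ImageLoad", ImageLoaded=r"C:\Windows\Temp\wininet.dll"),
    ev("POS-TERM-07", "ProcessCreate", Image=r"C:\Windows\System32\rundll32.exe",
       CommandLine=r"rundll32.exe C:\Windows\Temp\wininet.dll,Start"),
    ev("POS-TERM-07", "RegistrySet",
       TargetObject=r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\svc"),
    ev("POS-TERM-07", "ProcessCreate", Image=r"C:\Windows\System32\cmd.exe",
       CommandLine="cmd.exe /c net user & whoami & hostname"),
    ev("POS-TERM-07", "FileCreate", TargetFilename=r"C:\Users\pos\AppData\Local\Temp\tmpA1B2.gz"),
    ev("POS-TERM-07", "NetworkConnect", Image=r"C:\Windows\System32\rundll32.exe", DestinationPort=443),
    ev("POS-TERM-07", "FileDelete", TargetFilename=r"C:\Windows\Temp\wininet.dll"),
    ev("POS-ADMIN-01", "ProcessCreate", Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
       CommandLine=r"powershell.exe -ExecutionPolicy Bypass -File C:\Patch\install.ps1"),
    ev("POS-ADMIN-01", "RegistrySet", TargetObject=r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PatchAgent"),
    ev("POS-ADMIN-01", "ImageLoad", ImageLoaded=r"C:\Windows\System32\wininet.dll"),
    ev("POS-ADMIN-01", "NetworkConnect", Image=r"C:\Program Files\Microsoft\Edge\msedge.exe", DestinationPort=443),
]

if __name__ == "__main__":
    for host, (score, tags) in score_hosts(EVENTS).items():
        print(f"{host}: score={score} tags={tags}")
    print("alert:", alerts(EVENTS))
```

Scoring distinct tags rather than raw event counts is deliberate: a patch script that runs a hundred times should not outscore a single masqueraded DLL plus an AppCertDLLs write. Tuning happens in the allowlists and weights, which is where the evidence-based review of POS administration tools belongs.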
Mitigation priorities
- Confirm POS and payment-adjacent Windows assets are inventoried, segmented, and limited to required inbound and outbound communications.
- Ensure endpoint logging captures process command lines, registry persistence changes, file activity, module loading where feasible, and script interpreter use.
- Govern or restrict unnecessary PowerShell, Python, rundll32 proxy execution patterns, archive utilities, and unsigned or unexpected DLL loading on POS systems using approved administrative controls.
- Monitor and protect persistence locations such as Run Keys, Startup Folders, and AppCertDLLs; investigate unauthorized changes quickly.
- Prepare IR procedures for collecting volatile endpoint evidence, registry state, staged files, archives, deleted-file indicators, and web-traffic history from POS-network hosts.
Analyst notes and limits
The strongest business relevance is to hospitality and POS environments because that is explicitly stated in ATT&CK’s description. The related FIN8 object also notes financially motivated activity across several sectors and a later shift toward ransomware variants, but that should be used only as contextual threat intelligence, not as proof of current PUNCHBUGGY activity in any environment.
ATT&CK provides no official detection text, labels, or malware-level tactics for this object; the reference list does record ShellTea as an associated name for PUNCHBUGGY. Several related technique descriptions list broad platforms, while the malware object itself is Windows; local validation should therefore focus on Windows telemetry unless separate evidence supports other platforms. No claim of active exploitation or customer exposure can be made from the supplied fields alone.
PUNCHBUGGY
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.006 | Command and Scripting Interpreter: Python | PUNCHBUGGY has used Python scripts. [1] |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | PUNCHBUGGY can load a DLL using Rundll32. [3] |
| Enterprise | T1546.009 | Event Triggered Execution: AppCert DLLs | PUNCHBUGGY can establish persistence using an AppCertDLLs Registry key. [3] |
| Enterprise | T1129 | Shared Modules | PUNCHBUGGY can load a DLL using the LoadLibrary API. [3] |
| Enterprise | T1087.001 | Account Discovery: Local Account | PUNCHBUGGY can gather user names. [1] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | PUNCHBUGGY can gather the antivirus products registered on the system. [1] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | PUNCHBUGGY has been observed using a Registry Run key. [3][1] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | PUNCHBUGGY mimics file names from %SYSTEM%\System32 to hide DLLs in %WINDIR% and/or %TEMP%. [3][1] |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | PUNCHBUGGY has gzipped information and saved it to a random temp file before exfiltration. [1] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | PUNCHBUGGY has used PowerShell scripts. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | PUNCHBUGGY can download additional files and payloads to compromised hosts. [3][1] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | PUNCHBUGGY has saved information to a random temp file before exfiltration. [1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | PUNCHBUGGY enables remote interaction and can obtain additional code over HTTPS GET and POST requests. [2][3][1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | PUNCHBUGGY has used PowerShell to decode a base64-encoded assembly. [1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | PUNCHBUGGY can delete files written to disk. [3][1] |
| Enterprise | T1027 | Obfuscated Files or Information | PUNCHBUGGY has hashed most of its code's functions and encrypted payloads with base64 and XOR. [1] |
| Enterprise | T1082 | System Information Discovery | PUNCHBUGGY can gather system information such as computer names. [1] |
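The T1027 and T1140 rows describe payloads protected with base64 and XOR and later decoded on the host. The following is an added analyst-side example, not code from the cited reports or from the malware, showing how a staged blob of that shape can be unwrapped during triage without the dropper's decoder: strip the base64 layer, then derive a repeating XOR key by known plaintext from the standard DOS stub a PE begins with, and accept a candidate key only if the result carries a valid `PE\0\0` signature at `e_lfanew`. It assumes a repeating key of at most 16 bytes and a payload that starts with the common MSVC-style DOS stub; the sample blob, `SAMPLE_KEY` and `build_sample_payload` are constructed stand-ins, not recovered artefacts.

```python
"""Unwrap a base64+XOR obfuscated PE payload by known-plaintext key derivation.

Added example; not code from the cited reports or from PUNCHBUGGY itself. It
assumes a repeating XOR key of up to 16 bytes applied before base64 encoding
and a payload that begins with a standard DOS stub (common, not universal).
"""
import base64
import struct
from itertools import cycle

# First 16 bytes of the DOS header emitted by typical MSVC-linked PEs (MZ, e_cblp=0x90, e_cp=3, ...).
DOS_STUB_PREFIX = bytes.fromhex("4d5a90000300000004000000ffff0000")


def xor_bytes(data, key):
    """Repeating-key XOR; the operation is its own inverse."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(blob):
    """Check the MZ signature and that e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_key(cipher, max_len=16):
    """Derive candidate keys from the known DOS stub; return the shortest that yields a valid PE."""
    for klen in range(1, max_len + 1):
        key = xor_bytes(cipher[:klen], DOS_STUB_PREFIX[:klen])
        if looks_like_pe(xor_bytes(cipher, key)):
            return key
    return None


def deobfuscate(b64_text):
    """Return (key, decoded image) or raise if no short repeating key produces a PE."""
    cipher = base64.b64decode(b64_text)
    key = recover_key(cipher)
    if key is None:
        raise ValueError("no repeating XOR key up to 16 bytes produced a PE image")
    return key, xor_bytes(cipher, key)


def build_sample_payload():
    """Constructed stand-in for a PE: DOS stub, e_lfanew=0x80, PE signature, filler."""
    img = bytearray(0x100)
    img[:len(DOS_STUB_PREFIX)] = DOS_STUB_PREFIX
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\x00\x00"
    img[0x84:0x100] = bytes(range(0x7C))  # filler standing in for COFF/optional headers
    return bytes(img)


def obfuscate(payload, key):
    """Apply the same base64(XOR(payload, key)) wrapping the page describes, for the sample only."""
    return base64.b64encode(xor_bytes(payload, key)).decode()


SAMPLE_KEY = b"\x5a\x13\xc7"  # constructed; a real key is whatever the dropper used
SAMPLE_BLOB = obfuscate(build_sample_payload(), SAMPLE_KEY)

if __name__ == "__main__":
    key, image = deobfuscate(SAMPLE_BLOB)
    print(f"key={key.hex()} pe_ok={looks_like_pe(image)} size={len(image)}")
```

Shorter key lengths are tried first because a key of length 3 also validates at length 6; the PE-signature check, rather than the MZ bytes alone, is what rejects the partial keys, since a two-byte prefix of a three-byte key still decrypts "MZ" correctly but scrambles `e_lfanew`. If the payload is not a PE (a .NET assembly loaded reflectively still is; a script is not), swap `looks_like_pe` for a check on whatever header the staged content should have.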
Groups, software, and campaigns
G0061: FIN8
FIN8 is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemical, and financial sectors. In June 2021, security researchers detected FIN8 switching from targeting point-of-sale (POS) devices to distributing a number of ransomware variants.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.1 | | Current bundle | 84ee2f7c8f67… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Morphisec ShellTea June 2019: Gorelik, M. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Morphisec. Retrieved June 13, 2019.
[2] FireEye Fin8 May 2016: Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. FireEye. Retrieved February 12, 2018.
[3] FireEye Know Your Enemy FIN8 Aug 2016: Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. FireEye. Retrieved February 26, 2018.
[4] PUNCHBUGGY (associated name): cited to FireEye Fin8 May 2016 and FireEye Know Your Enemy FIN8 Aug 2016.
[5] ShellTea (associated name): cited to Morphisec ShellTea June 2019.
[6] mitre-attack S0196: the ATT&CK source object for this software entry.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.