S0197: PUNCHTRACK
PUNCHTRACK is non-persistent point of sale (POS) system malware utilized by FIN8 to scrape payment card data. [1] [2]
Analyst context for executives and security teams
PUNCHTRACK matters because it is Windows point-of-sale malware associated in ATT&CK with payment card data scraping. For executives and security leaders, the key issue is not persistence; the object is described as non-persistent, which means a compromise may leave a narrower forensic window while still creating material payment-card, operational, and compliance risk. The practical question is whether POS environments generate enough endpoint, file, memory, and staging evidence for the SOC or incident responders to prove what happened before systems are rebuilt or rebooted.
Executive priority
Prioritize this as a payment-environment resilience and evidence-readiness issue. Leaders should ask whether POS systems are in scope for managed detection, whether card-data environments have logging sufficient for incident decisions, and whether response plans preserve volatile evidence from non-persistent malware. Because ATT&CK links PUNCHTRACK to FIN8 and to local data collection, obfuscation, and local data staging, control investment should focus on visibility, segmentation, least privilege, and rapid containment workflows around POS assets rather than assuming traditional persistence detections will be enough.
Technical view
ATT&CK lists PUNCHTRACK as Windows POS malware used by FIN8 to scrape payment card data, with relationships to Data from Local System, Obfuscated Files or Information, and Local Data Staging. SOC and IR teams should validate coverage on Windows POS endpoints for unusual processes accessing local sources or process memory, suspicious creation or modification of local staging files/directories, and indicators of packed, encoded, encrypted, or otherwise obfuscated executables or payloads. Because no official ATT&CK detection text is provided and tactics are not specified on the malware object, detections should be built from the related technique behaviors and tested against local POS baselines.
Likely telemetry
- Windows POS endpoint process execution and parent-child process telemetry
- File creation, modification, rename, and deletion events on POS systems
- Evidence of local data staging paths or temporary aggregation of collected data
- Endpoint security alerts for packed, encrypted, encoded, or otherwise obfuscated files
- Process access or memory-access telemetry where available, especially around applications handling payment data
Detection direction
- Do not rely only on persistence-oriented detections; ATT&CK describes PUNCHTRACK as non-persistent.
- Tune detections around the related behaviors: local data access, local staging, and obfuscated files or payloads on Windows POS systems.
- Baseline normal POS application behavior so alerts on file staging, unusual process access, or obfuscated binaries can be triaged without overwhelming false positives.
- Validate that POS endpoints actually forward logs before containment or reboot, since volatile or short-lived evidence may be lost.
- Use the FIN8 relationship as threat-intelligence context for prioritization, not as proof of attribution in any local incident.
Mitigation priorities
- Confirm POS asset inventory, ownership, and logging coverage before an incident occurs.
- Limit access and privileges on POS systems and restrict unnecessary local data access paths where operationally feasible.
- Segment POS environments and monitor traffic crossing POS boundaries to support investigation and containment.
- Harden endpoint controls to inspect or block suspicious obfuscated executables and unauthorized tooling, while allowing for POS application compatibility testing.
- Prepare IR procedures that preserve volatile evidence from Windows POS systems before reboot or rebuild when business conditions allow.
Analyst notes and limits
The object is most useful as a defensive prompt for POS visibility and incident readiness. Its relationship set points defenders toward collection from local systems, obfuscation, and local staging, which are practical detection engineering anchors even though the malware entry itself does not provide detection text. The FIN8 relationship raises prioritization for sectors with POS exposure, but local attribution should require independent evidence.
This take is based only on the supplied ATT&CK fields, references, and relationships. ATT&CK provides no official detection text, no explicit malware tactics on the object, no aliases beyond the listed external references, and no environment-specific indicators here. Coverage, risk, and response actions must be validated against the organization’s actual Windows POS architecture and telemetry.
PUNCHTRACK
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1005 | Data from Local System | PUNCHTRACK scrapes memory for properly formatted payment card data. [1] [2] |
| Enterprise | T1027 | Obfuscated Files or Information | PUNCHTRACK is loaded and executed by a highly obfuscated launcher. [1] |
| Enterprise | T1074.001 | Local Data Staging (sub-technique) | PUNCHTRACK aggregates collected data in a tmp file. [2] |
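The Detection direction list and the T1005 and T1074.001 rows above point at the same two behaviors: an unexpected process writing to a local staging location, and staged content that is properly formatted card data. The following Python sketch is an added example, not code from the page or from ATT&CK; it assumes a POS process baseline, temp directories, and constructed events, and it treats "properly formatted" as a track-2 layout with a Luhn-valid PAN (the well-known test number 4111111111111111), which is an assumption about the format rather than something the page states.

```python
"""Toy detection for PUNCHTRACK-style local staging on POS hosts (constructed data)."""
import re

# Assumed baseline of processes expected to write files on POS hosts.
POS_BASELINE = {"pos.exe", "svchost.exe", "explorer.exe"}
# Assumed staging locations worth watching (T1074.001 notes a tmp file).
TMP_DIRS = ("c:\\windows\\temp\\", "c:\\users\\pos\\appdata\\local\\temp\\")
# Track-2 layout: PAN of 13-19 digits, '=', then expiry and service-code digits.
TRACK2_RE = re.compile(r"\b(\d{13,19})=\d{4}\d*\b")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation, which cuts false positives on plain digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def contains_card_data(text: str) -> bool:
    """True if text holds at least one track-2 record with a Luhn-valid PAN."""
    return any(luhn_ok(m.group(1)) for m in TRACK2_RE.finditer(text))


def detect(events):
    """Return (rule, host, process, path) tuples for suspicious temp-file writes."""
    alerts = []
    for ev in events:
        proc, path = ev["process"].lower(), ev["path"].lower()
        if ev["action"] != "file_write" or not path.startswith(TMP_DIRS):
            continue
        if proc not in POS_BASELINE:
            alerts.append(("unbaselined_tmp_write", ev["host"], proc, ev["path"]))
        if contains_card_data(ev.get("content", "")):
            alerts.append(("card_data_staged", ev["host"], proc, ev["path"]))
    return alerts


# Constructed sample telemetry: a benign log write, a temp-file write by an unknown
# process holding valid track data, and a baseline process whose digit run fails Luhn.
SAMPLE_EVENTS = [
    {"host": "POS-07", "process": "pos.exe", "action": "file_write",
     "path": r"C:\POS\logs\sales.log", "content": "txn 0042 approved"},
    {"host": "POS-07", "process": "launcher.exe", "action": "file_write",
     "path": r"C:\Windows\Temp\~tmp1.dat",
     "content": "4111111111111111=25121010000000000000"},
    {"host": "POS-07", "process": "svchost.exe", "action": "file_write",
     "path": r"C:\Windows\Temp\cab_1.tmp", "content": "4111111111111112=2512101"},
]
```

Running `detect(SAMPLE_EVENTS)` yields two alerts for the second event and none for the other two, which is the triage split the baseline and Luhn check are meant to produce.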
Groups, software, and campaigns
G0061: FIN8
FIN8 is a financially motivated threat group that has been active since at least January 2016 and is known for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemical, and financial sectors. In June 2021, security researchers detected FIN8 switching from targeting point-of-sale (POS) devices to distributing a number of ransomware variants. [1] [2] [3] [4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be opened to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | b2ad53a5b6b4… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] FireEye Fin8 May 2016: Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.
[2] FireEye Know Your Enemy FIN8 Aug 2016: Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
[3] PSVC (Citation: FireEye Know Your Enemy FIN8 Aug 2016)
[4] PUNCHTRACK (Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016)
[5] mitre-attack S0197
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.