S0517: Pillowmint
Pillowmint is a point-of-sale malware used by FIN7 designed to capture credit card information.[1]
Analyst context for executives and security teams
Pillowmint matters because it is Windows point-of-sale malware designed to capture credit card information. For executives and security leaders, the decision value is not just “malware exists,” but whether POS endpoints are treated as high-risk payment environments with sufficient endpoint, registry, PowerShell, process, and file-change visibility to support rapid containment and compliance evidence after a suspected card-data incident.
Executive priority
Prioritize Pillowmint as a payment-environment resilience and incident-readiness concern. The ATT&CK record links it to FIN7 and to behaviors involving local data collection, registry interaction, PowerShell execution, process discovery, obfuscation, fileless storage, compression, process injection, application shimming, and cleanup. Leaders should ask whether POS systems are segmented, monitored, and included in incident response playbooks; whether cardholder-data controls can be evidenced; and whether teams can quickly determine scope if malware is found on a Windows POS host.
Technical view
SOC, detection engineering, and IR teams should validate Windows POS coverage against the related behaviors rather than relying on a single malware signature. Key validation areas include registry query and modification, application shim artifacts, PowerShell activity, process discovery, native API/process-injection indicators such as APC-related behavior, compressed or obfuscated payloads, fileless storage patterns, local data access, archive creation, file deletion, and removal of persistence artifacts. Because the official ATT&CK object does not provide a detection section, detections should be built from the mapped techniques and then tested against local POS baselines to reduce false positives from legitimate payment software, maintenance tooling, and application compatibility components.
Likely telemetry
- Windows endpoint detection and response telemetry from POS systems
- Process creation and command-line telemetry, including PowerShell activity
- Windows Registry query and modification events
- Application compatibility shim and persistence-related artifacts
- File creation, compression/archive activity, and file deletion events
Detection direction
- Confirm POS endpoints are actually onboarded to endpoint logging and monitoring; many gaps come from treating POS devices as appliances rather than monitored Windows systems.
- Build behavior-based detection coverage around the ATT&CK relationships: registry activity, PowerShell execution, application shimming, APC-style process injection, obfuscation/compression, local data access, archiving, and cleanup behaviors.
- Tune detections against known payment applications, support scripts, software deployment tools, and legitimate application compatibility shims to manage false positives.
- Correlate cleanup behaviors such as file deletion or clearing persistence with earlier execution, registry, or process-injection signals; isolated deletion events may be noisy.
- Use FIN7 relationship context for threat-informed prioritization, but do not assume attribution from technique overlap alone.
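The correlation step above (cleanup only matters when it follows earlier shim, registry or injection signals on the same host, and known payment tooling is allow-listed) as an added example; this is illustrative code written for this page, not Glexia or MITRE tooling. Event field names, the behaviour rules, the hostnames and the timestamps are constructed assumptions standing in for what a real EDR would emit.

```python
from collections import defaultdict
from datetime import datetime, timedelta
PRECURSORS = {"shim_install", "registry_payload", "apc_injection"}

def classify(ev):
    """Map one constructed endpoint event to a behaviour tag from the ATT&CK mapping, or None."""
    cmd = ev.get("cmdline", "").lower()
    if ev["type"] == "process" and "powershell" in ev["image"].lower() and "sdbinst" in cmd:
        return "shim_install"      # PowerShell (T1059.001) installing a shim database (T1546.011)
    if ev["type"] == "registry" and "appcompatflags\\custom" in ev["key"].lower():
        return "shim_install"      # custom shim registration key written
    if ev["type"] == "registry" and ev.get("size", 0) > 50_000:
        return "registry_payload"  # large blob stored in a key (T1112, T1027.011)
    if ev["type"] == "api" and ev["api"] == "NtQueueApcThread" and ev["target"].lower() == "svchost.exe":
        return "apc_injection"     # APC-style injection into svchost.exe (T1055.004)
    if ev["type"] in ("file_delete", "service_delete"):
        return "cleanup"           # file deletion / persistence removal (T1070.004, T1070.009)
    return None

def correlate(events, window=timedelta(hours=24), trusted_images=()):
    """Alert on cleanup preceded on the same host, within `window`, by a precursor.
    Isolated cleanup and events from allow-listed images are dropped (tuning)."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        tag = classify(ev)
        if tag is None or ev.get("image", "").lower() in trusted_images:
            continue
        by_host[ev["host"]].append((ev["ts"], tag))
    alerts = []
    for host, seq in by_host.items():
        for ts, tag in seq:
            if tag != "cleanup":
                continue
            chain = {t for t0, t in seq if t in PRECURSORS and ts - window <= t0 < ts}
            if chain:
                alerts.append({"host": host, "at": ts, "precursors": sorted(chain)})
    return alerts

T = datetime(2020, 6, 22, 9, 0)  # constructed timestamps and hostnames, not real telemetry
SAMPLE = [
    {"host": "pos-01", "ts": T, "type": "process", "image": "powershell.exe", "cmdline": "sdbinst.exe -q C:\\temp\\x.sdb"},
    {"host": "pos-01", "ts": T + timedelta(minutes=1), "type": "registry", "key": "HKLM\\SOFTWARE\\Vendor\\Cfg", "size": 180_000},
    {"host": "pos-01", "ts": T + timedelta(minutes=2), "type": "api", "api": "NtQueueApcThread", "target": "svchost.exe"},
    {"host": "pos-01", "ts": T + timedelta(hours=3), "type": "file_delete", "image": "svchost.exe", "path": "C:\\temp\\x.sdb"},
    {"host": "pos-02", "ts": T, "type": "file_delete", "image": "posupdater.exe", "path": "C:\\ProgramData\\old.log"},
    {"host": "pos-03", "ts": T, "type": "file_delete", "image": "explorer.exe", "path": "C:\\Users\\u\\a.txt"},
]
def run_sample():
    # Expected: one alert for pos-01; pos-02 is allow-listed, pos-03 is an isolated deletion
    return correlate(SAMPLE, trusted_images=("posupdater.exe",))
```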
Mitigation priorities
- Start with asset ownership and segmentation for Windows POS systems so teams know which hosts are in the payment environment and can isolate them quickly during an incident.
- Harden and monitor PowerShell, registry modification, application shimming, and unnecessary administrative access on POS hosts according to business need.
- Maintain endpoint protection and centralized logging on POS systems, with retention sufficient to investigate file deletion and persistence cleanup.
- Restrict software execution and unauthorized tooling where operationally feasible for POS workloads.
- Prepare IR procedures for suspected payment-card malware: host isolation, memory/forensic preservation where appropriate, scoping, cardholder-data impact assessment, and compliance notification workflows.
Analyst notes and limits
The supplied ATT&CK object identifies Pillowmint as POS malware used by FIN7 and designed to capture credit card information. Its relationship set provides useful defensive focus areas across Windows execution, discovery, collection, persistence/privilege escalation, and stealth behaviors. The group relationship should inform threat modeling and prioritization, but attribution requires additional case evidence beyond this object.
Official detection content is not provided. The object lists Windows as the malware platform, while some related techniques have broader platform metadata; this take applies platform guidance conservatively to Windows POS environments because that is what the Pillowmint object supports. Local telemetry, POS architecture, payment application behavior, and incident evidence are required to determine actual exposure or detection coverage.
Pillowmint
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1546.011 | Application Shimming (sub-technique) | Pillowmint has used a malicious shim database to maintain persistence. [1] |
| Enterprise | T1055.004 | Asynchronous Procedure Call (sub-technique) | Pillowmint has used the NtQueueApcThread syscall to inject code into svchost.exe. [1] |
| Enterprise | T1112 | Modify Registry | Pillowmint has modified the Registry key |
| Enterprise | T1012 | Query Registry | Pillowmint has used shellcode which reads code stored in the registry keys |
| Enterprise | T1027 | Obfuscated Files or Information | Pillowmint has obfuscated the AES key used for encryption. [1] |
| Enterprise | T1027.015 | Compression (sub-technique) | Pillowmint has been compressed and stored within a registry key. [1] |
| Enterprise | T1027.011 | Fileless Storage (sub-technique) | Pillowmint has stored a compressed payload in the Registry key |
| Enterprise | T1070.009 | Clear Persistence (sub-technique) | Pillowmint can uninstall the malicious service from an infected machine. [1] |
| Enterprise | T1057 | Process Discovery | Pillowmint can iterate through running processes every six seconds, collecting a list of processes to capture from later. [1] |
| Enterprise | T1106 | Native API | Pillowmint has used multiple native Windows APIs to execute and conduct process injections. [1] |
| Enterprise | T1059.001 | PowerShell (sub-technique) | Pillowmint has used a PowerShell script to install a shim database. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Pillowmint has been decompressed by included shellcode prior to being launched. [1] |
| Enterprise | T1005 | Data from Local System | Pillowmint has collected credit card data using native API functions. [1] |
| Enterprise | T1070.004 | File Deletion (sub-technique) | Pillowmint has deleted the filepath |
| Enterprise | T1560 | Archive Collected Data | Pillowmint has encrypted stolen credit card information with AES and further encoded it with Base64. [1] |
Groups, software, and campaigns
G0046: FIN7
FIN7 is a financially-motivated threat group that has been active since 2013. FIN7 has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of FIN7 was operated out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, FIN7 shifted operations to big game hunting (BGH), including use of REvil ransomware and their own Ransomware-as-a-Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but multiple threat groups have been observed using Carbanak, leading these groups to be tracked separately.[1][2][3][4][5][6][7]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 3021c38c7bd3… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Trustwave Pillowmint June 2020: Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7's Monkey Thief. Retrieved July 27, 2020.
[2] mitre-attack S0517 (MITRE ATT&CK source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.