Full Build Leaked: Next-Gen POS Memory Scraper with Active EMV Bypass
vSkimmer is POS malware out of the Russian underground: a botnet built specifically to rip Track 2 data straight out of the memory of Windows-based payment terminals. It enumerates processes, skips a whitelist of system and AV processes, pattern-matches the remaining memory for card data, and ships the hits Base64-encoded to a C2 server. If the host is offline, it waits for a USB drive to be inserted and dumps the logs to it, an insider-friendly design. It targets card data while it sits in the transaction flow: classic RAM scraping from before EMV became the hard standard. Legacy tech, but the logic is foundational.
Core Capabilities
Memory Scanning Engine
Scans running process memory for Track 1 and Track 2 magnetic stripe data patterns per ISO/IEC 7813. Targets payment application heaps specifically. A whitelist filter skips Windows core processes and common AV service names so they are never read. Scan interval adjustable from 100ms to 2000ms.
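The pattern matching described above is the whole game for a memory scraper, and it is also exactly what a forensic analyst or DLP scanner runs the other way round, over a process dump or crash file, to confirm whether a payment application ever held cleartext track data. The following is an added example, not code from the leaked build or from this page: it locates ISO/IEC 7813 Track 1 and Track 2 records in a raw byte buffer, rejects digit runs that fail the Luhn check (the standard trick for cutting false positives), masks the PAN to BIN plus last four, and flags service codes that indicate a chip-capable card. The sample buffer and the test PANs in it are constructed for the example.

```python
"""Locate and validate ISO/IEC 7813 Track 1 / Track 2 data in a raw byte buffer.

Added example (not the page's or the malware's code). The patterns below are the
same ones a RAM scraper keys on; here they are used defensively over a memory dump
to check whether a payment application ever held cleartext track data.
"""
import re
from dataclasses import dataclass

# Track 2 (ISO/IEC 7813): ';' PAN(12-19 digits) '=' YYMM(4) service code(3)
# discretionary data '?' LRC. Readers usually drop the LRC, so it is not required here.
TRACK2_RE = re.compile(rb";(\d{12,19})=(\d{4})(\d{3})(\d{0,20})\?")

# Track 1 format B: '%B' PAN '^' cardholder name(2-26) '^' YYMM service code(3)
# discretionary data '?'. The name field allows letters, digits, space and / . ' -
TRACK1_RE = re.compile(rb"%B(\d{12,19})\^([A-Z0-9 /.'-]{2,26})\^(\d{4})(\d{3})([^?]{0,40})\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check; used to discard random digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6) and last 4, the only parts a report should ever carry."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class TrackHit:
    track: int
    offset: int
    pan_masked: str
    expiry_yymm: str
    service_code: str
    luhn_valid: bool
    name: str = ""

    @property
    def chip_capable(self) -> bool:
        # ISO/IEC 7813 service code, first digit: 2 or 6 = integrated circuit card present.
        return self.service_code[0] in "26"


def scan_buffer(buf: bytes) -> list[TrackHit]:
    """Return every track-shaped record in buf, ordered by offset, Luhn-flagged."""
    hits: list[TrackHit] = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append(TrackHit(2, m.start(), mask_pan(pan), m.group(2).decode(),
                             m.group(3).decode(), luhn_ok(pan)))
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append(TrackHit(1, m.start(), mask_pan(pan), m.group(3).decode(),
                             m.group(4).decode(), luhn_ok(pan), name=m.group(2).decode()))
    return sorted(hits, key=lambda h: h.offset)


# Constructed stand-in for a process memory dump: NUL padding, a Track 2 record,
# a Track 1 record with a chip-capable service code (201), and a Track 2 record
# whose PAN fails Luhn, which is what a false positive looks like.
SAMPLE_DUMP = (
    b"POSAPP\x00\x00\x00"
    b";4111111111111111=25121010000000000000?"
    b"\x00\x00\x00txn-ok\x00"
    b"%B5555555555554444^DOE/JOHN^2512201000000000000?"
    b"\x00garbage\x00"
    b";4111111111111112=2512101?"
)

if __name__ == "__main__":
    for h in scan_buffer(SAMPLE_DUMP):
        flag = "ok" if h.luhn_valid else "LUHN FAIL"
        print(f"track{h.track} @0x{h.offset:04x} {h.pan_masked} exp={h.expiry_yymm} "
              f"sc={h.service_code} chip={h.chip_capable} {flag}")
```

Run it over a real dump with `scan_buffer(open(path, "rb").read())`; anything that comes back Luhn-valid means track data was resident in cleartext at the moment of capture, which is the condition the scraper above depends on.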
EMV Pre-Encryption Hook
Intercepts the transaction buffer between the payment middleware and the PIN pad driver. Hooks the WinEvent message pump and ReadFile operations on virtual COM ports. Data is extracted during the 2-4ms window before the DUKPT key derivation completes, according to the seller. Claimed functional against Oracle MICROS 3700+, NCR Aloha 15.1+, Shift4 DOLLAR 6.x. Caveat: DUKPT is a per-transaction key derivation scheme running inside the PIN pad, not a key exchange with the host, so a hook on the host's COM port reads only sees cleartext if the PIN pad is not encrypting at the read head (no SRED/P2PE). On a chip transaction the best such a hook can recover is the Track 2 Equivalent Data (PAN and expiry); the cryptogram that makes a counterfeit chip card fail is not reusable.
Offline Exfiltration
Monitors USB mount events. A removable volume whose label matches the configured trigger label immediately receives a Base64-encoded dump of the log. No network activity is generated.
C2 Communication
HTTP POST with a rotating browser User-Agent pool. The initial beacon transmits: hostname, OS build, installed POS software fingerprint, available COM ports, and enumerated payment drivers. All traffic is XOR-obfuscated with a per-session rotating key (XOR with a short key is obfuscation, not encryption, and is recoverable from captured traffic with known plaintext such as the hostname).
Builder Configuration Options
| Field | Purpose |
|---|---|
| C2 Domain | Primary command server URL |
| Backup Domain | Failover URL if primary unreachable |
| Mutex Name | Global mutex to prevent duplicate execution |
| Install Directory | Payload drop location on target |
| USB Trigger Label | Custom string for offline dump activation |
| Scan Whitelist | Processes to exclude from memory scan |
| Heartbeat Interval | Beacon frequency in seconds |
| Persistence Type | Registry, Task, or Service |
| Packer Iterations | Obfuscation layers applied to final binary |
Panel Features
PHP 8.1+ dashboard with MySQL backend.
- Live bot count and geographic distribution
- Card data viewer with BIN/IIN lookup
- Search by card number (PAN), expiry, hostname, or bot GUID
- Export to CSV, JSON, raw text
- Bot command interface for remote payload push
- Config push to update whitelist/blacklist on live bots
Technical Indicators
| Metric | Value |
|---|---|
| Payload Size | 132KB (post-packing) |
| Memory Footprint | Under 8MB resident |
| Scan Method | ReadProcessMemory with pattern matching |
| Data Encoding | Base64 (storage), XOR (transit), AES-128-CBC (panel export) |
| Supported OS | Windows 7 SP1 through Windows 11 IoT, Windows Embedded POSReady |
vSkimmer v4.1.0 “Phoenix” Leaked Build & Full Technical Specs
Builder Contents
The archive unpacks to a Visual Studio 2022 solution with preconfigured dependencies.
| Component | Description |
|---|---|
| builder.exe | GUI configuration panel for payload generation |
| /panel/ | PHP 8.x dashboard with live bot feed |
| /src/ | Full C++ client source, modifiable |
| /packer/ | Obfuscation scripts with polymorphism engine |
| /extras/ | Precompiled x86/x64 stubs for rapid deployment |