The underground just got a massive dump. The latest build of Treasure Hunter POS Malware including the admin panel, GUI builder, and a newly customized v3.0 build has been released. This isn’t some rehashed relic; this is a modernized, production-ready variant compiled for today’s POS environments.
What Is Treasure Hunter?
Treasure Hunter is Point-of-Sale (POS) malware built to do one thing: scrape Track 1 and Track 2 magnetic-stripe data from the memory of POS software running on infected Windows hosts. It reads the unencrypted buffer during the short window in which a transaction is being processed, before the card data is encrypted for transmission or discarded.
Core Functionality:
- Process Enumeration: Scans running processes for known POS software (Aloha, Micros, etc.).
- RAM Scraping: Reads the memory regions of each target process and pattern-matches them for card track data.
- Data Exfiltration: Sends the stolen dumps to a C2 server over HTTP/HTTPS, with the payload RC4-encrypted.
- Persistence: Installs itself via the Registry (HKLM\...\Run\jucheck) or WMI event subscriptions.
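To make the "RAM scraping" step concrete, here is an added example (written for this page, not code from the leak) of what a scraper actually does once it has a copy of a POS process's memory: run Track 1 / Track 2 regexes over the buffer and keep only hits whose PAN passes the Luhn check. The same logic, run over a memory dump or a decrypted exfil blob, is what a defender uses to confirm that a machine was actually leaking card data. The sample buffer is constructed; the PAN is the well-known Visa test number, not a real card.

```python
import re

# Constructed sample: bytes as a POS process might hold them for an instant
# after a swipe. The PAN 4111111111111111 is the standard Visa test number.
SAMPLE_BUFFER = (
    b"\x00\x00POSTxnBegin\x00"
    b"%B4111111111111111^DOE/JOHN^29121011000000000000?"   # Track 1
    b"\x00\x00\x00"
    b";4111111111111111=29121011000000000000?"             # Track 2
    b"\x00garbage;1234567890123456=2912101?\x00"           # PAN-shaped noise, fails Luhn
)

# Track 1 (ISO/IEC 7813 format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")


def luhn_ok(pan: bytes) -> bool:
    """Luhn mod-10 check. Scrapers use it to drop digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 0x30                      # ASCII digit -> int
        if i % 2 == 1:                     # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_buffer(buf: bytes) -> list[dict]:
    """Return every Luhn-valid Track 1 / Track 2 record found in a memory buffer."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1)
        if luhn_ok(pan):
            hits.append({
                "track": 1,
                "pan": pan.decode(),
                "name": m.group(2).decode(errors="replace"),
                "exp": m.group(3).decode(),          # YYMM
                "offset": m.start(),
            })
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1)
        if luhn_ok(pan):
            hits.append({
                "track": 2,
                "pan": pan.decode(),
                "exp": m.group(2).decode(),
                "offset": m.start(),
            })
    return hits


def mask_pan(pan: str) -> str:
    """Keep BIN and last four only; what a defender's report should contain."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE_BUFFER):
        print(hit["track"], mask_pan(hit["pan"]), hit["exp"], "@", hit["offset"])
```

Note the third record in the buffer: it has the right shape but fails Luhn, so it is discarded. That filter is why scraper output is clean enough to sell, and also why a detection built on the raw regex alone produces false positives that the attacker's own code does not.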
The “v3.0 Custom Build”: What’s New?
The leaked package (timestamped 2025) includes the original source plus a custom build that upgrades the old alpha version. Here’s the changelog included in the leak:
1. Enhanced Stealth & Anti-Analysis
- String Obfuscation: All config strings are now encrypted at rest and only decrypted in memory when used.
- Improved Anti-Debug: Reworked the anti-debugging checks whose detection got previous versions flagged.
- Process Blacklisting: Exits or stays dormant when sandbox processes and analysis tools are running.
2. Extended Target List
The new config.h includes an updated list of target processes covering modern POS systems used in 2025, not just the legacy ones from 2014.
3. Refined Communication Logic
- C2 fallback: a domain with a hard-coded IP address as fallback (the leak calls this “dual-stack”).
- RC4 key rotation, so the encrypted dumps do not produce stable byte patterns for network signatures.
4. Admin Panel and Builder
- The panel now supports real-time log streaming and better dump organization.
- Customize the mutex name (old versions used predictable patterns like TREASUREHUNT([0-9]), which got flagged by SANS).
- Set custom installation directories (the default was %APPDATA%).
- Compile fresh binaries with unique hashes to evade hash-based AV detection.
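The exfiltration described under Core Functionality and the key rotation in section 3 both come down to RC4 over the dump. The following added example (written for this page, not code from the leak; the dump format and keys are hypothetical) shows what that buys and what it does not: rotating the key changes the wire bytes, so signatures on the encrypted payload stop matching, but RC4 is symmetric, so once the key is recovered from the config it decrypts every captured dump, and reusing one key for two dumps leaks the XOR of the plaintexts.

```python
def rc4_keystream(key: bytes):
    """RC4 key scheduling plus generator. RC4 is a broken cipher; it appears
    here only because the malware uses it and because a defender who recovers
    the key can decrypt captured traffic with the same routine."""
    S = list(range(256))
    j = 0
    for i in range(256):                                   # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                                            # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt and decrypt are the same operation: XOR with the keystream."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


# Constructed: a scraped dump as a bot might POST it, and two hypothetical keys
# standing in for two rotations of the config key.
DUMP = b"T2|;4111111111111111=29121011000000000000?|TERM01\n"
KEY_A = b"hypothetical-key-1"
KEY_B = b"hypothetical-key-2"


def exfil_blob(key: bytes, dump: bytes = DUMP) -> bytes:
    """What goes over the wire for one dump under one key."""
    return rc4(key, dump)


def decrypt_blob(key: bytes, blob: bytes) -> bytes:
    """Defender side: recover the dump from a captured POST body once the key is known."""
    return rc4(key, blob)


def rotation_changes_wire_bytes() -> bool:
    """Key rotation defeats byte signatures on the ciphertext..."""
    return exfil_blob(KEY_A) != exfil_blob(KEY_B)


def keystream_reuse_leaks(dump1: bytes, dump2: bytes, key: bytes) -> bytes:
    """...but two dumps under the same key give c1 ^ c2 == p1 ^ p2, the classic
    stream-cipher reuse flaw: no key needed to learn how the plaintexts differ."""
    return bytes(a ^ b for a, b in zip(rc4(key, dump1), rc4(key, dump2)))


if __name__ == "__main__":
    blob = exfil_blob(KEY_A)
    print(blob.hex())
    print(decrypt_blob(KEY_A, blob))
    print("rotation changes bytes:", rotation_changes_wire_bytes())
    print(keystream_reuse_leaks(DUMP, DUMP.replace(b"TERM01", b"TERM02"), KEY_A).hex())
```

The practical consequence for detection: signatures on the encrypted POST body are the wrong layer. Key on what survives rotation, the C2 pattern, the persistence artifacts, or the decrypted dump once the key has been pulled from the encrypted config.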
Why This Leak Matters Now
The original 2018 leak lowered the bar for entry. This custom build makes life harder for defenders, because the code is now:
- Updated for modern POS environments.
- Cleaner (old placeholder strings removed).
- Production-ready (compiled and tested).