APT / THREAT GROUP

PILLOWMINT

2 aliases
Last seen: Mar 17, 2026

Intelligence Profile

According to FireEye, PILLOWMINT is a Point-of-Sale malware tool used to scrape track 1 and track 2 payment card data from memory.

- Scraped payment card data is encrypted and stored in the registry and as plaintext in a file (T1074: Data Staged).
- Contains additional backdoor capabilities, including:
  - Running processes
  - Downloading and executing files (T1105: Remote File Copy)
  - Downloading and injecting DLLs (T1055: Process Injection)
- Communicates with a command and control (C2) server over HTTP using AES-encrypted messages (T1071: Standard Application Layer Protocol; T1032: Standard Cryptographic Protocol).

Threat Analysis

The national origin of the operators behind PILLOWMINT and their primary motivation are undetermined, and no activity patterns have been established.

Quick Facts

Type: APT / Threat Group
Aliases: 2

Also Known As

win.pillowmint, PILLOWMINT

External Intelligence

Malpedia: win.pillowmint

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.
PILLOWMINT — APT / Threat Group | Threat Intelligence | CTIWATCH.COM