UPDATED 01:31 EDT / FEBRUARY 03 2014


‘ChewBacca’ point-of-sale malware caught stealing credit card data

Han Solo’s best buddy looks like he’s gone over to the Dark Side, with malware bearing the name “ChewBacca” having stolen data from more than 49,000 credit cards at 45 retailers in 11 different countries over the last two months.

ChewBacca is ‘point-of-sale’ malware that infects the Windows-based point-of-sale systems retailers use to process card payments. It scans the memory of running processes and uses regular expressions to pick out card data, and can also capture sensitive data via a generic ‘keylogger’; the stolen data is then sent to a server over the anonymising Tor network, says security firm RSA, which exposed the operation behind the malware.

According to RSA, ChewBacca has so far recorded more than 24 million transaction details, the vast majority of which took place in the US, Canada, Australia and Russia. The malware gets its name from the image of the iconic ‘Wookiee’ alien that’s plastered on the login page of the server, which the hackers used as a repository for the stolen data.

Yotam Gottesman, of RSA’s FirstWatch security team, explains in a blog post:

“The ChewBacca trojan appears to be a simple piece of malware that, despite its lack of sophistication and defense mechanisms, succeeded in stealing payment card information from several dozen retailers around the world in a little more than two months.”

The malware was first spotted in October last year, when researchers discovered it had been logging track 1 and track 2 data (the magnetic stripe contents, including the card number, expiry date and cardholder name) from credit cards used on infected systems.

Gottesman pointed out in his post that ChewBacca isn’t new. The existence of the malware was first revealed by Kaspersky Lab researchers in December, who likened it to the more infamous Dexter malware that also targets point-of-sale systems. Last December’s breach of the retailer Target, which saw the details of more than 40 million credit cards compromised, further renewed interest in this kind of malware, although there’s no indication that ChewBacca played any role in that particular attack.

RSA’s researchers said that following their initial investigation, they were able to access the main server that ChewBacca relayed its stolen data to. They found that communications went over the Tor network, which hides the server host’s real IP address behind Tor’s relays. Using Tor also encrypts the exfiltration traffic, so network security tools cannot see the card data leaving, though Tor connections from a point-of-sale system are themselves an anomaly that network monitoring can be tuned to flag.

RSA can’t be sure who’s behind ChewBacca, but there are indications that they originate from Eastern Europe, as an administrator who logged into the main server was briefly spotted using an IP address from that region before Tor masked his activity. The researchers were unable to say how the malware was installed on the infected systems, but RSA has reported its findings to law enforcement agencies in the affected countries.

