Transaction terminal malicious software is detected by monitoring calls of a first process to identify attempts by the first process to read memory used by a second process. The first and second processes are different from each other and are executed by at least one data processor forming part of a transaction terminal system having at least one transaction terminal. Thereafter, it is determined that the memory used by the second process comprises patterns indicative of sensitive financial or identification information. In response, at least one corrective action is initiated to prevent use of the financial or identification information. Related apparatus, systems, techniques and articles are also described.