FBI Warns Of Ploutus Malware Draining U.S. ATMs Without Cards

The Federal Bureau of Investigation (FBI) has issued an emergency FLASH alert warning financial institutions about a surge in ATM jackpotting attacks across the United States.

The alert outlines technical details and indicators of compromise (IOCs) linked to the Ploutus malware family, which allows criminals to force ATMs to dispense cash without a bank card or customer account.

According to the FBI, more than 1,900 ATM jackpotting incidents have been reported since 2020. Over 700 of those incidents occurred in 2025 alone, resulting in losses exceeding $20 million.

The agency said threat actors are exploiting both physical and software weaknesses in ATMs to deploy malware directly onto the machines.

How Ploutus Malware Works

Ploutus targets the ATM itself rather than customer bank accounts. It exploits the eXtensions for Financial Services (XFS) software layer, which controls hardware functions such as cash dispensing.

Under normal conditions, ATM software sends instructions to XFS only after bank authorization. However, if attackers gain the ability to send their own commands to XFS, they can bypass bank approval and trigger unauthorized cash withdrawals.

The malware runs on Windows-based ATM systems and can work across different manufacturers with minimal code changes.

Once installed, it gives attackers direct control of the dispenser, enabling rapid “cash-out” operations that can empty an ATM within minutes.

Threat actors typically gain physical access by opening ATM cabinets with generic keys purchased online.

They then remove the hard drive and either copy malware onto it or replace it with a preloaded malicious drive. After rebooting the ATM, the malware activates.

Digital indicators observed on compromised machines include suspicious executables such as Newage.exe, Levantaito.exe, WinMonitor.exe, and Anydesk1.exe.

The FBI also identified abnormal registry autoruns, custom services with deceptive names like “ATM Service” or “Dispenser Service,” and unauthorized remote access tools such as TeamViewer and AnyDesk.

Security logs may reveal USB insertion events (Event IDs 6416 and 4663), unexpected process creation (Event ID 4688), or cleared audit logs (Event ID 1102).

Physical warning signs include ATM doors opened outside maintenance schedules, unauthorized USB devices, or machines suddenly going out of service.

Mitigation and Reporting Guidance

The FBI recommends a layered defense strategy. Physical controls should include upgraded locks, vibration and temperature sensors, internal keypads, and improved camera coverage.

Hardware protections such as disk encryption, firmware integrity checks using Trusted Platform Modules, device allowlisting, and memory integrity features should also be enabled.

On the software side, institutions should deploy targeted audit policies, enable monitoring of removable storage, log process creation, and validate file hashes against a trusted “gold image” baseline. Unexpected executables or unsigned binaries should be treated as a potential compromise.

Audit Policy         Event IDs   Targets
Removable Storage    6416        USB insertion
File System          4663        ATM application directories, middleware, C:\Users\Public, writable services
Process Creation     4688        Unexpected executables and command lines (enable ProcessCreationIncludeCmdLine_Enabled=1)
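Added example, not part of the FBI alert or this article: a Python triage routine that runs over a constructed SIEM-style export of the Windows events named above (6416, 4663, 4688, 1102, plus System-log event 7045 for service installation), checking process names against the listed executables, file hashes against a gold-image baseline, writes into the monitored directories, and service names against the deceptive names quoted. The ATM application path, baseline hashes and sample records are placeholders.

```python
import os

# Constructed sample data shaped like a SIEM export of Windows Security/System records; not real
# ATM logs. Paths and hashes outside the FBI-named executables and service names are placeholders.
IOC_EXECUTABLES = {"newage.exe", "levantaito.exe", "winmonitor.exe", "anydesk1.exe"}
DECEPTIVE_SERVICE_NAMES = {"atm service", "dispenser service"}
MONITORED_DIRS = (r"c:\users\public", r"c:\program files\atmapp")  # hypothetical ATM app dir
# Hypothetical gold-image baseline: lower-cased path -> SHA-256 (placeholder hashes).
GOLD_IMAGE = {
    r"c:\program files\atmapp\atmapp.exe": "a" * 64,
    r"c:\windows\system32\svchost.exe": "b" * 64,
}
WRITE_ACCESS_MASK = 0x2  # WriteData/AddFile bit of the 4663 AccessMask field

def triage_event(ev):
    """Return a list of findings for one event dict; an empty list means nothing suspicious."""
    eid = ev["EventID"]
    findings = []
    if eid == 1102:
        findings.append("audit log cleared")
    elif eid == 6416:
        findings.append("removable device attached: " + ev.get("DeviceDescription", "?"))
    elif eid == 4688:
        path = ev["NewProcessName"].lower()
        exe = os.path.basename(path.replace("\\", "/"))
        if exe in IOC_EXECUTABLES:
            findings.append("known Ploutus IOC executable: " + exe)
        if GOLD_IMAGE.get(path) != ev.get("SHA256"):  # unknown path or hash drift from gold image
            findings.append("executable not matching gold image: " + path)
    elif eid == 4663:
        obj = ev["ObjectName"].lower()
        if int(ev["AccessMask"], 16) & WRITE_ACCESS_MASK and obj.startswith(MONITORED_DIRS):
            findings.append("write to monitored path: " + obj)
    elif eid == 7045:  # System log: a new service was installed
        if ev["ServiceName"].lower() in DECEPTIVE_SERVICE_NAMES:
            findings.append("service with deceptive name: " + ev["ServiceName"])
    return findings

def triage(events):
    """RecordID -> findings for every event that produced at least one finding."""
    return {ev["RecordID"]: f for ev in events if (f := triage_event(ev))}

SAMPLE_EVENTS = [  # constructed records; record 1 is the clean baseline case
    {"RecordID": 1, "EventID": 4688, "NewProcessName": r"C:\Program Files\ATMApp\atmapp.exe", "SHA256": "a" * 64},
    {"RecordID": 2, "EventID": 6416, "DeviceDescription": "USB Mass Storage Device"},
    {"RecordID": 3, "EventID": 4663, "ObjectName": r"C:\Users\Public\Newage.exe", "AccessMask": "0x2"},
    {"RecordID": 4, "EventID": 4688, "NewProcessName": r"C:\Users\Public\Newage.exe", "SHA256": "c" * 64},
    {"RecordID": 5, "EventID": 7045, "ServiceName": "Dispenser Service"},
    {"RecordID": 6, "EventID": 1102},
]
```

Calling triage(SAMPLE_EVENTS) flags records 2 through 6 and leaves record 1 silent, because its path and hash both match the baseline.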

Financial institutions are urged to report suspicious activity to their local FBI field office or through the Internet Crime Complaint Center (IC3). The FBI stressed that early detection and strict physical security controls remain critical to preventing further ATM jackpotting losses.


The post FBI Warns Of Ploutus Malware Draining U.S. ATMs Without Cards appeared first on Cyber Security News.

