Ploutus
Ploutus is an ATM jackpotting malware family first detected in Mexico in 2013. It targets Windows-based ATMs and abuses the eXtensions for Financial Services (XFS) software layer to issue unauthorized commands to the cash-dispensing hardware, bypassing normal bank authorization, card authentication, customer accounts, and transaction validation and forcing the machine to dispense cash directly. Public reporting describes Ploutus as affecting multiple ATM manufacturers and cash dispensers; later variants needed little code adjustment across vendors because they rely on the underlying Windows environment rather than on vendor-specific software.
The malware is typically deployed after attackers gain physical access to an ATM. Reported installation methods include opening the ATM with widely available generic service keys, removing the hard drive to copy the malware onto it, replacing the drive with one preloaded with Ploutus, or using removable media such as USB devices; some reporting also mentions external keyboards, USB hubs, and, in earlier campaigns, CD-ROM-based installation. Once installed, Ploutus interacts directly with the ATM hardware through XFS and enables rapid cash-out within minutes, often without immediate detection. Historical reporting notes early variants triggered with an external keyboard and an eight-digit activation key, SMS-enabled variants such as Ploutus.B, and Ploutus-D, which was reported to work on KAL's Kalignite multivendor ATM platform and to have targeted Diebold ATMs. A later version targeting Latin American ATMs reportedly added mouse support.
The malware has been used globally in organized criminal ATM cash-out schemes and is repeatedly associated with rising jackpotting activity in the United States and Latin America. The FBI warned in 2026 of increased malware-enabled ATM jackpotting, reporting roughly 1,900 incidents since 2020, including more than 700 incidents in 2025 and over $20 million in losses that year. Reporting also states that ATM malware attacks in Latin America and the Caribbean rose significantly in 2025. Multiple reports link Ploutus-based ATM theft conspiracies in the United States to actors associated with the Venezuelan gang Tren de Aragua. Reported targeting is focused on financial institutions, ATM operators, banks, credit unions, and ATM fleets across regions including Mexico, the United States, and broader Latin America.
Reported high-confidence indicators include suspicious executables such as Newage.exe, NCRApp.exe, WinMonitor.exe, WinMonitorCheck.exe, Color.exe, Levantaito.exe, Promo.exe, sdelete.exe, and Anydesk1.exe; associated files and scripts including C.dat, Restaurar.bat, Restauraropteva.bat, Logcontrol.txt, Logc.txt, and Borrar_beta.txt; suspicious directories such as C:\Users\SSAuto1\AppData\Local\P\ and C:\<ATM_Manufacturer>\exe\p; unauthorized remote-access tools such as AnyDesk or TeamViewer; deceptive persistence entries such as services named "ATM Service" or "Dispenser Service"; and Windows event IDs tied to removable media, file access, process creation, service installation, log clearing, and audit policy changes, namely 6416, 4663, 4688, 4697, 1102, and 4719. Reported MD5 hashes associated with observed activity are 2C2D16658D8DA6B389934273EF8F8E22, 5F177B84F3D92AB5711BE446125FDBE3, 61EECEB5F9186A0BC01DC82798CD6C5F, FDA82030AE92313E94B9339EA1FC107C, and C04A7CB926CCBF829D0A36A91EBF91BD.
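The indicators above combine file names, service names, a staging directory, remote-access tools, MD5 hashes, and a set of Windows event IDs. The following Python script is an added example, not code from the page, from Mallory, or from any vendor: it correlates a handful of constructed Windows event records (field names follow the Windows Security/System event data fields NewProcessName, ServiceName, ServiceFileName, ObjectName, and DeviceDescription, but the records themselves are made up) against those indicators and returns one finding per suspicious event. The vendor-specific `<ATM_Manufacturer>\exe\p` directory is left out of the path check because its first component varies by vendor; that omission is an assumption of this example.

```python
"""Added example (not from the page or any vendor): match constructed Windows
event records against the Ploutus indicators reported above."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# --- Indicators from the reporting above, lower-cased for comparison -------
SUSPICIOUS_EXES = {
    "newage.exe", "ncrapp.exe", "winmonitor.exe", "winmonitorcheck.exe",
    "color.exe", "levantaito.exe", "promo.exe", "sdelete.exe", "anydesk1.exe",
}
SUSPICIOUS_FILES = {
    "c.dat", "restaurar.bat", "restauraropteva.bat",
    "logcontrol.txt", "logc.txt", "borrar_beta.txt",
}
SUSPICIOUS_SERVICES = {"atm service", "dispenser service"}
REMOTE_TOOLS = ("anydesk", "teamviewer")
# Only the fixed staging path is matched; the "<ATM_Manufacturer>\exe\p"
# directory is omitted here because its first component varies by vendor.
SUSPICIOUS_DIRS = ("c:\\users\\ssauto1\\appdata\\local\\p\\",)
KNOWN_MD5 = {
    "2c2d16658d8da6b389934273ef8f8e22", "5f177b84f3d92ab5711be446125fdbe3",
    "61eeceb5f9186a0bc01dc82798cd6c5f", "fda82030ae92313e94b9339ea1fc107c",
    "c04a7cb926ccbf829d0a36a91ebf91bd",
}
# Flagged unconditionally: an ATM has no routine reason to clear its audit
# log (1102) or change its audit policy (4719).
ANTI_FORENSICS_EVENTS = {1102: "audit log cleared", 4719: "audit policy changed"}


@dataclass
class Finding:
    event_id: int
    reason: str
    detail: str


def check_file_hash(md5_hex: str) -> bool:
    """True if an MD5 (any case) matches one of the reported Ploutus samples."""
    return md5_hex.strip().lower() in KNOWN_MD5


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def check_event(ev: dict) -> list:
    """Return an empty list or a single Finding for one event record."""
    eid = ev["EventID"]
    reasons = []
    detail = ""
    if eid == 6416:  # new external device recognised by the OS
        detail = ev.get("DeviceDescription", "")
        reasons.append("removable media attached to ATM")
    elif eid == 4688:  # process creation
        detail = ev.get("NewProcessName", "")
        base = _basename(detail)
        if base in SUSPICIOUS_EXES:
            reasons.append("known Ploutus-associated executable")
        elif any(tool in base for tool in REMOTE_TOOLS):
            reasons.append("remote-access tool launched")
        if detail.lower().startswith(SUSPICIOUS_DIRS):
            reasons.append("launched from reported staging directory")
    elif eid == 4697:  # service installation
        name, binary = ev.get("ServiceName", ""), ev.get("ServiceFileName", "")
        detail = f"{name} -> {binary}"
        if name.lower() in SUSPICIOUS_SERVICES:
            reasons.append("deceptive service name")
        if _basename(binary) in SUSPICIOUS_EXES:
            reasons.append("service binary is a reported indicator")
    elif eid == 4663:  # object (file) access
        detail = ev.get("ObjectName", "")
        if _basename(detail) in SUSPICIOUS_FILES:
            reasons.append("access to reported Ploutus support file")
    elif eid in ANTI_FORENSICS_EVENTS:
        reasons.append(ANTI_FORENSICS_EVENTS[eid])
    return [Finding(eid, "; ".join(reasons), detail)] if reasons else []


def scan(events: list) -> list:
    """Run check_event over a sequence of records, preserving order."""
    return [f for ev in events for f in check_event(ev)]


# Constructed sample records for demonstration; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 6416, "DeviceDescription": "USB Mass Storage Device"},
    {"EventID": 4688, "NewProcessName": r"C:\Users\SSAuto1\AppData\Local\P\NCRApp.exe"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 4697, "ServiceName": "Dispenser Service",
     "ServiceFileName": r"C:\Users\SSAuto1\AppData\Local\P\WinMonitor.exe"},
    {"EventID": 4663, "ObjectName": r"C:\Users\SSAuto1\AppData\Local\P\C.dat"},
    {"EventID": 4663, "ObjectName": r"C:\ATM\logs\txn.log"},
    {"EventID": 1102},
    {"EventID": 4719},
    {"EventID": 4688, "NewProcessName": r"C:\Program Files\AnyDesk\AnyDesk.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.event_id:5d}  {f.reason:<60} {f.detail}")
```

Each suspicious event yields exactly one finding whose reason string concatenates every rule that fired, so a process both named NCRApp.exe and launched from the SSAuto1 staging directory produces a single, two-reason alert rather than two separate ones. In production the same rules would be fed from Get-WinEvent or the SIEM rather than from the constructed list.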
Groups observed using it
1 distinct threat actor attributed by public researchers.
A well-known strain of malware called Ploutus is among the types of malicious code being used in these hits.
Techniques & procedures
12 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (3 techniques): “Attackers frequently exploit generic service keys, outdated operating systems or unsecured USB ports before installing malware that bypasses bank authorisation controls,” he added.
Execution (2 techniques)
Persistence (3 techniques)
Privilege Escalation (3 techniques)
Stealth (3 techniques): “Services running with generic or deceptive names: ATM Service, Dispenser Service” and “Executable files not expected on the hard drive… NCRApp.exe… WinMonitor.exe…”
Lateral Movement (1 technique)
Command and Control (2 techniques)
Recent activity
35 sources tracked across advisories, community write-ups, and news.
Listed as a notable commodity malware family that researchers have analyzed in depth.
A sophisticated ATM malware family used for jackpotting by sending unauthorized commands to ATM cash dispensing modules.
ATM jackpotting malware that manipulates cash dispensers to bypass authentication and transaction validation and directly command ATMs to dispense cash.
ATM malware used in jackpotting attacks to force cash machines to dispense money after attackers gain physical access to ATM hardware.