
Tren de Aragua ATM Jackpotting: Ploutus Malware Exploits Kalignite Platform in $40M US Attack

  • Rescana
  • Dec 23, 2025
  • 5 min read

Executive Summary

In December 2025, the United States Department of Justice announced the indictment of 54 individuals linked to a sophisticated ATM jackpotting campaign leveraging the Ploutus malware. This operation, orchestrated by the Venezuelan transnational criminal organization Tren de Aragua (TdA), resulted in over $40 million in losses and more than 1,500 confirmed ATM attacks across the United States since 2021. The campaign demonstrates the evolving threat landscape facing financial institutions, with attackers exploiting both physical and digital vulnerabilities in ATM infrastructure. This advisory provides a comprehensive technical analysis of the Ploutus malware, details on exploitation tactics, threat actor profiles, affected product versions, and actionable mitigation strategies for financial sector stakeholders.

Technical Information

Ploutus is a modular, highly obfuscated ATM malware family first identified in Mexico in 2013. Its evolution, particularly the Ploutus-D variant, has enabled support for a wide range of ATM vendors through the Kalignite Multivendor ATM Platform, making it a potent tool for large-scale, cross-vendor attacks. The malware is engineered to facilitate unauthorized cash dispensing (jackpotting) by bypassing standard authentication and transaction processes.

Capabilities and Architecture: Ploutus can be deployed as a Windows service or standalone executable. It is capable of direct interaction with ATM hardware, including cash dispensers, via the Kalignite platform’s abstraction layer. The malware supports command and control via external keyboard input (in Ploutus-D) and, in earlier variants, via SMS. Its anti-forensics features include log deletion, process obfuscation using .NET Reactor, and the ability to terminate security monitoring processes.

Persistence Mechanisms: Ploutus-D achieves persistence by modifying the Windows registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit, replacing the legitimate userinit process with its own launcher (Diebold.exe). This ensures the malware is executed upon system startup, even after reboots.

Installation and Execution Workflow: Attackers require physical access to the ATM, typically achieved through lockpicking or use of master keys. The malware is installed either by swapping the ATM’s hard drive with a pre-infected drive or by connecting a USB device containing the malware payload. Once installed, an external keyboard is attached to the ATM, and a unique activation code—generated per ATM and valid for 24 hours—is entered to unlock the malware’s cash dispensing functionality. The attackers then use keyboard commands to instruct the ATM to dispense cash, which is collected and laundered through the TdA network.

Indicators of Compromise (IOCs): Key IOCs associated with Ploutus-D include the presence of files such as AgilisConfigurationUtility.exe, Diebold.exe, Log.txt, Log2.txt, P.bin, and PDLL.bin. Registry modifications, particularly to the Userinit key, and the creation of mutexes like Ploutos, DIEBOLDPL, and KaligniteAPP are also indicative. The malware may install a service named DIEBOLDP and create or modify files in directories such as C:\Diebold\EDC\edclocal.dat. MD5 hashes for known samples include C04A7CB926CCBF829D0A36A91EBF91BD and 5AF1F92832378772A7E3B07A0CAD4FC5.
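A read-only triage script that checks a single ATM host for the Userinit persistence change and the file, hash, service and mutex indicators listed above; this is an added example written for this page, not code from the advisory, Rescana or any ATM vendor. It assumes PowerShell is available on the ATM's Windows image and an elevated session; $LogPath and the $Roots search paths are placeholders for your own estate's layout.

```powershell
# Added example (not from the advisory): read-only triage of one Windows ATM host
# against the Ploutus-D indicators. $LogPath and $Roots are assumed paths; adjust them.
$LogPath  = "C:\Triage\ploutus-check.txt"
$Findings = @()

function Get-Md5Hex([string]$Path) {
    # .NET MD5 instead of Get-FileHash so the script also runs on PowerShell 2.0 hosts
    $Bytes = [System.IO.File]::ReadAllBytes($Path)
    ([System.BitConverter]::ToString([System.Security.Cryptography.MD5]::Create().ComputeHash($Bytes))) -replace '-', ''
}

# 1. Persistence: Userinit must point only at the legitimate userinit.exe.
$Winlogon = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
$Userinit = (Get-ItemProperty -Path $Winlogon -Name Userinit).Userinit
if ($Userinit -notmatch '^[A-Za-z]:\\Windows\\system32\\userinit\.exe,?$') {
    $Findings += "Userinit tampered: '$Userinit'"
}

# 2. File names and MD5 hashes from the advisory, searched under the assumed roots.
$Roots    = @("C:\Diebold", "C:\Program Files\Kalignite", "C:\Windows\Temp")
$Names    = @("AgilisConfigurationUtility.exe", "Diebold.exe", "Log.txt", "Log2.txt", "P.bin", "PDLL.bin")
$KnownMd5 = @("C04A7CB926CCBF829D0A36A91EBF91BD", "5AF1F92832378772A7E3B07A0CAD4FC5")
foreach ($Root in ($Roots | Where-Object { Test-Path $_ })) {
    $Hits = Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $Names -contains $_.Name }
    foreach ($Hit in $Hits) {
        $Hash = Get-Md5Hex $Hit.FullName
        $Tag  = if ($KnownMd5 -contains $Hash) { "KNOWN-SAMPLE" } else { "name-match" }
        $Findings += "File ($Tag): $($Hit.FullName) MD5=$Hash"
    }
}
if (Test-Path "C:\Diebold\EDC\edclocal.dat") {
    $Mtime = (Get-Item "C:\Diebold\EDC\edclocal.dat").LastWriteTime
    $Findings += "edclocal.dat last written $Mtime; compare with the last authorised change"
}

# 3. Service and mutex names from the advisory (mutexes checked in both namespaces).
$Svc = Get-Service -Name "DIEBOLDP" -ErrorAction SilentlyContinue
if ($Svc) { $Findings += "Service DIEBOLDP present (status: $($Svc.Status))" }
$Mutexes = @("Ploutos", "DIEBOLDPL", "KaligniteAPP", "Global\Ploutos", "Global\DIEBOLDPL", "Global\KaligniteAPP")
foreach ($Name in $Mutexes) {
    try {
        ([System.Threading.Mutex]::OpenExisting($Name)).Dispose()
        $Findings += "Mutex '$Name' is currently held by a running process"
    } catch [System.Threading.WaitHandleCannotBeOpenedException] { }   # absent: nothing to report
    catch [System.UnauthorizedAccessException] { $Findings += "Mutex '$Name' exists but is not accessible" }
}
if ($Findings.Count -eq 0) { $Findings = @("No Ploutus-D indicators found on $env:COMPUTERNAME") }
$Findings | Tee-Object -FilePath $LogPath
```

A name match alone is not proof of infection (Log.txt is a common filename); treat KNOWN-SAMPLE hashes, a modified Userinit value or a live mutex as the high-confidence signals and preserve the host for forensics rather than cleaning it in place.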

Obfuscation and Anti-Detection: Ploutus employs advanced obfuscation techniques, including code packing with .NET Reactor, to evade static analysis. It actively deletes logs and evidence of its presence, and can terminate processes associated with security monitoring or endpoint protection.

MITRE ATT&CK Techniques: The campaign leverages several MITRE ATT&CK techniques, including T1059 (Command and Scripting Interpreter) for keyboard command execution, T1204 (User Execution) for manual malware activation, T1078 (Valid Accounts) for physical access via keys or lockpicking, T1566 (Phishing) in some cases for initial access to ATM management networks, and T1499 (Endpoint Denial of Service) as the ATM is rendered inoperable for legitimate users during cash-out.

Exploitation in the Wild

Since 2021, over 1,500 ATM jackpotting incidents attributed to Ploutus have been confirmed in the United States, resulting in $40.73 million in losses. The Tren de Aragua group conducted extensive reconnaissance to identify vulnerable ATMs, focusing on those with weak physical security or outdated software. Attackers physically breached ATM enclosures, installed the malware, and executed cash-out operations, often in coordinated waves to maximize financial gain and minimize law enforcement response time.

The group’s operational sophistication is evident in their use of recruited mules for on-site operations, rapid cash collection, and efficient laundering of proceeds. The campaign’s scale and success were facilitated by the malware’s compatibility with the Kalignite platform, which supports over 40 ATM vendors globally, and by the attackers’ ability to adapt quickly to security countermeasures.

No remote exploitation of Ploutus-D has been confirmed; all known attacks required direct physical access to the ATM. However, the group’s willingness to exploit both digital and physical vectors underscores the need for a holistic security approach.

APT Groups using this vulnerability

The primary threat actor exploiting Ploutus in this campaign is the Tren de Aragua (TdA) criminal syndicate. While not a traditional nation-state Advanced Persistent Threat (APT), TdA operates with a level of organization, technical capability, and international reach comparable to many APT groups. The group is designated as a Foreign Terrorist Organization by the US State Department and is involved in a range of illicit activities, including drug trafficking, human smuggling, extortion, and money laundering.

TdA’s use of Ploutus demonstrates their ability to acquire, customize, and operationalize advanced malware for financial gain. The group’s structure includes technical specialists, physical operators (mules), and a robust logistics network for moving and laundering stolen funds. There is no public evidence of other APT groups using Ploutus in the current US campaign, but the malware’s modularity and vendor-agnostic design make it a potential tool for other organized crime groups or state-sponsored actors in the future.

Affected Product Versions

The primary targets in the current campaign are Diebold ATMs running the Kalignite Multivendor ATM Platform on Windows operating systems, specifically Windows XP, Windows 7, Windows 8, and Windows 10. Technical analysis indicates that any ATM vendor utilizing the Kalignite platform is potentially vulnerable, as the malware requires only minor code modifications to support additional vendors. While no confirmed attacks have been reported against non-Diebold ATMs in this campaign, the risk extends to all institutions deploying Kalignite-based systems.

In summary, the affected products are Diebold ATMs running Kalignite software on Windows XP, Windows 7, Windows 8, and Windows 10. Other ATM vendors using Kalignite are also at risk should threat actors adapt the malware to their platforms.

Workaround and Mitigation

Mitigating the threat posed by Ploutus requires a multi-layered approach that addresses both physical and digital attack vectors. Financial institutions and ATM operators should restrict and monitor physical access to ATMs using tamper-evident seals, robust locks, and real-time surveillance. Regular audits of ATM hardware and software for unauthorized changes or devices are essential, as is the monitoring of known IOCs, including suspicious files, registry modifications, services, mutexes, and hashes.

ATM operating systems and security controls must be kept up to date, with prompt application of vendor patches and security updates. Staff should be trained to recognize and respond to signs of physical tampering or suspicious activity around ATMs. Collaboration with law enforcement and industry threat intelligence groups is critical for timely sharing of indicators and response strategies.

Institutions should also consider implementing endpoint detection and response (EDR) solutions tailored for ATM environments, and ensure that all USB and external device ports are physically secured or disabled where possible. Regular penetration testing and red teaming exercises can help identify and remediate vulnerabilities before they are exploited by adversaries.


Rescana is here for you

Rescana empowers organizations to proactively manage third-party risk and strengthen their cybersecurity posture through our advanced TPRM platform. Our solutions provide continuous monitoring, actionable intelligence, and expert guidance to help you stay ahead of emerging threats. We are committed to supporting your security teams with the latest threat intelligence and best practices. If you have any questions or require further assistance, please contact us at ops@rescana.com.
