A 19 February 2026 FBI FLASH (FLASH-20260219-001) alerts banks and ATM operators to an increase in “jackpotting,” in which criminals use malware to steal cash from machines without actual transactions and which has become a widespread issue in the U.S.
The alert focuses on Ploutus, an ATM-targeting malware family that abuses eXtensions for Financial Services (XFS), the software layer that tells dispenser hardware what to do.
In a typical withdrawal, the ATM application's XFS commands go through bank approval, but Ploutus lets intruders send their own commands and skip authorization.
FBI analysts found that over 700 of about 1,900 jackpotting incidents since 2020 happened in 2025, resulting in losses of more than $20 million. Ploutus attacks the ATM itself, making the machine dispense cash without a bank card or approval, which enables quick cash-outs.
Infection mechanism and on-box control:
After gaining physical access, attackers can remove the hard drive, connect it to another computer to copy the malware onto it, and then reinstall the drive in the ATM.
Many ATMs use Windows, so this method can be applied to machines from various manufacturers with minimal code adjustments. The malicious program interacts directly with hardware via XFS, potentially functioning even when the ATM is offline and network alerts are inactive.
The malware tries to stay in place and hide, so responders should look for unexpected executables such as Newage.exe, NCRApp.exe, WinMonitor.exe, or sdelete.exe, new folders under paths like C:\Users\SSAuto1\AppData\Local\P, unauthorized remote tools like AnyDesk or TeamViewer, and registry autoruns or custom services with generic names like “ATM Service” and “Dispenser Service.”
The FBI suggests improving security with better locks, adding sensors and cameras, using disk encryption, and allowing only approved devices.
Validate each ATM using a trusted gold image and hash baseline. Enable targeted Windows auditing for USB insertions, file writes, process creation, and log clearing (Event IDs 6416, 4663, 4688, 1102) to help identify jackpotting, and report findings to a local FBI office or IC3.
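The gold-image check can be run offline against a drive pulled from an ATM. The following is an added example, not code from the FBI FLASH or this article: it hashes a mounted ATM disk, compares it with a manifest built from the gold image, and raises the severity of unbaselined files whose names match the indicators listed above. The function names and the two-directory layout are assumptions.

```python
import hashlib
import sys
from pathlib import Path

# Executable names and remote tools named in the indicator list above.
SUSPECT_NAMES = {"newage.exe", "ncrapp.exe", "winmonitor.exe", "sdelete.exe"}
REMOTE_TOOLS = ("anydesk", "teamviewer")

def build_manifest(root):
    """Map each file path (relative to root, lower-cased) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix().lower()] = digest.hexdigest()
    return manifest

def compare_to_baseline(baseline, observed):
    """Return (severity, reason, path) findings, most severe first."""
    findings = []
    for path, sha in observed.items():
        name = path.rsplit("/", 1)[-1]
        if path not in baseline:
            # A listed name only matters when the gold image does not contain it.
            if name in SUSPECT_NAMES:
                findings.append(("high", "flagged-name-not-in-baseline", path))
            elif any(tool in name for tool in REMOTE_TOOLS):
                findings.append(("high", "remote-tool-not-in-baseline", path))
            else:
                findings.append(("medium", "new-file", path))
        elif baseline[path] != sha:
            findings.append(("high", "hash-mismatch", path))
    for path in baseline.keys() - observed.keys():
        findings.append(("medium", "missing-file", path))
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (order[f[0]], f[2]))

if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: script.py <gold_image_root> <mounted_atm_disk_root>
    gold, atm_disk = build_manifest(sys.argv[1]), build_manifest(sys.argv[2])
    for severity, reason, path in compare_to_baseline(gold, atm_disk):
        print(f"{severity:6} {reason:30} {path}")
```

An approved copy of a listed name (for example an sdelete.exe that is part of the gold image with a matching hash) produces no finding, so the hash decides, not the filename.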

