{
	"id": "449225b3-8386-4560-8dc4-738f92294282",
	"created_at": "2026-04-06T00:13:27.085702Z",
	"updated_at": "2026-04-10T03:22:13.489901Z",
	"deleted_at": null,
	"sha1_hash": "3ddb6ca9772f92c29e69ee7d2ae8b96f89e484e1",
	"title": "ATM malware is being sold on Darknet market",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1079235,
	"plain_text": "ATM malware is being sold on Darknet market\r\nBy Konstantin Zykov\r\nPublished: 2017-10-17 · Archived: 2026-04-05 14:06:38 UTC\r\nDisclaimer and warning\r\nATM systems appear to be very secure, but the money can be accessed fairly easily if you know what you are\r\ndoing. Criminals are exploiting hardware and software vulnerabilities to interact with ATMs, meaning they need to\r\nbe made more secure. This can be achieved with the help of additional security software, properly configured to\r\nstop the execution of non-allowlisted programs on ATMs.\r\nWorryingly, it is very easy to find detailed manuals of ATM malware. Anybody can simply buy them for around\r\n5000 USD on darknet markets.\r\nMore information about CutletMaker ATM malware is available to customers of Kaspersky Intelligence Reporting\r\nService. Contact: intelreports@kaspersky.com\r\nIntroduction\r\nIn May 2017, Kaspersky Lab researchers discovered a forum post advertising ATM malware that was targeting\r\nspecific vendor ATMs. The forum contained a short description of a crimeware kit designed to empty ATMs with\r\nthe help of a vendor specific API, without interacting with ATM users and their data. The post links to an offer that\r\nwas initially published on the AlphaBay Darknet marketplace, which was recently taken down by the FBI.\r\nhttps://securelist.com/atm-malware-is-being-sold-on-darknet-market/81871/\r\nPage 1 of 11\n\nAdvertisement post\r\nhttps://securelist.com/atm-malware-is-being-sold-on-darknet-market/81871/\r\nPage 2 of 11\n\nAn offer post on AlphaBay market\r\nThe price of the kit was 5000 USD at the time of research. The AlphaBay description includes details such as the\r\nrequired equipment, targeted ATMs models, as well as tips and tricks for the malware’s operation. 
And part of a\r\ndetailed manual for the toolkit was also provided.\r\nScreenshot of a description on AlphaBay market\r\nPreviously described ATM malware Tyupkin was also mentioned in this text. The manual “Wall ATM Read\r\nMe.txt” was distributed as a plain text file, written in poor English and with bad text formatting. The use of slang\r\nand grammatical mistakes suggests that this text was most likely written by a native Russian-speaker.\r\nA part of a manual with text formatting applied\r\nThe manual provides a detailed picture, though only a fragment of the complete manual is being shown. There is a\r\ndescription for each step of the dispense process:\r\nPrepare all tools, all the programs should be placed on a flash disk.\r\nTools are wireless keyboard, usb hub, usb cable, usb adapter usb a female to b female, Windows 7 laptop or a\r\ntablet ( to run code generator) and a drill.\r\nFind an appropriate ATM\r\nOpen ATM door and plug into USB port.\r\nExecute Stimulator to see full information of all the ATM cassettes.\r\nExecute CUTLET MAKER to get its code.\r\nExecute password generator on a tablet or on a laptop and paste CUTLET MAKER code to it, put the result\r\npassword to CUTLET MAKER.\r\nDispense the money from chosen cassette.\r\nThe manual provides usage descriptions for all parts of the toolset. The list of crimeware from the kit consists of\r\nCUTLET MAKER ATM malware, the primary element, with a password generator included and a Stimulator – an\r\napplication to gather cash cassette statuses of a target ATM. 
The crimeware kit is a collection of programs possibly\r\nwritten by different authors: CUTLET MAKER and Stimulator were protected in the same way, while c0decalc is\r\na simple terminal-based application without any protection at all.\r\nDelicious cutlet ingredients: CUTLET MAKER, c0decalc and Stimulator\r\nThe first sample was named “CUTLET MAKER” by its authors and has been designed to operate the cash\r\ndispense process on specific vendor ATMs.\r\nTo answer the question of how a cook from the CUTLET MAKER interface and cutlets relate to stealing money\r\nfrom ATMs, we must explain the meaning of the word “Cutlet”. Originally, it means a meat dish, but as a Russian\r\nslang term “Cutlet” (котлета) means “a bundle of money”, suggesting that the criminals behind the malware\r\nmight be native Russian speakers.\r\nThe “Cutlet Maker” malware functionality suggests that two people are supposed to be involved in the theft – the\r\nroles are called “drop” and “drop master”. Access to the dispense mechanism of CUTLET MAKER is password\r\nprotected, though there could be just one person with the c0decalc application needed to generate a password.\r\nEither network or physical access to an ATM is required to enter the code in the application text area and also to\r\ninteract with the user interface.\r\nStimulator was possibly developed by the same authors. Its purpose is to retrieve and show the status information\r\nof specific vendor ATM cash cassettes (such as currency, value and the amount of notes).\r\nCUTLET MAKER and c0decalc\r\nCUTLET MAKER is the main module responsible for dispensing money from the ATM. 
The sample analysed in\r\nthis research has the MD5 checksum “fac356509a156a8f11ce69f149198108” and the compilation timestamp Sat\r\nJul 30 20:17:08 2016 UTC.\r\nThe program is written in Delphi and was packed with VMProtect; however, it is possible that multiple packers\r\nmight have been used.\r\nDifferent versions of the main component were found while researching this toolset. The first known submission\r\nof the first version sent to a public multiscanner service took place on June 22nd 2016. All submissions discovered\r\nby Kaspersky Lab were performed from different countries, with Ukraine being chronologically the first country of\r\norigin.\r\nKnown CUTLET MAKER filenames (according to public multiscanner service information):\r\ncm.vmp.exe\r\ncm15.vmp.exe\r\ncm16F.exe\r\ncm17F.exe\r\nThe following version information was captured from the application’s window caption, where it follows the\r\n“CUTLET MAKER” name. Known versions at the time of research were:\r\n1.0\r\n1.02\r\n1.0 F\r\nThe assumed development period is from 2016-06-22 to 2016-08-18, according to the first submission date of the\r\nearliest version and the last submission date of the latest version at the time of writing. The application requires a\r\nspecial library to operate, which is part of a proprietary ATM API, controlling the cash dispenser unit.\r\nWith all the dependencies in place, the interface shows a code.\r\nCUTLET MAKER challenge code marked with red rectangle\r\nIn order to unlock the application, a password from c0decalc generator needs to be entered, thereby answering the\r\ngiven challenge code. If the password is incorrect, the interface won’t react to any further input.\r\nEach “CHECK HEAT” and “start cooking!” button corresponds to a specific ATM cash cassette. 
Buttons labeled\r\n“CHECK HEAT” dispense one note, “start cooking!” dispenses 50 “cutlets” with 60 notes each. The “Stop!”\r\nbutton stops an ongoing “start cooking!” process. “Reset” is intended to reset the dispense process.\r\nc0decalc, a password generator for CUTLET MAKER\r\nThis tool is an unprotected command line application, written in Visual C. The purpose of this application is to\r\ngenerate a password for CUTLET MAKER’s graphical interface.\r\nThe compilation timestamp for this specific sample is Sun Nov 13 11:35:25 2016 UTC and the sample was first uploaded to a\r\npublic multiscanner service on December 7th 2016.\r\nExample output for “12345678” input\r\nKaspersky Lab researchers checked the algorithm during the analysis and found “CUTLET MAKER” working\r\nwith the passwords generated by “c0decalc”.\r\nStimulator\r\nThe Stimulator sample analysed in this research has the MD5 hash “27640bb7908ca7303d13d50c14ccf669”. This\r\nsample is also written in Delphi and packed the same way as “CUTLET MAKER”. The compilation timestamp is\r\nSat Jul 16 18:34:47 2016 UTC.\r\nThe application is designed to work on specific vendor ATMs and also uses proprietary API calls.\r\nSome additional symbols were found in the memory dump of a “Stimulator” process, pointing to an interesting\r\npart of the application. After execution and pressing the “STIMULATE ME!” button, the proprietary API function\r\nis used to fetch an ATM’s cassette status. The following cassette state results are used:\r\n1CUR\r\n2CUR\r\n3CUR\r\n4CUR\r\n1VAL\r\n2VAL\r\n3VAL\r\n4VAL\r\n1NDV\r\n2NDV\r\n3NDV\r\n4NDV\r\n1ACT\r\n2ACT\r\n3ACT\r\n4ACT\r\nEach preceding number is mapped to an ATM cassette. 
The three-character states are interpreted as follows:\r\nnCUR cassette n currency (like “USD”, “RUB”)\r\nnVAL cassette n note value (like 00000005, 00000020)\r\nnACT cassette n counter for specific notes in a cassette (value from 0 to 3000)\r\nnNDV number of notes in the ATM for cassette n (value from 0 to 3000)\r\nThe result of “STIMULATE ME!” button press in proper environment\r\nEach column, shown in the picture above, describes the state of one corresponding ATM cassette.\r\nThe background picture used in the application interface turns out to be quite unique; the original photo was\r\nposted on a DIY blog:\r\nhttps://www.oldtownhome.com/2011/8/4/Knock-Knock-Whos-There-Merv-the-Perv/\r\nOriginal picture as used in “Stimulator” application (photo by Alex Santantonio)\r\nConclusion\r\nThis type of malware does not affect bank customers directly; it is intended for the theft of cash from specific\r\nvendor ATMs. CUTLET MAKER and Stimulator show how criminals are using legitimate proprietary libraries\r\nand a small piece of code to dispense money from an ATM. Examples of appropriate countermeasures against\r\nsuch attacks include default-deny policies and device control. The first measure prevents criminals from running\r\ntheir own code on the ATM’s internal PC. It is likely that ATMs in these attacks were infected through physical\r\naccess to the PC, which means criminals were using USB drives to install malware onto the machine. In such a\r\ncase, device control software would prevent them from connecting new devices, such as USB sticks. 
Kaspersky\r\nEmbedded Systems Security will help to extend the security level of ATMs.\r\nKaspersky Lab products detect these threats as Backdoor.Win32.ATMletcut, Backdoor.Win32.ATMulator,\r\nTrojan.Win32.Agent.ikmo\r\nSource: https://securelist.com/atm-malware-is-being-sold-on-darknet-market/81871/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://securelist.com/atm-malware-is-being-sold-on-darknet-market/81871/"
	],
	"report_names": [
		"81871"
	],
	"threat_actors": [],
	"ts_created_at": 1775434407,
	"ts_updated_at": 1775791333,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3ddb6ca9772f92c29e69ee7d2ae8b96f89e484e1.pdf",
		"text": "https://archive.orkl.eu/3ddb6ca9772f92c29e69ee7d2ae8b96f89e484e1.txt",
		"img": "https://archive.orkl.eu/3ddb6ca9772f92c29e69ee7d2ae8b96f89e484e1.jpg"
	}
}