{
	"id": "f5d3e6a4-dce3-49e5-952d-bcbdacd6267e",
	"created_at": "2026-04-06T00:10:38.384024Z",
	"updated_at": "2026-04-10T03:23:51.991161Z",
	"deleted_at": null,
	"sha1_hash": "8c036e2f635e4bd906ae0f65149a37d84d552d90",
	"title": "Can the ATM industry stop Tyupkin in its tracks?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 134733,
	"plain_text": "Can the ATM industry stop Tyupkin in its tracks?\r\nBy Suzanne Cluckey\r\nPublished: 2014-10-10 · Archived: 2026-04-05 20:38:02 UTC\r\nArticle\r\nATM Marketplace checked in with security experts around the industry to learn how operators can protect\r\nthemselves from the latest 'jackpotting' scheme, Tyupkin malware.\r\nOctober 10, 2014 by Suzanne Cluckey — Owner, Suzanne Cluckey Communications\r\nThis week Kaspersky Lab revealed that, at the request of an as-yet-unnamed European financial institution, the\r\nsecurity tech firm had performed a forensic investigation into cybercriminal attacks targeting ATMs around the\r\nworld.\r\nWhat Kaspersky experts discovered was unsettling — a new type of malware identified as\r\nBackdoor.MSIL.Tyupkin, affects machines from \"a major ATM manufacturer running Microsoft Windows 32 bit,\"\r\nKaspersky reported. Once uploaded, the program allows attackers to remove money by \"direct manipulation\" (i.e.,\r\ninformation entry on the keypad), stealing millions of dollars — otherwise known as jackpotting.\r\nAs yet, total losses are unknown — and it appears that the malware is still spreading. According to information\r\npublished by Kaspersky Lab on Oct. 7:\r\nhttps://www.atmmarketplace.com/articles/can-the-atm-industry-stop-tyupkin-in-its-tracks/\r\nPage 1 of 5\n\nAt the time of the investigation, the malware was active on more than 50 ATMs at banking institutions in Eastern\r\nEurope. Based on submissions to VirusTotal, we believe that the malware has spread to several other countries,\r\nincluding the U.S., India and China.\r\nInterpol has alerted the affected member countries and is assisting ongoing investigations, Kaspersky said.\r\nHow does it work?\r\nKaspersky described the attack methodology this week in a news release:\r\nThe criminals work in two stages. First, they gain physical access to the ATMs and insert a bootable CD to install\r\nthe Tyupkin malware. 
After they reboot the system, the infected ATM is now under their control and the malware\r\nruns in an infinite loop waiting for a command. To make the scam harder to spot, the Tyupkin malware only\r\naccepts commands at specific times on Sunday and Monday nights. During those hours, the attackers are able to\r\nsteal money from the infected machine.\r\nGaining physical access to the interior of an ATM is not the obstacle one might expect, either. According to Scott\r\nHarroff, chief information security architect at Diebold, \"Depending on circumstances, it can take less than a\r\nminute to gain physical access.\"\r\nDave O'Reilly, chief technologist at Fraud Technology Research Solutions, said that the practicalities of operating\r\nan ATM network — for instance, the need to allow service engineers access to the PC core at times — means that\r\nall ATMs might be fitted with the same lock. \"Another relevant scenario is the case of a complicit merchant who\r\ngrants someone access to the ATM on their premises,\" he said.\r\nThe larger question the industry should be asking is whether core access is even needed to carry out a malware\r\nattack. \"Can attack scenarios be identified that do not need the attacker to have physical access to the PC core?\"\r\nO'Reilly asked. \"The criminals have once again taken the lead and we, as an industry, need to move to prevent not\r\nonly the current attack methods but future variations that can be envisioned based on what we already know.\"\r\nKaspersky provided video from security cameras at infected ATMs showing how attackers gained access to cash.\r\nEach session was conducted using a unique, randomly generated digit combination — ensuring that no\r\none outside the gang could profit from the fraud. 
(NOTE: This means that the Kaspersky video cannot be used to\r\nstage an attack.)\r\nThe operator receives instructions by phone from another gang member who knows the algorithm and is able to\r\ngenerate a session key based on the number shown. This ensures that mules collecting the cash do not try to go it\r\nalone. \r\nWhen the key is entered, the ATM displays details of how much money is available in each cash cassette, inviting\r\nthe operator to choose which cassette to rob. The ATM dispenses 40 banknotes at a time from the chosen cassette.\r\nHow widespread is the threat?\r\nThe malware identified and named by Kaspersky Lab as Backdoor.MSIL.Tyupkin has so far been detected on\r\nATMs in Latin America, Europe and Asia, the security provider said. However, as previously mentioned,\r\nKaspersky believes that it might also have spread to major ATM markets that include China, India and the\r\nU.S. Indeed, Diebold's Harroff confirmed that the Tyupkin malware is in the U.S. market already.\r\n\"It’s important to point out that this is not a new form of attack,\" said NCR director of security marketing Owen\r\nWild. \"The malware that is referenced in the report as Tyupkin is the same as PADPIN/ulssm which is a variant of\r\nthe malware identified in previous ATM attacks that we saw in the U.K. and Russia last year.\"\r\nVarious media reports have asserted that Tyupkin is a variant of Ploutus, malware that was discovered on ATMs in\r\nMexico last year. Shortly afterward, evidence indicated that the code had been rewritten in English and that\r\nattacks in the U.S. and Europe might follow. 
And now, it seems, they have.\r\nAccording to Vicente Diaz, principal security researcher at Kaspersky, the firm's security team has observed\r\na major upswing in ATM attacks using skimming devices and malicious software over the past few years. \r\n\"Now we are seeing the natural evolution of this threat with cybercriminals moving up the chain and targeting\r\nfinancial institutions directly,\" he said in the Kaspersky release. \"This is done by infecting ATMs themselves or\r\nlaunching direct APT-style attacks against banks. The Tyupkin malware is an example of the attackers taking\r\nadvantage of weaknesses in the ATM infrastructure.\"\r\nInterpol digital crime center director Sanjay Virmani concurred. \"Offenders are constantly identifying new ways to\r\nevolve their methodologies to commit crimes, and it is essential that we keep law enforcement in our member\r\ncountries involved and informed about current trends and modus operandi.\"\r\nAn ounce of prevention ...\r\nHarroff said that operators should use existing physical security sensors in the ATM to detect unauthorized access\r\nto the computer. Additionally, he advised, \"Leverage integrated services to provide software updates and\r\ninformation security controls to prevent malware from being added to the ATM.\"\r\nKaspersky offered these additional recommendations:\r\nReview the physical security of all ATMs and consider investing in quality security solutions.\r\nReplace all locks and master keys on the upper hood of the ATM machines and ditch the defaults provided\r\nby the manufacturer.\r\nInstall an alarm and ensure it is in good working order. 
The cyber-criminals behind Tyupkin only infected\r\nATMs that had no security alarm installed.\r\nChange the default BIOS password.\r\nEnsure the machines have up-to-date antivirus protection\r\nContact Kaspersky directly for advice on how to verify that your ATMs are not infected.\r\nTo make a full scan of the ATM’s system and delete the backdoor, use the free Kaspersky Virus Removal\r\nTool.\r\nAnd NCR's Wild recommended steps particularly for operators of NCR ATMs:\r\n1. Deploy the \"stinger\" provided by NCR software security team. This program can be distributed over the\r\nnetwork and will detect and clean this specific malware if present. \r\n2. Modify the ATM BIOS such that the ATM will only boot from the primary hard disk and nothing else.\r\nThen, protect the configuration with the BIOS password. This is the most important change ATM operators\r\nmust make, and is the most effective method to prevent malware infection on the ATM.\r\n3. Upgrade to Solidcore Suite for APTRA. Solidcore for APTRA will prevent runtime and network attacks,\r\nbut Solidcore Suite for APTRA also will detect if Solidcore is disabled. In many of these attacks, the\r\nmalware is disabling all whitelisting and anti-virus protection. Solidcore Suite for APTRA could have\r\nalerted that the ATM was unprotected before the cash out took place the following day. However, please\r\nnote that if the criminal decides to cash out at the same time as malware deployment, and if the criminal\r\ndisconnects the network cable, then Solidcore Suite for APTRA will only be able to warn of an offline\r\nATM.\r\n4. Consider the physical environment of the ATM deployment. Lobby ATMs should not be deployed in 24/7\r\nunattended environments without compensating physical security controls. A through-the-wall ATM might\r\nbe more suitable for these locations. 
Stronger, UL-rated, pick resistant top box locks are available for\r\nSelfServ ATMs as a configuration option or upgrade kit.\r\nUltimately, \"each operator must select a solution that best fits their requirements,\" O'Reilly said. He said that FTR\r\nsolutions regularly helps FIs to map out a range of appropriate tactics that can be applied fleetwide or at machines\r\ndeemed to be most at risk. \"These can include appropriate physical access controls, secure BIOS settings, disk\r\nencryption, application whitelisting, etc.\"\r\nThe critical point is to move quickly — because a pound of cure could come at a very high cost.\r\nAbout Suzanne Cluckey\r\nSuzanne’s editorial career has spanned three decades and encompassed all B2B and B2C communications formats.\r\nHer award-winning work has appeared in trade and consumer media in the United States and internationally.\r\nSource: https://www.atmmarketplace.com/articles/can-the-atm-industry-stop-tyupkin-in-its-tracks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.atmmarketplace.com/articles/can-the-atm-industry-stop-tyupkin-in-its-tracks/"
	],
	"report_names": [
		"can-the-atm-industry-stop-tyupkin-in-its-tracks"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434238,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8c036e2f635e4bd906ae0f65149a37d84d552d90.pdf",
		"text": "https://archive.orkl.eu/8c036e2f635e4bd906ae0f65149a37d84d552d90.txt",
		"img": "https://archive.orkl.eu/8c036e2f635e4bd906ae0f65149a37d84d552d90.jpg"
	}
}