ATM hijacking malware dubbed WinPot turns the ATMs into a slot machine, which starts dispensing the cash based on SPIN button.
Security researchers from Kaspersky observed the emergence of the WinPot malware, the malware appeared first in the underground markets in March 2018.
Threat actors designed the malware to automatically dispense the cash automatically form the valuable cassettes, researchers call it as ATMPot.
Attackers designed a clear slot machine-like interface with cassette numbered between 1 to 4 and with a button named SPIN, as soon as the SPIN button is pressed the ATM starts dispensing cash associated with the cassette.
Along with the SPIN button, the interface contains another SCAN button that scans the ATM and update the slots. “We found WinPot to be an amusing and interesting ATM malware family, so we decided to keep a close eye on it”, reads secure list blog post.
The threat actors behind WinPot constantly updating the new samples with modification to evade detection and to track the ATM machines.
The malware also available in underground markets for sale and the price varies between 500 – 1000 USD. Another seller advertised WinPot v.3 along with demo videos and the unidentified called ShowMeMoney, researchers assume that is a new name of WinPot.
The ATM cash-out malware mechanism remains the same, but the cybercriminals bring many new modifications.
“We thus expect to see more modifications of the existing ATM malware. The preferred way of protecting the ATM from this sort of threat is to have device control and process whitelisting software running on it,” Kaspersky says.
Bank Software Cheif Jailed For Finding a Way to withdraw $1M Free Cash From ATM
Malicious Hackers Steal Money From ATM by Connecting Laptop with ATM Cash Dispenser
Kali Linux, the preferred distribution for security professionals, has launched its second major release of…
Arsen, the cybersecurity startup known for defending organizations against social engineering threats, has announced the…
The National Institute of Standards and Technology (NIST) has released groundbreaking guidance to help organizations…
A medium-severity reflected file download (RFD) vulnerability (CVE-2025-41234) in VMware's Spring Framework has been patched,…
A newly disclosed spoofing vulnerability (CVE-2025-26685) in Microsoft Defender for Identity (MDI) enables unauthenticated attackers…
A critical vulnerability (CVE-2025-6031) has been identified in Amazon Cloud Cam devices, which reached end-of-life…