Venezuelan Nationals Convicted in ATM Jackpotting Scheme Using Ploutus Malware

Two Venezuelan nationals have been convicted for their roles in an ATM jackpotting scheme that used Ploutus malware to empty cash machines across the southeastern United States.

Luz Granados, 34, and Johan Gonzalez-Jimenez, 40, pleaded guilty to conspiracy and computer crimes for targeting older ATM models in South Carolina, Georgia, North Carolina, and Virginia. All stolen funds came directly from the banks rather than individual customer accounts.

Attack Methodology

The attackers approached ATMs at night, removed the outer casing, and connected laptops to install malware that bypassed security protocols. Once deployed, the malware forced the machines to dispense cash until completely emptied.

According to the Justice Department, the defendants deployed Ploutus malware variants through multiple methods—removing the ATM's hard drive and installing it directly, using external devices like thumb drives, or replacing the hard drive with one already infected. The malware also deleted evidence to conceal attacks from bank employees.

Sentencing and Deportation

U.S. District Judge Mary Geiger Lewis sentenced Gonzalez-Jimenez to 18 months in federal prison and ordered him to pay $285,100 in restitution before deportation. Granados received time served, was ordered to pay $126,340 in restitution, and remains in custody awaiting deportation.

Five other Venezuelan nationals were also sentenced or pleaded guilty last month for involvement in ATM jackpotting thefts across multiple states and face immediate deportation.

Broader Conspiracy

Evidence from the South Carolina investigation was shared with Nebraska authorities, leading to a federal grand jury indicting 54 individuals in a related ATM jackpotting conspiracy allegedly responsible for stealing millions from ATMs nationwide.

The Nebraska indictments include Jimena Romina Araya Navarro, an alleged leader of the Tren de Aragua Venezuelan gang, who was sanctioned by the Treasury Department's Office of Foreign Assets Control in December.
