Cutlet Maker is a sophisticated ATM-specific malware kit designed for “jackpotting” attacks, where it forces automated teller machines (ATMs) to dispense all their cash without requiring a legitimate transaction.
The name “Cutlet” is Russian slang for a bundle of cash, hinting at its creators’ likely origins as Russian-speaking cybercriminals. it has been sold on dark web markets for around $5,000 (initial price, with monthly subscriptions doubling thereafter), making it accessible to non-experts.
Unlike remote hacking tools, Cutlet Maker relies heavily on physical access to the ATM, transforming complex operations into opportunistic thefts that require minimal technical skill just a few thousand dollars, basic tools, and a USB drive.
How Does Cutlet Maker Work?
The malware targets ATMs from specific vendors, primarily Wincor Nixdorf (now Diebold Nixdorf), but variants exist for others. It consists of three main components:
- Cutlet Maker Core: The primary module that interfaces with the ATM’s cash dispenser mechanism. Once loaded, it overrides the machine’s software to eject cash in bundles.
- Stimulator: A companion tool that queries the ATM’s cash cassettes for details like currency type, denomination, and note count, helping attackers maximize their haul.
- c0decalc: A password generator for accessing protected dispenser functions, often used by a “drop master” (coordinator) to authorize a “drop” (on-site thief).
Recent Activity: As of 2025, it’s still in use, with groups adapting it for new ATM models. This is the new variants reported in 2025,
