FASTCash: How the Lazarus Group is Emptying Millions from ATMs
2018-11-08 • Symantec
https://www.symantec.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware
Symantec details Lazarus/Hidden Cobra FASTCash attacks against banks in Asia and Africa, where attackers breached financial networks and compromised switch application servers that process ATM transactions. The key malware, Trojan.Fastcash, is an AIX executable injected into a legitimate process on the transaction network to inspect ISO 8583 messages, intercept attacker-generated withdrawal requests, and return fake approval responses. The report says FASTCash activity had been observed since at least 2016, including incidents where cash was withdrawn from ATMs in more than 30 countries in 2017 and 23 countries in 2018. Its tailored response logic and targeting of unsupported AIX switch servers show how Lazarus converted server compromise into large-scale fraudulent ATM cash-outs worth tens of millions of dollars.
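The behaviour described above suggests one reconciliation check a defender can run: a fake approval manufactured on the compromised switch is sent to the ATM but never reaches the issuer's core banking host, so an approved response on the ATM-facing side with no matching issuer authorization is a strong signal. The following Python is an added example written for this page, not code from Symantec's report or from the malware; it assumes a hypothetical, simplified ISO 8583:1987 profile (MTI, primary bitmap, fields 2, 4, 11, 37, 39 and 41 only, ASCII encoding, no length header), and the switch responses and issuer log are constructed sample data.

```python
"""Added example: reconcile switch-side ISO 8583 approvals against the issuer host."""

# Subset of ISO 8583:1987 data elements used here (hypothetical message profile).
# kind "LLVAR": 2-digit length prefix then value; "FIXED": exact width.
FIELD_SPECS = {
    2: ("LLVAR", 19),   # primary account number
    4: ("FIXED", 12),   # transaction amount
    11: ("FIXED", 6),   # system trace audit number (STAN)
    37: ("FIXED", 12),  # retrieval reference number (RRN)
    39: ("FIXED", 2),   # response code ("00" = approved)
    41: ("FIXED", 8),   # terminal ID
}


def encode(mti, fields):
    """Serialise MTI + primary bitmap (16 hex chars) + data elements as ASCII."""
    bitmap, body = 0, ""
    for num in sorted(fields):
        kind, length = FIELD_SPECS[num]
        value = str(fields[num])
        bitmap |= 1 << (64 - num)  # bit 1 is the most significant bit of the bitmap
        if kind == "LLVAR":
            if len(value) > length:
                raise ValueError(f"field {num} exceeds {length} chars")
            body += f"{len(value):02d}{value}"
        else:
            if len(value) != length:
                raise ValueError(f"field {num} must be exactly {length} chars")
            body += value
    return f"{mti}{bitmap:016X}{body}"


def decode(raw):
    """Parse a message built by encode(); returns (mti, {field_number: value})."""
    mti, bitmap, pos = raw[:4], int(raw[4:20], 16), 20
    if (bitmap >> 63) & 1:
        raise ValueError("secondary bitmap not supported by this example")
    fields = {}
    for num in range(2, 65):
        if not (bitmap >> (64 - num)) & 1:
            continue
        if num not in FIELD_SPECS:
            raise ValueError(f"field {num} not in profile")
        kind, length = FIELD_SPECS[num]
        if kind == "LLVAR":
            length = int(raw[pos:pos + 2])
            pos += 2
        fields[num] = raw[pos:pos + length]
        pos += length
    if pos != len(raw):
        raise ValueError("trailing data after last field")
    return mti, fields


def txn_key(fields):
    """Identity of one transaction: terminal ID, STAN and RRN."""
    return (fields[41], fields[11], fields[37])


def find_unbacked_approvals(switch_responses, issuer_authorizations):
    """Return approvals the switch sent to ATMs that the issuer host never authorised.

    switch_responses: raw 0210 messages captured on the switch's ATM-facing side.
    issuer_authorizations: set of txn_key() tuples the core banking host approved.
    """
    flagged = []
    for raw in switch_responses:
        mti, fields = decode(raw)
        if mti != "0210" or fields.get(39) != "00":
            continue  # only approvals matter; a decline cannot dispense cash
        key = txn_key(fields)
        if key not in issuer_authorizations:
            flagged.append(key)
    return flagged


# Constructed sample traffic; PANs, amounts and terminal IDs are made up.
SWITCH_RESPONSES = [
    encode("0210", {2: "4111111111111111", 4: "000000020000", 11: "000101",
                    37: "201811080101", 39: "00", 41: "ATM00001"}),
    encode("0210", {2: "4111111111111111", 4: "000000500000", 11: "000102",
                    37: "201811080102", 39: "51", 41: "ATM00001"}),
    encode("0210", {2: "5500000000000004", 4: "000000900000", 11: "000777",
                    37: "201811080777", 39: "00", 41: "ATM00002"}),
]
# Constructed core-banking authorisation log: only the first transaction reached it.
ISSUER_AUTHORIZATIONS = {("ATM00001", "000101", "201811080101")}

if __name__ == "__main__":
    for key in find_unbacked_approvals(SWITCH_RESPONSES, ISSUER_AUTHORIZATIONS):
        print("approval with no issuer authorisation:", key)
```

In practice the switch-side capture would come from a network tap or the switch's own transaction journal and the issuer log from the core banking host, and the join would also tolerate clock skew and STAN reuse across business days; the point is that the two records must be collected independently, since a switch compromised the way the report describes cannot be trusted to report its own injected approvals.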
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 3a5ba44f140821849de2d82d5a137c3… | 2018-08-28 | 2024-10-13 |
| HASH | 10ac312c8dd02e417dd24d53c99525c… | 2018-08-28 | 2024-10-13 |
| HASH | d465637518024262c063f4a82d799a4… | 2018-08-28 | 2021-12-02 |
| HASH | ca9ab48d293cc84092e8db8f0ca99cb… | 2018-08-28 | 2021-12-02 |