O RLY CYBER on Nostr: (picussecurity.com) UNC2891: Anatomy of a Sophisticated Bank Heist Using CAKETAP ...
(picussecurity.com) UNC2891: Anatomy of a Sophisticated Bank Heist Using CAKETAP Rootkit and Raspberry Pi-Based Attacks
UNC2891, a financially motivated threat group active since 2017, has executed sophisticated attacks on banking infrastructure using custom malware and physical access vectors. Their latest campaign in Q1 2025 involved planting a 4G-enabled Raspberry Pi on a bank’s network switch to bypass perimeter defenses, enabling ATM fraud via Payment HSM manipulation.
In brief - UNC2891 targets financial institutions with advanced Linux/Solaris malware, including the CAKETAP rootkit, to authorize fraudulent ATM withdrawals. A recent attack used a Raspberry Pi for initial access, highlighting evolving physical and digital threats to banking systems.
Technically - UNC2891 employs CAKETAP (Solaris kernel rootkit) to hook system calls like `mkdirat` and `ipcl_get_next_conn`, enabling stealthy C2 and network manipulation. SLAPSTICK (PAM backdoor) captures credentials, while TINYSHELL (backdoor) communicates over raw TCP (ports 53/443). Tools like WINGHOOK (keylogger) and STEELHOUND (in-memory dropper) facilitate credential harvesting and payload execution. The CAKETAP variant on ATM switches bypasses card/PIN verification by replaying HSM responses.
Source:
https://www.picussecurity.com/resource/blog/unc2891-bank-heist-explained-caketap-rootkit-and-raspberry-pi-attack

#Cybersecurity #ThreatIntel
Published at 2026-05-22 13:10:04 UTC

Event JSON
{
  "id": "32570d4f57fd127839a49803ab465b3f261d871b62c236550c09f7d2169c4c2b",
  "pubkey": "85ffc59f6e6ed39671535a8b5e87a4e7b2fd9a14d8c29200eca0f9526e184149",
  "created_at": 1779455404,
  "kind": 1,
  "tags": [
    ["proxy", "https://swecyb.com/@orlysec/116618389406124679", "web"],
    ["t", "threatintel"],
    ["t", "cybersecurity"],
    ["proxy", "https://swecyb.com/ap/users/116080658609901341/statuses/116618389406124679", "activitypub"],
    ["L", "pink.momostr"],
    ["l", "pink.momostr.activitypub:https://swecyb.com/ap/users/116080658609901341/statuses/116618389406124679", "pink.momostr"],
    ["-"]
  ],
  "content": "(picussecurity.com) UNC2891: Anatomy of a Sophisticated Bank Heist Using CAKETAP Rootkit and Raspberry Pi-Based Attacks\n\nUNC2891, a financially motivated threat group active since 2017, has executed sophisticated attacks on banking infrastructure using custom malware and physical access vectors. Their latest campaign in Q1 2025 involved planting a 4G-enabled Raspberry Pi on a bank’s network switch to bypass perimeter defenses, enabling ATM fraud via Payment HSM manipulation.\n\nIn brief - UNC2891 targets financial institutions with advanced Linux/Solaris malware, including the CAKETAP rootkit, to authorize fraudulent ATM withdrawals. A recent attack used a Raspberry Pi for initial access, highlighting evolving physical and digital threats to banking systems.\n\nTechnically - UNC2891 employs CAKETAP (Solaris kernel rootkit) to hook system calls like `mkdirat` and `ipcl_get_next_conn`, enabling stealthy C2 and network manipulation. SLAPSTICK (PAM backdoor) captures credentials, while TINYSHELL (backdoor) communicates over raw TCP (ports 53/443). Tools like WINGHOOK (keylogger) and STEELHOUND (in-memory dropper) facilitate credential harvesting and payload execution. The CAKETAP variant on ATM switches bypasses card/PIN verification by replaying HSM responses.\n\nSource: https://www.picussecurity.com/resource/blog/unc2891-bank-heist-explained-caketap-rootkit-and-raspberry-pi-attack\n\n#Cybersecurity #ThreatIntel",
  "sig": "d867b3952f304777a5911cd91dcccf46e64f33442ccf42a7625f438beea635010d5384c30ef643fcae737b5082c44bac17cf4ee0221ed8b3da3bc01c26542040"
}