UNC2891: Raspberry Pi, Custom Rootkit CAKETAP Fuel Sophisticated ATM Fraud Campaign
Specialists from Group-IB have released an in-depth analysis of the long-running UNC2891 campaign, which demonstrates how inventive modern attack schemes against ATM networks have become. At the center of the operation was a compact Raspberry Pi board that allowed the attackers to penetrate the infrastructure of two Indonesian banks. Yet physical access to the ATM proved to be only one element of a much broader criminal enterprise—one meticulously crafted to control every stage of the operation, from host compromise to the cash-out process carried out through a network of recruited mules.
According to Group-IB, UNC2891 executed three separate intrusions: the first against one bank in February 2022, the second against another in November 2023, and a third return to the original target in July 2024. All incidents involved the same STEELCORGI toolkit, which enabled investigators to link the attacks. During the first breach, the adversaries took control of more than 30 systems, establishing a durable foothold within the organization’s infrastructure.
The report shows that technical compromise was only part of the machinery. The group aggressively enlisted money mules by placing advertisements in search engines and anonymous channels. Hardware for working with cloned cards was shipped via postal services, while the cash-out phase was orchestrated remotely through TeamViewer sessions or voice instructions from coordinators.
The core of the attack framework was the CAKETAP module, a custom kernel rootkit that intercepted and altered messages passing between the bank's ATM switching infrastructure and its hardware security modules (HSMs), bypassing PIN verification. CAKETAP also manipulated the ARQC verification responses returned by the HSM, so that cloned cards presented by mules were accepted as legitimate. Combined with physical access to the ATM network, this approach let the operators work with near-total invisibility.
Persistence inside the infrastructure was maintained through a suite of custom-built tools. TINYSHELL maintained covert connections to command-and-control servers reached through dynamic DNS; SLAPSTICK, a trojanized PAM library, logged the credentials of users authenticating through it; SUN4ME mapped the internal network and identified valuable hosts. Additional channels of communication were provided through DNS tunneling, OpenVPN links, and encrypted HTTPS sessions.
To conceal their footprint, the attackers deployed LOGBLEACH and MIGLOGCLEANER, tools designed to scrub evidence from system logs. Auxiliary init scripts and systemd service files ensured that backdoors relaunched after each reboot. Stealth was further enhanced by disguising malicious modules under common system names and by mounting another filesystem over the backdoor's own /proc/<pid> directory, so that tools such as ps and top, which enumerate /proc, no longer list the process, complicating forensic analysis.
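The /proc-mount trick above is cheap for an attacker but leaves a trace: the kernel still records every mount in /proc/self/mountinfo, and a mount point of the form /proc/<pid> has no legitimate reason to exist on a host. The following script is an added detection example, not code from the Group-IB report or from the UNC2891 toolset; it parses mountinfo and flags any mount layered over a /proc/<pid> directory. The sample mountinfo content (PIDs 4721 and 4722, the path /var/tmp/.x) is constructed for illustration.

```python
"""Flag filesystems mounted over /proc/<pid> (process hiding via bind mounts).

Added example, not from the Group-IB report. Mounting over /proc/<pid>
hides that process from tools that walk /proc, but /proc/self/mountinfo
still lists the mount, so enumerating it exposes the technique.
"""
import re
from typing import Dict, List

PROC_PID_RE = re.compile(r"^/proc/(\d+)(?:/|$)")

# Constructed sample of /proc/self/mountinfo (not captured from a real host).
# Line 3: classic "mount --bind /proc/1 /proc/4721" (another proc entry over
#         the backdoor's directory).  Line 4: a directory on disk over a pid.
SAMPLE_MOUNTINFO = """\
22 1 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
23 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
41 22 0:21 /1 /proc/4721 rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
42 22 8:1 /var/tmp/.x /proc/4722 rw,relatime shared:1 - ext4 /dev/sda1 rw
"""


def _unescape(field: str) -> str:
    """mountinfo encodes space, tab, newline and backslash as octal escapes."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text: str) -> List[Dict[str, str]]:
    """Parse mountinfo lines into dicts with root, mount_point, fs_type, source.

    Format (proc(5)): "id parent major:minor root mount_point opts [optional...]
    - fs_type source super_opts".  The " - " separator ends the optional fields.
    """
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, sep, post = line.partition(" - ")
        pre_fields, post_fields = pre.split(), post.split()
        if not sep or len(pre_fields) < 6 or len(post_fields) < 2:
            continue  # malformed line; skip rather than crash the scan
        entries.append({
            "root": _unescape(pre_fields[3]),
            "mount_point": _unescape(pre_fields[4]),
            "fs_type": post_fields[0],
            "source": _unescape(post_fields[1]),
        })
    return entries


def find_hidden_pids(entries: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return every mount whose mount point is /proc/<pid> or below it.

    Any such mount is suspicious: nothing legitimate mounts over a pid directory
    on a host.  The 'root' field tells you what was mounted there (e.g. "/1"
    on a proc filesystem means /proc/1 was bind-mounted over the target pid).
    """
    hits = []
    for e in entries:
        m = PROC_PID_RE.match(e["mount_point"])
        if m:
            hits.append({
                "pid": int(m.group(1)),
                "mount_point": e["mount_point"],
                "fs_type": e["fs_type"],
                "root": e["root"],
                "source": e["source"],
            })
    return sorted(hits, key=lambda h: h["pid"])


def scan_live_host(path: str = "/proc/self/mountinfo") -> List[Dict[str, object]]:
    """Run the check against the current host; returns [] on non-Linux systems."""
    try:
        with open(path, encoding="utf-8") as fh:
            return find_hidden_pids(parse_mountinfo(fh.read()))
    except OSError:
        return []


if __name__ == "__main__":
    for hit in find_hidden_pids(parse_mountinfo(SAMPLE_MOUNTINFO)):
        print(f"pid {hit['pid']} hidden: {hit['fs_type']} root={hit['root']} "
              f"source={hit['source']} mounted on {hit['mount_point']}")
    for hit in scan_live_host():
        print(f"LIVE HOST: pid {hit['pid']} hidden under {hit['mount_point']}")
```

On a compromised host the same data is visible with `cat /proc/self/mountinfo | grep ' /proc/[0-9]'` or `findmnt`, but a collector that records the root field is more useful in incident response: it distinguishes a bind mount of another pid's proc entry (which makes the hidden process look like an existing one) from an arbitrary directory mounted over the pid, and the source device points you at where the attacker's files live.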
Group-IB links all three intrusions through identical cryptographic keys embedded in the STEELCORGI toolkit. The recurrence of these artifacts across multiple years points to a single, persistent team with the resources to maintain infrastructure, logistics, and remote coordination of its mule network.
Analysts emphasize that the decline in high-profile ATM incidents does not signify a diminishing threat. The UNC2891 case illustrates a shift toward hybrid operations, in which physical intervention is paired with deep technical sophistication, and where the cash-out chain is engineered with no less precision than the malicious code targeting the bank itself.