Mallory
13 malware families

UNC2891

Also known as: unc2891

UNC2891 is a financially motivated threat cluster active since at least 2017 that primarily targets banking infrastructure, especially ATM and ATM switching environments. Reporting attributes to UNC2891 a covert intrusion in which operators physically implanted a 4G-enabled Raspberry Pi on the same network switch as a targeted ATM, giving them remote access into the bank's internal network that bypassed perimeter defenses and was intended to facilitate fraudulent cash withdrawals.

In that intrusion the group used the TINYSHELL backdoor with Dynamic DNS-based command and control, maintained persistence through a backdoor on an internet-connected mail server, and used Linux bind mounts (layered over the processes' /proc entries) to hide malicious processes that masqueraded as the LightDM display manager; this anti-forensic technique is catalogued as MITRE ATT&CK T1564.013 (Hide Artifacts: Bind Mounts). The apparent objective was to reach the ATM switching server and deploy CAKETAP, a rootkit described as manipulating HSM responses and spoofing authorization messages so that unauthorized ATM withdrawals are approved.

Malware and tooling directly associated with UNC2891 include CAKETAP, SLAPSTICK, TINYSHELL, WINGHOOK, WINGCRACK, STEELCORGI, STEELHOUND, BINBASH, WIPERIGHT, and LOGBLEACH/MIGLOGCLEANER, and the group has demonstrated expertise across Linux, Unix, and Oracle Solaris environments. Mandiant associates UNC2891 with UNC1945, also known as LightBasin; overlaps with other reported groups and activity clusters have also been noted.
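The bind-mount trick above (T1564.013) leaves a trace the hidden process cannot remove: the mount itself. The following check, added here by the editor and not code from the Mallory page or from any vendor report, parses /proc/self/mountinfo (the real kernel field layout) and flags any mount whose mountpoint sits under /proc/<pid>, distinguishing a procfs subtree bound from another PID (which makes the hidden process show the donor's name, exe and maps) from some other filesystem mounted there. The sample lines and the PIDs 1337, 4242 and 4243 are constructed for the example.

```python
"""Check /proc/self/mountinfo for mounts layered over /proc/<pid> directories,
the T1564.013 (Hide Artifacts: Bind Mounts) trick the summary above describes.

Added example by the editor; not code from the Mallory page or from any vendor
report. The mountinfo field layout is the real kernel format; the sample lines
and PIDs (1337, 4242, 4243) are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample in /proc/self/mountinfo layout:
# ID PARENT MAJ:MIN ROOT MOUNTPOINT OPTIONS [optional fields...] - FSTYPE SOURCE SUPEROPTS
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:14 - proc proc rw
23 28 0:22 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
28 1 259:2 / / rw,relatime shared:1 - ext4 /dev/nvme0n1p2 rw
91 22 0:21 /1337 /proc/4242 rw,nosuid,nodev,noexec,relatime shared:14 - proc proc rw
92 22 0:41 / /proc/4243 rw,relatime shared:60 - tmpfs tmpfs rw
"""

PROC_PID_RE = re.compile(r"^/proc/(\d+)(?:/|$)")


@dataclass
class Mount:
    mount_id: int
    parent_id: int
    root: str        # path inside the source filesystem that is mounted here
    mountpoint: str  # where it appears in this mount namespace
    fstype: str
    source: str


@dataclass
class Finding:
    hidden_pid: int
    mountpoint: str
    fstype: str
    root: str
    reason: str


def _unescape(field: str) -> str:
    # mountinfo encodes space, tab, newline and backslash as octal \040, \011, \012, \134
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text: str) -> List[Mount]:
    """Parse mountinfo lines; the ' - ' separator ends the variable optional fields."""
    mounts = []
    for line in text.splitlines():
        pre, sep, post = line.partition(" - ")
        pre_f, post_f = pre.split(), post.split()
        if not sep or len(pre_f) < 6 or len(post_f) < 2:
            continue  # blank or malformed line
        mounts.append(Mount(int(pre_f[0]), int(pre_f[1]), _unescape(pre_f[3]),
                            _unescape(pre_f[4]), post_f[0], post_f[1]))
    return mounts


def find_proc_overlays(mounts: Iterable[Mount]) -> List[Finding]:
    """Any mount whose mountpoint is /proc/<pid>[/...] is suspicious: nothing
    legitimate mounts there, and it replaces what ps, top and forensic tools
    read for that PID."""
    findings = []
    for m in mounts:
        match = PROC_PID_RE.match(m.mountpoint)
        if not match:
            continue
        pid = int(match.group(1))
        if m.fstype == "proc" and m.root != "/":
            # A procfs subtree bound over another PID: /proc/<pid> now shows
            # the donor PID's comm, cmdline, exe and maps (e.g. a real lightdm).
            donor = m.root.strip("/").split("/")[0]
            reason = f"procfs subtree for PID {donor} bind-mounted over /proc/{pid}"
        else:
            reason = f"{m.fstype} mounted over /proc/{pid}"
        findings.append(Finding(pid, m.mountpoint, m.fstype, m.root, reason))
    return findings


def scan_live_host(path: str = "/proc/self/mountinfo") -> List[Finding]:
    """Run the same check against the current host (Linux only)."""
    with open(path, encoding="utf-8") as fh:
        return find_proc_overlays(parse_mountinfo(fh.read()))


if __name__ == "__main__":
    for f in find_proc_overlays(parse_mountinfo(SAMPLE_MOUNTINFO)):
        print(f"[!] {f.reason} (mountpoint={f.mountpoint}, root={f.root})")
```

On a live host, `scan_live_host()` reads the current mount namespace, so run it in the namespace whose `ps` output you are trying to trust (normally the initial one); a finding for PID N means the process table entry you see for N is not the process that is actually running under that PID.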


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Banks

MITRE ATT&CK

Tradecraft

43 distinct techniques observed across reporting, grouped by tactic. 11 of 15 tactics are represented. The listing below holds 66 entries because a technique that appears under several tactics is listed under each; the per-tactic technique count refers to parent techniques, with sub-techniques nested beneath them. ×N = number of intelligence reports citing this technique.

TA0001 Initial Access (2 techniques)
  • T1133 External Remote Services (×3)
  • T1200 Hardware Additions (×4)

TA0002 Execution (2 techniques)
  • T1059 Command and Scripting Interpreter
    - T1059.004 Unix Shell
  • T1574 Hijack Execution Flow
    - T1574.013 KernelCallbackTable

TA0003 Persistence (4 techniques)
  • T1133 External Remote Services (×3)
  • T1543 Create or Modify System Process
    - T1543.002 Systemd Service
  • T1547 Boot or Logon Autostart Execution
    - T1547.006 Kernel Modules and Extensions
  • T1556 Modify Authentication Process
    - T1556.003 Pluggable Authentication Modules

TA0004 Privilege Escalation (3 techniques)
  • T1543 Create or Modify System Process
    - T1543.002 Systemd Service
  • T1547 Boot or Logon Autostart Execution
    - T1547.006 Kernel Modules and Extensions
  • T1548 Abuse Elevation Control Mechanism
    - T1548.001 Setuid and Setgid

TA0005 Stealth (MITRE: Defense Evasion) (9 techniques)
  • T1014 Rootkit (×6)
  • T1027 Obfuscated Files or Information
  • T1036 Masquerading (×3)
  • T1070 Indicator Removal
    - T1070.002 Clear Linux or Mac System Logs
    - T1070.004 File Deletion
    - T1070.006 Timestomp (×2)
  • T1140 Deobfuscate/Decode Files or Information
  • T1480 Execution Guardrails
    - T1480.001 Environmental Keying
  • T1564 Hide Artifacts
    - T1564.001 Hidden Files and Directories
    - T1564.009 Resource Forking
    - T1564.013 Bind Mounts (×3)
  • T1574 Hijack Execution Flow
    - T1574.013 KernelCallbackTable
  • T1620 Reflective Code Loading

TA0112 Defense Impairment (1 technique)
  • T1556 Modify Authentication Process
    - T1556.003 Pluggable Authentication Modules

TA0006 Credential Access (4 techniques)
  • T1003 OS Credential Dumping
    - T1003.008 /etc/passwd and /etc/shadow
  • T1056 Input Capture
    - T1056.001 Keylogging
  • T1552 Unsecured Credentials
    - T1552.003 Shell History
    - T1552.004 Private Keys
  • T1556 Modify Authentication Process
    - T1556.003 Pluggable Authentication Modules

TA0007 Discovery (6 techniques)
  • T1016 System Network Configuration Discovery
  • T1018 Remote System Discovery
  • T1049 System Network Connections Discovery
  • T1082 System Information Discovery
  • T1083 File and Directory Discovery
  • T1135 Network Share Discovery

TA0008 Lateral Movement (1 technique)
  • T1021 Remote Services
    - T1021.004 SSH

TA0009 Collection (2 techniques)
  • T1056 Input Capture
    - T1056.001 Keylogging
  • T1560 Archive Collected Data

TA0011 Command and Control (7 techniques)
  • T1071 Application Layer Protocol (×2)
  • T1090 Proxy
  • T1095 Non-Application Layer Protocol
  • T1105 Ingress Tool Transfer
  • T1568 Dynamic Resolution (×4)
  • T1572 Protocol Tunneling
  • T1573 Encrypted Channel
    - T1573.001 Symmetric Cryptography