UNC2891 Breaches ATM Network via 4G Raspberry Pi, Tries CAKETAP Rootkit for Fraud

Jul 31, 2025Ravie Lakshmanan

The financially motivated threat actor known as UNC2891 has been observed targeting Automatic Teller Machine (ATM) infrastructure using a 4G-equipped Raspberry Pi as part of a covert attack.

The cyber-physical attack involved the adversary leveraging their physical access to install the Raspberry Pi device and have it connected directly to the same network switch as the ATM, effectively placing it within the target bank’s network, Group-IB said. It’s currently not known how this access was obtained.

“The Raspberry Pi was equipped with a 4G modem, allowing remote access over mobile data,” security researcher Nam Le Phuong said in a Wednesday report.

“Using the TINYSHELL backdoor, the attacker established an outbound command-and-control (C2) channel via a Dynamic DNS domain. This setup enabled continuous external access to the ATM network, completely bypassing perimeter firewalls and traditional network defenses.”

UNC2891 was first documented by Google-owned Mandiant in March 2022, linking the group to attacks targeting ATM switching networks to carry out unauthorized cash withdrawals at different banks using fraudulent cards.

Central to the operation was a kernel module rootkit dubbed CAKETAP that’s designed to hide network connections, processes, and files, as well as intercept and spoof card and PIN verification messages from hardware security modules (HSMs) to enable financial fraud.

The hacking crew is assessed to share tactical overlaps with another threat actor called UNC1945 (aka LightBasin), which was previously identified compromising managed service providers and striking targets within the financial and professional consulting industries.

Describing the threat actor as possessing extensive knowledge of Linux and Unix-based systems, Group-IB said its analysis uncovered backdoors named “lightdm” on the victim’s network monitoring server that are designed to establish active connections to the Raspberry Pi and the internal Mail Server.

The attack is significant for the abuse of bind mounts to hide the presence of the backdoor from process listings and evade detection.

The end goal of the infection, as seen in the past, is to deploy the CAKETAP rootkit on the ATM switching server and facilitate fraudulent ATM cash withdrawals. However, the Singaporean company said the campaign was disrupted before the threat actor could inflict any serious damage.

“Even after the Raspberry Pi was discovered and removed, the attacker maintained internal access through a backdoor on the mail server,” Group-IB said. “The threat actor leveraged a Dynamic DNS domain for command-and-control.”

Upgrade your audio game with the Logitech for Creators Blue Yeti USB Microphone. With over 33,730 ratings and an impressive 4.6 out of 5 stars, it’s no wonder this is an Amazon’s Choice product. Recently, 5K+ units were purchased in the past month.

Available in five stunning colors: Teal, Silver, Pink Dawn, Midnight Blue, and Blackout, this microphone is perfect for creators looking to produce exceptional audio. Priced at only $84.99, it’s a deal you can’t afford to miss.

Elevate your recordings with clear broadcast-quality sound and explore your creativity with enhanced effects, advanced modulation, and HD audio samples. Order now for just $84.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!