UNC2891: ATM Threats Never Die

How a device small enough to fit in your pocket – a Raspberry Pi – became the key to infiltrating entire ATM networks

About the report
Group-IB’s latest research reveals how UNC2891 is rewriting the playbook of financial cybercrime. This secretive cybercrime group has been targeting banks in Southeast Asia for years, blurring the line between digital theft and physical intrusion.
Why does it matter?
ATM networks remain a weak link in global financial security. UNC2891’s tactics show how quickly criminals are innovating, and how traditional perimeter-focused defenses are no longer enough. Learn how Group-IB researchers followed their digital footprints and revealed the hidden ecosystem behind modern ATM heists.
Overview of compromises
Walkthrough of the general kill chain based on three real incident-response cases handled by Group-IB
Attacker TTPs
In-depth breakdown of the tactics, techniques, and procedures used across the incidents
Malware & artifacts
Catalog of the malicious tools and artifacts observed, highlighting commonalities between attacks
Money-mule operations
Inside look at how attackers recruit, instruct, and manage money mules to monetize campaigns
The new face of ATM heists
UNC2891 is a financially motivated threat actor believed to specialize in targeting banking infrastructure, with deep technical expertise in Linux and Unix-based systems.
Invisible for 7 years
UNC2891 maintained undetected access since 2017 across dozens of banking systems
Hardware meets cybercrime
A Raspberry Pi hidden behind ATMs opened a direct door into bank networks
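The rogue device described above sat on the same switch as an ATM, so the earliest sign of it is a MAC address the switch learned on the ATM VLAN that no ATM owns. The Python below is an added example written for this page, not Group-IB's tooling: it parses a Cisco-style `show mac address-table` dump, compares every port against an inventory of expected ATM MAC addresses, and marks any MAC whose OUI is registered to Raspberry Pi. The switch output, port names and inventory are constructed for the example; the OUI list is partial and only a hint, because a Pi reached through a USB Ethernet adapter or a 4G modem presents that adapter's OUI instead.

```python
import re
from typing import NamedTuple

# Partial list of IEEE OUIs registered to the Raspberry Pi Foundation / Raspberry Pi
# Trading Ltd. A hint only: verify against the current IEEE registry, and remember that
# a Pi behind a USB adapter or modem shows that adapter's OUI, not one of these.
RASPBERRY_PI_OUIS = {"b8:27:eb", "dc:a6:32", "e4:5f:01"}

# Matches Cisco-style "show mac address-table" rows: VLAN, dotted-hex MAC, type, port.
MAC_ROW_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)


class Finding(NamedTuple):
    port: str
    mac: str
    reason: str
    vendor_hint: str


def normalize_mac(dotted: str) -> str:
    """'b827.eb12.3456' -> 'b8:27:eb:12:34:56'."""
    hexdigits = dotted.replace(".", "").lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text: str) -> dict[str, set[str]]:
    """Return {port: {mac, ...}} from a MAC address table dump; header rows are skipped."""
    table: dict[str, set[str]] = {}
    for line in text.splitlines():
        m = MAC_ROW_RE.match(line)
        if m:
            table.setdefault(m.group("port"), set()).add(normalize_mac(m.group("mac")))
    return table


def audit_atm_switch(mac_table_text: str, inventory: dict[str, str]) -> list[Finding]:
    """Flag every learned MAC that is not the inventoried ATM for its port.

    inventory maps switch port -> the one MAC expected there. A port with no inventory
    entry should carry no traffic at all, so anything learned on it is a finding too.
    """
    findings = []
    for port, macs in sorted(parse_mac_table(mac_table_text).items()):
        expected = inventory.get(port)
        for mac in sorted(macs):
            if mac == expected:
                continue
            hint = "Raspberry Pi OUI" if mac[:8] in RASPBERRY_PI_OUIS else ""
            reason = ("unexpected MAC on ATM port" if expected
                      else "traffic on port with no inventoried device")
            findings.append(Finding(port, mac, reason, hint))
    return findings


# Constructed sample (not real switch output): VLAN 120 is the ATM VLAN, Gi1/0/7 and
# Gi1/0/8 are ATM ports, Gi1/0/24 is a spare port that should be idle.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 120    0011.2233.4455    DYNAMIC     Gi1/0/7
 120    b827.eb12.3456    DYNAMIC     Gi1/0/7
 120    0011.2233.6677    DYNAMIC     Gi1/0/8
 120    dca6.3278.9abc    DYNAMIC     Gi1/0/24
"""
ATM_INVENTORY = {"Gi1/0/7": "00:11:22:33:44:55", "Gi1/0/8": "00:11:22:33:66:77"}

if __name__ == "__main__":
    for f in audit_atm_switch(SAMPLE_MAC_TABLE, ATM_INVENTORY):
        print(f"{f.port}: {f.mac} ({f.reason}) {f.vendor_hint}".rstrip())
```

Against the sample the audit reports two devices: a second MAC sharing the ATM's port on Gi1/0/7 and a device on the uninventoried port Gi1/0/24, both with a Raspberry Pi OUI. Port security or 802.1X on ATM access ports would block such a device outright; this audit is the detective control for switches where that is not yet enforced, and it only works if the ATM inventory is kept accurate.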
6 custom malware families
Custom malware such as CAKETAP, SLAPSTICK, and TINYSHELL let the group spoof transaction authorizations in real time, harvest credentials, and keep remote access while leaving minimal forensic traces
Profile: UNC2891
First seen
1 November 2017
Industries targeted
Banking Industry
Motivation
Financially motivated
About
UNC2891 is a financially motivated threat actor active since at least November 2017, known for its advanced intrusions targeting banking infrastructure. The group possesses deep technical expertise in Linux, Unix, and Oracle Solaris environments, and employs a bespoke malware arsenal that includes tools like CAKETAP, TINYSHELL, and SLAPSTICK.
Group-IB was the first to uncover that UNC2891 had physically installed a Raspberry Pi inside a bank’s internal network, connected to the same switch as an ATM, with a 4G modem giving the attackers an out-of-band path for remote access. Because the device sat behind the firewall and called out over cellular, this tactic bypassed perimeter defenses entirely. UNC2891 also used anti-forensics techniques such as Linux bind mount abuse (MITRE ATT&CK T1564.013, Hide Artifacts: Bind Mounts) to conceal their activity, enabling stealthy lateral movement and persistent access to critical systems, including ATM switching servers.
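The bind mount anti-forensics referenced above hides a process by mounting something else over its /proc/<pid> directory, so that ps, top and similar tools read the overlaid content instead of the real process; that is the behaviour ATT&CK T1564.013 describes. The Python below is an added example written for this page, not Group-IB's tooling and not a reproduction of the specific mounts seen in these incidents (the page does not list them). It parses the kernel's /proc/<pid>/mountinfo format and flags any mount whose mount point is a /proc/<pid> path, which procfs synthesises and nothing legitimate mounts on top of. The sample mountinfo rows are constructed.

```python
import re
from typing import Iterable, Iterator, NamedTuple

# procfs synthesises /proc/<pid>; a mount point there is the signature of T1564.013.
PROC_PID_RE = re.compile(r"^/proc/(\d+)(?:/|$)")
# mountinfo escapes space, tab, newline and backslash in paths as \040 \011 \012 \134.
OCTAL_ESCAPE_RE = re.compile(r"\\([0-7]{3})")


class Mount(NamedTuple):
    mount_id: int
    root: str         # subtree of the source that is mounted; a bind mount shows its origin path here
    mount_point: str
    fstype: str
    source: str


class HiddenPidMount(NamedTuple):
    hidden_pid: int   # PID whose /proc view has been covered
    mount: Mount


def _unescape(field: str) -> str:
    return OCTAL_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(lines: Iterable[str]) -> Iterator[Mount]:
    """Parse /proc/<pid>/mountinfo rows.

    Row format: id parent major:minor root mount_point opts [optional...] - fstype source super_opts
    """
    for raw in lines:
        pre, sep, post = raw.strip().partition(" - ")
        pre_f, post_f = pre.split(), post.split()
        if not sep or len(pre_f) < 6 or len(post_f) < 2:
            continue  # malformed or truncated row: skip rather than guess
        yield Mount(int(pre_f[0]), _unescape(pre_f[3]), _unescape(pre_f[4]),
                    post_f[0], _unescape(post_f[1]))


def find_hidden_pid_mounts(lines: Iterable[str]) -> list[HiddenPidMount]:
    """Return every mount sitting on a /proc/<pid> path, with the PID it covers."""
    hits = []
    for m in parse_mountinfo(lines):
        match = PROC_PID_RE.match(m.mount_point)
        if match:
            hits.append(HiddenPidMount(int(match.group(1)), m))
    return hits


def scan_live(path: str = "/proc/1/mountinfo") -> list[HiddenPidMount]:
    """Scan a running host. PID 1's table is read so the check covers the initial mount
    namespace rather than whatever namespace this script happens to run in."""
    with open(path, encoding="utf-8") as fh:
        return find_hidden_pid_mounts(fh)


# Constructed sample rows (not from a real incident). Row 101 bind-mounts /proc/1234 over
# /proc/4321, so anything reading /proc/4321/* sees PID 1234's data; row 102 mounts an
# on-disk directory over /proc/5678.
SAMPLE_MOUNTINFO = """\
28 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
45 28 0:30 / /tmp rw,nosuid,nodev shared:20 - tmpfs tmpfs rw
101 22 0:21 /1234 /proc/4321 rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
102 22 8:1 /tmp/.x /proc/5678 rw,relatime shared:1 - ext4 /dev/sda1 rw
"""

if __name__ == "__main__":
    for hit in find_hidden_pid_mounts(SAMPLE_MOUNTINFO.splitlines()):
        m = hit.mount
        print(f"PID {hit.hidden_pid} covered by {m.fstype} mount of {m.source}:{m.root}")
```

On the sample this reports PIDs 4321 and 5678 together with what was mounted over them; the `root` field is what gives the game away for a bind mount, since it names the origin subtree (here `/1234` of procfs) rather than `/`. Treat mountinfo as volatile evidence and capture it during live response: a root-level intruder who also creates a private mount namespace, or who hooks procfs reads with a kernel rootkit, can hide the mount itself, so corroborate with a memory image or with an enumeration of processes that does not go through /proc.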
Skillset
Oracle Solaris
Linux
Unix
ATM
Raspberry Pi
Toolset
CAKETAP – Rootkit for HSM manipulation and transaction spoofing
TINYSHELL – Lightweight backdoor for remote access
SLAPSTICK – Credential logger
SUN4ME – Reconnaissance and exploitation toolkit
STEELCORGI – Custom encryption packer
WINGHOOK and WINGCRACK – Unix/Linux keylogger and decoder
MIGLOGCLEANER – Shell and log tampering utility
Inside the report
Gain exclusive insight into:
Real case studies from APAC’s top financial institutions
Forensic breakdowns of custom malware families
Exclusive insight into money mule recruitment via Telegram and Google Ads
Step-by-step ATM cash-out playbooks revealed through TeamViewer sessions
Attribution analysis distinguishing UNC2891 from UNC1945
Detection guidance, YARA rules, and mitigation frameworks
They hid in plain sight. Don’t let them hide in yours.
This report serves as your blueprint for uncovering what others miss, and preventing multimillion-dollar ATM heists before they occur.
Fill out the form below to download the UNC2891 report for more valuable data and actionable insights.