Particle.news

Bank Thwarts 4G Raspberry Pi Backdoor in ATM Network

The bank is reinforcing physical port security to block similar infiltration attempts.

Overview

  • The UNC2891 hacking group covertly installed a 4G-enabled Raspberry Pi on an ATM network switch to bypass perimeter defenses and gain internal access
  • Attackers deployed the custom TinyShell backdoor on the device, leveraging dynamic DNS for outbound command-and-control connections over mobile data
  • Malicious processes masqueraded as “lightdm” display manager instances and were concealed using Linux bind mounts to evade forensic tools
  • Threat actors pivoted from the Raspberry Pi to the bank’s network monitoring and mail servers, beaconing every 600 seconds to maintain persistence
  • Group-IB analysts stopped the CAKETAP rootkit deployment before any fraudulent withdrawals, and the bank is now adopting memory image captures and syscall monitoring
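As an added defensive example (not part of the Particle.news summary or the Group-IB investigation), the check below flags two of the concealment tricks listed above from host evidence: a filesystem mounted over a /proc/<pid> directory, and a process named lightdm whose executable is not at an expected location. The sample mount table, process list and lightdm paths are constructed assumptions.

```python
import re
from typing import Iterable, List, Tuple

# Regex for a mount target sitting on a process directory such as /proc/4242.
PROC_PID_RE = re.compile(r"^/proc/(\d+)(?:/|$)")

# Where a genuine lightdm binary normally lives (assumed paths; adjust per distro).
KNOWN_LIGHTDM_PATHS = {"/usr/sbin/lightdm", "/usr/bin/lightdm"}

# Constructed sample of /proc/mounts. A bind mount over /proc/<pid> is listed
# with the backing device and filesystem, not with the word "bind", which is
# why the check keys on the target path rather than on the mount options.
SAMPLE_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0
binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,relatime 0 0
/dev/sda1 /proc/4242 ext4 rw,relatime 0 0
"""

# Constructed sample of (pid, comm, exe) triples as read from /proc/<pid>/comm
# and the resolved target of /proc/<pid>/exe.
SAMPLE_PROCS = [
    (1001, "lightdm", "/usr/sbin/lightdm"),
    (4242, "lightdm", "/tmp/.x/lightdm"),
    (4243, "sshd", "/usr/sbin/sshd"),
]


def find_proc_overmounts(mounts_text: str) -> List[Tuple[int, str]]:
    """Return (pid, mount source) for every mount whose target is /proc/<pid>.
    Nothing legitimate mounts there, so each hit is a PID hidden from ps-style tools."""
    hits = []
    for line in mounts_text.splitlines():
        fields = line.split()  # /proc/mounts octal-escapes spaces, so split() is safe
        if len(fields) < 2:
            continue
        match = PROC_PID_RE.match(fields[1])
        if match:
            hits.append((int(match.group(1)), fields[0]))
    return hits


def find_masquerading(procs: Iterable[Tuple[int, str, str]], name: str = "lightdm") -> List[int]:
    """Return PIDs whose comm equals `name` but whose executable is not a known path for it."""
    return [pid for pid, comm, exe in procs if comm == name and exe not in KNOWN_LIGHTDM_PATHS]


if __name__ == "__main__":
    print("over-mounted /proc dirs:", find_proc_overmounts(SAMPLE_MOUNTS))
    print("masquerading lightdm pids:", find_masquerading(SAMPLE_PROCS))
```

On a live host, feed it the contents of /proc/mounts and the comm/exe of each PID in /proc; the binfmt_misc line in the sample shows that legitimate mounts under /proc/sys are not flagged.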