ATMs targeted! Cybersecurity experts reveal an attack campaign targeting ATMs.

Redazione RHC: 23 November 2025 09:38

Group-IB experts presented a detailed analysis of the long-running UNC2891 campaign, which demonstrated the continuing sophistication of ATM attack schemes.

Much of the attention went to the Raspberry Pi that the attackers planted inside an ATM to reach the infrastructure of two Indonesian banks. The physical intrusion, however, turned out to be only one stage of a larger criminal operation designed to control the whole chain, from host compromise to cash withdrawal through a network of money mules.

According to Group-IB, UNC2891 conducted three separate intrusions: against one bank in February 2022, against a second bank in November 2023, and against the first bank again in July 2024.

The same STEELCORGI packer was used in all three cases, which is what allowed the incidents to be linked. During the first intrusion the attackers gained control of more than 30 systems, securing a long-term foothold in the organization's infrastructure.

The report shows that the technical intrusion was only part of the overall plan. The group actively recruited money mules to withdraw the funds, advertising on search engines and in anonymous channels. Cloned cards and the equipment needed to use them were shipped to the mules through delivery services, and the withdrawals themselves were directed remotely, either over TeamViewer or by voice instructions from coordinators.

The key component of the toolset was the CAKETAP malware, a kernel rootkit that hooked the messages exchanged between the bank's ATM switching host and its payment HSM. It intercepted PIN verification requests for the attackers' cards and returned a successful result regardless of the PIN entered, and it tampered with the HSM's ARQC verification responses so that counterfeit cards were accepted as if they carried legitimate EMV cryptograms. Combined with the physical access, this let the group cash out while the bank's authorization path appeared to work normally, and the operation went virtually undetected.
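The defensive consequence of a CAKETAP-style hook is that the ATM host's own record of what the HSM answered can no longer be trusted. The following is an added example (not code from Group-IB, Mandiant or the UNC2891 toolset) of an out-of-band checker: it re-derives the card session key from the issuer master key, recomputes the ARQC and the PIN verification value itself, and flags every authorization that the host logged as approved but that it cannot reproduce, plus replayed cryptograms whose transaction counter never advanced. Real EMV uses 3DES-based MACs (ISO 9797-1) and PVV-style PIN schemes; HMAC-SHA256 stands in here so the example runs on the standard library alone, and every key, PAN and transaction is constructed.

```python
"""Out-of-band re-verification of ATM authorization verdicts (added illustration).

ASSUMPTION: HMAC-SHA256 replaces the 3DES MACs and PVV scheme of real EMV so
the example needs only the standard library.  All keys, PANs and transactions
below are constructed for the demonstration.
"""
import hashlib
import hmac
from dataclasses import dataclass

IMK = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed issuer master key
PVK = bytes.fromhex("ffeeddccbbaa99887766554433221100")  # constructed PIN verification key
PAN_LEGIT = "4000123412341234"  # constructed PAN of a genuine cardholder
PAN_FRAUD = "4000999999999999"  # constructed PAN encoded on the counterfeit card


def _mac(key: bytes, data: bytes, nbytes: int) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:nbytes]


def session_key(pan: str, psn: str, atc: int) -> bytes:
    """Issuer master key -> per-card key (PAN/PSN) -> per-transaction key (ATC)."""
    card_key = _mac(IMK, f"{pan}{psn}".encode(), 16)
    return _mac(card_key, atc.to_bytes(2, "big"), 16)


def compute_arqc(pan: str, psn: str, atc: int, unpredictable_number: int, amount_cents: int) -> str:
    """MAC over the transaction data the card signs; 8 bytes, hex-encoded."""
    data = (amount_cents.to_bytes(6, "big") + atc.to_bytes(2, "big")
            + unpredictable_number.to_bytes(4, "big"))
    return _mac(session_key(pan, psn, atc), data, 8).hex()


def compute_pvv(pan: str, pin: str) -> str:
    """Four-digit PIN verification value the issuer stores for the card."""
    digest = _mac(PVK, f"{pan}{pin}".encode(), 4)
    return f"{int.from_bytes(digest, 'big') % 10000:04d}"


@dataclass
class HostRecord:
    """One authorization as logged by the (possibly compromised) ATM host."""
    pan: str
    psn: str
    atc: int            # application transaction counter reported by the card
    un: int             # unpredictable number the terminal supplied
    amount: int         # amount in cents
    arqc: str           # cryptogram the card presented
    pin_entered: str
    stored_pvv: str
    host_arqc_ok: bool  # what the host claims the HSM answered for the cryptogram
    host_pin_ok: bool   # what the host claims the HSM answered for the PIN


def audit(records):
    """Return (code, pan, atc) findings where the host verdict is inconsistent."""
    findings, last_atc = [], {}
    for r in records:
        arqc_ok = hmac.compare_digest(compute_arqc(r.pan, r.psn, r.atc, r.un, r.amount), r.arqc)
        pin_ok = hmac.compare_digest(compute_pvv(r.pan, r.pin_entered), r.stored_pvv)
        if r.host_arqc_ok and not arqc_ok:
            findings.append(("ARQC_TAMPER", r.pan, r.atc))  # HSM response was altered on the host
        if r.host_pin_ok and not pin_ok:
            findings.append(("PIN_TAMPER", r.pan, r.atc))   # any-PIN-accepted behaviour
        # A captured and replayed cryptogram verifies fine, but the card's counter never moves.
        key = (r.pan, r.psn)
        if r.atc <= last_atc.get(key, -1):
            findings.append(("ATC_REPLAY", r.pan, r.atc))
        last_atc[key] = max(last_atc.get(key, -1), r.atc)
    return findings


def sample_records():
    """Constructed log: a genuine withdrawal, a counterfeit card waved through by a
    tampered host, and a replay of the genuine cryptogram."""
    pvv = compute_pvv(PAN_LEGIT, "1234")
    genuine_arqc = compute_arqc(PAN_LEGIT, "00", 10, 0xDEADBEEF, 20000)
    fraud_pvv = compute_pvv(PAN_FRAUD, "7788")
    # The attacker does not know the PIN; pick one that provably mismatches the stored PVV.
    wrong_pin = next(p for p in ("0000", "1111", "2222") if compute_pvv(PAN_FRAUD, p) != fraud_pvv)
    # The counterfeit card cannot compute a valid ARQC; flip every bit of a real one.
    real = bytes.fromhex(compute_arqc(PAN_FRAUD, "00", 5, 0x01020304, 50000))
    bogus_arqc = bytes(b ^ 0xFF for b in real).hex()
    return [
        HostRecord(PAN_LEGIT, "00", 10, 0xDEADBEEF, 20000, genuine_arqc, "1234", pvv, True, True),
        HostRecord(PAN_FRAUD, "00", 5, 0x01020304, 50000, bogus_arqc, wrong_pin, fraud_pvv, True, True),
        HostRecord(PAN_LEGIT, "00", 10, 0xDEADBEEF, 20000, genuine_arqc, "1234", pvv, True, True),
    ]


if __name__ == "__main__":
    for finding in audit(sample_records()):
        print(finding)
```

The checker only works if it runs on a system the attacker does not control and has its own access to the issuer keys (or to a second, independently administered HSM); an audit job on the same compromised host would see the same hooked responses. The ATC check is cheap and catches the replay case even when the cryptogram itself is cryptographically valid.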

A set of custom-built tools kept the group resident in the infrastructure. TINYSHELL opened covert connections to the command-and-control server via dynamic DNS; SLAPSTICK, a trojanized PAM library, harvested the credentials of users authenticating on the compromised hosts; SUN4ME mapped the internal network and identified hosts of interest; and fallback communication channels were available over DNS tunneling, OpenVPN connections and HTTPS.

To conceal their presence, the group used the LOGBLEACH and MIGLOGCLEANER tools to scrub traces from logs. Additional init scripts and systemd service files re-launched the backdoors after a reboot. Malicious components were made harder to spot and to analyze by giving them common system process names and by mounting filesystems over their /proc/<pid> entries, so that standard process listings, which simply read /proc, no longer showed them.
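Both hiding tricks leave traces that a hunt script can pick up without any kernel-level tooling: an over-mounted /proc/<pid> appears in the mount table, its status file either disappears or reports a different PID, and a "system" process whose binary lives in a scratch directory or has been deleted from disk is a poor impostor. The following is an added example, not tooling from Group-IB or the UNC2891 reports; it assumes a Linux procfs layout (Solaris hosts expose /proc/<pid>/psinfo instead) and the untrusted-directory list is an assumption of this example. `demo()` runs the checks against a constructed fake /proc tree so they can be exercised offline; run the module directly to apply them to the live system.

```python
"""Hunt for processes hidden by mounts over /proc/<pid> and for backdoors
masquerading as system daemons (added example, not UNC2891 report tooling).

ASSUMPTION: Linux procfs layout.  The directories in UNTRUSTED_EXE_DIRS are
this example's own heuristic for where a dropped binary is likely to live.
"""
import os
import re
import tempfile

PROC_MOUNT_RE = re.compile(r"^/proc/(\d+)(?:/|$)")
UNTRUSTED_EXE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/run/user/")


def overmounted_pids(mountinfo_text):
    """Return {pid: fstype} for every mount whose mount point sits under /proc/<pid>.

    Nothing legitimate is mounted below a PID directory; a tmpfs there, or a
    bind mount of another PID's directory, hides the process from ps and top.
    """
    hidden = {}
    for line in mountinfo_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or "-" not in fields:
            continue
        mount_point = fields[4].replace("\\040", " ")   # mountinfo escapes spaces as \040
        fstype = fields[fields.index("-") + 1]          # fstype follows the '-' separator
        m = PROC_MOUNT_RE.match(mount_point)
        if m:
            hidden[int(m.group(1))] = fstype
    return hidden


def _pid_dirs(proc_root):
    return sorted((n for n in os.listdir(proc_root) if n.isdigit()), key=int)


def pid_mismatches(proc_root="/proc"):
    """Compare each /proc/<pid> directory name with the Pid: line in its status file.

    A bind mount of /proc/<other> over /proc/<pid> makes status report <other>;
    an empty tmpfs makes the file vanish.  Returns (dir_pid, status_pid_or_None).
    On a live system a process that exits between listdir and open also shows
    up as (pid, None); re-check those before acting on them.
    """
    findings = []
    for name in _pid_dirs(proc_root):
        try:
            with open(os.path.join(proc_root, name, "status")) as f:
                text = f.read()
        except OSError:
            findings.append((int(name), None))
            continue
        m = re.search(r"^Pid:\s*(\d+)$", text, re.M)
        if not m or int(m.group(1)) != int(name):
            findings.append((int(name), int(m.group(1)) if m else None))
    return findings


def masquerading_exes(proc_root="/proc"):
    """Flag processes whose binary lives in a scratch directory or was deleted from disk."""
    findings = []
    for name in _pid_dirs(proc_root):
        base = os.path.join(proc_root, name)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
        except OSError:
            continue  # kernel threads have no exe; other users' processes may be unreadable
        if exe.endswith(" (deleted)") or exe.startswith(UNTRUSTED_EXE_DIRS):
            findings.append((int(name), comm, exe))
    return findings


def _fake_proc_entry(root, pid, status_pid, comm, exe):
    """Build one constructed /proc/<pid> directory for the offline demo."""
    d = os.path.join(root, str(pid))
    os.makedirs(d)
    if status_pid is not None:
        with open(os.path.join(d, "status"), "w") as f:
            f.write(f"Name:\t{comm}\nPid:\t{status_pid}\n")
    with open(os.path.join(d, "comm"), "w") as f:
        f.write(comm + "\n")
    os.symlink(exe, os.path.join(d, "exe"))


# Constructed mountinfo: the normal procfs mount, a tmpfs over /proc/4242 and
# /proc/1 bind-mounted over /proc/4243 (the two flavours of the hiding trick).
SAMPLE_MOUNTINFO = """\
24 30 0:22 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
120 24 0:45 / /proc/4242 rw,relatime - tmpfs tmpfs rw
121 24 0:22 /1 /proc/4243 rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
"""


def demo():
    """Run all three checks against a constructed fake /proc tree."""
    with tempfile.TemporaryDirectory() as root:
        _fake_proc_entry(root, 1, 1, "systemd", "/usr/lib/systemd/systemd")
        _fake_proc_entry(root, 4242, None, "sshd", "/dev/shm/.x/sshd")           # hidden under a tmpfs
        _fake_proc_entry(root, 4243, 1, "cron", "/usr/sbin/cron")                # /proc/1 mounted over it
        _fake_proc_entry(root, 777, 777, "kworker/0:1", "/tmp/.ICE-unix/kworker (deleted)")
        return {
            "overmounted": overmounted_pids(SAMPLE_MOUNTINFO),
            "pid_mismatch": pid_mismatches(root),
            "masquerading": masquerading_exes(root),
        }


if __name__ == "__main__":
    print("constructed tree:", demo())
    with open("/proc/self/mountinfo") as f:
        print("live overmounted:", overmounted_pids(f.read()))
    print("live pid mismatches:", pid_mismatches())
    print("live masquerading:", masquerading_exes())
```

Run the live checks as root, otherwise `exe` links of other users' processes are unreadable and silently skipped. A rootkit that hooks the syscalls used here (CAKETAP-style) can of course lie to this script as well, so findings of zero prove nothing; positive findings, however, are cheap to obtain and hard to explain away.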

Group-IB links all three episodes through identical cryptographic keys embedded in the STEELCORGI packer. The recurrence of the same key material across periods years apart points to a single team that operated for several years and had the resources to maintain infrastructure, run logistics and manage the mule network remotely.

Analysts emphasize that the decline in high-profile ATM incidents does not mean the threat has disappeared. UNC2891 shows that attention has shifted to combined schemes in which physical intrusion is paired with thorough technical preparation, and the cash-out chain is engineered with the same care as the malware placed inside the bank.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
