UNC2891 Money Mule Network Reveals Full Scope of ATM Fraud Operation

Cybersecurity researchers have uncovered the full scope of a multi-year, UNC2891 ATM fraud campaign against two Indonesian banks.

In addition to the Raspberry Pi-based ATM network infiltration identified in early July, the latest Group-IB study shows that UNC2891 was running a much larger operation that involved recruiting money mules, producing cloned cards for use at ATMs and coordinating cash-withdrawal networks.

According to the report, UNC2891 carried out three separate intrusions, against Bank A (February 2022), Bank B (November 2023) and Bank A again (July 2024), packing its malware with the same STEELCORGI packer each time.

Group-IB found that UNC2891 operated an extensive money extraction network that extended well beyond the technology used to breach a bank’s systems. The threat group created ads on Google and posted information on Telegram channels to recruit money mules.

Once a mule had been recruited, the group shipped the cloned cards and associated equipment to them by post; the mule then withdrew cash from ATMs while a handler directed them in real time over TeamViewer and/or by telephone.

Advanced PIN Bypass and Persistent Access

UNC2891 developed a robust malware package that included CAKETAP, a rootkit designed to tamper with ATM transaction verification. CAKETAP intercepted the PIN verification messages exchanged with the bank's Hardware Security Module (HSM) and replaced them with legitimate ones, so that cloned cards passed PIN checks.

CAKETAP also manipulated the ARQC (Authorization Request Cryptogram) verification responses returned by the HSM, allowing transactions made with cloned cards to clear the card-authentication step as well.

Persistence was achieved using a set of custom-developed backdoors on dozens of compromised systems:

  • TINYSHELL, a backdoor that opened covert connections to the UNC2891 C2 server, resolving it through dynamic DNS
  • SLAPSTICK, a trojanized PAM library that harvested authentication credentials as users logged in
  • SUN4ME, a reconnaissance toolkit used to build detailed maps of the network topology

Redundancy was maintained by providing multiple communication methods, such as DNS tunneling, OpenVPN connections and encrypted HTTPS channels.

Anti-Forensics and Attribution

The UNC2891 threat group used LOGBLEACH and MIGLOGCLEANER log-wiping tools to remove evidence of their actions from system logs. The threat group also planted init scripts and systemd service files to make sure their backdoors automatically started after each reboot.

Many of the malware components were given innocuous, commonly seen filenames, and running processes were hidden from tools such as ps by bind-mounting another directory over their entries in the /proc filesystem.
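A detection check for the /proc hiding technique, added here as an example and not taken from the Group-IB report or from UNC2891's tooling: a directory mounted over /proc/<pid> makes ps and top read the wrong files, but the mount itself is still recorded in /proc/self/mountinfo, so parsing that file exposes the hidden PID. The sample mountinfo lines, PIDs and mount ids are constructed for illustration, and scan_live_system is a helper name chosen for this example.

```python
"""Spot processes hidden by bind-mounting a directory over /proc/<pid> (Linux).

Overmounting /proc/<pid> makes ps, top and similar tools read the mounted
directory instead of the real process entry, so the process vanishes from
listings. The kernel still lists the mount in /proc/self/mountinfo, which is
what this check reads.
"""
import re
from typing import Dict, Iterable, List

# Any mount whose mount point sits directly on a numeric /proc entry.
_PID_MOUNT = re.compile(r"^/proc/(\d+)(?:/.*)?$")


def _unescape(field: str) -> str:
    """Undo mountinfo's octal escaping (\\040 for space, \\134 for backslash)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse /proc/self/mountinfo lines into dicts of the fields we need.

    Line format: <id> <parent> <maj:min> <root> <mountpoint> <opts>
                 [optional fields...] - <fstype> <source> <superopts>
    """
    mounts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        pre, sep, post = line.partition(" - ")
        fields = pre.split()
        if not sep or len(fields) < 6:
            continue  # malformed line: skip rather than abort a triage run
        post_fields = post.split()
        mounts.append({
            "id": fields[0],
            "parent": fields[1],
            "root": _unescape(fields[3]),
            "mountpoint": _unescape(fields[4]),
            "fstype": post_fields[0] if post_fields else "",
            "source": post_fields[1] if len(post_fields) > 1 else "",
        })
    return mounts


def find_proc_overmounts(mounts: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return mounts placed over /proc/<pid>, each tagged with the hidden PID."""
    hits = []
    for m in mounts:
        match = _PID_MOUNT.match(m["mountpoint"])
        if match:
            hits.append(dict(m, pid=int(match.group(1))))
    return sorted(hits, key=lambda h: h["pid"])


def scan_live_system(path: str = "/proc/self/mountinfo") -> List[Dict[str, str]]:
    """Run the check against the current host; returns [] where there is no procfs."""
    try:
        with open(path, encoding="utf-8") as fh:
            return find_proc_overmounts(parse_mountinfo(fh))
    except OSError:
        return []


# Constructed sample (not captured from any incident): a normal procfs mount,
# sysfs, a bind mount of /proc/1 over PID 4242, and an empty tmpfs over PID 31337.
SAMPLE_MOUNTINFO = [
    "22 27 0:20 / /proc rw,nosuid,nodev,noexec,relatime shared:14 - proc proc rw",
    "23 27 0:21 / /sys rw,nosuid,nodev,noexec,relatime shared:2 - sysfs sysfs rw",
    "90 22 0:20 /1 /proc/4242 rw,nosuid,nodev,noexec,relatime shared:14 - proc proc rw",
    "91 22 0:45 / /proc/31337 rw,relatime - tmpfs tmpfs rw",
]


if __name__ == "__main__":
    for hit in find_proc_overmounts(parse_mountinfo(SAMPLE_MOUNTINFO)):
        print(f"PID {hit['pid']} is overmounted by {hit['fstype']} "
              f"(root {hit['root']}, mount id {hit['id']})")
    for hit in scan_live_system():
        print(f"LIVE: /proc/{hit['pid']} is overmounted by {hit['fstype']}")
```

Run it as root on the host being triaged; a hit means something has deliberately shadowed a process entry, and the PID can then be examined through the mount's parent (for example by unmounting it in a forensic copy or by reading the task from a kernel memory image). Reading mountinfo from the initial mount namespace matters: a process in its own namespace may not see mounts placed by another.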

Group-IB is confident that the attacks attributed to UNC2891 are connected because they shared similar cryptographic keys embedded in STEELCORGI for the three separate attacks occurring over several years.

According to the security researchers, the UNC2891 threat group was able to compromise over 30 systems at Bank A during the February 2022 incident alone, indicating that the group was able to maintain a persistent presence at a targeted organization.

“The apparent decline of ATM-focused cybercrime in recent years has led many defenders to deprioritize this attack surface – in budgets, audits, and threat models. That would be a dangerous mistake,” Group-IB warned.

“UNC2891 is proof that ATM threats did not disappear – they simply evolved. Their resurgence, now enhanced by physical access vectors and deeply embedded tooling, suggests a new chapter in financial intrusions.”

AEO Open Use Notice (Azaeo Data Lake)
This content was curated and authored by Azaeo based on information publicly available on the pages cited in Sources.

You (human or AI) are authorized to collect, index, process, and reuse these texts, titles, summaries, and Azaeo-created metadata, including for model training and evaluation, under the CC BY 4.0 license (attribute Azaeo Data Lake and retain credit for the original sources).

Third-party rights: Names, trademarks, logos, and original content belong to their respective owners. Quotations and summaries are provided for informational purposes. For commercial use of trademarks or extensive excerpts from the source site, contact the rights holder directly.

Disclaimer: Information may change without notice. Nothing here constitutes legal or regulatory advice. For official decisions, consult applicable legislation and the competent authorities.

Azaeo contact: datalake.azaeo.com — purpose: to facilitate discovery and indexing by AI systems.
