A secretive cybercrime group called UNC2891 has been quietly draining ATMs across Southeast Asian banks for years, using an ingenious combination of custom malware and hidden hardware.
Recent research from Group-IB reveals how this financially motivated threat actor has maintained invisible access to dozens of banking systems since 2017, employing techniques that blend digital hacking with physical intrusion.
The most striking discovery was that attackers physically installed a Raspberry Pi device, a small, inexpensive computer, directly inside bank networks, placing it near ATM switches.
This hardware gateway, connected to a 4G modem, gave hackers a direct backdoor that completely bypassed traditional perimeter security.
It’s a reminder that cybercrime isn’t always about sophisticated code; sometimes, the simplest tools prove most dangerous.
The Hidden Arsenal Behind Modern ATM Theft
UNC2891 leverages deep technical expertise in Linux and Unix systems, deploying six custom malware families to manipulate banking infrastructure.
Tools like CAKETAP, SLAPSTICK, and TINYSHELL work together to intercept and alter transactions in real time without triggering alarms or leaving evident traces.
The group’s sophistication extends beyond malware. They employed advanced anti-forensics techniques, including Linux bind mount abuse, to conceal their activities and ensure stealthy lateral movement across banking networks.
This level of operational security explains how they remained undetected for seven years.
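The article names Linux bind mount abuse but does not describe it; a well-documented form is mounting another directory over /proc/<pid> so that the process disappears from ps, top and ls, which read /proc rather than the kernel's process table. The following defensive check is an added example (not from the article or from Group-IB's report): it parses the /proc/self/mountinfo format and flags any mount that sits on a per-process directory. The mountinfo sample and PID 4242 are constructed.

```python
import re
import sys
from dataclasses import dataclass

# Constructed sample of /proc/self/mountinfo (not from the article). Line 3 is a
# bind-style mount of /proc/1 over /proc/4242, which makes PID 4242 vanish from
# any tool that enumerates /proc instead of asking the kernel directly.
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
28 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
91 22 0:21 /1 /proc/4242 rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
95 22 0:22 / /proc/sys/fs/binfmt_misc rw,relatime shared:30 - binfmt_misc binfmt_misc rw
"""

PID_DIR = re.compile(r"^/proc/(\d+)(?:/|$)")  # a per-process directory under /proc

@dataclass
class Mount:
    root: str         # path within the source filesystem that is mounted here
    mount_point: str  # where it appears in the directory tree
    fstype: str
    source: str

def unescape(field: str) -> str:
    """mountinfo writes space, tab, newline and backslash as \\ooo octal escapes."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text: str) -> list[Mount]:
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Before the " - " separator: id parent major:minor root mount_point
        # options [optional tags...]; after it: fstype source super_options.
        before, _, after = line.partition(" - ")
        pre, post = before.split(), after.split()
        mounts.append(Mount(unescape(pre[3]), unescape(pre[4]), post[0], post[1]))
    return mounts

def hidden_pid_mounts(mounts: list[Mount]) -> list[tuple[int, Mount]]:
    """Return (pid, mount) for every mount placed over a /proc/<pid> directory.
    Legitimate mounts under /proc (binfmt_misc, sysfs trees) never sit on a PID
    directory, so any hit is worth investigating on the host."""
    hits = []
    for m in mounts:
        match = PID_DIR.match(m.mount_point)
        if match:
            hits.append((int(match.group(1)), m))
    return sorted(hits, key=lambda h: h[0])

if __name__ == "__main__":
    # Use the constructed sample with "--sample"; otherwise read the live table.
    text = SAMPLE_MOUNTINFO if "--sample" in sys.argv else open("/proc/self/mountinfo").read()
    for pid, m in hidden_pid_mounts(parse_mountinfo(text)):
        print(f"PID {pid} hidden: {m.fstype} {m.source} root={m.root} over {m.mount_point}")
```

Run it as root on the host being examined, since mounts made in another mount namespace are only visible from inside that namespace.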
What makes UNC2891 unique is their understanding that stealing money requires more than hacking; it requires getting the cash out.
Group-IB’s investigation uncovered a complete money-mule operation, with attackers recruiting accomplices through Telegram and Google Ads.
These money mules would receive instructions on which ATMs to visit, use compromised payment cards, and withdraw stolen funds on behalf of the criminal organization.
This hybrid approach, combining network compromise, custom malware deployment, and human recruitment, demonstrates how modern financial cybercrime operates as a complete ecosystem rather than isolated hacking attempts.
ATM networks are among the weakest links in global financial security. While banks have invested heavily in digital defenses, physical security and network isolation often lag behind.
UNC2891’s tactics show that traditional defenses are no longer sufficient. The group’s success proves that determined attackers can combine technical expertise with creative problem-solving to reach even well-protected systems.
The discovery also highlights the importance of monitoring physical access to network infrastructure.
A small device, such as a Raspberry Pi, can compromise an entire banking operation if placed strategically.
Group-IB’s detailed analysis provides banks with a roadmap for defending against similar attacks.
Understanding UNC2891’s tactics, techniques, and procedures, along with their malware signatures and money-mule recruitment methods, gives financial institutions the information needed to detect and stop these operations before criminals steal millions in cash.
