UNC2891 ATM Fraud Network Reveals Large-Scale Financial Operation
Category:Threat Actors & Campaigns
A new Group-IB report reveals that the UNC2891 threat group has been conducting a multi-year ATM fraud operation targeting banks across Indonesia. The campaign encompasses physical ATM infiltration, cloned card distribution, mule recruitment, and manipulation of transaction verification systems.

UNC2891's tooling includes CAKETAP, a kernel rootkit that intercepts and alters the PIN verification flow between the bank's host systems and its HSM; the report maps it to MITRE ATT&CK techniques T1056 (Input Capture), T1005 (Data from Local System), and T1499 (Endpoint Denial of Service). The group packs its binaries with STEELCORGI across multiple campaigns, demonstrating consistent development practices and operational maturity. Researchers found that the group compromised dozens of systems at Bank A and Bank B, using TINYSHELL for covert C2 communication, SLAPSTICK for credential harvesting, and SUN4ME for reconnaissance and network mapping. UNC2891 also deployed the LOGBLEACH and MIGLOGCLEANER log-wiping utilities to remove traces of its activity, hampering forensic reconstruction.

Its fraud model relies on real-time coordination with money mules, who withdraw funds with cloned cards while being guided over TeamViewer-assisted sessions or by telephone.

The business impact for financial institutions is substantial. Compromise of the ATM network enables large-scale unauthorized cash withdrawals that bypass HSM-backed verification controls, and the fraud can be spread across a distributed ATM fleet. The attacks expose systemic weaknesses in ATM infrastructure, card verification logic, and monitoring of mule-based fraud patterns. Affected banks may also face regulatory consequences under regional financial regulations and anti-money laundering frameworks.

Mitigation requires banks to strengthen ATM endpoint security, deploy integrity monitoring for PIN verification modules, and enhance monitoring for cloned card activity. Financial institutions should implement multi-domain fraud detection tied to ATM telemetry, enforce credential rotation for critical services, and audit for unauthorized remote access tools within their infrastructure.
CORTEX Protocol Intelligence Assessment
Business Impact: UNC2891's ATM fraud operation can result in significant financial losses, regulatory penalties, and operational risk across ATM fleets.
Technical Context: CAKETAP, TINYSHELL, and other UNC2891 tooling map to MITRE ATT&CK T1056 and T1005. Their anti-forensics tooling indicates high operational discipline.
Strategic Intelligence Guidance
- Implement ATM integrity monitoring to detect CAKETAP-like rootkit modifications.
- Rotate HSM and ATM service credentials and monitor for anomalous PIN verification behavior.
- Deploy behavioral fraud models for ATM withdrawal anomalies.
- Audit systems for TINYSHELL, SLAPSTICK, and SUN4ME persistence mechanisms.
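The monitoring recommended in the mitigation paragraph and in the guidance items above (anomalous PIN verification behaviour, cloned card withdrawal anomalies) can be sketched as one detection pass over ATM telemetry. The following is an added example, not code from Group-IB or from the report; the switch and HSM log formats, field names and sample records are constructed for illustration. It reconciles each PIN approval recorded by the ATM switch against the HSM's own audit log (an approval with no HSM record, or one the HSM rejected, is the signature of a CAKETAP-style manipulation between host and HSM) and flags cards that cash out at more distinct ATMs within a short window than a single cardholder could reach.

```python
"""Added example (not from the Group-IB report): reconcile ATM-switch PIN
approvals against the HSM's own audit log and flag multi-ATM withdrawal
velocity. Log formats, field names and records below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry. Switch log fields (hypothetical format):
# timestamp, ATM id, hashed PAN, PIN result as seen by the switch, amount.
SWITCH_LOG = """\
2025-11-20T09:00:01Z ATM-014 c1a2 OK 500000
2025-11-20T09:00:40Z ATM-014 d9f0 FAIL 0
2025-11-20T09:01:10Z ATM-014 d9f0 OK 1000000
2025-11-20T09:03:30Z ATM-022 7b3e OK 2000000
2025-11-20T09:04:05Z ATM-051 7b3e OK 2000000
2025-11-20T09:04:50Z ATM-098 7b3e OK 2000000
2025-11-20T09:05:12Z ATM-022 e4e4 OK 1500000
"""
# HSM audit log fields (hypothetical format): timestamp, hashed PAN, verdict.
# Collected from the HSM itself, never from the (possibly rootkitted) host.
HSM_LOG = """\
2025-11-20T09:00:01Z c1a2 PASS
2025-11-20T09:00:40Z d9f0 FAIL
2025-11-20T09:01:10Z d9f0 FAIL
2025-11-20T09:03:30Z 7b3e PASS
2025-11-20T09:04:05Z 7b3e PASS
2025-11-20T09:04:50Z 7b3e PASS
"""


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_switch(text):
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, atm, pan, result, amount = line.split()
            rows.append({"ts": _ts(ts), "raw_ts": ts, "atm": atm, "pan": pan,
                         "result": result, "amount": int(amount)})
    return rows


def parse_hsm(text):
    by_pan = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, pan, verdict = line.split()
            by_pan[pan].append({"ts": _ts(ts), "verdict": verdict, "used": False})
    return by_pan


def reconcile(switch_rows, hsm_by_pan, tolerance=timedelta(seconds=2)):
    """Every switch-side approval must have a matching HSM PASS within
    `tolerance`. A missing or FAIL record means something between the
    switch and the HSM is forging verification results."""
    findings = []
    for row in switch_rows:
        if row["result"] != "OK":
            continue
        candidates = [r for r in hsm_by_pan.get(row["pan"], [])
                      if not r["used"] and abs(r["ts"] - row["ts"]) <= tolerance]
        if not candidates:
            findings.append((row["raw_ts"], row["atm"], row["pan"],
                             "approved with no HSM verification record"))
            continue
        match = min(candidates, key=lambda r: abs(r["ts"] - row["ts"]))
        match["used"] = True  # each HSM record may justify only one approval
        if match["verdict"] != "PASS":
            findings.append((row["raw_ts"], row["atm"], row["pan"],
                             "approved although the HSM rejected the PIN"))
    return findings


def velocity_alerts(switch_rows, window=timedelta(minutes=5), max_atms=2):
    """Flag a card that cashes out at more than `max_atms` distinct ATMs
    inside `window`: a cloned-card pattern, since one cardholder cannot
    physically reach that many machines in that time."""
    by_pan = defaultdict(list)
    for row in switch_rows:
        if row["result"] == "OK" and row["amount"] > 0:
            by_pan[row["pan"]].append(row)
    alerts = []
    for pan, rows in by_pan.items():
        rows.sort(key=lambda r: r["ts"])
        start, worst = 0, set()
        for end, row in enumerate(rows):          # sliding time window
            while row["ts"] - rows[start]["ts"] > window:
                start += 1
            atms = {r["atm"] for r in rows[start:end + 1]}
            if len(atms) > len(worst):
                worst = atms
        if len(worst) > max_atms:
            alerts.append((pan, sorted(worst)))
    return alerts


def analyse(switch_text=SWITCH_LOG, hsm_text=HSM_LOG):
    rows = parse_switch(switch_text)
    return {"hsm_mismatch": reconcile(rows, parse_hsm(hsm_text)),
            "velocity": velocity_alerts(rows)}


if __name__ == "__main__":
    for kind, hits in analyse().items():
        for hit in hits:
            print(kind, *hit)
```

Two caveats a practitioner should keep in mind: the HSM-side log has to come from the HSM itself or from a network tap, because a host compromised with CAKETAP and LOGBLEACH cannot be trusted to report its own verification traffic honestly; and the clock tolerance and ATM-velocity threshold need tuning to the real skew between the switch and the HSM and to the geography of the fleet, or the pass will either miss manipulations or drown in false positives.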
Intelligence Source: UNC2891 ATM Fraud Network Reveals Large-Scale Financial Operation | Nov 21, 2025