Caketap is a rootkit for Oracle Solaris discovered in the wild in 2022. Mandiant discovered it while investigating an intrusion cluster by the actor UNC2891, also known as LightBasin.[1]
History
While Caketap was discovered by 16 March 2022, it rose to prominence when it was used in a Raspberry Pi-mediated penetration of an ATM network, discovered by Group-IB in late July 2025.[2] Once again, LightBasin were believed to be responsible.
Associated tools
UNC2891 utilises several supporting tools: TinyShell, Slapstick, Steelcorgi, Steelhound, Winghook, Wingcrack, Binbash, Wiperight, Miglogcleaner, and the Sun4Me toolkit.
References
- "Have Your Cake and Eat it Too? An Overview of UNC2891 | Mandiant". Google Cloud Blog. 16 March 2022. Retrieved 2 August 2025.
- "UNC2891 Bank Heist: Physical ATM Backdoor & Linux Forensic Evasion". 30 July 2025.
External links
- "Live off the Land? How About Bringing Your Own Island? An Overview of UNC1945". Google Cloud Threat Intelligence Blog. 2 November 2020.