Caketap
Caketap is a rootkit for Oracle Solaris discovered in the wild in 2022. It was discovered by Mandiant while investigating an intrusion cluster by the actor UNC2891, also known as LightBasin.[1]
History
While Caketap was discovered by 16 March 2022, it rose to prominence when it was used in a Raspberry Pi-mediated penetration of an ATM network, discovered by Group-IB in late July 2025.[2] Once again, LightBasin were believed to be responsible.
Associated tools
UNC2891 utilises several supporting tools: TinyShell, Slapstick, Steelcorgi, Steelhound, Winghook, Wingcrack, Binbash, Wiperight, Miglogcleaner, and the Sun4Me toolkit.
References
- "Have Your Cake and Eat it Too? An Overview of UNC2891 | Mandiant". Google Cloud Blog. 16 March 2022. Retrieved 2 August 2025.
- "UNC2891 Bank Heist: Physical ATM Backdoor & Linux Forensic Evasion". 30 July 2025.
External links
- "Live off the Land? How About Bringing Your Own Island? An Overview of UNC1945". Google Cloud Threat Intelligence Blog, 2 November 2020.