Caketap

Last updated November 10, 2025

Caketap is a rootkit for Oracle Solaris discovered in the wild in 2022. Caketap was discovered by Mandiant when investigating an intrusion cluster by actor UNC2891 also known as LightBasin.^[1]

History

While Caketap was discovered in by 16 March 2022, it rose to prominence when it was used in a Raspberry Pi mediated penetration of an ATM Network, discovered by Group-IB in late July 2025.^[2] Once again LightBasin were believed to be responsible.

Associated tools

UNC2891 utilises several supporting tools: TinyShell, Slapstick, Steelcorgi, Steelhound, Winghook, Wingcrack, Binbash, Wiperight, Miglogcleaner, and the Sun4Me toolkit.

References

↑ "Have Your Cake and Eat it Too? An Overview of UNC2891 | Mandiant". Google Cloud Blog. 16 March 2022. Retrieved 2 August 2025.
↑ "UNC2891 Bank Heist: Physical ATM Backdoor & Linux Forensic Evasion Evasion". 30 July 2025.^{[ dead link ]}

External links

Live off the Land? How About Bringing Your Own Island? An Overview of UNC1945 Google Cloud Threat Intelligence Blog, 2 November 2020

This malware-related article is a stub. You can help Wikipedia by expanding it.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "Have Your Cake and Eat it Too? An Overview of UNC2891 | Mandiant". Google Cloud Blog. 16 March 2022. Retrieved 2 August 2025.

[2] "UNC2891 Bank Heist: Physical ATM Backdoor & Linux Forensic Evasion Evasion". 30 July 2025.^{[ dead link ]}

[1]

[2]

Caketap

Contents

History

Associated tools

See also

References

External links