Monday , July 13 2026

Hidden Backdoor “TINYSHELL” Found in ATM Network via Raspberry Pi

A covert attack on ATM systems has been detected, using a hidden Raspberry Pi to access internal bank networks. The intrusion involved physical access, a rarely seen anti-forensics technique and malware designed to avoid standard detection methods.

Source: group-ib

Attackers Gained Physical Access to ATM Network:

Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Global ransomware attacks stayed very high in the first seven months of 2026. There were 5,064 confirmed victims in 135...
Read More
Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Palo Alto Networks Addresses 13 Vulnerabilities

Palo Alto Networks shared warnings on Wednesday about over twelve security issues in its products. The new warnings include 13 security...
Read More
Palo Alto Networks Addresses 13 Vulnerabilities

Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

A critical flaw with how Dell saves BIOS passwords lets anyone quickly recover these passwords from a flash dump without...
Read More
Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

CoLoCity is proud to launch a new Data Center in Gulshan-2. It is designed to meet the growing demand for...
Read More
CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

Daily Cyber security update for 10. 07. 2026

Cyberattacks are rising around the world, including ransomware, malware, data leaks, and hacked websites. These events show how complex and...
Read More
Daily Cyber security update for 10. 07. 2026

How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

A major AWS attack shows how attackers with AI can connect known cloud strategies to go from first access to...
Read More
How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

Mycelium Framework: First AI-as-a-Service Botnet

A new cybercrime ad is catching attention in the security world. It talks about a botnet that doesn't just get...
Read More
Mycelium Framework: First AI-as-a-Service Botnet

CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

CrowdStrike has shared five new ways to inject prompts, showing the rising danger to AI agents as more organizations use...
Read More
CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

A critical flaw in Google Cloud Platform’s Dialogflow CX lets attackers add harmful code to a company's AI chatbot system....
Read More
Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

CIRT identified 153 publicly exposed FortiGate devices in Bangladesh

CIRT identified 153 publicly exposed FortiGate devices in Bangladesh. In an advisory CIRT said, the campaign has been observed globally,...
Read More
CIRT identified 153 publicly exposed FortiGate devices in Bangladesh

A group named UNC2891 connected a Raspberry Pi to a network switch shared with an ATM. With a 4G modem, the device enabled attackers to remotely access the bank’s internal network, avoiding perimeter firewalls.

Attackers used a backdoor named TINYSHELL to create outgoing connections through a dynamic DNS domain. This gave them continuous external access and enabled ongoing communication with command-and-control (C2) systems.

Forensic analysts at Group-IB noticed regular beaconing every 600 seconds, but no suspicious processes appeared during the initial assessment. This prompted a deeper look into system behavior during idle times.

Source: group-ib

Malware Masked as Legitimate System Process:

Deeper analysis revealed a stealthy malware component masquerading as a legitimate system process.

Two instances of a process named “lightdm” were found running from unusual locations, /tmp/lightdm and /var/snap/.snapd/lightdm. These backdoor processes appeared normal at a glance but were actually establishing connections to the Raspberry Pi and the bank’s internal mail server.

The malware used a technique called T1564.013 from MITRE ATT&CK. It exploited Linux bind mounts to hide the backdoor from process listings, evading most forensic tools.

ATM Switching Server and HSM Manipulation Aims:

UNC2891 aimed to hack the ATM switching server to install a rootkit called CAKETAP, designed to fake authorization responses from hardware security modules and enable fraudulent ATM withdrawals.

The attackers were stopped before achieving their goal, but the investigation uncovered important insights.

They kept access via the Raspberry Pi and the bank’s mail server, using a dynamic DNS to hide changes and prevent disruption.

The network monitoring server connected to almost every system in the data center, enabling lateral movement within the environment.

Source: group-ib

Detection and Response Recommendations

Group-IB advised organizations to:

Monitor mount and unmount syscalls with tools like auditd or eBPF

Alert on /proc/[pid] mounted to tmpfs or external filesystems

Block or monitor binaries executed from /tmp or .snapd directories

Secure all physical switch ports and ATM-connected infrastructure

Capture memory images in addition to disk during incident response

The case demonstrates how financially motivated attackers are adapting their methods. It reveals that physical access, along with hidden Linux features and memory-based malware, can compromise even secure systems.

Check Also

Nepal Unveils First “Hall of Fame” for Ethical Hackers

Nepal has started a ‘Hall of Fame’ program to honor cybersecurity researchers who safely report …