Caketap

Caketap is a rootkit for Oracle Solaris discovered in the wild in 2022. Caketap was discovered by Mandiant when investigating an intrusion cluster by actor UNC2891 also known as LightBasin.

History

While Caketap was discovered in by 16 March 2022, it rose to prominence when it was used in a Raspberry Pi mediated penetration of an ATM Network, discovered by Group-IB in late July 2025. Once again LightBasin were believed to be responsible.

Associated tools

UNC2891 utilises several supporting tools: TinyShell, Slapstick, Steelcorgi, Steelhound, Winghook, Wingcrack, Binbash, Wiperight, Miglogcleaner, and the Sun4Me toolkit.