UNC2891 Bank Heist: Physical ATM Backdoor & Linux Forensic Evasion
ID: 0ede3c9f-d501-5cf8-8bdc-cbcacae54b0e
STIX ID: report--0ede3c9f-d501-5cf8-8bdc-cbcacae54b0e
Feed Name: Group-IB Blog
**UNC2891 targeted banking infrastructure using a physical implant (Raspberry Pi) and a stealthy Linux bind-mount anti-forensics technique to hide a TINYSHELL backdoor that beaconed to external C2 and attempted lateral access to ATM switching systems; investigators used network and memory forensics to detect the activity and disrupted the campaign before CAKETAP rootkit objectives were completed.** Recommendations include monitoring mount/umount syscalls, alerting on /proc bind mounts and binaries from /tmp or .snapd paths, securing physical network ports, and capturing memory during response.
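As an added example (not code from the report or from Group-IB), the following triage script implements two of the recommendations above: it parses `/proc/self/mountinfo` to flag any filesystem bind-mounted over a `/proc/<pid>` directory, the trick that hides a process from `ps` and `ls /proc`, and it flags executables running from `/tmp` or from a `.snapd` path component. The mountinfo lines and the pid-to-executable mapping are constructed sample data; on a live host, feed it the real `/proc/self/mountinfo` and the resolved `/proc/<pid>/exe` links instead.

```python
import re

# Constructed sample of /proc/self/mountinfo (not from the report). The last line models a
# tmpfs bind-mounted over /proc/31337, which blanks that PID's entry for every user-space reader.
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
28 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
57 28 0:25 / /tmp rw,nosuid,nodev shared:27 - tmpfs tmpfs rw
41 22 0:25 /empty /proc/31337 rw,relatime shared:20 - tmpfs tmpfs rw
"""

# Constructed sample of pid -> resolved /proc/<pid>/exe target (names are hypothetical).
SAMPLE_EXES = {1: "/usr/lib/systemd/systemd", 4242: "/tmp/svc", 900: "/var/lib/.snapd/agent"}

# A mount point of exactly /proc/<digits> or anything beneath it; nothing legitimate mounts there.
PROC_PID_MOUNT = re.compile(r"^/proc/\d+(?:/|$)")


def parse_mountinfo(text):
    """Split each mountinfo line at the ' - ' separator, which ends the variable-length optional fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, _, post = line.partition(" - ")
        f, p = pre.split(), post.split()
        # Field 5 is the mount point; mountinfo escapes spaces in paths as \040.
        entries.append({"mount_point": f[4].replace("\\040", " "), "root": f[3],
                        "fstype": p[0], "source": p[1]})
    return entries


def find_proc_overlays(entries):
    """Return mount points that overlay a /proc/<pid> directory (process-hiding bind mounts)."""
    return [e["mount_point"] for e in entries if PROC_PID_MOUNT.match(e["mount_point"])]


def suspicious_exe_paths(exes):
    """Return (pid, path) for executables under /tmp or inside any '.snapd' path component."""
    hits = [(pid, path) for pid, path in exes.items()
            if path.startswith("/tmp/") or ".snapd" in path.split("/")]
    return sorted(hits)


def triage(mountinfo_text, exes):
    """Combine both checks into one report dict for a host."""
    return {"proc_overlays": find_proc_overlays(parse_mountinfo(mountinfo_text)),
            "suspicious_exes": suspicious_exe_paths(exes)}


if __name__ == "__main__":
    print(triage(SAMPLE_MOUNTINFO, SAMPLE_EXES))
```

mountinfo only reflects the caller's mount namespace, so run the check from the init namespace (or against a memory image, as the report recommends) to catch mounts performed inside a private namespace.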
