MalwareUsed by 1 actor

SLAPSTICK

SLAPSTICK is malware associated with the UNC2891 threat cluster and has been reported in operations targeting ATM switching and related infrastructure. The provided content identifies it as a PAM backdoor with a "magical password," indicating credential interception or authentication-bypass functionality via the Pluggable Authentication Modules stack on Unix-like systems. Detection content references SLAPSTICK as a Linux backdoor and specifically notes YARA rules designed to identify SLAPSTICK within ELF executables based on characteristic format string sequences. Group-IB reporting cited in the content places SLAPSTICK alongside other UNC2891 tooling including CAKETAP, TINYSHELL, WINGHOOK, and LOGBLEACH/MIGLOGCLEANER, with some compromises traced back to 2017. High-confidence details in the provided material are limited; no specific hashes, file paths, or additional indicators of compromise for SLAPSTICK are directly included beyond its association with UNC2891, ELF-based detection, and characterization as a PAM backdoor.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

UNC2891

UNC2891 deployed... SLAPSTICK (PAM backdoor with “magical password”)

via ctoatncsc substackctoatncsc.substack.com

MITRE ATT&CK

Techniques & procedures

1 distinct technique documented for this family, organized by ATT&CK tactic.

Stealth

1 technique

T1014RootkitEvidence1

"UNC2891 deployed a range of custom malware, including CAKETAP (a Solaris/Linux rootkit)... attackers maintained undetected access for years"

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

detections digest rulecheckNews

Feb 2, 2026

Detections Digest #20260202 - by RuleCheck.io

Linux/UNIX-targeting malware attributed in the content to UNC2891; detection described as matching specific format-string sequences in ELF binaries.

ctoatncsc substackNews

Nov 29, 2025

CTO at NCSC Summary: week ending November 30th

PAM backdoor providing covert authentication access ("magical password") used for persistence on Unix-like systems.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping1

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.