Introduction
UNC3886 is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan (APJ) regions. UNC3886 has displayed a deep understanding of edge devices and virtualization technologies through the exploitation of zero-day vulnerabilities and the use of novel malware families and utilities.(Citation: Mandiant Fortinet Zero Day)(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)
Activities and Tactics
Country of Origin: 🇨🇳 China
Notable Campaigns
- RedPenguin (C0056): The RedPenguin project was launched by Juniper in July 2024 to investigate reported malware infections of Juniper MX Series routers. RedPenguin activity was separately attributed to UNC3886 and included the deployment of multiple custom versions of the publicly available TINYSHELL backdoor on Juniper routers.(Citation: Juniper RedPenguin MAR 2025)(Citation: Mandiant UNC3886 Juniper Routers MAR 2025)
Tactics, Techniques, and Procedures (TTPs)
- T1027.005 Indicator Removal from Tools
- T1681 Search Threat Vendor Data
- T1059.012 Hypervisor CLI
- T1083 File and Directory Discovery
- T1078.001 Default Accounts
- T1554 Compromise Host Software Binary
- T1068 Exploitation for Privilege Escalation
- T1673 Virtual Machine Discovery
- T1564.011 Ignore Process Interrupts
- T1587.001 Malware
- T1212 Exploitation for Credential Access
- T1675 ESXi Administration Command
- T1218.011 Rundll32
- T1074.001 Local Data Staging
- T1070.007 Clear Network Connection History and Configurations
- T1059.006 Python
- T1548 Abuse Elevation Control Mechanism
- T1070.006 Timestomp
- T1690 Prevent Command History Logging
- T1560.003 Archive via Custom Method
- T1203 Exploitation for Client Execution
- T1037.004 RC Scripts
- T1685 Disable or Modify Tools
- T1070.004 File Deletion
- T1588.004 Digital Certificates
- T1555.005 Password Managers
- T1587.004 Exploits
- T1505.006 vSphere Installation Bundles
- T1560.001 Archive via Utility
- T1003.001 LSASS Memory
- T1057 Process Discovery
- T1570 Lateral Tool Transfer
- T1588.001 Malware
- T1059.003 Windows Command Shell
- T1036.004 Masquerade Task or Service
- T1037 Boot or Logon Initialization Scripts
- T1014 Rootkit
- T1059.001 PowerShell
- T1040 Network Sniffing
- T1124 System Time Discovery
- T1078 Valid Accounts
- T1205.001 Port Knocking
- T1190 Exploit Public-Facing Application
- T1095 Non-Application Layer Protocol
- T1686 Disable or Modify System Firewall
- T1059.004 Unix Shell
- T1205 Traffic Signaling
- T1021.004 SSH
- T1008 Fallback Channels
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- CyberGate
- Cyber Eye RAT
- Xploit
- Deeper RAT
MITRE ATT&CK Software
- MOPSLED (S1221) — malware
- VIRTUALPIE (S1218) — malware
- CASTLETAP (S1224) — malware
- THINCRUST (S1223) — malware
- VIRTUALPITA (S1217) — malware
- REPTILE (S1219) — malware
- MEDUSA (S1220) — malware
- RIFLESPINE (S1222) — malware
Attribution and Evidence
Country of Origin: China
Additional attribution information pending cataloguing.
References
[1] mitre-attack
[2] Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023: Alexander Marvi, Brad Slaybaugh, Ron Craft, and Rufus Brown. (2023, June 13). VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors. Retrieved March 26, 2025.
[3] Mandiant Fortinet Zero Day: Marvi, A. et al. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved March 22, 2023.