UNC3886 Cyber Espionage Group
The China-linked cyber espionage entity UNC3886 has been actively targeting end-of-life MX routers to deploy custom backdoors. This campaign underscores their ability to infiltrate internal networking infrastructure, utilizing backdoors with both active and passive capabilities. Some variants even contain embedded scripts designed to turn off logging mechanisms, allowing attackers to operate undetected.
An Evolving Threat Group
UNC3886 has a history of leveraging zero-day vulnerabilities in Fortinet, Ivanti, and VMware devices to breach networks and establish long-term persistence. This latest operation represents an evolution of their techniques, focusing on networking hardware that often lacks security monitoring.
Since their first documented activity in September 2022, UNC3886 has demonstrated high proficiency in targeting edge devices and virtualization technologies, with a focus on the defense, technology, and telecommunications sectors in the U.S. and Asia.
Why Routing Devices?
Espionage-driven adversaries have recently shifted toward compromising routing devices. By gaining control over crucial infrastructure, attackers can maintain prolonged access while also having the potential to conduct disruptive activities in the future.
The TinyShell Connection: A Weapon of Choice
The latest activity, detected in mid-2024, involves implants based on TinyShell, a lightweight C-based backdoor favored by Chinese hacking groups such as Liminal Panda and Velvet Ant. TinyShell's open-source nature makes it a practical choice, offering ease of customization while complicating attribution.
Security researchers have identified six distinct backdoors based on TinyShell, each with its own functionality:
- appid (A Poorly Plagiarized Implant Daemon) – Provides file transfer, interactive shell, SOCKS proxy, and C2 configuration changes.
- to (TooObvious) – Similar to appid but with different hardcoded C2 servers.
- irad (Internet Remote Access Daemon) – Acts as a passive backdoor using packet sniffing via ICMP packets.
- lmpad (Local Memory Patching Attack Daemon) – Uses process injection to evade logging.
- jdosd (Junos Denial of Service Daemon) – A UDP backdoor with remote shell capabilities.
- oemd (Obscure Enigmatic Malware Daemon) – A passive backdoor using TCP to communicate with C2 servers.
Bypassing the Junos OS Security Protections
The attackers have developed methods to execute malware despite Junos OS' Verified Exec (veriexec) protections, which are designed to prevent unauthorized code execution. By obtaining privileged access via a terminal server, they inject malicious payloads into legitimate processes, ensuring persistence while evading detection.
More Tools in the Attack Arsenal
Besides TinyShell backdoors, UNC3886 deploys additional tools:
- Reptile & Medusa – Rootkits for stealthy persistence.
- PITHOOK – Used to hijack SSH authentication and capture credentials.
- GHOSTTOWN – Designed for anti-forensics purposes.
Organizations using Juniper devices are strongly advised to update them to the latest firmware versions to mitigate these threats.
Another Attack, Another Threat Actor?
Interestingly, a separate campaign, dubbed J-Magic, has targeted enterprise-grade Juniper routers using a backdoor variant known as cd00r. However, this activity is attributed to a different China-linked group, UNC4841, with no known ties to UNC3886's targeting of end-of-life Juniper routers.
Exploiting CVE-2025-21590 for Persistence
Juniper Networks has confirmed that the recent infections exploited at least one vulnerability, CVE-2025-21590 (CVSS v4 score: 6.7). This flaw, found in the Junos OS kernel, allows high-privileged attackers to inject arbitrary code, ultimately compromising device integrity.
Patches have been released in Junos OS versions 21.2R3-S9, 21.4R3-S10, 22.2R3-S6, 22.4R3-S6, 23.2R2-S3, 23.4R2-S4, 24.2R1-S2, 24.2R2, and 24.4R1. Organizations must ensure they are running these updated versions.
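Checking a fleet against the fixed releases listed above is awkward because Junos version strings carry a train (major.minor), a release (R) and a service level (S). The script below is an added example, not code from the article or from Juniper: it takes the fixed versions the article names and classifies a running version as patched, affected, or in a train the list does not mention. The version grammar, the rule that earlier releases within a listed train are affected, and the sample inventory are assumptions made for the example.

```python
import re

# Junos OS releases that the article above lists as fixed for CVE-2025-21590.
# Everything else in this block is an assumption for the example: the
# version-string grammar and the "earlier in the same train is affected" rule
# are not stated by the article.
FIXED_VERSIONS = [
    "21.2R3-S9", "21.4R3-S10", "22.2R3-S6", "22.4R3-S6",
    "23.2R2-S3", "23.4R2-S4", "24.2R1-S2", "24.2R2", "24.4R1",
]

# Assumed grammar: <major>.<minor>R<release>[-S<service>], e.g. 22.4R3-S6.
# Other forms (such as "X" feature trains) are rejected rather than guessed at.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?$")


def parse_version(text):
    """Return (major, minor, release, service); a missing -S part counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported Junos version string: {text!r}")
    major, minor, release, service = m.groups()
    return (int(major), int(minor), int(release), int(service or 0))


def _fixed_by_train():
    """Map each (major, minor) train to the lowest fixed (release, service) in it."""
    trains = {}
    for v in FIXED_VERSIONS:
        major, minor, release, service = parse_version(v)
        key = (major, minor)
        if key not in trains or (release, service) < trains[key]:
            trains[key] = (release, service)
    return trains


def patch_status(version):
    """Classify a running Junos version against the fixed list.

    'patched'  - same train as a fixed release and at or above it
    'affected' - same train as a fixed release but below it (assumed affected)
    'unknown'  - a train the fixed list does not mention; consult the vendor
                 advisory rather than assuming either way
    """
    major, minor, release, service = parse_version(version)
    fixed = _fixed_by_train().get((major, minor))
    if fixed is None:
        return "unknown"
    return "patched" if (release, service) >= fixed else "affected"


if __name__ == "__main__":
    # Constructed sample inventory, as might be collected from 'show version'.
    inventory = {
        "edge-rtr-01": "21.4R3-S9",
        "edge-rtr-02": "22.4R3-S6",
        "core-rtr-01": "24.2R1-S1",
        "lab-rtr-01": "20.4R3-S5",
    }
    for host, ver in inventory.items():
        print(f"{host:12} {ver:12} {patch_status(ver)}")
```

The "unknown" result is deliberate: a train absent from the list (for example 20.4 in the sample inventory) may be end-of-life or unaffected, and the script should not silently report it as safe. For the 24.2 train, which has two fixed entries, the lowest one (24.2R1-S2) is the threshold, so both 24.2R1-S3 and 24.2R2 are reported as patched.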
UNC3886: Masters of Stealth and Persistence
UNC3886's expertise in advanced system internals is evident in its strategic use of passive backdoors, log tampering, and forensic evasion. Its primary goal remains long-term persistence while minimizing detection risks, which poses an ongoing and significant cybersecurity challenge.