RedPenguin

The RedPenguin project was launched by Juniper in July 2024 to investigate reported malware infections of Juniper MX Series routers. RedPenguin activity was separately attributed to UNC3886 and included the deployment of multiple custom versions of the publicly-available TINYSHELL backdoor on Juniper routers.[1][2]

ID: C0056
First Seen:  July 2024 [1][2]
Last Seen:  March 2025 [1][2]
Version: 1.0
Created: 24 June 2025
Last Modified: 24 October 2025

Groups

ID Name Description
G1048 UNC3886

In mid-2024 Mandiant identified custom TINYSHELL-based backdoors deployed on Juniper Networks’ Junos OS routers. Mandiant attributed these backdoors to the China-nexus espionage group UNC3886.[2]

Techniques Used

Domain ID Name Use
Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

During RedPenguin, UNC3886 used malware capable of launching an interactive shell.[2][1]

.008 Command and Scripting Interpreter: Network Device CLI

During RedPenguin, UNC3886 accessed the Junos OS CLI on targeted devices.[2][1]

Enterprise T1554 Compromise Host Software Binary

During RedPenguin, UNC3886 performed a local memory patching attack to modify the snmpd and mgd Junos OS daemons.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

During RedPenguin, UNC3886 used malware implants to deobfuscate incoming C2 messages and encoded archives.[2][1]

Enterprise T1587 .001 Develop Capabilities: Malware

During RedPenguin, UNC3886 deployed custom malware based on the publicly-available TINYSHELL backdoor.[2][3]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

During RedPenguin, UNC3886 malware used the RC4 cipher to encrypt outgoing C2 messages.[1]

Enterprise T1041 Exfiltration Over C2 Channel

During RedPenguin, UNC3886 uploaded specified files from compromised devices to a remote server.[2]

Enterprise T1203 Exploitation for Client Execution

During RedPenguin, UNC3886 exploited CVE-2025-21590 to bypass Veriexec protections in Junos OS designed to prevent unauthorized binary execution.[2][1]

Enterprise T1562 .003 Impair Defenses: Impair Command History Logging

During RedPenguin, UNC3886 used malware to clear the HISTFILE environment variable and to inject into Junos OS processes to inhibit logging.[2][1]

Enterprise T1070 .004 Indicator Removal: File Deletion

During RedPenguin, UNC3886 used malware capable of removing scripts after execution.[2]

.007 Indicator Removal: Clear Network Connection History and Configurations

During RedPenguin, UNC3886 used an implant to delete logs associated with unauthorized access to targeted Junos OS devices.[1]

Enterprise T1105 Ingress Tool Transfer

During RedPenguin, UNC3886 used backdoor malware capable of downloading files to compromised infrastructure.[2]

Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

During RedPenguin, UNC3886 created multiple strains of malware using names to mimic legitimate binaries such as appid, to, irad, lmpad, jdosd, and oemd.[2]

Enterprise T1104 Multi-Stage Channels

During RedPenguin, UNC3886 used malware with separate channels to request and carry out tasks from C2.[2]

Enterprise T1040 Network Sniffing

During RedPenguin, UNC3886 used a passive backdoor to act as a libpcap-based packet sniffer.[2]

Enterprise T1095 Non-Application Layer Protocol

During RedPenguin, UNC3886 leveraged malware that used UDP and TCP sockets for C2.[2][3][1]

Enterprise T1571 Non-Standard Port

During RedPenguin, UNC3886 used a backdoor that binds to port 45678 by default.[2]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

During RedPenguin, UNC3886 generated Base64-encoded files in the FreeBSD shell environment of targeted Juniper devices.[2][1]

Enterprise T1057 Process Discovery

During RedPenguin, UNC3886 used malware capable of reading the PID for the Junos OS snmpd daemon.[1]

Enterprise T1055 Process Injection

During RedPenguin, UNC3886 exploited CVE-2025-21590 to enable malicious code injection into the memory of legitimate processes.[2][1]

Enterprise T1090 Proxy

During RedPenguin, UNC3886 used malware capable of establishing a SOCKS proxy connection to a specified IP and port.[2][1]

.003 Multi-hop Proxy

During RedPenguin, UNC3886 used infrastructure associated with operational relay box (ORB) networks.[2]

Enterprise T1014 Rootkit

During RedPenguin, UNC3886 used rootkits such as REPTILE and MEDUSA.[2]

Enterprise T1016 System Network Configuration Discovery

During RedPenguin, UNC3886 leveraged Junos OS CLI queries to obtain the interface index, which contains system and network details.[2][1]

Enterprise T1205 Traffic Signaling

During RedPenguin, UNC3886 leveraged malware capable of inspecting packets for a magic string to activate backdoor functionality.[2]

Enterprise T1078 Valid Accounts

During RedPenguin, UNC3886 used legitimate credentials to gain privileged access to Juniper routers.[2][3]

Software

ID Name Description
S1220 MEDUSA

MEDUSA was used for command execution and persistence during RedPenguin.[2]

S1219 REPTILE

REPTILE was used for command execution and persistence during RedPenguin.[2]

References