UNC3886

UNC3886 is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan (APJ) regions. UNC3886 has displayed a deep understanding of edge devices and virtualization technologies through the exploitation of zero-day vulnerabilities and the use of novel malware families and utilities.[1][2]

ID: G1048
Version: 1.0
Created: 29 May 2025
Last Modified: 24 October 2025

Techniques Used

Domain ID Name Use
Enterprise T1548 Abuse Elevation Control Mechanism

UNC3886 has used vSphere Installation Bundles (VIBs) that contained modified descriptor XML files with the acceptance-level set to partner, which allowed for privilege escalation.[5]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

UNC3886 has used Gzip and the Windows command makecab to compress files and stolen credentials from victim systems.[5][6]

.003 Archive Collected Data: Archive via Custom Method

UNC3886 has XOR encrypted and Gzip compressed captured credentials.[6]

Enterprise T1037 Boot or Logon Initialization Scripts

UNC3886 has attempted to bypass digital signature verification checks at startup by adding a command to the startup config /etc/init.d/localnet within the rootfs.gz archive of both FortiManager and FortiAnalyzer devices.[1]

.004 RC Scripts

UNC3886 has placed a bash installation script into /etc/rc.local.d/ to establish persistence.[5]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

UNC3886 has used a PowerShell script to search memory dumps for credentials.[5]

.003 Command and Scripting Interpreter: Windows Command Shell

UNC3886 has executed Windows commands on guest virtual machines through vmtoolsd.exe.[5]

.004 Command and Scripting Interpreter: Unix Shell

UNC3886 has used a bash script to install malicious vSphere Installation Bundles (VIBs).[5]

During RedPenguin, UNC3886 used malware capable of launching an interactive shell.[4][3]

.006 Command and Scripting Interpreter: Python

UNC3886 has used Python scripts to enumerate ESXi hosts and guest VMs.[2]

.008 Command and Scripting Interpreter: Network Device CLI

During RedPenguin, UNC3886 accessed the Junos OS CLI on targeted devices.[4][3]

.012 Command and Scripting Interpreter: Hypervisor CLI

UNC3886 has used the esxcli command line utility to modify firewall rules, install malware, and for artifact removal.[5][2]

Enterprise T1554 Compromise Host Software Binary

UNC3886 has trojanized Fortinet firmware and replaced the legitimate /usr/bin/tac_plus TACACS+ daemon for Linux with a malicious version containing credential logging functionality.[6][1]

During RedPenguin, UNC3886 performed a local memory patching attack to modify the snmpd and mgd Junos OS daemons.[3]

Enterprise T1555 .005 Credentials from Password Stores: Password Managers

UNC3886 has targeted KeePass password database files for credential access.[5]

Enterprise T1074 .001 Data Staged: Local Data Staging

UNC3886 has staged captured credentials in var/log/ldapd<unique_keyword>.2.gz.[6]

Enterprise T1140 Deobfuscate/Decode Files or Information

During RedPenguin, UNC3886 used malware implants to deobfuscate incoming C2 messages and encoded archives.[4][3]

Enterprise T1587 .001 Develop Capabilities: Malware

UNC3886 has deployed custom malware families on Fortinet and VMware systems.[1]

During RedPenguin, UNC3886 deployed custom malware based on the publicly-available TINYSHELL backdoor.[4][7]

.004 Develop Capabilities: Exploits

UNC3886 has used zero-day vulnerabilities CVE-2022-41328 against FortiOS and CVE-2023-20867 and CVE-2023-34048 against VMware vCenter.[2][6][1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

During RedPenguin, UNC3886 malware used the RC4 cipher to encrypt outgoing C2 messages.[3]

Enterprise T1675 ESXi Administration Command

UNC3886 used vmtoolsd.exe to run commands on guest virtual machines from a compromised ESXi host.[5][2][6][1]

Enterprise T1041 Exfiltration Over C2 Channel

During RedPenguin, UNC3886 uploaded specified files from compromised devices to a remote server.[4]

Enterprise T1190 Exploit Public-Facing Application

UNC3886 has exploited CVE-2022-42475 in FortiOS SSL VPNs to obtain access.[6][1]

Enterprise T1203 Exploitation for Client Execution

UNC3886 has exploited CVE-2023-34048 to enable command execution on vCenter servers and CVE-2023-20867 in VMware Tools to execute unauthenticated Guest Operations from ESXi hosts to guest VMs.[6]

During RedPenguin, UNC3886 exploited CVE-2025-21590 to bypass Veriexec protections in Junos OS designed to prevent unauthorized binary execution.[4][3]

Enterprise T1212 Exploitation for Credential Access

UNC3886 exploited CVE-2022-22948 in VMware vCenter to obtain encrypted credentials from the vCenter postgresDB.[6]

Enterprise T1068 Exploitation for Privilege Escalation

UNC3886 has exploited zero-day vulnerability CVE-2023-20867 to enable execution of privileged commands across Windows, Linux, and PhotonOS (vCenter) guest VMs.[2]

Enterprise T1008 Fallback Channels

UNC3886 has employed layers of redundancy to maintain access to compromised environments including network devices, hypervisors, and virtual machines.[6]

Enterprise T1083 File and Directory Discovery

UNC3886 has used vmtoolsd.exe to enumerate files on guest machines.[5][2]

Enterprise T1564 .011 Hide Artifacts: Ignore Process Interrupts

UNC3886 modified the startup file /etc/init.d/localnet to execute the line nohup /bin/support & so the script would run when the system was rebooted.[1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

UNC3886 has disabled OpenSSL digital signature verification of system files through corruption of boot files.[1]

.003 Impair Defenses: Impair Command History Logging

UNC3886 has tampered with and disabled logging services on targeted systems.[2]

During RedPenguin, UNC3886 used malware to clear the HISTFILE environment variable and to inject into Junos OS processes to inhibit logging.[4][3]

.004 Impair Defenses: Disable or Modify System Firewall

UNC3886 has used the TABLEFLIP traffic redirection utility and the esxcli command line to modify firewall rules.[5][2][1]

Enterprise T1070 .004 Indicator Removal: File Deletion

UNC3886 has used the esxcli command line to remove files created by malicious vSphere Installation Bundles from disk.[5][1]

During RedPenguin, UNC3886 used malware capable of removing scripts after execution.[4]

.006 Indicator Removal: Timestomp

UNC3886 has used scripts to timestomp ESXi hosts prior to installing malicious vSphere Installation Bundles (VIBs).[2]

.007 Indicator Removal: Clear Network Connection History and Configurations

UNC3886 has cleared specific events that contained the threat actor’s IP address from multiple log sources.[1]

During RedPenguin, UNC3886 used an implant to delete logs associated with unauthorized access to targeted Junos OS devices.[3]

Enterprise T1105 Ingress Tool Transfer

During RedPenguin, UNC3886 used backdoor malware capable of downloading files to compromised infrastructure.[4]

Enterprise T1570 Lateral Tool Transfer

UNC3886 has utilized Python scripts to transfer files between ESXi hosts and guest VMs.[2]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

UNC3886 has named a file ‘fgfm’ in an attempt to disguise it as the legitimate service ‘fgfmd’ which facilitates communication between FortiManager and the FortiGate firewall.[1]

.005 Masquerading: Match Legitimate Resource Name or Location

During RedPenguin, UNC3886 created multiple strains of malware using names to mimic legitimate binaries such as appid, to, irad, lmpad, jdosd, and oemd.[4]

Enterprise T1104 Multi-Stage Channels

During RedPenguin, UNC3886 used malware with separate channels to request and carry out tasks from C2.[4]

Enterprise T1040 Network Sniffing

UNC3886 has used the LOOKOVER sniffer to sniff TACACS+ authentication packets.[6]

During RedPenguin, UNC3886 used a passive backdoor to act as a libpcap-based packet sniffer.[4]

Enterprise T1095 Non-Application Layer Protocol

UNC3886 has deployed backdoors that communicate over TCP to compromised network devices and over VMCI to ESXi hosts.[2][6][1]

During RedPenguin, UNC3886 leveraged malware that used UDP and TCP sockets for C2.[4][7][3]

Enterprise T1571 Non-Standard Port

During RedPenguin, UNC3886 used a backdoor that binds to port 45678 by default.[4]

Enterprise T1027 .005 Obfuscated Files or Information: Indicator Removal from Tools

UNC3886 has replaced atomic indicators mentioned in threat intelligence publications, sometimes as quickly as under a week after release.[2]

.013 Obfuscated Files or Information: Encrypted/Encoded File

During RedPenguin, UNC3886 generated Base64-encoded files in the FreeBSD shell environment of targeted Juniper devices.[4][3]

Enterprise T1588 .001 Obtain Capabilities: Malware

UNC3886 has used the publicly available rootkits REPTILE and MEDUSA.[6]

.004 Obtain Capabilities: Digital Certificates

UNC3886 has deployed malware using the victim's legitimate TLS certificate obtained from a compromised FortiGate device.[6]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

UNC3886 has used MiniDump to dump process memory and search for cleartext credentials.[5]

Enterprise T1057 Process Discovery

UNC3886 has run scripts to list all running processes on a guest VM from an ESXi host.[2]

During RedPenguin, UNC3886 used malware capable of reading the PID for the Junos OS snmpd daemon.[3]

Enterprise T1055 Process Injection

During RedPenguin, UNC3886 exploited CVE-2025-21590 to enable malicious code injection into the memory of legitimate processes.[4][3]

Enterprise T1090 Proxy

During RedPenguin, UNC3886 used malware capable of establishing a SOCKS proxy connection to a specified IP and port.[4][3]

.003 Multi-hop Proxy

During RedPenguin, UNC3886 used infrastructure associated with operational relay box (ORB) networks.[4]

Enterprise T1021 .004 Remote Services: SSH

UNC3886 has established remote SSH access to targeted ESXi hosts.[2][1]

Enterprise T1014 Rootkit

UNC3886 has used the publicly available rootkits REPTILE and MEDUSA on targeted VMs.[6]

During RedPenguin, UNC3886 used rootkits such as REPTILE and MEDUSA.[4]

Enterprise T1681 Search Threat Vendor Data

UNC3886 has replaced indicators mentioned in open-source threat intelligence publications at times under a week after their release.[2]

Enterprise T1505 .006 Server Software Component: vSphere Installation Bundles

UNC3886 has used vSphere Installation Bundles (VIBs) to install malware and establish persistence across ESXi hypervisors.[5][2][1]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

UNC3886 has used rundll32.exe to execute MiniDump for dumping LSASS process memory.[5]

Enterprise T1016 System Network Configuration Discovery

During RedPenguin, UNC3886 leveraged Junos OS CLI queries to obtain the interface index, which contains system and network details.[4][3]

Enterprise T1124 System Time Discovery

UNC3886 has used installation scripts to collect the system time on targeted ESXi hosts.[2]

Enterprise T1205 Traffic Signaling

UNC3886 has used the TABLEFLIP traffic redirection utility to listen for specialized command packets on compromised FortiManager devices.[1]

During RedPenguin, UNC3886 leveraged malware capable of inspecting packets for a magic string to activate backdoor functionalities.[4]

.001 Port Knocking

UNC3886 maintained persistence on FortiGate Firewalls through ICMP port knocking.[1]

Enterprise T1078 Valid Accounts

UNC3886 has used tools to hijack valid SSH accounts.[6]

During RedPenguin, UNC3886 used legitimate credentials to gain privileged access to Juniper routers.[4][7]

.001 Default Accounts

UNC3886 has harvested and used vCenter Server service accounts.[2]

Enterprise T1673 Virtual Machine Discovery

UNC3886 has used scripts to enumerate ESXi hypervisors and their guest VMs.[2]

Software

ID Name References Techniques
S1224 CASTLETAP [1] Command and Scripting Interpreter: Unix Shell, Data from Local System, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Network Sniffing, Traffic Signaling: Socket Filters
S1220 MEDUSA [6] Hijack Execution Flow: Dynamic Linker Hijacking, Obfuscated Files or Information: Encrypted/Encoded File, Remote Service Session Hijacking: SSH Hijacking, Rootkit
S1221 MOPSLED [6] Application Layer Protocol: Web Protocols, Deobfuscate/Decode Files or Information, Non-Application Layer Protocol, Obfuscated Files or Information: Encrypted/Encoded File, Web Service, Web Service: Dead Drop Resolver
S1219 REPTILE [6] Boot or Logon Autostart Execution: Kernel Modules and Extensions, Command and Scripting Interpreter: Unix Shell, Create or Modify System Process: Launch Daemon, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Udev Rules, Hide Artifacts: Hidden Files and Directories, Non-Application Layer Protocol, Rootkit, Traffic Signaling: Port Knocking, Traffic Signaling
S1222 RIFLESPINE [6] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Unix Shell, Create or Modify System Process: Systemd Service, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Ingress Tool Transfer, System Information Discovery, Web Service: Bidirectional Communication
S1223 THINCRUST [1] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Python, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Impair Defenses: Disable or Modify System Firewall
S1218 VIRTUALPIE [5][2][6][1] Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Hypervisor CLI, Encrypted Channel: Symmetric Cryptography, Lateral Tool Transfer, Non-Standard Port, Server Software Component: vSphere Installation Bundles
S1217 VIRTUALPITA [5][2][1] Boot or Logon Initialization Scripts, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Unix Shell, ESXi Administration Command, Impair Defenses: Impair Command History Logging, Ingress Tool Transfer, Lateral Tool Transfer, Masquerading: Masquerade Task or Service, Masquerading: Match Legitimate Resource Name or Location, Non-Standard Port, Service Stop, Virtual Machine Discovery
