Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers
April 11, 2025, 4:14 p.m.
Description
Mandiant discovered China-nexus espionage group UNC3886 deploying custom backdoors on Juniper Networks' Junos OS routers in mid-2024. The backdoors were based on the open-source TINYSHELL backdoor and varied in capability, including active and passive backdoor functions and the ability to disable logging on the device. UNC3886 showed deep knowledge of the platform, bypassing Junos OS security controls and injecting malicious code into legitimate processes. The group focused on maintaining long-term network access, targeting defense, technology, and telecommunications organizations in the US and Asia. This activity highlights the ongoing threat of China-nexus actors compromising networking infrastructure with sophisticated malware ecosystems.
Tags
Date
- Created: April 11, 2025, 3:42 p.m.
- Published: April 11, 2025, 3:42 p.m.
- Modified: April 11, 2025, 4:14 p.m.
Indicators
- e1de05a2832437ab70d36c4c05b43c4a57f856289224bbd41182deea978400ed
- c0ec15e08b4fb3730c5695fb7b4a6b85f7fe341282ad469e4e141c40ead310c3
- 98380ec6bf4e03d3ff490cdc6c48c37714450930e4adf82e6e14d244d8373888
- 905b18d5df58dd6c16930e318d9574a2ad793ec993ad2f68bca813574e3d854b
- 7ae38a27494dd6c1bc9ab3c02c3709282e0ebcf1e5fcf59a57dc3ae56cfd13b4
- 5bef7608d66112315eefff354dae42f49178b7498f994a728ae6203a8a59f5a2
- 5995aaff5a047565c0d7fe3c80fa354c40e7e8c3e7d4df292316c8472d4ac67a
- 3751997cfcb038e6b658e9180bc7cce28a3c25dbb892b661bcd1065723f11f7e
- 223.25.78.136
- 158.140.135.244
- 129.126.109.50
- 118.189.188.122
- 116.88.34.184
- 101.100.182.122
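The listing above gives file hashes and IP addresses but says nothing about how to use them. The following is an added example, not code from the Mandiant report or from this page, that turns the listed indicators into a small sweep over exported device logs and a file-hash inventory. The log lines and the inventory line are constructed for illustration (the hash on the inventory line is copied from the list above; the file path is made up), and the Junos-style syslog format is an assumption about what an operator would export, not something the page describes.

```python
"""Sweep log lines and a file-hash inventory for the indicators listed on this page.

Added example, not part of the original report. Sample input is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# SHA-256 file hashes copied verbatim from the indicators list above.
IOC_SHA256 = {
    "e1de05a2832437ab70d36c4c05b43c4a57f856289224bbd41182deea978400ed",
    "c0ec15e08b4fb3730c5695fb7b4a6b85f7fe341282ad469e4e141c40ead310c3",
    "98380ec6bf4e03d3ff490cdc6c48c37714450930e4adf82e6e14d244d8373888",
    "905b18d5df58dd6c16930e318d9574a2ad793ec993ad2f68bca813574e3d854b",
    "7ae38a27494dd6c1bc9ab3c02c3709282e0ebcf1e5fcf59a57dc3ae56cfd13b4",
    "5bef7608d66112315eefff354dae42f49178b7498f994a728ae6203a8a59f5a2",
    "5995aaff5a047565c0d7fe3c80fa354c40e7e8c3e7d4df292316c8472d4ac67a",
    "3751997cfcb038e6b658e9180bc7cce28a3c25dbb892b661bcd1065723f11f7e",
}

# IPv4 addresses copied verbatim from the indicators list above.
IOC_IPV4 = {
    "223.25.78.136",
    "158.140.135.244",
    "129.126.109.50",
    "118.189.188.122",
    "116.88.34.184",
    "101.100.182.122",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


@dataclass(frozen=True)
class Match:
    line_no: int     # 1-based line number in the scanned input
    kind: str        # "ip" or "sha256"
    indicator: str   # the indicator that hit, normalised to lowercase
    line: str        # the full source line, kept for the analyst


def scan_lines(lines):
    """Return every indicator hit in the given lines, in input order."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            try:
                ipaddress.IPv4Address(ip)   # drop things like 999.1.1.1
            except ValueError:
                continue
            if ip in IOC_IPV4:
                hits.append(Match(n, "ip", ip, line))
        for h in SHA256_RE.findall(line):
            h = h.lower()   # hashes are often exported in uppercase
            if h in IOC_SHA256:
                hits.append(Match(n, "sha256", h, line))
    return hits


def summarize(hits):
    """Count hits per indicator kind, e.g. {'ip': 2, 'sha256': 1}."""
    counts = {}
    for m in hits:
        counts[m.kind] = counts.get(m.kind, 0) + 1
    return counts


# Constructed sample input: three Junos-style syslog lines (format assumed)
# and one line from a hypothetical file-hash inventory. Not real device output.
SAMPLE_INPUT = [
    "Jun  3 02:14:07 core-rtr1 sshd[4121]: Accepted publickey for admin from 223.25.78.136 port 40312 ssh2",
    "Jun  3 02:14:09 core-rtr1 sshd[4121]: Accepted publickey for admin from 10.0.12.7 port 40313 ssh2",
    "Jun  3 02:20:41 core-rtr1 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.0.12.7/51122->158.140.135.244/443",
    "inventory: /var/tmp/.cache/bin sha256=E1DE05A2832437AB70D36C4C05B43C4A57F856289224BBD41182DEEA978400ED",
]

if __name__ == "__main__":
    found = scan_lines(SAMPLE_INPUT)
    for m in found:
        print(f"line {m.line_no}: {m.kind} {m.indicator}")
    print(summarize(found))
```

The page lists the IP addresses without saying what role each played, so treat a hit as a lead to investigate (session timing, account used, what was transferred) rather than as confirmation of compromise; the hash matches are stronger, but a hash sweep only sees files the inventory was able to read, which matters on a device where the actor is described as injecting into legitimate processes and disabling logging.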
Attack Patterns
- GHOSTTOWN
- PITHOOK
- SEAELF
- MEDUSA
- TINYSHELL
- REPTILE
- UNC3886
Additional Information
- Technology
- Defense
- Telecommunications