Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers
March 12, 2025, 4:27 p.m.
Description
China-nexus espionage group UNC3886 has been discovered deploying custom backdoors on Juniper Networks' Junos OS routers. The attackers used TINYSHELL-based backdoors with varying capabilities, including active and passive functions, and an embedded script to disable logging. The group demonstrated advanced knowledge of system internals and focused on maintaining long-term access while minimizing detection risk. UNC3886 targeted defense, technology, and telecommunication organizations in the US and Asia, leveraging legitimate credentials for initial access. The malware ecosystem included six distinct samples, each with unique features for bypassing security measures and maintaining persistence. The activity highlights the ongoing trend of targeting networking infrastructure for espionage purposes.
Tags
Date
- Created: March 12, 2025, 2:52 p.m.
- Published: March 12, 2025, 2:52 p.m.
- Modified: March 12, 2025, 4:27 p.m.
Indicators
- e1de05a2832437ab70d36c4c05b43c4a57f856289224bbd41182deea978400ed
- c0ec15e08b4fb3730c5695fb7b4a6b85f7fe341282ad469e4e141c40ead310c3
- 98380ec6bf4e03d3ff490cdc6c48c37714450930e4adf82e6e14d244d8373888
- 905b18d5df58dd6c16930e318d9574a2ad793ec993ad2f68bca813574e3d854b
- 7ae38a27494dd6c1bc9ab3c02c3709282e0ebcf1e5fcf59a57dc3ae56cfd13b4
- 5bef7608d66112315eefff354dae42f49178b7498f994a728ae6203a8a59f5a2
- 5995aaff5a047565c0d7fe3c80fa354c40e7e8c3e7d4df292316c8472d4ac67a
- 3751997cfcb038e6b658e9180bc7cce28a3c25dbb892b661bcd1065723f11f7e
- 158.140.135.244
- 129.126.109.50
- 118.189.188.122
- 116.88.34.184
- 101.100.182.122
Attack Patterns
- GHOSTTOWN
- PITHOOK
- BUSYBOX
- SEAELF
- MEDUSA
- GOBRAT
- TINYSHELL
- REPTILE
- UNC3886
- T1021.004
- T1505.003
- T1070.002
- T1018
- T1136
- T1571
- T1014
- T1555
- T1070.004
- T1562.001
- T1005
- T1082
- T1105
- T1083
- T1055
- T1190
- T1133
- T1078
- T1003
- CVE-2022-41328
Additional Information
- Technology
- Defense
- Telecommunications