
Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY:

China-nexus espionage group UNC3886 has been discovered deploying custom backdoors on Juniper Networks' Junos OS routers. The attackers used TINYSHELL-based backdoors with varying capabilities, including active and passive functions, and an embedded script to disable logging. The group demonstrated advanced knowledge of system internals and focused on maintaining long-term access while minimizing detection risk. UNC3886 targeted defense, technology, and telecommunication organizations in the US and Asia, leveraging legitimate credentials for initial access. The malware ecosystem included six distinct samples, each with unique features for bypassing security measures and maintaining persistence. The activity highlights the ongoing trend of targeting networking infrastructure for espionage purposes.

OPENCTI LABELS:

espionage, persistence, medusa, backdoors, routers, gobrat, china-nexus, pithook, tinyshell, network infrastructure, reptile, juniper, seaelf, busybox, ghosttown


Open in the NetmanageIT OpenCTI public instance with the link below.


NOTE: Use the public read-only user credentials (username and password) shown on the login page banner.


Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers