Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
Mandiant discovered China-nexus espionage group UNC3886 deploying custom backdoors on Juniper Networks' Junos OS routers in mid-2024. The actor used TINYSHELL-based backdoors with various capabilities, including active and passive functions and log disabling. UNC3886 demonstrated advanced system knowledge, bypassing Junos OS security measures and injecting malicious code into legitimate processes. The group focused on maintaining long-term network access, targeting defense, technology, and telecommunication organizations in the US and Asia. This activity highlights the ongoing threat of China-nexus actors compromising networking infrastructure with sophisticated malware ecosystems.
OPENCTI LABELS:
china, espionage, process injection, medusa, backdoors, routers, pithook, tinyshell, network infrastructure, reptile, juniper, seaelf, ghosttown, cve-2025-21590