- Also known as CAULDRON PANDA
- Suspected to be a China-nexus APT group per Mandiant attribution
Note
Mandiant has not identified any technical overlaps between activities by UNC3886 and those publicly reported by other parties as Volt Typhoon or Salt Typhoon
| ATT&CK ID | Activity Description | Observables |
|---|---|---|
| T1190: Exploit Public-Facing Application | The attacker has used exploits in Fortinet devices, such as FortiGate, FortiManager, and FortiAnalyzer as well as VMware vCenter servers. | CVE-2022-41328 (FortiOS), CVE-2023-34048 (VMware vCenter) |
| T1078: Valid Accounts | UNC3886 gained privileged access to a Juniper router from a terminal server used for managing network devices using legitimate credentials. | N/A |
| T1059.008: Command and Scripting Interpreter: Network Device CLI | UNC3886 entered the FreeBSD shell from the Junos OS CLI. | N/A |
| T1140: Deobfuscate/Decode Files or Information | UNC3886 used Base64 encoding to conceal a compressed archive containing malicious binaries, which was later decoded and extracted for execution. | A Base64-encoded file ldb.b64 was decoded into a compressed archive ldb.tar.gz, which was then decompressed and extracted to reveal malicious binaries. |
| T1055.009: Process Injection: Proc Memory | UNC3886 was able to circumvent the veriexec protection by injecting malicious code into the memory of a legitimate process (CVE-2025-21590). | UNC3886 injected malicious payloads into a newly spawned cat process. |
| T1036.005: Masquerading: Match Legitimate Name or Location | UNC3886 used a TINYSHELL-based active backdoor which mimicked a legitimate binaries. | This includes appidd (Application Identification Daemon), to (Table of Processes), irsd (Interface Replication and Synchronization Daemon), lmpd (Link Management Protocol Daemon), jddosd (Juniper DDOS protection Daemon), oamd (Operation, Administration and Maintenance Daemon) |
| T1059.004: Command and Scripting Interpreter: Unix Shell | TINYSHELL is able to perform remote file uploads and downloads and establish remote shell sessions. | tshd_get_file (Sends a file to the server), tshd_put_file (Downloads a file from the server), tshd_runshell (Launches an interactive /bin/sh shell session), tshd_setproxy (Establish a Socks proxy to a given IP+port number), tshd_config (Change Configuration Menu) |
| T1090: Proxy | UNC3886 added a custom command to TINYSHELL to establish a Socks proxy to a given IP+port number | tshd_setproxy |
| T1205.002: Traffic Signaling: Socket Filters | The custom irad version of the TINYSHELL-based passive backdoor acts as a libpcap-based packet sniffer and receives commands by inspecting packets on the wire looking for a magic-string that activates its backdoor capabilities |
The malware uses libpcap library to capture all network packets on the host. |
| T1095: Non-Application Layer Protocol | The irad malware captures all network packets on the host matching a specified BPF filter and reads data from the ICMP packet. The custom impad version of TINYSHELL launches an interactive /bin/csh session over the UDP connection |
The irad malware will spawn a listening server on TCP port 31234 (passive mode). The jdosd malware binds to UDP port 33512. |
| T1573: Encrypted Channel | The irad malware encrypts C2 communications using AES and HMAC. It uses a hardcoded key string to derive session keys. |
N/A |
| T1562.003: Impair Defenses: Impair Command History Logging | The custom impad version of TINYSHELL was designed to disable all possible logging before the operator connects to the router to perform hands-on activities and then later restore the logs after the operator disconnects. |
It redirects all logging to /dev/null and sends a a HUP (hangup) signal to the eventd daemon (which is responsible for logging). |
| T1563.001: Remote Service Session Hijacking: SSH Hijacking | UNC3886 deployed PITHOOK along with a custom SSH server based on the publicly available wzshiming/sshd project to hijack SSH authentications and capture SSH credentials. |
N/A |
| T1601: Modify System Image | Accessing Junos OS shell mode allows the attacker to perform system-level operations, which could include modifying configuration files or even replacing system images. | Mandiant observed the TACACS+ daemon binary replaced by a backdoored version of the binary with similar malicious functions for capturing credentials. |
- https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-targets-juniper-routers
- https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
- https://cloud.google.com/blog/topics/threat-intelligence/esxi-hypervisors-malware-persistence
- https://cloud.google.com/blog/topics/threat-intelligence/fortinet-malware-ecosystem
- https://www.fortinet.com/blog/psirt-blogs/fg-ir-22-369-psirt-analysis
- https://github.com/creaktive/tsh
- https://github.com/wzshiming/sshd