In mid-2024 Mandiant identified custom TINYSHELL-based backdoors deployed on Juniper Networks’ Junos OS routers. Mandiant attributed these backdoors to the China-nexus espionage groupUNC3886.^[4]

UNC3886 has used vSphere Installation Bundles (VIBs) that contained modified descriptor XML files with theacceptance-level set topartner which allowed for privilege escalation.^[5]

UNC3886 has used Gzip and the Windows commandmakecab to compress files and stolen credentials from victim systems.^[5][6]

UNC3886 has XOR encrypted and Gzip compressed captured credentials.^[6]

UNC3886 has attempted to bypass digital signature verification checks at startup by adding a command to the startup config/etc/init.d/localnet within the rootfs.gz archive of both FortiManager and FortiAnalyzer devices.^[1]

UNC3886 has placed a bash installation script into/etc/rc.local.d/ to establish persistence.^[5]

UNC3886 has used a PowerShell script to search memory dumps for credentials.^[5]

UNC3886 has executed Windows commands on guest virtual machines throughvmtoolsd.exe.^[5]

UNC3886 has used a bash script to install malicious vSphere Installation Bundles (VIBs).^[5]

DuringRedPenguin,UNC3886 used malware capable of launching an interactive shell.^[4][3]

UNC3886 has used Python scripts to enumerate ESXi hosts and guest VMs.^[2]

DuringRedPenguin,UNC3886 accessed the Junos OS CLI on targeted devices.^[4][3]

UNC3886 has used the esxcli command line utility to modify firewall rules, install malware, and for artifact removal.^[5][2]

UNC3886 has trojanized Fortinet firmware and replaced the legitimate/usr/bin/tac_plus TACACS+ daemon for Linux with a malicious version containing credential logging functionality.^[6][1]

DuringRedPenguin,UNC3886 peformed a local memory patching attack to modify the snmpd and mgd Junos OS daemons.^[3]

UNC3886 has targeted KeyPass password database files for credential access.^[5]

UNC3886 has staged captured credentials invar/log/ldapd<unique_keyword>.2.gz.^[6]

DuringRedPenguin,UNC3886 used malware implants to deobfuscate incoming C2 messages and encoded archives.^[4][3]

UNC3886 has deployed custom malware families on Fortinet and VMware systems.^[1]

DuringRedPenguin,UNC3886 deployed custom malware based on the publicly-available TINYSHELL backdoor.^[4][7]

UNC3886 has used zero-day vulnerabilities CVE-2022-41328 against FortiOS and CVE-2023-20867 and CVE-2023-34048 against VMware vCenter.^[2][6][1]

DuringRedPenguin,UNC3886 malware used the RC4 cipher to encrypt outgoing C2 messages.^[3]

UNC3886 usedvmtoolsd.exe to run commands on guest virtual machines from a compromised ESXi host.^[5][2][6][1]

DuringRedPenguin,UNC3886 uploaded specified files from compromised devices to a remote server.^[4]

UNC3886 has exploited CVE-2022-42475 in FortiOS SSL VPNs to obtain access.^[6][1]

UNC3886 has exoloited CVE-2023-34048 to enable command execution on vCenter servers and CVE-2023-20867 in VMware Tools to execute unauthenticated Guest Operations from ESXi hosts to guest VMs.^[6]

DuringRedPenguin,UNC3886 exploited CVE-2025-21590 to bypass Veriexec protections in Junos OS designed to prevent unauthorized binary execution.^[4][3]

UNC3886 exploited CVE-2022-22948 in VMware vCenter to obtain encrypted credentials from the vCenter postgresDB.^[6]

UNC3886 has exploited zero-day vulnerability CVE-2023-20867 to enable execution of privileged commands across Windows, Linux, and PhotonOS (vCenter) guest VMs.^[2]

UNC3886 has employed layers of redundancy to maintain access to compromised environments including network devices, hypervisors, and virtual machines.^[6]

UNC3886 has usedvmtoolsd.exe to enumerate files on guest machines.^[5][2]

UNC3886 modified the startup file/etc/init.d/localnet to execute the linenohup /bin/support & so the script would run when the system was rebooted.^[1]

UNC3886 has disabled OpenSSL digital signature verification of system files through corruption of boot files.^[1]

UNC3886 has tampered with and disabled logging services on targeted systems.^[2]

DuringRedPenguin,UNC3886 used malware to clear theHISTFILE environmental vaiable and to inject into Junos OS processes to inhibit logging.^[4][3]

UNC3886 has used the TABLEFLIP traffic redirection utility and the esxcli command line to modify firewall rules.^[5][2][1]

UNC3886 has used the the esxcli command line to remove files created by malicious vSphere Installation Bundles from disk.^[5][1]

DuringRedPenguin,UNC3886 used malware capaple of removing scripts after execution.^[4]

UNC3886 has used scripts to timestomp ESXi hosts prior to installing malicious vSphere Installation Bundles (VIBs).^[2]

UNC3886 has cleared specific events that contained the threat actor’s IP address from multiple log sources.^[1]

DuringRedPenguin,UNC3886 used an implant to delete logs associated with unauthorized access to targeted Junos OS devices.^[3]

DuringRedPenguin,UNC3886 used backdoor malware capable of downloading files to compromised infrastructure.^[4]

UNC3886 has utilzed Python scripts to transfer files between ESXi hosts and guest VMs.^[2]

UNC3886 has named a file ‘fgfm’ in an attempt to disguise it as the legitimate service ‘fgfmd’ which facilitates communication between FortiManager and the FortiGate firewall.^[1]

DuringRedPenguin,UNC3886 created multiple strains of malware using names to mimic legitimate binaries such as appid, to, irad, lmpad, jdosd, and oemd.^[4]

DuringRedPenguin,UNC3886 used malware with separate channels to request and carry out tasks from C2.^[4]

UNC3886 has used the LOOKOVER sniffer to sniff TACACS+ authentication packets.^[6]

DuringRedPenguin,UNC3886 used a passive backdoor to act as a libpcap-based packet sniffer.^[4]

UNC3886 has deployed backdoors that communicate over TCP to compromised network devices and over VMCI to ESXi hosts.^[2][6][1]

DuringRedPenguin,UNC3886 leveraged malware that used UDP and TCP sockets for C2.^[4][7][3]

DuringRedPenguin,UNC3886 used a backdoor that binds to port 45678 by default.^[4]

UNC3886 has replaced atomic indicators mentioned in threat intelligence publications, sometimes as quickly as under a week after release.^[2]

DuringRedPenguin,UNC3886 generated Base64-encoded files in the FreeBSD shell environment of targeted Juniper devices.^[4][3]

UNC3886 has used the publicly available rootkitsREPTILE andMEDUSA.^[6]

UNC3886 has deployed malware using the victim's legitimate TLS certificate obtained from a compromised FortiGate device.^[6]

UNC3886 has used MiniDump to dump process memory and search for cleartext credentials.^[5]

UNC3886 has run scripts to list all running processes on a guest VM from an ESXi host.^[2]

DuringRedPenguin,UNC3886 used malware capable of reading the PID for the Junos OS snmpd daemon.^[3]

DuringRedPenguin,UNC3886 exploited CVE-2025-21590 to enable malicious code injection into the memory of legitimate processes.^[4][3]

DuringRedPenguin,UNC3886 used malware capable of establishing a SOCKS proxy connection to a specified IP and port.^[4][3]

DuringRedPenguin,UNC3886 used infrastructure associated with operational relay box (ORB) networks.^[4]

UNC3886 has established remote SSH access to targeted ESXi hosts.^[2][1]

UNC3886 has used the publicly available rootkitsREPTILE andMEDUSA on targeted VMs.^[6]

DuringRedPenguin,UNC3886 used rootkits such asREPTILE andMEDUSA.^[4]

UNC3886 has replaced indicators mentioned in open-source threat intelligence publications at times under a week after their release.^[2]

UNC3886 has used vSphere Installation Bundles (VIBs) to install malware and establish persistence across ESXi hypervisors.^[5][2][1]

UNC3886 has used rundll32.exe to execute MiniDump for dumping LSASS process memory.^[5]

DuringRedPenguin,UNC3886 leveraged JunoOS CLI queries to obtain the interface index which contains system and network details.^[4][3]

UNC3886 has used installation scripts to collect the system time on targeted ESXi hosts.^[2]

UNC3886 has used the TABLEFLIP traffic redirection utility to listen for specialized command packets on compromised FortiManager devices.^[1]

DuringRedPenguin,UNC3886 leveraged malware capable of inpecting packets for a magic-string to activate backdoor functionalities.^[4]

UNC3886 maintained persistence on FortiGate Firewalls through ICMP port knocking.^[1]

UNC3886 has used tools to hijack valid SSH accounts.^[6]

DuringRedPenguin,UNC3886 used legitimate credentials to gain priviliged access to Juniper routers.^[4][7]

UNC3886 has harvested and used vCenter Server service accounts.^[2]

UNC3886 has used scripts to enumerate ESXi hypervisors and their guest VMs.^[2]