Chinese Cyber Espionage Group UNC3886 Targets End-of-Life Juniper MX Routers with Stealthy Backdoors

The China-linked cyber espionage group UNC3886 has been observed exploiting outdated Juniper Networks MX routers to deploy custom backdoors, emphasizing their focus on compromising internal network infrastructure.

UNC3886's Advanced Espionage Tactics

According to Google-owned Mandiant, these backdoors exhibit varied functionalities, including active and passive access, and contain embedded scripts designed to disable logging mechanisms on the target devices.

This campaign reflects an evolution in UNC3886’s tactics, as they have previously used zero-day vulnerabilities in Fortinet, Ivanti, and VMware devices to infiltrate networks, maintain persistence, and gain remote access.

First identified in September 2022, UNC3886 is regarded as highly sophisticated, with a strong capability to breach edge devices and virtualization technologies. Their attacks primarily target defense, technology, and telecommunications sectors in the United States and Asia.

Why Routing Devices?

Network perimeter devices such as routers often lack robust security monitoring, allowing threat actors to operate undetected for extended periods. This recent activity, detected in mid-2024, showcases UNC3886’s ability to maintain long-term access to critical routing infrastructure, raising concerns about potential future disruptions.

TinyShell-Based Backdoors & Malware Variants

Mandiant identified six distinct implants used by UNC3886, all based on TinyShell, a lightweight C-based backdoor previously employed by Chinese hacking groups Velvet Ant and Liminal Panda:

  1. appid (A Poorly Plagiarized Implant Daemon) – Supports file transfers, interactive shell access, SOCKS proxy, and configuration changes.
  2. to (TooObvious) – Similar to appid but with different hardcoded C2 servers.
  3. irad (Internet Remote Access Daemon) – A passive backdoor that sniffs ICMP packets for embedded commands.
  4. lmpad (Local Memory Patching Attack Daemon) – A stealthy tool that performs process injection into legitimate Junos OS processes to disable logging.
  5. jdosd (Junos Denial of Service Daemon) – Implements a UDP-based backdoor with remote shell and file transfer capabilities.
  6. oemd (Obscure Enigmatic Malware Daemon) – A passive TCP-based backdoor capable of executing TinyShell commands.

Bypassing Junos OS Protections

To execute malware on Junos OS routers, UNC3886 bypasses Junos OS' Verified Exec (veriexec) security feature, which normally blocks untrusted code. They accomplish this by:

  • Gaining privileged access using legitimate credentials from a terminal server managing network devices.
  • Injecting malicious payloads into the memory of a legitimate "cat" process, enabling lmpad execution despite veriexec protections.

Mandiant highlighted that one of the primary goals of this malware is to disable all logging before an operator interacts with the router and restore logs afterward, making detection significantly more challenging.
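A log-tampering window on the router itself leaves little on the device, but a central syslog collector still sees the silence. The following detector is an added example (not Mandiant's or Juniper's tooling, and the sample syslog lines, host name and year are constructed): it baselines each router's normal message cadence and flags windows where a normally chatty device goes quiet.

```python
import re
from datetime import datetime
from statistics import median
from typing import Dict, List, Tuple

# Constructed sample: BSD-style syslog lines as a central collector might receive
# them from a Junos router. Host name, process names and messages are made up.
SAMPLE_SYSLOG = """\
Mar 12 10:00:05 mx-edge-1 rpd[2345]: bgp peer 192.0.2.1 keepalive
Mar 12 10:05:10 mx-edge-1 rpd[2345]: bgp peer 192.0.2.1 keepalive
Mar 12 10:10:02 mx-edge-1 mgd[1234]: user netops committed configuration
Mar 12 10:15:08 mx-edge-1 rpd[2345]: bgp peer 192.0.2.1 keepalive
Mar 12 11:20:33 mx-edge-1 rpd[2345]: bgp peer 192.0.2.1 keepalive
Mar 12 11:25:01 mx-edge-1 mgd[1234]: user netops logged in
"""

# "Mar 12 10:00:05 host ..." -> timestamp and host. BSD syslog carries no year,
# so one is assumed here; it only matters for gap arithmetic within a year.
_LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ")
_YEAR = 2025

def parse_lines(text: str) -> Dict[str, List[datetime]]:
    """Collect message timestamps per sending host, in order of appearance."""
    per_host: Dict[str, List[datetime]] = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # not a syslog header line; skip rather than guess
        ts = datetime.strptime(f"{_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        per_host.setdefault(m.group(2), []).append(ts)
    return per_host

def find_silent_windows(text: str, min_gap_s: int = 1800, factor: float = 6.0
                        ) -> List[Tuple[str, datetime, datetime, int]]:
    """Return (host, last_seen, next_seen, seconds) for each suspicious gap.
    A gap counts when it exceeds both an absolute floor and `factor` times the
    host's median inter-message interval, so quiet routers are not over-flagged."""
    findings = []
    for host, stamps in parse_lines(text).items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < 2:
            continue  # too little history to establish a baseline
        threshold = max(min_gap_s, factor * median(gaps))
        for a, b, g in zip(stamps, stamps[1:], gaps):
            if g > threshold:
                findings.append((host, a, b, int(g)))
    return findings
```

A flagged window that coincides with an operator session or a commit, but contains no messages of its own, is the pattern worth investigating on the device.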

Additional Malware Tools Used by UNC3886

Beyond TinyShell-based implants, UNC3886 employs additional stealth and credential-harvesting tools, including:

  • Reptile & Medusa rootkits – Used for stealth and persistence.
  • PITHOOK – Captures SSH credentials by hijacking authentication processes.
  • GHOSTTOWN – Used for anti-forensic operations to cover tracks.

Juniper Networks’ Response & Security Patches

Juniper Networks launched Project RedPenguin in July 2024 to investigate these attacks. Their findings revealed that at least one security vulnerability (CVE-2025-21590, CVSS 6.7) contributed to successful breaches.

This vulnerability affects the kernel of Junos OS, allowing attackers with high privileges to inject arbitrary code. To mitigate this, Juniper has patched the flaw in multiple Junos OS versions, including:

  • 21.2R3-S9, 21.4R3-S10, 22.2R3-S6, 22.4R3-S6, 23.2R2-S3, 23.4R2-S4, 24.2R1-S2, 24.2R2, and 24.4R1.

Organizations are strongly advised to update their Juniper devices and use the Juniper Malware Removal Tool (JMRT) to detect and remove threats.
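Checking a fleet against the fixed releases above is fiddly because Junos numbers fixes per release train and per R-release lane. The following is an added example (not Juniper's tooling): it parses `MM.mRr[-Ss][.b]` version strings and classifies a running version against the fixed list quoted in this article, which the article marks as "including", so the list is assumed to be partial and unlisted trains are reported as unknown rather than patched.

```python
import re
from typing import Dict, List, Tuple

# Fixed Junos OS releases for CVE-2025-21590 as listed in the article. The
# article says "including", so this is a partial list; confirm the full set
# against Juniper's advisory before trusting a "patched" verdict.
FIXED_RELEASES = [
    "21.2R3-S9", "21.4R3-S10", "22.2R3-S6", "22.4R3-S6",
    "23.2R2-S3", "23.4R2-S4", "24.2R1-S2", "24.2R2", "24.4R1",
]

# Junos version strings look like MM.mRr[-Ss][.b], e.g. 21.2R3-S9 or 24.2R2.
_VER_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.(\d+))?$")

def parse_junos_version(ver: str) -> Tuple[int, int, int, int, int]:
    """Return (major, minor, R, S, build); missing S and build default to 0."""
    m = _VER_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version: {ver!r}")
    major, minor, r, s, build = (int(g or 0) for g in m.groups())
    return (major, minor, r, s, build)

def assess(ver: str, fixed: List[str] = FIXED_RELEASES) -> str:
    """Classify a running version as 'patched', 'vulnerable' or 'unknown'.

    Heuristic: a fix lands in one R-release lane (e.g. 24.2R1) as a service
    release, and later R-releases of the same train ship with it included.
    """
    major, minor, r, s, build = parse_junos_version(ver)
    # Lowest fixed (S, build) per R lane within this train (major.minor).
    lanes: Dict[int, Tuple[int, int]] = {}
    for f in fixed:
        fm, fn, fr, fs, fb = parse_junos_version(f)
        if (fm, fn) == (major, minor):
            lanes[fr] = min(lanes.get(fr, (fs, fb)), (fs, fb))
    if not lanes:
        return "unknown"      # train not in the list: cannot conclude
    if r in lanes:
        return "patched" if (s, build) >= lanes[r] else "vulnerable"
    if r > max(lanes):
        return "patched"      # newer R-release than any fixed lane
    if r < min(lanes):
        return "vulnerable"   # older R-release than the first fixed lane
    return "unknown"          # R-release between fixed lanes, not listed
```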

Comparing UNC3886 & UNC4841 Activity

A separate attack campaign, J-magic, targeting enterprise-grade Juniper routers, was recently attributed to UNC4841 by Lumen Black Lotus Labs.

Despite similar malware traits, there is no evidence linking UNC3886 to UNC4841, though overlapping techniques among China-linked espionage groups are common.

Conclusion: A Persistent & Evasive Threat

Mandiant’s analysis underscores that UNC3886 possesses deep expertise in Juniper Networks internals, prioritizing long-term persistence and stealth. Their use of passive backdoors, forensic tampering, and log manipulation makes them particularly difficult to detect.

As network perimeter router compromises become a growing trend in cyber espionage, organizations must proactively secure outdated network devices to prevent long-term infiltration and potential disruptions.