C0056 RedPenguin
The RedPenguin project was launched by Juniper in July 2024 to investigate reported malware infections of Juniper MX Series routers. RedPenguin activity was separately attributed to UNC3886 and included the deployment of multiple custom versions of the publicly-available TINYSHELL backdoor on Juniper routers.12
| Item | Value |
|---|---|
| ID | C0056 |
| Associated Names | |
| First Seen | July 2024 |
| Last Seen | March 2025 |
| Version | 1.0 |
| Created | 24 June 2025 |
| Last Modified | 24 October 2025 |
| Navigation Layer | View In ATT&CK® Navigator |
Groups
| ID | Name | References |
|---|---|---|
| G1048 | UNC3886 | In mid-2024 Mandiant identified custom TINYSHELL-based backdoors deployed on Juniper Networks’ Junos OS routers. Mandiant attributed these backdoors to the China-nexus espionage group UNC3886.2 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.004 | Unix Shell | During RedPenguin, UNC3886 used malware capable of launching an interactive shell.21 |
| enterprise | T1059.008 | Network Device CLI | During RedPenguin, UNC3886 accessed the Junos OS CLI on targeted devices.21 |
| enterprise | T1554 | Compromise Host Software Binary | During RedPenguin, UNC3886 peformed a local memory patching attack to modify the snmpd and mgd Junos OS daemons.1 |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | During RedPenguin, UNC3886 used malware implants to deobfuscate incoming C2 messages and encoded archives.21 |
| enterprise | T1587 | Develop Capabilities | - |
| enterprise | T1587.001 | Malware | During RedPenguin, UNC3886 deployed custom malware based on the publicly-available TINYSHELL backdoor.23 |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | During RedPenguin, UNC3886 malware used the RC4 cipher to encrypt outgoing C2 messages.1 |
| enterprise | T1041 | Exfiltration Over C2 Channel | During RedPenguin, UNC3886 uploaded specified files from compromised devices to a remote server. 2 |
| enterprise | T1203 | Exploitation for Client Execution | During RedPenguin, UNC3886 exploited CVE-2025-21590 to bypass Veriexec protections in Junos OS designed to prevent unauthorized binary execution.21 |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.003 | Impair Command History Logging | During RedPenguin, UNC3886 used malware to clear the HISTFILE environmental vaiable and to inject into Junos OS processes to inhibit logging.21 |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | During RedPenguin, UNC3886 used malware capaple of removing scripts after execution.2 |
| enterprise | T1070.007 | Clear Network Connection History and Configurations | During RedPenguin, UNC3886 used an implant to delete logs associated with unauthorized access to targeted Junos OS devices.1 |
| enterprise | T1105 | Ingress Tool Transfer | During RedPenguin, UNC3886 used backdoor malware capable of downloading files to compromised infrastructure.2 |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | During RedPenguin, UNC3886 created multiple strains of malware using names to mimic legitimate binaries such as appid, to, irad, lmpad, jdosd, and oemd.2 |
| enterprise | T1104 | Multi-Stage Channels | During RedPenguin, UNC3886 used malware with separate channels to request and carry out tasks from C2.2 |
| enterprise | T1040 | Network Sniffing | During RedPenguin, UNC3886 used a passive backdoor to act as a libpcap-based packet sniffer.2 |
| enterprise | T1095 | Non-Application Layer Protocol | During RedPenguin, UNC3886 leveraged malware that used UDP and TCP sockets for C2.231 |
| enterprise | T1571 | Non-Standard Port | During RedPenguin, UNC3886 used a backdoor that binds to port 45678 by default.2 |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.013 | Encrypted/Encoded File | During RedPenguin, UNC3886 generated Base64-encoded files in the FreeBSD shell environment of targeted Juniper devices.21 |
| enterprise | T1057 | Process Discovery | During RedPenguin, UNC3886 used malware capable of reading the PID for the Junos OS snmpd daemon.1 |
| enterprise | T1055 | Process Injection | During RedPenguin, UNC3886 exploited CVE-2025-21590 to enable malicious code injection into the memory of legitimate processes.21 |
| enterprise | T1090 | Proxy | During RedPenguin, UNC3886 used malware capable of establishing a SOCKS proxy connection to a specified IP and port.21 |
| enterprise | T1090.003 | Multi-hop Proxy | During RedPenguin, UNC3886 used infrastructure associated with operational relay box (ORB) networks.2 |
| enterprise | T1014 | Rootkit | During RedPenguin, UNC3886 used rootkits such as REPTILE and MEDUSA.2 |
| enterprise | T1016 | System Network Configuration Discovery | During RedPenguin, UNC3886 leveraged JunoOS CLI queries to obtain the interface index which contains system and network details.21 |
| enterprise | T1205 | Traffic Signaling | During RedPenguin, UNC3886 leveraged malware capable of inpecting packets for a magic-string to activate backdoor functionalities.2 |
| enterprise | T1078 | Valid Accounts | During RedPenguin, UNC3886 used legitimate credentials to gain priviliged access to Juniper routers.23 |
Software
| ID | Name | Description |
|---|---|---|
| S1220 | MEDUSA | MEDUSA was used for command execution and persistence during RedPenguin.2 |
References
-
Juniper Networks, Cybersecurity R&D. (2025, March 11). The RedPenguin Malware Incident. Retrieved June 24, 2025. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Lamparski, L. et al. (2025, March 11). Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers. Retrieved June 24, 2025. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Censys Research Team. (2025, March 14). JunOS and RedPenguin. Retrieved June 24, 2025. ↩↩↩