
G1048 UNC3886

UNC3886 is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan (APJ) regions. UNC3886 has displayed a deep understanding of edge devices and virtualization technologies through the exploitation of zero-day vulnerabilities and the use of novel malware families and utilities.[2][1]

Item Value
ID G1048
Associated Names
Version 1.0
Created 29 May 2025
Last Modified 24 October 2025

Techniques Used

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism UNC3886 has used vSphere Installation Bundles (VIBs) that contained modified descriptor XML files with the acceptance-level set to partner, which allowed for privilege escalation.[3]
enterprise T1560 Archive Collected Data -
enterprise T1560.001 Archive via Utility UNC3886 has used Gzip and the Windows command makecab to compress files and stolen credentials from victim systems.[3][4]
enterprise T1560.003 Archive via Custom Method UNC3886 has XOR encrypted and Gzip compressed captured credentials.[4]
enterprise T1037 Boot or Logon Initialization Scripts UNC3886 has attempted to bypass digital signature verification checks at startup by adding a command to the startup config /etc/init.d/localnet within the rootfs.gz archive of both FortiManager and FortiAnalyzer devices.[2]
enterprise T1037.004 RC Scripts UNC3886 has placed a bash installation script into /etc/rc.local.d/ to establish persistence.[3]
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell UNC3886 has used a PowerShell script to search memory dumps for credentials.[3]
enterprise T1059.003 Windows Command Shell UNC3886 has executed Windows commands on guest virtual machines through vmtoolsd.exe.[3]
enterprise T1059.004 Unix Shell UNC3886 has used a bash script to install malicious vSphere Installation Bundles (VIBs).[3]
enterprise T1059.006 Python UNC3886 has used Python scripts to enumerate ESXi hosts and guest VMs.[1]
enterprise T1059.008 Network Device CLI During RedPenguin, UNC3886 accessed the Junos OS CLI on targeted devices.[6][5]
enterprise T1059.012 Hypervisor CLI UNC3886 has used the esxcli command line utility to modify firewall rules, install malware, and remove artifacts.[3][1]
enterprise T1554 Compromise Host Software Binary UNC3886 has trojanized Fortinet firmware and replaced the legitimate /usr/bin/tac_plus TACACS+ daemon for Linux with a malicious version containing credential logging functionality.[4][2]
enterprise T1555 Credentials from Password Stores -
enterprise T1555.005 Password Managers UNC3886 has targeted KeyPass password database files for credential access.[3]
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging UNC3886 has staged captured credentials in var/log/ldapd<unique_keyword>.2.gz.[4]
enterprise T1140 Deobfuscate/Decode Files or Information During RedPenguin, UNC3886 used malware implants to deobfuscate incoming C2 messages and encoded archives.[6][5]
enterprise T1587 Develop Capabilities -
enterprise T1587.001 Malware UNC3886 has deployed custom malware families on Fortinet and VMware systems.[2]
enterprise T1587.004 Exploits UNC3886 has used the zero-day vulnerabilities CVE-2022-41328 against FortiOS, CVE-2023-20867 against VMware Tools, and CVE-2023-34048 against VMware vCenter.[1][4][2]
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography During RedPenguin, UNC3886 malware used the RC4 cipher to encrypt outgoing C2 messages.[5]
enterprise T1675 ESXi Administration Command UNC3886 used vmtoolsd.exe to run commands on guest virtual machines from a compromised ESXi host.[3][1][4][2]
enterprise T1041 Exfiltration Over C2 Channel During RedPenguin, UNC3886 uploaded specified files from compromised devices to a remote server.[6]
enterprise T1190 Exploit Public-Facing Application UNC3886 has exploited CVE-2022-42475 in FortiOS SSL VPNs to obtain access.[4][2]
enterprise T1203 Exploitation for Client Execution UNC3886 has exploited CVE-2023-34048 to enable command execution on vCenter servers and CVE-2023-20867 in VMware Tools to execute unauthenticated Guest Operations from ESXi hosts to guest VMs.[4]
enterprise T1212 Exploitation for Credential Access UNC3886 exploited CVE-2022-22948 in VMware vCenter to obtain encrypted credentials from the vCenter postgresDB.[4]
enterprise T1068 Exploitation for Privilege Escalation UNC3886 has exploited the zero-day vulnerability CVE-2023-20867 to enable execution of privileged commands across Windows, Linux, and PhotonOS (vCenter) guest VMs.[1]
enterprise T1008 Fallback Channels UNC3886 has employed layers of redundancy to maintain access to compromised environments, including network devices, hypervisors, and virtual machines.[4]
enterprise T1083 File and Directory Discovery UNC3886 has used vmtoolsd.exe to enumerate files on guest machines.[3][1]
enterprise T1564 Hide Artifacts -
enterprise T1564.011 Ignore Process Interrupts UNC3886 modified the startup file /etc/init.d/localnet to execute the line nohup /bin/support & so the script would run when the system was rebooted.[2]
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools UNC3886 has disabled OpenSSL digital signature verification of system files through corruption of boot files.[2]
enterprise T1562.003 Impair Command History Logging UNC3886 has tampered with and disabled logging services on targeted systems.[1]
enterprise T1562.004 Disable or Modify System Firewall UNC3886 has used the TABLEFLIP traffic redirection utility and the esxcli command line to modify firewall rules.[3][1][2]
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion UNC3886 has used the esxcli command line to remove files created by malicious vSphere Installation Bundles from disk.[3][2]
enterprise T1070.006 Timestomp UNC3886 has used scripts to timestomp ESXi hosts prior to installing malicious vSphere Installation Bundles (VIBs).[1]
enterprise T1070.007 Clear Network Connection History and Configurations UNC3886 has cleared specific events that contained the threat actor’s IP address from multiple log sources.[2]
enterprise T1105 Ingress Tool Transfer During RedPenguin, UNC3886 used backdoor malware capable of downloading files to compromised infrastructure.[6]
enterprise T1570 Lateral Tool Transfer UNC3886 has utilized Python scripts to transfer files between ESXi hosts and guest VMs.[1]
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service UNC3886 has named a file ‘fgfm’ in an attempt to disguise it as the legitimate service ‘fgfmd’, which facilitates communication between FortiManager and the FortiGate firewall.[2]
enterprise T1036.005 Match Legitimate Resource Name or Location During RedPenguin, UNC3886 created multiple strains of malware using names to mimic legitimate binaries such as appid, to, irad, lmpad, jdosd, and oemd.[6]
enterprise T1104 Multi-Stage Channels During RedPenguin, UNC3886 used malware with separate channels to request and carry out tasks from C2.[6]
enterprise T1040 Network Sniffing UNC3886 has used the LOOKOVER sniffer to sniff TACACS+ authentication packets.[4]
enterprise T1095 Non-Application Layer Protocol UNC3886 has deployed backdoors that communicate over TCP to compromised network devices and over VMCI to ESXi hosts.[1][4][2]
enterprise T1571 Non-Standard Port During RedPenguin, UNC3886 used a backdoor that binds to port 45678 by default.[6]
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.005 Indicator Removal from Tools UNC3886 has replaced atomic indicators mentioned in threat intelligence publications, sometimes in under a week after release.[1]
enterprise T1027.013 Encrypted/Encoded File During RedPenguin, UNC3886 generated Base64-encoded files in the FreeBSD shell environment of targeted Juniper devices.[6][5]
enterprise T1588 Obtain Capabilities -
enterprise T1588.001 Malware UNC3886 has used the publicly available rootkits REPTILE and MEDUSA.[4]
enterprise T1588.004 Digital Certificates UNC3886 has deployed malware using the victim’s legitimate TLS certificate obtained from a compromised FortiGate device.[4]
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory UNC3886 has used MiniDump to dump process memory and search for cleartext credentials.[3]
enterprise T1057 Process Discovery UNC3886 has run scripts to list all running processes on a guest VM from an ESXi host.[1]
enterprise T1055 Process Injection During RedPenguin, UNC3886 exploited CVE-2025-21590 to enable malicious code injection into the memory of legitimate processes.[6][5]
enterprise T1090 Proxy During RedPenguin, UNC3886 used malware capable of establishing a SOCKS proxy connection to a specified IP and port.[6][5]
enterprise T1090.003 Multi-hop Proxy During RedPenguin, UNC3886 used infrastructure associated with operational relay box (ORB) networks.[6]
enterprise T1021 Remote Services -
enterprise T1021.004 SSH UNC3886 has established remote SSH access to targeted ESXi hosts.[1][2]
enterprise T1014 Rootkit UNC3886 has used the publicly available rootkits REPTILE and MEDUSA on targeted VMs.[4]
enterprise T1681 Search Threat Vendor Data UNC3886 has replaced indicators mentioned in open-source threat intelligence publications, at times in under a week after their release.[1]
enterprise T1505 Server Software Component -
enterprise T1505.006 vSphere Installation Bundles UNC3886 has used vSphere Installation Bundles (VIBs) to install malware and establish persistence across ESXi hypervisors.[3][1][2]
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.011 Rundll32 UNC3886 has used rundll32.exe to execute MiniDump for dumping LSASS process memory.[3]
enterprise T1016 System Network Configuration Discovery During RedPenguin, UNC3886 leveraged Junos OS CLI queries to obtain the interface index, which contains system and network details.[6][5]
enterprise T1124 System Time Discovery UNC3886 has used installation scripts to collect the system time on targeted ESXi hosts.[1]
enterprise T1205 Traffic Signaling UNC3886 has used the TABLEFLIP traffic redirection utility to listen for specialized command packets on compromised FortiManager devices.[2]
enterprise T1205.001 Port Knocking UNC3886 maintained persistence on FortiGate firewalls through ICMP port knocking.[2]
enterprise T1078 Valid Accounts UNC3886 has used tools to hijack valid SSH accounts.[4]
enterprise T1078.001 Default Accounts UNC3886 has harvested and used vCenter Server service accounts.[1]
enterprise T1673 Virtual Machine Discovery UNC3886 has used scripts to enumerate ESXi hypervisors and their guest VMs.[1]
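
The T1560.003, T1074.001 and T1140 rows describe captured credentials that were XOR encrypted, Gzip compressed and staged under /var/log. The page gives neither the key nor the record layout, so the following is an added example written for this page, not code from the page or from any vendor report: it constructs its own sample record, stages it the way those rows describe (XOR with a single key byte, then gzip, an assumed order), and shows the recovery routine a responder can run over such a file, which is to gunzip it and brute-force the single-byte key by scoring each candidate for the bytes a credential log is most likely made of. The key 0x5A, the single-byte key length and the record fields are all assumptions.

```python
import gzip

# Constructed sample (not data from any incident): a fake credential
# record of the kind a TACACS+ logger might capture. The single-byte
# key 0x5A and the field layout are assumptions for illustration.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = b"user=netadmin pass=Hunter2! src=10.0.0.5 ts=1700000000\n"

GZIP_MAGIC = b"\x1f\x8b"

# Bytes a credential log line is most likely made of; used to score
# candidate keys. Uppercase and most punctuation are deliberately left
# out so that a "shifted" key (the true key XOR 0x20, say) scores lower.
LIKELY = frozenset(b"abcdefghijklmnopqrstuvwxyz0123456789 =.\n")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def make_staged_blob(plaintext: bytes, key: int) -> bytes:
    """Reproduce the staging format the page describes: XOR the record,
    then gzip the result (XOR-then-gzip order is an assumption)."""
    return gzip.compress(xor_bytes(plaintext, key))


def score(candidate: bytes) -> int:
    """Count bytes drawn from the LIKELY alphabet."""
    return sum(1 for b in candidate if b in LIKELY)


def recover(blob: bytes):
    """Gunzip the blob and brute-force the single-byte XOR key.
    Returns (key, plaintext); key 0 means the data was not XORed at all."""
    if blob[:2] != GZIP_MAGIC:
        raise ValueError("not a gzip stream: magic 1f 8b missing")
    ciphertext = gzip.decompress(blob)
    best_key, best_score = 0, -1
    for key in range(256):
        s = score(xor_bytes(ciphertext, key))
        if s > best_score:
            best_key, best_score = key, s
    return best_key, xor_bytes(ciphertext, best_key)


if __name__ == "__main__":
    blob = make_staged_blob(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    key, text = recover(blob)
    print(f"key=0x{key:02x} plaintext={text!r}")
```

The scoring alphabet is what makes the brute force decisive: a wrong key that differs from the true one in any bit other than 0x10 maps every space to a non-alphabet byte, and a key differing only in 0x10 maps every "=" out, so the true key wins by a margin of several bytes on even a short record. If a real sample turns out to use a multi-byte key, the same loop generalizes by scoring each key position against every n-th byte of the ciphertext.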

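The T1070.006 row says the actor timestomped ESXi hosts before installing malicious VIBs. The check below is an added example written for this page (not the page's own or any vendor's code) of the triage a responder can run against a copied-off filesystem: on POSIX, utime(2), which is what touch -r and Python's os.utime call, rewrites atime and mtime but not ctime, which the kernel resets to the current time on every metadata change, so a file whose mtime sits far behind its ctime is a candidate for having been backdated. The example constructs its own directory with one normal file and one file pushed 30 days into the past; the filename vendor-plugin.vib is hypothetical, and the assumption that the actor's script used a utime-style call is stated in the comments.

```python
import os
import tempfile
import time


def find_timestomped(root: str, slack_seconds: int = 3600):
    """Walk root and return (path, ctime - mtime in seconds) for files whose
    modification time predates their inode change time by more than
    slack_seconds.

    A freshly written file has mtime == ctime. A file whose mtime was
    pushed into the past with utime/touch -r keeps a ctime of "now", so
    the gap is a timestomp indicator. Renames, chmod and chown also bump
    ctime, so this is a triage list, not proof of tampering. On Windows
    st_ctime is the creation time and the check does not apply."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort
            gap = st.st_ctime - st.st_mtime
            if gap > slack_seconds:
                hits.append((path, int(gap)))
    return sorted(hits)


def build_demo_tree() -> str:
    """Constructed sample: a temporary directory with one file written
    normally and one whose mtime is set back 30 days the way
    `touch -r <older reference file>` would leave it (assumption: the
    actor's script used a utime-style call). vendor-plugin.vib is a
    hypothetical name."""
    root = tempfile.mkdtemp(prefix="timestomp_demo_")
    normal = os.path.join(root, "normal.vib")
    stomped = os.path.join(root, "vendor-plugin.vib")
    with open(normal, "wb") as fh:
        fh.write(b"unchanged")
    with open(stomped, "wb") as fh:
        fh.write(b"backdated")
    thirty_days_ago = time.time() - 30 * 86400
    os.utime(stomped, (thirty_days_ago, thirty_days_ago))  # atime, mtime only
    return root


def demo():
    """Run the check over the constructed tree; returns [(basename, gap)]."""
    root = build_demo_tree()
    return [(os.path.basename(p), gap) for p, gap in find_timestomped(root)]


if __name__ == "__main__":
    for name, gap in demo():
        print(f"{name}: mtime is {gap // 86400} days older than ctime")
```

Run against an ESXi bootbank or /var/log copy, the hits list is the set of files to compare with the install dates esxcli reports for the VIBs; a VIB payload whose mtime predates its own install date is the pattern the T1070.006 row describes.
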
Software

ID Name References Techniques
S1224 CASTLETAP [2] Unix Shell:Command and Scripting Interpreter; Data from Local System; Deobfuscate/Decode Files or Information; Asymmetric Cryptography:Encrypted Channel; Symmetric Cryptography:Encrypted Channel; Ingress Tool Transfer; Network Sniffing; Socket Filters:Traffic Signaling
S1220 MEDUSA [4] Dynamic Linker Hijacking:Hijack Execution Flow; Encrypted/Encoded File:Obfuscated Files or Information; SSH Hijacking:Remote Service Session Hijacking; Rootkit
S1221 MOPSLED [4] Web Protocols:Application Layer Protocol; Deobfuscate/Decode Files or Information; Non-Application Layer Protocol; Encrypted/Encoded File:Obfuscated Files or Information; Web Service; Dead Drop Resolver:Web Service
S1219 REPTILE [4] Kernel Modules and Extensions:Boot or Logon Autostart Execution; Unix Shell:Command and Scripting Interpreter; Launch Daemon:Create or Modify System Process; Deobfuscate/Decode Files or Information; Asymmetric Cryptography:Encrypted Channel; Udev Rules:Event Triggered Execution; Hidden Files and Directories:Hide Artifacts; Non-Application Layer Protocol; Rootkit; Port Knocking:Traffic Signaling; Traffic Signaling
S1222 RIFLESPINE [4] Web Protocols:Application Layer Protocol; Unix Shell:Command and Scripting Interpreter; Systemd Service:Create or Modify System Process; Local Data Staging:Data Staged; Deobfuscate/Decode Files or Information; Symmetric Cryptography:Encrypted Channel; Exfiltration to Cloud Storage:Exfiltration Over Web Service; Ingress Tool Transfer; System Information Discovery; Bidirectional Communication:Web Service
S1223 THINCRUST [2] Web Protocols:Application Layer Protocol; Python:Command and Scripting Interpreter; Deobfuscate/Decode Files or Information; Symmetric Cryptography:Encrypted Channel; Disable or Modify System Firewall:Impair Defenses
S1218 VIRTUALPIE [3][1][4][2] Python:Command and Scripting Interpreter; Hypervisor CLI:Command and Scripting Interpreter; Symmetric Cryptography:Encrypted Channel; Lateral Tool Transfer; Non-Standard Port; vSphere Installation Bundles:Server Software Component
S1217 VIRTUALPITA [3][1][2] Boot or Logon Initialization Scripts; Python:Command and Scripting Interpreter; Unix Shell:Command and Scripting Interpreter; ESXi Administration Command; Impair Command History Logging:Impair Defenses; Ingress Tool Transfer; Lateral Tool Transfer; Masquerade Task or Service:Masquerading; Match Legitimate Resource Name or Location:Masquerading; Non-Standard Port; Service Stop; Virtual Machine Discovery
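
The T1548 and T1505.006 rows above, and the VIRTUALPIE and VIRTUALPITA entries in this table, all turn on the same mechanism: a VIB whose descriptor XML claims an acceptance level (partner) that an unsigned bundle is not entitled to. The check below is an added example written for this page, not code from the page, from MITRE or from any vendor: it parses the tabular output of `esxcli software vib list` (a constructed sample in the ESXi 6.x/7.x column layout; the VIB names vendor-plugin and acme-nic-tool are hypothetical) and flags bundles installed below VMwareAccepted, plus the specific pattern of a bundle that names VMware as its vendor while not being VMwareCertified. It also reads the acceptance-level element from a constructed descriptor.xml so that the claimed level can be compared with what the host reports.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of `esxcli software vib list` output (ESXi 6.x/7.x
# column layout: Name, Version, Vendor, Acceptance Level, Install Date).
# vendor-plugin and acme-nic-tool are hypothetical bundle names.
SAMPLE_VIB_LIST = """\
Name            Version                     Vendor  Acceptance Level    Install Date
--------------  --------------------------  ------  ------------------  ------------
esx-base        7.0.3-0.20.19193900         VMW     VMwareCertified     2022-01-12
net-vmxnet3     7.0.3-0.20.19193900         VMW     VMwareCertified     2022-01-12
lsi-mr3         7.718.02.00-1vmw.703.0.20   VMW     VMwareCertified     2022-01-12
vendor-plugin   1.0.0-1                     VMware  PartnerSupported    2023-11-02
acme-nic-tool   2.3.1-0                     ACME    CommunitySupported  2021-05-30
"""

# Constructed descriptor.xml for the hypothetical vendor-plugin bundle,
# with the acceptance level claimed as "partner" as the T1548 row
# describes. Real descriptors carry more elements; only those the check
# reads are included.
SAMPLE_DESCRIPTOR = """\
<vib version="5.0">
  <type>bootbank</type>
  <name>vendor-plugin</name>
  <version>1.0.0-1</version>
  <vendor>VMware</vendor>
  <summary>hypothetical management plugin</summary>
  <acceptance-level>partner</acceptance-level>
</vib>
"""

# Levels at which VMware itself signed or reviewed the bundle.
TRUSTED_LEVELS = {"VMwareCertified", "VMwareAccepted"}


def parse_vib_list(text: str):
    """Turn esxcli's column output into dicts. Columns are separated by
    two or more spaces and no field contains a space, so a regex split
    is enough; the header and dash lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Name", "--")):
            continue
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) < 5:
            continue
        name, version, vendor, level, installed = fields[:5]
        rows.append({"name": name, "version": version, "vendor": vendor,
                     "level": level, "installed": installed})
    return rows


def flag_vibs(rows):
    """Return [(name, [reasons])] for bundles worth pulling and verifying."""
    findings = []
    for r in rows:
        reasons = []
        if r["level"] not in TRUSTED_LEVELS:
            reasons.append(f"acceptance level {r['level']} is below VMwareAccepted")
        # VMware's own bundles ship certified; a VMware vendor string on a
        # PartnerSupported bundle is the mismatch worth a closer look.
        if r["vendor"].upper().startswith("VMW") and r["level"] != "VMwareCertified":
            reasons.append("vendor claims VMware but level is not VMwareCertified")
        if reasons:
            findings.append((r["name"], reasons))
    return findings


def descriptor_level(xml_text: str):
    """Read <acceptance-level> from a VIB descriptor.xml; None if absent."""
    node = ET.fromstring(xml_text).find("acceptance-level")
    return node.text.strip() if node is not None and node.text else None


if __name__ == "__main__":
    for name, reasons in flag_vibs(parse_vib_list(SAMPLE_VIB_LIST)):
        print(name, "->", "; ".join(reasons))
    print("descriptor claims:", descriptor_level(SAMPLE_DESCRIPTOR))
```

A flagged bundle is a lead, not a verdict: the decisive host-side checks are `esxcli software acceptance get` (the host level an installer had to override with --force to load an unsigned partner-level bundle) and `esxcli software vib signature verify`, which reports bundles whose signature does not validate against the level their descriptor claims.
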

References