China-Linked UNC3886 Exploits End-of-Life Juniper MX Routers in Espionage Campaign

Cybersecurity researchers have uncovered an ongoing cyber espionage campaign orchestrated by the China-linked hacking group UNC3886. The group has been observed targeting end-of-life (EOL) MX routers from Juniper Networks to deploy custom backdoors, underscoring a strategic focus on internal networking infrastructure.

Targeting Network Devices for Stealthy Operations

According to Mandiant, a Google-owned threat intelligence firm, UNC3886 has evolved its attack methodologies to breach and maintain persistence within high-value targets. The group has a history of exploiting zero-day vulnerabilities in Fortinet, Ivanti, and VMware devices, allowing them to establish long-term access within compromised networks.

The attackers take advantage of network perimeter devices that often lack robust security monitoring and detection mechanisms, making them ideal for long-term stealth operations. By compromising these routing devices, UNC3886 gains sustained access to critical infrastructure, potentially paving the way for disruptive cyber operations.

"The compromise of routing devices is a recent trend in the tactics of espionage-motivated adversaries as it grants long-term, high-level access to crucial routing infrastructure," Mandiant stated.

TinyShell-Based Backdoors for Persistent Access

Mandiant has identified six distinct backdoors based on TinyShell, a C-based malware previously used by other Chinese state-sponsored groups such as Liminal Panda and Velvet Ant. Each backdoor has unique functionalities designed to evade detection and maintain persistent control over compromised routers:

  • appid – Supports file upload/download, interactive shell access, SOCKS proxy, and configuration modifications (e.g., C2 server, port numbers).

  • to – Similar to appid but with a different set of hardcoded Command-and-Control (C2) servers.

  • irad – A passive backdoor that functions as a packet sniffer, extracting commands from ICMP packets.

  • lmpad – A tool that can perform process injection into legitimate Junos OS processes to stall logging.

  • jdosd – Implements a UDP backdoor with remote shell capabilities and file transfer functions.

  • oemd – A TCP-based passive backdoor supporting TinyShell commands for executing shell commands and transferring files.

Bypassing Junos OS Security Protections

A crucial aspect of UNC3886’s tactics is its ability to bypass Junos OS’ Verified Exec (veriexec), a security feature that prevents unauthorized code execution. The group leverages legitimate credentials to access terminal servers used for managing Juniper devices, then injects its malicious payloads into memory, specifically into a legitimate cat process. This approach ensures execution even when veriexec protections remain enabled.

To evade detection, the lmpad backdoor disables logging before UNC3886 operatives interact with the compromised router. Once their operations are complete, they restore logging to avoid raising suspicion.

Additional Malicious Tools Used by UNC3886

In addition to the TinyShell-based backdoors, UNC3886 has deployed several advanced tools to maintain its foothold in compromised environments:

  • Reptile & Medusa – Rootkits used for stealthy access and privilege escalation.

  • PITHOOK – A tool designed to hijack SSH authentication and capture SSH credentials.

  • GHOSTTOWN – A forensics evasion tool that eliminates evidence of compromise.

Mitigation Recommendations

Organizations using Juniper MX routers—especially end-of-life models—are strongly advised to take immediate action:

  1. Upgrade to the latest Juniper firmware – Ensure all devices run the most recent security updates.

  2. Deploy Juniper Malware Removal Tool (JMRT) – Use updated security signatures to detect and remove malicious implants.

  3. Monitor network logs – Look for unusual traffic patterns, unexpected SSH connections, or unauthorized configuration changes.

  4. Implement robust access controls – Enforce multi-factor authentication (MFA) and limit SSH access to trusted sources.
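The monitoring step above and the earlier note that lmpad stalls logging before the operators act both reduce to watching the router's own log stream. The following is an added example, not code from the article, from Mandiant or from Juniper: it parses a few constructed syslog-style lines in the general shape Junos and sshd emit and flags three things the article tells defenders to look for, SSH logins from sources outside an allowlist, configuration commits, and long silences in the log stream. The log format, the trusted-source list, the silence threshold and the sample lines are all assumptions made for illustration.

```python
"""Router log review for the three signals named in the article (added example)."""
import re
from datetime import datetime, timedelta

# Constructed sample lines (not real captures). Assumed layout:
# "<ISO timestamp> <host> <process>: <message>".
SAMPLE_LOG = """\
2025-03-10T09:00:01 mx-edge1 sshd[2211]: Accepted publickey for netops from 10.20.0.5 port 51010 ssh2
2025-03-10T09:03:15 mx-edge1 mgd[1502]: UI_COMMIT: User 'netops' requested 'commit' operation (comment: scheduled change)
2025-03-10T09:03:20 mx-edge1 sshd[2211]: Received disconnect from 10.20.0.5 port 51010
2025-03-10T22:41:07 mx-edge1 sshd[2390]: Accepted password for admin from 198.51.100.77 port 40022 ssh2
2025-03-10T22:41:09 mx-edge1 mgd[1502]: UI_LOGIN_EVENT: User 'admin' login, class 'super-user'
2025-03-11T01:55:30 mx-edge1 mgd[1502]: UI_COMMIT: User 'admin' requested 'commit' operation
"""

TRUSTED_SSH_SOURCES = {"10.20.0.5", "10.20.0.6"}   # assumed jump hosts (step 4: limit SSH to trusted sources)
MAX_SILENCE = timedelta(hours=2)                  # assumed threshold for "the router stopped logging"

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
SSH_ACCEPT_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>[\d.]+)")
COMMIT_RE = re.compile(r"UI_COMMIT: User '(?P<user>[^']+)' requested 'commit'")


def parse_line(line):
    """Split one syslog-style line into its fields; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def analyze(log_text, trusted=TRUSTED_SSH_SOURCES, max_silence=MAX_SILENCE):
    """Return (timestamp, kind, detail) findings in log order.

    kind is one of:
      log_silence    gap between consecutive entries exceeds max_silence
      untrusted_ssh  accepted SSH login from a source not in the allowlist
      commit         configuration commit, annotated with the committing
                     user's most recent SSH source so a reviewer can see
                     whether the change came through a trusted path
    """
    findings = []
    prev_ts = None
    last_ssh_source = {}   # user -> source IP of that user's last accepted login
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts = rec["ts"]
        if prev_ts is not None and ts - prev_ts > max_silence:
            findings.append((ts.isoformat(), "log_silence",
                             f"no entries for {ts - prev_ts} before this one"))
        prev_ts = ts

        m = SSH_ACCEPT_RE.search(rec["msg"])
        if m:
            last_ssh_source[m["user"]] = m["src"]
            if m["src"] not in trusted:
                findings.append((ts.isoformat(), "untrusted_ssh",
                                 f"{m['user']} from {m['src']} via {m['method']}"))

        m = COMMIT_RE.search(rec["msg"])
        if m:
            src = last_ssh_source.get(m["user"], "unknown")
            label = "trusted" if src in trusted else "untrusted"
            findings.append((ts.isoformat(), "commit",
                             f"by {m['user']} (last SSH source {src}, {label})"))
    return findings


if __name__ == "__main__":
    for ts, kind, detail in analyze(SAMPLE_LOG):
        print(f"{ts}  {kind:<14} {detail}")
```

On the constructed sample this reports the scheduled commit by netops from a trusted host, a 13-hour gap in the log followed by a password login from an address outside the allowlist, a further multi-hour gap, and then a commit by the user whose session came from that untrusted address. The silence check is deliberately crude: a quiet router overnight is normal on many networks, so the threshold is something to tune per device, but a gap that immediately precedes an unexpected login is exactly the shape the article describes for lmpad.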

UNC3886’s Growing Threat

This discovery follows Lumen Black Lotus Labs' recent findings on J-magic, a campaign leveraging Juniper enterprise routers to deploy a custom variant of the cd00r backdoor. Mandiant researchers emphasize that UNC3886 possesses deep knowledge of system internals, prioritizing long-term persistence while minimizing the risk of detection.

As network perimeter devices become a growing target for state-sponsored espionage, organizations must proactively secure their infrastructure to defend against persistent threats like UNC3886.