UNC3886

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to intrusion sets

· Published 16/12/2025 19:39 · Modified 27/03/2026 01:13 · Source: The MITRE Corporation

Essential information

Confidence: 100/100
Published: 16/12/2025 19:39
Modified: 27/03/2026 01:13
Updated at: 27/03/2026 01:13
Revoked: No
Author / Source: The MITRE Corporation
Resource level: —
Primary motivation: —
Related entities: 2 reports, 76 attack patterns (mitre), 16 malware, 3 sectors, 12 indicators, 7 vulnerabilities (cve), 1 campaign

Description

[UNC3886](https://attack.mitre.org/groups/G1048) is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan (APJ) regions. [UNC3886](https://attack.mitre.org/groups/G1048) has displayed a deep understanding of edge devices and virtualization technologies through the exploitation of zero-day vulnerabilities and the use of novel malware families and utilities.(Citation: Mandiant Fortinet Zero Day)(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)

Marking (TLP)

External references

Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023
Mandiant Fortinet Zero Day
mitre-attack (G1048)

Related entities

Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.

Reports (2)

Ghost in the Router: China-Nexus Espionage Actor UNC3886 …

3 CVEs 9 MITREs 6 Malwares 14 Observables 1 APT
Uncovering Espionage Operations

5 CVEs 14 MITREs 7 Malwares 39 Observables 1 APT

Attack patterns (MITRE) (76)

T1027.005 uses

Indicator Removal from Tools MITRE
T1027.001 uses

Binary Padding MITRE
T1570 uses

Lateral Tool Transfer MITRE
T1082 uses

System Information Discovery MITRE
T1552.004 uses

Private Keys MITRE
T1105 uses

Ingress Tool Transfer MITRE
T1068 uses

Exploitation for Privilege Escalation MITRE
Disable or Modify Tools uses

MITRE
T1136 uses

Create Account MITRE
T1555.005 uses

Password Managers MITRE
T1095 uses

Non-Application Layer Protocol MITRE
Prevent Command History Logging uses

MITRE

← Previous

Page / 7

13–24 of 76

THINCRUST uses
SEAELF uses

Family
VIRTUALSPHERE uses

Family
MOPSLED uses

Family
VIRTUALSHINE uses

Family
Medusa uses

The MITRE Corporation Confidence 100

[MEDUSA](https://attack.mitre.org/software/S1220) is an open-source rootkit that is capable of dynamic linker hijacking, command execution, and logging credentials.(Citation: Google Cloud Mandiant UNC3886 2024)

First seen 01/01/1970 · Last seen 16/11/5138 ·
RIFLESPINE uses

Family
VIRTUALPIE uses

Family The MITRE Corporation Confidence 100

[VIRTUALPIE](https://attack.mitre.org/software/S1218) is a lightweight backdoor written in Python that spawns an IPv6 listener on a VMware ESXi server and features command line execution, file transfer, and reverse shell…

First seen 01/01/1970 · Last seen 16/11/5138 ·
REPTILE uses

Family The MITRE Corporation Confidence 100

[REPTILE](https://attack.mitre.org/software/S1219) is an open-source Linux rootkit with multiple components that provides backdoor access and functionality.(Citation: Google Cloud Mandiant UNC3886 2024)

First seen 01/01/1970 · Last seen 16/11/5138 ·
VIRTUALPITA uses
PITHOOK uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
GobRAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 2

1–12 of 16

Technology targets
Defense targets
Telecommunications targets

Indicators (12)

cron.data indicates

stix 100/100 Revoked

· Valid until 20/04/2025 · Source: AlienVault
reptile.shell indicates

stix 100/100 Revoked

· Valid until 20/04/2025 · Source: AlienVault
7ae38a27494dd6c1bc9ab3c02c3709282e0ebcf1e5fcf59a57dc3ae56cfd13b4 indicates

stix 100/100 Revoked

· Valid until 08/03/2026 · Source: AlienVault
1893523f2a4d4e7905f1b688c5a81b069f06b3c3d8c0ff9d16620468d117edbb indicates

stix 100/100 Revoked

· Valid until 27/09/2025 · Source: AlienVault
e1de05a2832437ab70d36c4c05b43c4a57f856289224bbd41182deea978400ed indicates

stix 100/100 Revoked

· Valid until 08/03/2026 · Source: AlienVault
number.rs indicates

stix 100/100 Revoked

· Valid until 20/04/2025 · Source: AlienVault
905b18d5df58dd6c16930e318d9574a2ad793ec993ad2f68bca813574e3d854b indicates

stix 100/100 Revoked

· Valid until 08/03/2026 · Source: AlienVault
98380ec6bf4e03d3ff490cdc6c48c37714450930e4adf82e6e14d244d8373888 indicates

stix 100/100 Revoked

· Valid until 08/03/2026 · Source: AlienVault
c0ec15e08b4fb3730c5695fb7b4a6b85f7fe341282ad469e4e141c40ead310c3 indicates

stix 100/100 Revoked

· Valid until 08/03/2026 · Source: AlienVault
3751997cfcb038e6b658e9180bc7cce28a3c25dbb892b661bcd1065723f11f7e indicates

stix 100/100 Revoked

· Valid until 08/03/2026 · Source: AlienVault
5bef7608d66112315eefff354dae42f49178b7498f994a728ae6203a8a59f5a2 indicates

stix 100/100 Revoked

· Valid until 08/03/2026 · Source: AlienVault
5995aaff5a047565c0d7fe3c80fa354c40e7e8c3e7d4df292316c8472d4ac67a indicates

stix 100/100 Revoked

· Valid until 08/03/2026 · Source: AlienVault

Vulnerabilities (CVE) (7)

CVE-2022-42475 KEV targets

9.8 Critical

Multiple versions of Fortinet FortiOS SSL-VPN contain a heap-based buffer overflow vulnerability which can allow an unauthenticated, remote attacker to execute arbitrary …

Attack vector: Network
Published: 13/12/2022
Modified: 20/12/2025

CVE-2023-34048 KEV targets

9.8 Critical

VMware vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol that allows an attacker to conduct remote …

Attack vector: Network
Published: 22/01/2024
Modified: 21/12/2025

CVE-2022-22948 KEV targets

VMware vCenter Server contains an incorrect default file permissions vulnerability that allows a remote, privileged attacker to gain access to sensitive information.

Published: 17/07/2024
Modified: 21/12/2025

CVE-2022-41328 KEV targets

6.7 Medium

Fortinet FortiOS contains a path traversal vulnerability that may allow a local privileged attacker to read and write files via crafted CLI …

Attack vector: Local
Published: 14/03/2023
Modified: 21/12/2025

CVE-2023-20867 KEV targets

3.9 Low

VMware Tools contains an authentication bypass vulnerability in the vgauth module. A fully compromised ESXi host can force VMware Tools to fail …

Attack vector: Local
Published: 23/06/2023
Modified: 21/12/2025

CVE-2025-21590 KEV targets

4.4 Medium

An Improper Isolation or Compartmentalization vulnerability in the kernel of Juniper Networks Junos OS allows a local attacker with high privileges to …

Attack vector: Local
Published: 13/03/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2025-22457 KEV targets

9.0 Critical

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before …

Attack vector: Network
Published: 04/04/2025
Modified: 21/12/2025

Received

Campaign (1)

RedPenguin attributed-to

Contact About Legal notice Privacy policy Terms of use