216.73.216.78

Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers

· Published 11/04/2025 15:42 · Modified 11/04/2025 16:14

Export JSON

Essential information

Published
11/04/2025 15:42
Modified
11/04/2025 16:14
Tags
2025-03-12 2025-04-11 CVE-2025-21590 backdoors busybox china china-nexus espionage ghosttown gobrat juniper medusa network infrastructure persistence pithook process injection reptile routers seaelf tinyshell
Related entities
3 vulnerabilities (cve), 14 observables, 1 intrusion sets (apt), 9 techniques (mitre), 6 malware, 3 others

Description

Mandiant discovered group UNC3886 deploying custom on Networks' Junos OS in mid-2024. The actor used -based with various capabilities, including active and passive functions and log disabling. UNC3886 demonstrated advanced system knowledge, bypassing Junos OS security measures and injecting malicious code into legitimate processes. The group focused on maintaining long-term network access, targeting defense, technology, and telecommunication organizations in the US and Asia. This activity highlights the ongoing threat of actors compromising networking infrastructure with sophisticated malware ecosystems.

External references