
Chinese Hackers Compromise Juniper Networks Routers Using Custom Backdoors and Rootkits

China-Linked Cyber Espionage Group UNC3886 Exploits Juniper MX Routers to Deploy Custom Backdoors 

The China-affiliated cyber espionage group UNC3886 has been observed targeting outdated Juniper Networks MX routers to deploy sophisticated backdoors, demonstrating its focus on infiltrating internal network infrastructure. 

According to a report by Google-owned Mandiant, these backdoors possess a range of capabilities, including both active and passive access methods, along with an embedded script designed to disable logging on compromised devices. This development marks an evolution in UNC3886's tactics, as the group has previously exploited zero-day vulnerabilities in Fortinet, Ivanti, and VMware devices to establish persistent remote access. 

First documented in September 2022, UNC3886 is considered highly skilled in targeting edge devices and virtualization technologies, primarily aiming at defense, technology, and telecommunications sectors in the U.S. and Asia. These attacks often exploit security blind spots in network perimeter devices, allowing adversaries to operate undetected for extended periods. 

Mandiant warns that the compromise of network routers represents a growing trend among espionage-driven hackers, as it grants long-term, high-level access to critical infrastructure with the potential for disruptive actions. The latest attack campaign, identified in mid-2024, employs implants based on TinyShell—a C-based backdoor previously used by Chinese hacking groups like Liminal Panda and Velvet Ant. 

Mandiant discovered six distinct TinyShell-based backdoors, each with unique functionalities: 

  • appid – Supports file transfer, interactive shell, SOCKS proxy, and configuration changes 
  • to – Similar to appid but with a different set of hardcoded command-and-control (C2) servers 
  • irad – A passive backdoor using libpcap-based packet sniffing to extract commands from ICMP packets 
  • lmpad – A utility and passive backdoor that injects processes into legitimate Junos OS functions to bypass logging 
  • jdosd – Implements a UDP-based backdoor with remote shell and file transfer capabilities 
  • oemd – Communicates with C2 servers via TCP and executes standard TinyShell commands 
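The irad implant in the list above takes its commands from ICMP packets, which means a passive backdoor of that kind has to carry something other than ordinary ping filler in the echo payload. The following is an added example written for this article, not code from Mandiant, Juniper, or the article itself: a small inspector that classifies ICMP echo packets by whether their payload matches the usual ping patterns and reports payload entropy as a supporting signal. The packets are constructed, and the "standard" filler shapes (an iputils-style counting sequence after a timestamp, and the 32-byte alphabet pattern used by Windows ping) are assumptions about common ping implementations, not facts from the report.

```python
"""
Added example (not from the article or any vendor tooling): flag ICMP echo
traffic whose payload does not look like ordinary ping filler.
Assumed filler shapes and all sample packets are constructed for illustration.
"""
import hashlib
import math
import struct
from typing import Dict, List, Optional

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 when run over a packet whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes, icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """Assemble an ICMP header plus payload; used here only to construct sample packets."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(pkt: bytes) -> Optional[Dict]:
    """Split an ICMP packet into header fields and payload; None if truncated."""
    if len(pkt) < 8:
        return None
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": pkt[8:], "checksum_ok": icmp_checksum(pkt) == 0}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or constant data, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    counts: Dict[int, int] = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_standard_ping(payload: bytes) -> bool:
    """Assumption: iputils fills byte i with value i after an 8- or 16-byte timestamp;
    Windows ping sends a fixed 32-byte alphabet pattern."""
    n = len(payload)
    if n <= 256:
        for ts_len in (8, 16):
            if n > ts_len and payload[ts_len:] == bytes(range(ts_len, n)):
                return True
    return payload == b"abcdefghijklmnopqrstuvwabcdefghi"


def assess(pkt: bytes, entropy_threshold: float = 6.0) -> Dict:
    """Classify one packet as 'ignored' (not an echo), 'benign', or 'suspicious' with reasons.
    Entropy is reported only as a hint: counting filler already scores above 5 bits."""
    p = parse_icmp(pkt)
    if p is None:
        return {"verdict": "ignored", "reasons": ["truncated"]}
    if p["type"] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return {"verdict": "ignored", "reasons": ["not-echo"]}
    reasons: List[str] = []
    if not p["checksum_ok"]:
        reasons.append("bad-checksum")
    if not looks_like_standard_ping(p["payload"]):
        reasons.append("nonstandard-payload")
    ent = shannon_entropy(p["payload"])
    if ent > entropy_threshold:
        reasons.append("high-entropy(%.2f)" % ent)
    decisive = {"bad-checksum", "nonstandard-payload"}
    verdict = "suspicious" if decisive.intersection(reasons) else "benign"
    return {"verdict": verdict, "entropy": ent, "reasons": reasons}


# Constructed samples: a Linux-style ping and an echo carrying opaque bytes
# (derived from hashes so the example is deterministic).
NORMAL_PING = build_echo(0x1234, 1, b"\x00" * 8 + bytes(range(8, 56)))
OPAQUE = b"".join(hashlib.sha256(b"constructed-%d" % i).digest() for i in range(4))
ODD_PING = build_echo(0x1234, 2, OPAQUE)

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL_PING), ("odd", ODD_PING)):
        print(name, assess(pkt))
```

On a router, the interesting population is echo traffic addressed to the device itself rather than transit traffic; a bare deviation from the filler pattern is only a trigger for closer inspection, since monitoring tools and some ping implementations also send custom payloads.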

To execute the malware while evading Junos OS' Verified Exec (veriexec) protections, UNC3886 gains privileged access to the router via a terminal server using legitimate credentials. The attackers then inject malicious payloads into the memory of a legitimate cat process, ensuring the execution of the lmpad backdoor while keeping veriexec active. This allows them to disable logging before carrying out operations and later restore logs to minimize forensic traces. 
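A sequence of "disable logging, operate, restore logging" still leaves a footprint in whatever syslog survives: a configuration change that touches logging, followed by an unusually long silence, followed by another commit. The following is an added example, not code from the article, Mandiant, or Juniper: a Python audit that parses syslog lines, finds silences longer than a threshold, and raises the severity when a logging-related command was committed shortly before the silence began. The log lines and message formats are constructed and simplified; real Junos messages differ, and the keyword regex is an assumption to be tuned to the platform.

```python
"""
Added example (not from the article or Mandiant's report): correlate
logging-related commands with subsequent gaps in a router's syslog.
Sample lines and message shapes are constructed for illustration.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample syslog (assumed shape: "Mon DD HH:MM:SS host msg").
SAMPLE_LOG = """\
Mar 12 09:00:01 mx-core-1 sshd[1201]: Accepted password for admin from 10.0.0.5 port 51022
Mar 12 09:00:05 mx-core-1 mgd[1310]: UI_CMDLINE_READ_LINE: User 'admin', command 'show interfaces'
Mar 12 09:01:10 mx-core-1 mgd[1310]: UI_CMDLINE_READ_LINE: User 'admin', command 'deactivate system syslog'
Mar 12 09:01:12 mx-core-1 mgd[1310]: UI_COMMIT: User 'admin' requested 'commit' operation
Mar 12 09:47:30 mx-core-1 mgd[1310]: UI_COMMIT: User 'admin' requested 'commit' operation
Mar 12 09:47:35 mx-core-1 mgd[1310]: UI_CMDLINE_READ_LINE: User 'admin', command 'show system uptime'
Mar 12 09:48:00 mx-core-1 sshd[1201]: Received disconnect from 10.0.0.5
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
# Assumption: any command mentioning syslog/logging counts as "logging touched".
LOGGING_RE = re.compile(r"\b(syslog|logging)\b", re.IGNORECASE)

Event = Tuple[datetime, str, str]


def parse_log(text: str, year: int = 2025) -> List[Event]:
    """Parse lines into (timestamp, host, message); syslog omits the year, so one is assumed."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed shape
        ts = datetime.strptime(
            "%d %s %s %s" % (year, m["mon"], m["day"], m["time"]), "%Y %b %d %H:%M:%S"
        )
        events.append((ts, m["host"], m["msg"]))
    return events


def find_gaps(events: List[Event], threshold: timedelta = timedelta(minutes=30)):
    """Return (start, end, length) for consecutive events further apart than threshold."""
    gaps = []
    for (t0, _, _), (t1, _, _) in zip(events, events[1:]):
        if t1 - t0 > threshold:
            gaps.append((t0, t1, t1 - t0))
    return gaps


def audit(text: str, threshold: timedelta = timedelta(minutes=30),
          lookback: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Findings: 'high' for a gap preceded (within lookback) by a logging change,
    'medium' for an unexplained gap, 'low' for a logging change with no gap after it."""
    events = parse_log(text)
    logging_changes = [e for e in events if LOGGING_RE.search(e[2])]
    findings: List[Dict] = []
    explained = set()
    for start, end, length in find_gaps(events, threshold):
        related = [e for e in logging_changes if start - lookback <= e[0] <= start]
        findings.append({
            "severity": "high" if related else "medium",
            "gap_start": start, "gap_end": end, "gap": length,
            "preceding_logging_changes": [e[2] for e in related],
        })
        explained.update(related)
    for e in logging_changes:
        if e not in explained:
            findings.append({"severity": "low", "at": e[0], "message": e[2]})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f)
```

The same correlation works against logs forwarded off-box, which is where it matters most: if the device's local logs were restored after the fact, only the remote copy preserves the gap between the two commits.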

In addition to backdoors, UNC3886 has deployed rootkits such as Reptile and Medusa, as well as tools like PITHOOK to hijack SSH authentication and GHOSTTOWN for anti-forensic measures. 

To mitigate risks, organizations are advised to update their Juniper devices to the latest firmware, which includes security patches and enhanced malware detection through the Juniper Malware Removal Tool (JMRT). 

This discovery follows a recent report from Lumen Black Lotus Labs, which uncovered a campaign dubbed J-magic targeting enterprise-grade Juniper routers with a variant of the cd00r backdoor. 

Mandiant researchers emphasize that UNC3886 has demonstrated deep expertise in system internals and remains focused on stealth, leveraging passive backdoors and forensic tampering techniques to ensure long-term persistence while evading detection. 
