Mar 12, 2025Ravie LakshmananCyber Espionage / Vulnerability

The China-nexus cyber espionage group tracked as UNC3886 has been observed targeting end-of-life MX routers from Juniper Networks as part of a campaign designed to deploy custom backdoors, highlighting their ability to focus on internal networking infrastructure.

“The backdoors had varying custom capabilities, including active and passive backdoor functions, as well as an embedded script that disables logging mechanisms on the target device,” Google-owned Mandiant said in a report shared with The Hacker News.

The threat intelligence firm described the development as an evolution of the adversary’s tradecraft, which has historically leveraged zero-day vulnerabilities in Fortinet, Ivanti, and VMware devices to breach networks of interest and establish persistence for remote access.

First documented in September 2022, the hacking crew is assessed to be “highly adept” and capable of targeting edge devices and virtualization technologies with the ultimate goal of breaching defense, technology, and telecommunication organizations located in the United States and Asia.

These attacks typically take advantage of the fact that such network perimeter devices lack security monitoring and detection solutions, thereby allowing them to operate unimpeded and without attracting attention.

“The compromise of routing devices is a recent trend in the tactics of espionage-motivated adversaries as it grants the capability for a long-term, high-level access to the crucial routing infrastructure, with a potential for more disruptive actions in the future,” Mandiant said.

The latest activity, spotted in mid-2024, involves the use of implants that are based on TinyShell, a C-based backdoor that has been put to use by various Chinese hacking groups like Liminal Panda and Velvet Ant in the past.

Mandiant said it identified six distinct TinyShell-based backdoors, each carrying a unique capability –

• appid, which supports file upload/download, interactive shell, SOCKS proxy, and configuration changes (e.g., command-and-control server, port number, network interface, etc.)
• to, which is same as appid but with a different set of hard-coded C2 servers
• irad, a passive backdoor that acts as a libpcap-based packet sniffer to extract commands to be executed on the device from ICMP packets
• lmpad, a utility and a passive backdoor that can launch an external script to perform process injection into legitimate Junos OS processes to stall logging
• jdosd, which implements a UDP backdoor with file transfer and remote shell capabilities
• oemd, a passive backdoor that communicates with the C2 server via TCP and supports standard TinyShell commands to upload/download files and execute a shell command

It’s also notable for taking steps to execute the malware by circumventing Junos OS’ Verified Exec (veriexec) protections, which prevent untrusted code from being executed. This is accomplished by gaining privileged access to a router from a terminal server used for managing network devices using legitimate credentials.

The elevated permissions are then used to inject the malicious payloads into the memory of a legitimate cat process, resulting in the execution of the lmpad backdoor while veriexec is enabled.

“The main purpose of this malware is to disable all possible logging before the operator connects to the router to perform hands-on activities and then later restore the logs after the operator disconnects,” Mandiant noted.

Some of the other tools deployed by UNC3886 include rootkits like Reptile and Medusa; PITHOOK to hijack SSH authentications and capture SSH credentials; and GHOSTTOWN for anti-forensics purposes.

Organizations are recommended to upgrade their Juniper devices to the latest images released by Juniper Networks, which includes mitigations and updated signatures for the Juniper Malware Removal Tool (JMRT).

The development comes a little over a month after Lumen Black Lotus Labs revealed that enterprise-grade Juniper Networks routers have become the target of a custom backdoor as part of a campaign dubbed J-magic that delivers a variant of a known backdoor named cd00r.

“The malware deployed on Juniper Networks’ Junos OS routers demonstrates that UNC3886 has in-depth knowledge of advanced system internals,” Mandiant researchers said.

“Furthermore, UNC3886 continues to prioritize stealth in its operations through the use of passive backdoors, together with log and forensics artifact tampering, indicating a focus on long-term persistence, while minimizing the risk of detection.”