UNC3886
Description
(Mandiant) Following the discovery of malware residing within ESXi hypervisors in September 2022, Mandiant began investigating numerous intrusions conducted by UNC3886, a suspected China-nexus cyber espionage actor that has targeted prominent strategic organizations on a global scale. In January 2023, Mandiant provided detailed analysis of the exploitation of a now-patched vulnerability in FortiOS employed by a threat actor suspected to be UNC3886. In March 2023, we provided details surrounding a custom malware ecosystem utilized on affected Fortinet devices. Furthermore, the investigation uncovered the compromise of VMware technologies, which facilitated access to guest virtual machines.
Investigations into more recent operations in 2023 following fixes from the vendors involved in the investigation have corroborated Mandiant’s initial observations that the actor operates in a sophisticated, cautious, and evasive manner. Mandiant has observed that UNC3886 employed several layers of organized persistence for redundancy to maintain access to compromised environments over time. Persistence mechanisms encompassed network devices, hypervisors, and virtual machines, ensuring that alternative channels remain available even if the primary layer is detected and eliminated.
Names
Name | Name-Giver |
---|---|
UNC3886 | Mandiant |
Country
Motivation
- Information theft and espionage
First Seen
2021
Tools
- BOLDMOVE
- CASTLETAP
- LOOKOVER
- MOPSLED
- REPTILE
- RIFLESPINE
- TABLEFLIP
- THINCRUST
- Tiny SHell
- VIRTUALGATE
- VIRTUALPIE
- VIRTUALPITA
- VIRTUALSHINE
Operations
- 2021 Late: Chinese Espionage Group UNC3886 Found Exploiting CVE-2023-34048 Since Late 2021 https://cloud.google.com/blog/topics/threat-intelligence/chinese-vmware-exploitation-since-2021/
- 2022: Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors https://cloud.google.com/blog/topics/threat-intelligence/esxi-hypervisors-malware-persistence
- 2022 Mid: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation https://cloud.google.com/blog/topics/threat-intelligence/fortinet-malware-ecosystem/
- 2022-10: Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475) https://cloud.google.com/blog/topics/threat-intelligence/chinese-actors-exploit-fortios-flaw/
- 2023: Cloaked and Covert: Uncovering UNC3886 Espionage Operations https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
- 2024 Mid: Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-targets-juniper-routers
Information
Other Information
Uuid
4e437eb9-73e3-4871-a735-54f1aca46edf
Last Card Change
2025-04-21