The China-linked cyber espionage group UNC3886 has been observed targeting obsolete MX routers from Juniper Networks to deploy custom backdoors, demonstrating its capacity to focus on internal network infrastructure.
“The backdoors had varied custom capabilities, including active and passive backdoor functions, as well as an embedded script that disables logging mechanisms on the target device,” Google-owned Mandiant said in a report shared with The Hacker News.
The threat intelligence firm views this development as an evolution of the adversary’s tactics, which have historically involved exploiting zero-day vulnerabilities in devices from Fortinet, Ivanti, and VMware to breach networks and establish remote access.
First identified in September 2022, the hacking group is considered “highly skilled” and capable of targeting edge devices and virtualization technologies with the goal of compromising defense, technology, and telecommunications organizations in the United States and Asia.
These attacks typically exploit the fact that network perimeter devices often lack security monitoring and detection solutions, allowing the hackers to operate undetected.
Mandiant noted, “The compromise of routing devices is a recent trend in the tactics of espionage-motivated adversaries, granting the capability for long-term, high-level access to crucial routing infrastructure, with potential for more disruptive actions in the future.”
The latest campaign, detected in mid-2024, involves the use of implants based on TinyShell, a C-based backdoor used by various Chinese hacking groups, including Liminal Panda and Velvet Ant.
Mandiant identified six distinct TinyShell-based backdoors, each with unique capabilities:
- appid: supports file upload/download, interactive shell, SOCKS proxy, and configuration changes
- to: similar to appid but with different hard-coded C2 servers
- irad: a passive backdoor that acts as a libpcap-based packet sniffer to extract commands from ICMP packets
- lmpad: a utility and passive backdoor that can launch an external script to perform process injection into legitimate Junos OS processes to stall logging
- jdosd: implements a UDP backdoor with file transfer and remote shell capabilities
- oemd: a passive backdoor that communicates with the C2 server via TCP and supports standard TinyShell commands
Notably, the attackers circumvent Junos OS’ Verified Exec (veriexec) protections by gaining privileged access to a router from a terminal server using legitimate credentials.
The elevated permissions are then used to inject malicious payloads into the memory of a legitimate cat process, allowing the execution of the lmpad backdoor while veriexec is enabled.
Mandiant noted, “The primary purpose of this malware is to disable logging before the operator connects to the router and then restore logs after the operator disconnects.”
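A defender-side check that follows from the log-disabling behaviour just described: because logging is silenced only while the operator is connected, a router that normally emits routine events every few minutes goes quiet for the length of the session, and that silence is visible in a syslog feed forwarded off-box to a collector. The example below is added here and is not code from Mandiant's report or from Juniper; the sample log lines, hostnames, and the 15-minute threshold are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample syslog feed (not taken from the report); timestamps are UTC ISO-8601.
# Both routers normally log every few minutes; the 10:05 -> 10:52 silence on mx-edge-01
# is the kind of window a log-disabling script leaves behind.
SAMPLE_SYSLOG = """\
2024-06-10T10:00:00Z mx-edge-01 mgd[1201]: user netops committed configuration
2024-06-10T10:05:00Z mx-edge-01 rpd[1330]: BGP session with 203.0.113.5 up
2024-06-10T10:52:00Z mx-edge-01 rpd[1330]: BGP keepalive statistics
2024-06-10T10:57:00Z mx-edge-01 chassisd[900]: fan speed normal
2024-06-10T10:00:00Z mx-edge-02 rpd[1340]: BGP session with 203.0.113.9 up
2024-06-10T10:04:00Z mx-edge-02 chassisd[901]: fan speed normal
2024-06-10T10:09:00Z mx-edge-02 rpd[1340]: BGP keepalive statistics
"""


def parse_line(line):
    """Split '<timestamp> <host> <message>' into (datetime, host, message)."""
    ts, host, rest = line.split(" ", 2)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, rest


def find_logging_gaps(syslog_text, max_gap_minutes=15):
    """Return [(host, gap_start, gap_end, minutes)] for every per-host silence
    longer than max_gap_minutes.

    Events are grouped by host and sorted first, so an interleaved feed from
    many routers (as a central collector sees it) is handled correctly.
    """
    per_host = {}
    for line in syslog_text.splitlines():
        if not line.strip():
            continue
        ts, host, _ = parse_line(line)
        per_host.setdefault(host, []).append(ts)

    gaps = []
    for host, stamps in per_host.items():
        stamps.sort()
        for prev, cur in zip(stamps, stamps[1:]):
            delta = cur - prev
            if delta > timedelta(minutes=max_gap_minutes):
                gaps.append((host, prev, cur, int(delta.total_seconds() // 60)))
    return gaps


if __name__ == "__main__":
    for host, start, end, minutes in find_logging_gaps(SAMPLE_SYSLOG):
        print(f"{host}: no syslog for {minutes} min between {start:%H:%M} and {end:%H:%M}")
```

The threshold should be tuned per device class from a baseline of normal inter-event intervals; a gap that coincides with a management session for which no login or logout was recorded is the case worth escalating.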
Other tools deployed by UNC3886 include rootkits like Reptile and Medusa, PITHOOK to hijack SSH authentications, and GHOSTTOWN for anti-forensics purposes.
Organizations are advised to upgrade their Juniper devices to the latest images, which include mitigations and updated signatures for the Juniper Malware Removal Tool (JMRT).
This development comes after Lumen Black Lotus Labs revealed that Juniper Networks routers have been targeted by a custom backdoor as part of a campaign dubbed J-magic.
Mandiant researchers stated, “The malware deployed on Juniper Networks’ Junos OS routers demonstrates UNC3886’s in-depth knowledge of advanced system internals.”
“Furthermore, UNC3886 prioritizes stealth in its operations through the use of passive backdoors and log tampering, indicating a focus on long-term persistence while minimizing detection risk.”