UNC3886
UNC3886 is a China-nexus, state-sponsored espionage group tracked by Mandiant; it is also tracked under the alias Fire Ant. The group has targeted network infrastructure and virtualization environments, including Juniper routers and Junos OS devices, Fortinet appliances, and VMware vCenter and ESXi environments. ENISA's 2025 Threat Landscape report listed UNC3886 among actors targeting Juniper routers and exploiting zero-day vulnerabilities in network infrastructure, and Taiwan's NSB named UNC3886 among Chinese groups engaged in sustained targeting of Taiwan's critical sectors. The group is described as focused on long-term access and stealth, using legitimate credentials for lateral movement while avoiding detection. Mandiant reported that UNC3886 exploited one vulnerability as a zero-day for nearly two years before its disclosure.

In Junos OS intrusions, Mandiant attributed to the group the deployment of several TINYSHELL-based backdoors, including active and passive variants, and noted the use of embedded scripts to disable logging. Mandiant also reported UNC3886 activity against VMware environments, where the group deployed the Linux rootkits REPTILE and MEDUSA after exploiting vCenter and ESXi vulnerabilities. Reporting also links UNC3886 to MEDUSA and its installer SEAELF, and to a MEDUSA/OrBit codebase configuration matching a specific XOR key, credentials, and install path.

Observed tradecraft includes staging captured credentials in var/log/ldapd<unique_keyword>.2.gz; listing running processes on guest VMs from ESXi hosts; executing Windows commands on guest virtual machines through vmtoolsd.exe; timestomping ESXi hosts before installing malicious vSphere Installation Bundles (VIBs); and using esxcli to remove files created by malicious VIBs from disk.
During the RedPenguin campaign, UNC3886 uploaded specified files from compromised devices to a remote server, generated Base64-encoded files in the FreeBSD shell environment of targeted Juniper devices, exploited CVE-2025-21590 to enable malicious code injection into the memory of legitimate processes, performed local memory patching to modify the snmpd and mgd Junos OS daemons, trojanized Fortinet firmware, and replaced the legitimate /usr/bin/tac_plus TACACS+ daemon with a malicious credential-logging version. The group is also described as prioritizing stealth through passive backdoors and tampering with logs and forensic artifacts, and as demonstrating deep understanding of the underlying appliance technologies it targets.
Tradecraft
54 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
19 malware families attributed to this actor across reporting.
Associated vulnerabilities
22 CVEs this actor has used in observed campaigns, all 22 of them exploited in the wild.
After compromising the hypervisor, the Fire Ant actors exploited another vulnerability — CVE-2023-20867 — to execute commands inside the guest virtual machines (VMs) without the required authentication. CVE-2023-20867 is an authentication bypass flaw that was also exploited by UNC3886 and disclosed by Mandiant researchers in 2023.
Sygnia's investigation into the cyberespionage campaign found that Fire Ant actors exploited a nearly two-year-old vulnerability in VMware vCenter, tracked as CVE-2023-34048, to gain initial access to targeted organizations.
During RedPenguin, UNC3886 exploited CVE-2025-21590 to enable malicious code injection into the memory of legitimate processes.
UNC3886 has used zero-day vulnerabilities CVE-2022-41328 against FortiOS and CVE-2023-20867 and CVE-2023-34048 against VMware vCenter.
The abuse of CVE-2022-22948, on the other hand, has been attributed by Google-owned Mandiant to a China-nexus cyber espionage group known as UNC3886...
Observables
36 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Targeting VMware environments and deploying Linux rootkits for stealth, persistence, and credential theft after exploiting vCenter and ESXi vulnerabilities.
State-sponsored espionage activity using the OrBit/Medusa-derived Linux rootkit codebase to maintain covert access on compromised systems.
State-sponsored espionage actor using MEDUSA/OrBit and SEAELF against Juniper and VMware infrastructure; the 2024 0xAA-key OrBit cluster is assessed to match UNC3886’s MEDUSA configuration.
China-linked espionage group that deployed TINYSHELL-based backdoors on Junos OS routers, disabled logging, targeted virtualization and network edge devices, and emphasized stealth, credential use, lateral movement, and long-term persistence.