
Mandiant uncovers UNC3886 cyber-attack on Juniper routers

Today

Mandiant has identified a cyber espionage campaign by UNC3886, a China-linked hacking group targeting outdated Juniper Networks routers with sophisticated malware.

The research from Mandiant, Google Cloud Security's threat intelligence unit, reveals that the attackers have been exploiting end-of-life Juniper MX routers running older versions of Junos OS. They utilised advanced techniques to maintain persistent access while evading detection by standard security tools.

Mandiant's investigation highlighted several key findings about UNC3886's methods. The group deployed six distinct malware variants derived from the TINYSHELL backdoor, embedded across various compromised routers. These included both active and passive backdoors, alongside scripts intended to disable logging mechanisms and avoid detection.

The attackers also successfully bypassed Junos OS's Veriexec security subsystem by injecting malicious code into legitimate system processes. According to Juniper's security advisories, this vulnerability, tracked as CVE-2025-21590, allowed the execution of unauthorised code without triggering security alerts.

UNC3886's campaign marks a shift in their targeting strategy. Traditionally focused on network edge devices, the group has now turned its attention to internal networking infrastructure, including routers utilised by Internet Service Providers. Such a strategic shift could have significant implications for global communications security.

Mandiant collaborated closely with Juniper Networks to analyse these attacks and devise mitigation strategies. In response, Juniper has released updated security patches and a new version of the Juniper Malware Removal Tool (JMRT) to assist organisations in detecting and removing the malware.

Mandiant has recommended several measures for organisations to protect their network infrastructure from similar threats. They advise upgrading all Juniper routers to supported versions with the latest security patches, so that known vulnerabilities cannot be exploited.

Organisations are also urged to implement multi-factor authentication and to enforce strict role-based access control to minimise the risk of unauthorised access. Further, conducting security scans with JMRT and enhancing network monitoring and logging are recommended to spot and eliminate hidden malware and suspicious activity.

Mandiant also suggests that organisations adopt secure configuration management, including configuration validation frameworks to prevent unauthorised modifications. Utilising intelligence-driven security strategies is encouraged to stay ahead of emerging cyber threats and improve incident response capabilities. To mitigate exposure to legacy vulnerabilities, replacing end-of-life networking equipment with secure, up-to-date alternatives is advised.
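The "configuration validation" recommendation above is easy to state and rarely shown concretely. The following is an added example, not code from Mandiant, Juniper or the article: a small baseline-versus-running comparison over Junos-style "set" configuration text. The two configuration samples are constructed for illustration (hostnames, addresses and user names are invented), and the list of sensitive stanza prefixes is an assumption chosen to match the article's point that the intrusion tampered with logging and access. A defender would run the same comparison against a configuration export pulled over an authenticated management channel and alert on any drift in the sensitive stanzas.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample of an approved baseline configuration (Junos-style "set" lines).
BASELINE_CONFIG = """\
set system host-name edge-router-1
set system syslog host 192.0.2.10 any any
set system login user admin class super-user
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/24
"""

# Constructed sample of a running configuration in which remote logging has been
# dropped and an unexpected super-user account has appeared.
RUNNING_CONFIG = """\
set system host-name edge-router-1
set system login user admin class super-user
set system login user svc-backup class super-user
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/24
"""

# Assumed set of stanzas whose modification should always be treated as high priority:
# logging, local accounts and management services.
SENSITIVE_PREFIXES = ("set system syslog", "set system login", "set system services")


def normalise(config_text):
    """Return the set of non-empty, non-comment 'set' lines, whitespace-trimmed.

    Using a set makes the comparison independent of line order, which varies
    between exports without any real change in the device's state.
    """
    lines = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            lines.add(line)
    return lines


def fingerprint(config_text):
    """SHA-256 over the sorted, normalised lines: a stable identity for a configuration."""
    canonical = "\n".join(sorted(normalise(config_text)))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass
class DriftReport:
    added: list       # lines present in the running config but not in the baseline
    removed: list     # lines present in the baseline but missing from the running config
    sensitive: list   # subset of added + removed that touch a sensitive stanza

    def unchanged(self):
        return not self.added and not self.removed


def compare(baseline_text, running_text):
    """Diff two configurations and flag changes in sensitive stanzas."""
    baseline = normalise(baseline_text)
    running = normalise(running_text)
    added = sorted(running - baseline)
    removed = sorted(baseline - running)
    sensitive = [line for line in added + removed if line.startswith(SENSITIVE_PREFIXES)]
    return DriftReport(added, removed, sensitive)


if __name__ == "__main__":
    report = compare(BASELINE_CONFIG, RUNNING_CONFIG)
    print("baseline fingerprint:", fingerprint(BASELINE_CONFIG))
    print("running  fingerprint:", fingerprint(RUNNING_CONFIG))
    for line in report.added:
        print("+", line)
    for line in report.removed:
        print("-", line)
    if report.sensitive:
        print("ALERT: sensitive stanzas changed:", report.sensitive)
```

The fingerprint is what a scheduled job would store and compare on each run; the drift report is what a responder wants when the fingerprints disagree. Because the comparison is order-independent, a reordered export produces no false alarm, while a removed syslog destination or an added account is surfaced immediately.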

Mandiant's findings emphasise the emerging trend of cyber espionage actors targeting critical networking infrastructure. The ability of UNC3886 to compromise ISP routers showcases the potential for extensive intelligence gathering and possible disruption of global communications.

Given the severity of UNC3886's campaign, Mandiant strongly advises organisations to assess their exposure to these threats and take proactive security measures. Companies concerned about potential compromise can utilise Mandiant's advanced threat hunting and security assessment services to identify and mitigate risks before they develop further.
