
UNC3886

Advanced persistent threat group

From Wikipedia, the free encyclopedia


UNC3886 is an advanced persistent threat group believed to have China‑nexus affiliations. First publicly identified in mid‑2023, it has been active since at least late 2021, targeting critical infrastructure globally.

History

UNC3886 was first described by the cybersecurity firm Mandiant in early 2023, following multiple global intrusions that predominantly targeted virtualization and network security technologies.[1] Subsequent investigations attributed the group to campaigns with state‑sponsored espionage objectives. In mid‑2025, Singapore's government publicly disclosed that UNC3886 was attacking its critical information infrastructure,[2] confirming that operations were ongoing as of July 2025.[3][4][5]


Notable campaigns

VMware and Fortinet Campaigns (2022–2023)

UNC3886 exploited multiple zero‑day vulnerabilities in FortiGate devices and in VMware vCenter and VMware Tools to establish footholds, deploy backdoors, and move laterally across enterprise virtualization infrastructure. Rootkits and credential theft facilitated long‑term hidden access.[1]

Juniper Routers (Mid‑2024 / 2025)

In mid‑2024, UNC3886 compromised end‑of‑life (EOL) Juniper MX routers using TinyShell variants to disable logging, inject code into trusted processes, and persist across device reboots. These attacks highlight the group's ability to tailor malware for embedded network devices.[1]

Fire Ant Campaign (Early 2025)

Sygnia's investigation into the "Fire Ant" campaign found substantial overlaps with UNC3886's tooling, techniques, and victim profiles. Targets included VMware infrastructure, where persistent backdoors were deployed after exploitation of CVE‑2023‑34048 and CVE‑2023‑20867. Fire Ant's adaptive capabilities reflect ongoing UNC3886 operations in 2025.[6]


Reactions

  • The Chinese embassy in Singapore criticized local media for reporting that UNC3886 is linked to China, accusing them of relying on unverified claims from a foreign cybersecurity firm.[7]
