UNC3886
UNC3886 is a China-nexus, state-sponsored espionage group tracked by Mandiant. The group has targeted virtualization and network edge infrastructure, including VMware vCenter and ESXi environments, Juniper routers running Junos OS, and Fortinet devices, and has been named by Taiwan's National Security Bureau among the Chinese threat groups engaged in sustained targeting of Taiwan's critical sectors. Mandiant describes UNC3886 as focused on long-term access and stealth, using legitimate credentials for lateral movement while avoiding detection.

In VMware environments, observed tradecraft includes exploitation of vCenter and ESXi vulnerabilities, including zero-day exploitation reported by Mandiant; deployment of the Linux rootkits REPTILE and MEDUSA; installation of malicious vSphere Installation Bundles (VIBs); timestomping on ESXi hosts prior to VIB installation; use of esxcli to remove files created by the malicious VIBs; staging captured credentials in var/log/ldapd<unique_keyword>.2.gz; executing Windows commands on guest virtual machines through vmtoolsd.exe; and running scripts from ESXi hosts to list processes on guest VMs.

On Juniper devices, Mandiant reported that UNC3886 deployed multiple TINYSHELL-based backdoors on Junos OS routers, including active and passive variants, and used embedded scripts to disable logging. During the RedPenguin campaign, the group generated Base64-encoded files in the FreeBSD shell environment of targeted Juniper devices, exploited CVE-2025-21590 to inject malicious code into the memory of legitimate processes, and patched the snmpd and mgd Junos OS daemons in memory.

UNC3886 has also disabled OpenSSL digital signature verification of system files by corrupting boot files, trojanized Fortinet firmware, and replaced the legitimate /usr/bin/tac_plus TACACS+ daemon on Linux with a malicious version that logs credentials.

Mandiant reporting identifies MEDUSA and its installer SEAELF as tools used by UNC3886 against Juniper and VMware infrastructure. Additional reporting linked UNC3886 to a MEDUSA/OrBit codebase variant with a specific 0xAA encryption key, distinct credentials, and an install path that exactly matches Intezer's 2024 Lineage A samples. The group is also tracked under the name Fire Ant.
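One host-side check a practitioner would want for the malicious-VIB tradecraft above, added here as an example and not code from Mandiant, VMware or this page: it parses the table printed by `esxcli software vib list` and flags bundles that are unsigned (CommunitySupported), that claim a VMware-signed acceptance level under a non-VMware vendor, or that carry the VMware vendor string with a PartnerSupported level. The sample table, the hypothetical package names and the heuristics are the editor's assumptions; because the actor timestomps before installing VIBs, the install-date column is parsed but deliberately not trusted, and `esxcli software vib signature verify` (on ESXi releases that support it) remains the authoritative check.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Acceptance levels that only a VMware-signed VIB can legitimately carry.
VMWARE_SIGNED_LEVELS = {"VMwareCertified", "VMwareAccepted"}
# Vendor strings VMware uses for its own VIBs.
VMWARE_VENDORS = {"VMware", "VMW"}

# Constructed sample in the layout of `esxcli software vib list`. Versions are
# made up, and the last two rows are hypothetical placeholders, not real
# package names and not UNC3886 VIB names.
SAMPLE_VIB_LIST = """\
Name                  Version                          Vendor  Acceptance Level    Install Date
--------------------  -------------------------------  ------  ------------------  ------------
esx-base              7.0.3-0.35.19193900              VMware  VMwareCertified     2022-01-04
lsu-intel-vmd-plugin  2.7.2173-1vmw.703.0.20.19193900  VMW     VMwareCertified     2022-01-04
net-e1000e            1.2.3-4vmw.703.0.20.19193900     VMW     VMwareCertified     2022-01-04
hypothetical-plugin   1.0-1                            Acme    CommunitySupported  2023-09-18
fake-vmware-pkg       1.0-1                            VMware  PartnerSupported    2023-09-18
"""


@dataclass
class Vib:
    name: str
    version: str
    vendor: str
    acceptance: str
    install_date: str  # parsed for completeness; may be timestomped, so unused


def parse_vib_list(text: str) -> List[Vib]:
    """Parse the esxcli table: a header row, a dashed rule, then one row per
    VIB with columns separated by two or more spaces."""
    vibs: List[Vib] = []
    header = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or set(line.replace(" ", "")) == {"-"}:
            continue  # blank line or the dashed rule under the header
        fields = re.split(r"\s{2,}", line.strip())
        if header is None:
            header = fields
            continue
        if len(fields) != len(header):
            raise ValueError(f"unexpected column count in row: {line!r}")
        vibs.append(Vib(*fields))
    return vibs


def suspicious_vibs(vibs: List[Vib], host_acceptance_level: str) -> List[Tuple[str, str]]:
    """Return (subject, reason) pairs. host_acceptance_level is the string
    printed by `esxcli software acceptance get`."""
    findings: List[Tuple[str, str]] = []
    if host_acceptance_level == "CommunitySupported":
        findings.append(("host", "host acceptance level allows unsigned VIBs without --force"))
    for v in vibs:
        if v.acceptance == "CommunitySupported":
            findings.append((v.name, "unsigned (CommunitySupported) VIB"))
        elif v.acceptance in VMWARE_SIGNED_LEVELS and v.vendor not in VMWARE_VENDORS:
            findings.append((v.name, f"vendor {v.vendor!r} claims a VMware-signed acceptance level"))
        elif v.vendor in VMWARE_VENDORS and v.acceptance == "PartnerSupported":
            findings.append((v.name, "VMware vendor string with PartnerSupported level; verify signature"))
    return findings


if __name__ == "__main__":
    # On a real host: esxcli software vib list > vibs.txt; esxcli software acceptance get
    for subject, reason in suspicious_vibs(parse_vib_list(SAMPLE_VIB_LIST), "PartnerSupported"):
        print(f"{subject}: {reason}")
```

Run it against captured output from each host rather than over SSH from a jump box the actor may already be on, and pair the result with a signature verification pass; the vendor and acceptance-level columns are attacker-controlled descriptor fields, so a clean list is not proof of a clean host.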
Tradecraft
54 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
19 malware families attributed to this actor across reporting.
Associated vulnerabilities
22 CVEs this actor has used in observed campaigns. 22 of them exploited in the wild.
After compromising the hypervisor, the Fire Ant actors exploited another vulnerability — CVE-2023-20867 — to execute commands inside the guest virtual machines (VMs) without the required authentication. CVE-2023-20867 is an authentication bypass flaw that was also exploited by UNC3886 and disclosed by Mandiant researchers in 2023.
Sygnia's investigation into the cyberespionage campaign found that Fire Ant actors exploited a nearly two-year-old vulnerability in VMware vCenter, tracked as CVE-2023-34048, to gain initial access to targeted organizations.
During RedPenguin, UNC3886 exploited CVE-2025-21590 to enable malicious code injection into the memory of legitimate processes.
UNC3886 has used the zero-day vulnerabilities CVE-2022-41328 against FortiOS, CVE-2023-20867 against VMware Tools (the guest-side authentication bypass in vmtoolsd), and CVE-2023-34048 against VMware vCenter.
The abuse of CVE-2022-22948, on the other hand, has been attributed by Google-owned Mandiant to a China-nexus cyber espionage group known as UNC3886...
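A guest-side detection for the command execution through vmtoolsd.exe described on this page (the CVE-2023-20867 bypass and the vmtoolsd tradecraft above), added as an example rather than code from Mandiant, Sygnia or this page: it walks process-creation events using Sysmon Event ID 1 field names and flags interpreters and discovery utilities whose parent is vmtoolsd.exe. The events are constructed, and the child-process list and the legitimate VMware Tools helper shown are the editor's assumptions.

```python
import ntpath
from typing import Dict, Iterable, List

# Interpreters and utilities an operator would typically launch when running
# commands inside a guest through VMware Tools. Editor's list; tune per estate.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "rundll32.exe", "certutil.exe", "net.exe", "whoami.exe", "tasklist.exe",
}

TOOLS_DIR = r"C:\Program Files\VMware\VMware Tools"

# Constructed process-creation events (Sysmon Event ID 1 field names).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"UtcTime": "2024-05-02 10:14:03.120", "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": TOOLS_DIR + r"\vmtoolsd.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c whoami /all > C:\Windows\Temp\w.txt"},
    {"UtcTime": "2024-05-02 10:14:05.004", "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": TOOLS_DIR + r"\vmtoolsd.exe",
     "Image": TOOLS_DIR + r"\VMwareResolutionSet.exe",  # assumed-benign helper
     "CommandLine": "VMwareResolutionSet.exe 0 1 , 0 0 1024 768"},
    {"UtcTime": "2024-05-02 10:20:41.377", "User": r"CORP\alice",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
    {"UtcTime": "2024-05-02 11:02:19.910", "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": TOOLS_DIR + r"\vmtoolsd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
]


def find_vmtoolsd_children(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events where vmtoolsd.exe spawned a shell, script host or
    discovery tool. Matching is on image basenames, case-insensitively, so a
    renamed interpreter or a vmtoolsd.exe copied elsewhere is out of scope."""
    hits: List[Dict[str, str]] = []
    for ev in events:
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        child = ntpath.basename(ev.get("Image", "")).lower()
        if parent == "vmtoolsd.exe" and child in SUSPICIOUS_CHILDREN:
            hits.append({
                "time": ev.get("UtcTime", ""),
                "child": child,
                "user": ev.get("User", ""),
                "cmdline": ev.get("CommandLine", ""),
            })
    return hits


if __name__ == "__main__":
    for hit in find_vmtoolsd_children(SAMPLE_EVENTS):
        print(f"{hit['time']}  vmtoolsd.exe -> {hit['child']}  [{hit['user']}]  {hit['cmdline']}")
```

Guest customization and legitimate guest-operations API use also produce vmtoolsd.exe child processes, so treat a hit as a lead to correlate with vCenter and ESXi-side records of guest operations and with who was logged in; with the CVE-2023-20867 bypass no guest credentials are needed, so a SYSTEM-context shell from vmtoolsd with no matching operator activity is the pattern to escalate.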
Observables
36 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Targeting VMware environments and deploying Linux rootkits for stealth, persistence, and credential theft after exploiting vCenter and ESXi vulnerabilities.
State-sponsored espionage activity using the OrBit/Medusa-derived Linux rootkit codebase to maintain covert access on compromised systems.
State-sponsored espionage actor using MEDUSA/OrBit and SEAELF against Juniper and VMware infrastructure; the 2024 0xAA-key OrBit cluster is assessed to match UNC3886’s MEDUSA configuration.
China-linked espionage group that deployed TINYSHELL-based backdoors on Junos OS routers, disabled logging, targeted virtualization and network edge devices, and emphasized stealth, credential use, lateral movement, and long-term persistence.