Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers | Google Cloud Blog
Common Information
Type Value
UUID eb0c30a5-9b58-4b15-b92b-d6450f55e45f
Fingerprint a4759d116cbe1a81
Analysis status DONE
Considered CTI value 2
Text language
Published March 12, 2025, midnight
Added to db March 12, 2025, 3:58 p.m.
Last updated March 20, 2025, 8:42 p.m.
Headline Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers
Title Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers | Google Cloud Blog
Detected Hints/Tags/Attributes 111/3/23
RSS Feed
Attributes

Type                           #Events  Value
CVE                                 41  cve-2022-41328
Domain                             183  libc.so
Domain                               2  libjucomm.so
Domain                               2  snmpd.pid
Domain                               2  mgd.pid
File                                 3  ldb.tar
File                                 8  loader.bin
File                                52  payload.bin
File                                 2  pc.bin
File                                 2  pfed_jdhcp6_trace.log
File                                 2  utx.log
IPv4                                 5  129.126.109.50
IPv4                                 5  116.88.34.184
IPv4                                 5  223.25.78.136
IPv4                                 5  45.77.39.28
IPv4                                 5  101.100.182.122
IPv4                                 5  118.189.188.122
IPv4                                 5  158.140.135.244
IPv4                                 5  8.222.225.8
IPv4                               782  0.0.0.0
Mandiant Uncategorized Groups       77  UNC3886
Yara rule                            2  M_Hunting_PacketEncryptionLayer_1 (rule text below)
Yara rule                            2  M_Hunting_TINYSHELL_5 (rule text below)

Yara rule M_Hunting_PacketEncryptionLayer_1 (2 events):
rule M_Hunting_PacketEncryptionLayer_1 {
	meta:
		author = "Mandiant"
	strings:
		$pel_1 = "pel_client_init"
		$pel_2 = "pel_server_init"
		$pel_3 = "pel_setup_context"
		$pel_4 = "pel_send_msg"
		$pel_5 = "pel_recv_msg"
		$pel_6 = "pel_send_all"
		$pel_7 = "pel_recv_all"
		$pel_8 = "pel_errno"
		$pel_9 = "pel_context"
		$pel_10 = "pel_ctx"
		$pel_11 = "send_ctx"
		$pel_12 = "recv_ctx"
	condition:
		4 of ($pel_*)
}
Yara rule M_Hunting_TINYSHELL_5 (2 events):
rule M_Hunting_TINYSHELL_5 {
	meta:
		author = "Mandiant"
	strings:
		$tsh_1 = "tsh_get_file"
		$tsh_2 = "tsh_put_file"
		$tsh_3 = "tsh_runshell"
		$tshd_1 = "tshd_get_file"
		$tshd_2 = "tshd_put_file"
		$tshd_3 = "tshd_runshell"
	condition:
		all of ($tshd_*) or all of ($tsh_*)
}