Ghost in the Router: China-Backed UNC3886 Exploits Juniper Networks in New Cyber Espionage Campaign

A newly discovered cyber espionage campaign by China-linked hacking group UNC3886 has compromised outdated Juniper Networks routers, according to Mandiant, Google Cloud Security’s threat intelligence division. The attackers deployed custom malware, using advanced techniques to bypass built-in security protections and maintain stealthy, long-term access.

UNC3886’s Attack and Malware Techniques

Mandiant’s investigation found that UNC3886 has been targeting end-of-life Juniper MX routers running outdated Junos OS versions. By leveraging custom malware, the attackers gained root access to these devices, modifying system processes to evade detection.

Key findings include:

  • Custom Malware Deployment: Mandiant identified six distinct backdoors based on the TINYSHELL framework, designed for persistent access and remote control of compromised devices. The malware includes scripts to disable logging, making it difficult for security teams to detect anomalies.
  • Exploitation of Junos OS Security Features: UNC3886 bypassed Junos OS’s Veriexec security mechanism by injecting malicious code into legitimate system processes. The underlying weakness is tracked as CVE-2025-21590; exploiting it let the attackers execute arbitrary commands undetected.
  • Expansion Beyond Edge Devices: Historically, UNC3886 has targeted virtualisation and network edge devices. However, this latest campaign demonstrates a shift towards internal networking infrastructure, including core ISP routers, significantly expanding their potential reach and impact.

Mandiant and Juniper Networks’ Response

Mandiant collaborated with Juniper Networks to analyse the malware and assess its impact. Juniper has since released security updates, as well as a refreshed version of the Juniper Malware Removal Tool (JMRT), designed to scan for and eliminate the malware.

Security Recommendations for Organisations

Mandiant urges organisations to take immediate steps to secure their network environments:

  • Upgrade Juniper Devices to the Latest Versions: Outdated hardware and software present critical vulnerabilities. Organisations should ensure their routers run supported, patched versions of Junos OS.
  • Run Security Scans with JMRT: The latest JMRT release includes detection capabilities for UNC3886’s malware. Running the tool’s Quick Scan and Integrity Check is essential after upgrading devices.
  • Implement Strong Authentication Controls: Use multi-factor authentication (MFA) and role-based access control (RBAC) to limit exposure to unauthorised access.
  • Improve Network Visibility and Logging: Organisations should enhance their monitoring systems to detect unusual behaviour and review administrative activity regularly.
  • Adopt a Proactive Security Posture: Threat actors continuously evolve their tactics. Engaging with a security intelligence provider like Mandiant can help organisations stay ahead of emerging cyber threats.
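The report notes that the malware disables logging on the router, so one concrete check behind the "visibility and logging" advice is to watch the collector for devices that go quiet or whose logging configuration is removed. The script below is an added example, not code from Mandiant, Juniper or JMRT; the syslog lines are constructed, and the message formats it matches (including the `delete: [system syslog]` indicator) are assumptions, not verified Junos log formats.

```python
"""Flag routers whose syslog feed went quiet or whose logging config was altered.

Added example, not from the Mandiant/Juniper report. Input lines are constructed
syslog-style records as a collector might store them; the message text formats
are assumptions, not verified Junos log formats.
"""
from datetime import datetime, timedelta
import re

# Constructed sample: three routers reporting to a collector. mx-core-2 stops
# reporting right after an admin session removes its syslog stanza.
SAMPLE_LOG = """\
2025-03-12T01:00:00Z mx-core-1 mgd[1201]: UI_COMMIT: User 'netops' commit
2025-03-12T01:00:10Z mx-core-2 sshd[2210]: Accepted password for root
2025-03-12T01:02:00Z mx-core-3 mgd[1300]: UI_COMMIT: User 'netops' commit
2025-03-12T01:05:00Z mx-core-2 mgd[2215]: UI_CFG_AUDIT_OTHER: User 'root' delete: [system syslog]
2025-03-12T03:00:00Z mx-core-1 sshd[1250]: Accepted publickey for netops
2025-03-12T03:30:00Z mx-core-3 chassisd[77]: fan speed normal
"""

# <timestamp> <host> <process>: <message>
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+?):\s*(.*)$")
# Assumed indicator of logging being switched off; tune to the real format.
LOGGING_CHANGE_RE = re.compile(r"delete:\s*\[system syslog\]", re.I)

def parse(log_text):
    """Return a list of (timestamp, host, message) tuples, skipping junk lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(4)))
    return events

def find_anomalies(log_text, silence=timedelta(hours=1)):
    """Map host -> findings: logging config removed, or silent longer than `silence`."""
    events = parse(log_text)
    findings = {}
    if not events:
        return findings
    newest = max(ts for ts, _, _ in events)   # reference point for "silent since"
    last_seen = {}
    for ts, host, msg in events:
        last_seen[host] = max(last_seen.get(host, ts), ts)
        if LOGGING_CHANGE_RE.search(msg):
            findings.setdefault(host, []).append(f"logging config removed at {ts:%H:%M}")
    for host, ts in last_seen.items():
        if newest - ts > silence:
            findings.setdefault(host, []).append(f"silent since {ts:%H:%M}")
    return findings

if __name__ == "__main__":
    for host, notes in sorted(find_anomalies(SAMPLE_LOG).items()):
        print(host, "->", "; ".join(notes))
```

In production the silence threshold should reflect each device's normal log rate; a busy core router that sends nothing for an hour is a stronger signal than a quiet lab box.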

The Growing Threat to Network Infrastructure

UNC3886’s ability to infiltrate core networking devices highlights the evolving threat landscape, where espionage groups seek long-term access to global communications infrastructure. As networking hardware increasingly becomes a target, organisations must prioritise cybersecurity investments to protect against sophisticated, nation-state-backed adversaries.

Mandiant continues to investigate this campaign and advises any potentially impacted organisations to seek professional threat-hunting services to assess and mitigate risks.