China-Linked UNC3886 Exploits Juniper Routers for Espionage

Summary

Mandiant published a blog detailing the discovery of custom backdoors on Juniper Networks’ Junos OS routers, which Mandiant identified in mid-2024 and attributed to the China-nexus group UNC3886. These TINYSHELL-based backdoors had both active and passive functionalities and disabled logging to evade detection. The attack targeted end-of-life Juniper MX routers, leading Mandiant to recommend upgrading to the latest software and running Juniper Malware Removal Tool (JMRT) scans.

UNC3886 has previously deployed custom malware on virtualization and network edge devices, which often lack EDR monitoring. Their focus remains on stealthy lateral movement using legitimate credentials to ensure persistent access. The new tool introduced in 2024 demonstrates their advanced understanding of targeted technologies. At the time of publishing, Mandiant found no technical overlaps between UNC3886’s activity and other China-linked groups, including Volt Typhoon and Salt Typhoon.

Technical Details

Mandiant's blog details UNC3886's attack on Juniper Networks' Junos OS routers, bypassing Veriexec protection using process injection, now tracked as CVE-2025-21590. The attackers gained root access, created Base64-encoded payloads, and injected malicious code into a cat process to execute the lmpad backdoor stealthily. They manipulated memory locations using dd commands and hijacked fclose to run shellcode instead. After execution, they deleted traces, leaving only a legitimate-looking compromised process. Mandiant's analysis recovered three payloads but could not retrieve all original files from the infected routers.

TINYSHELL is an open-source lightweight backdoor written in C that uses a custom binary protocol for communication. It supports remote file upload/download and establishing a remote shell session. The FreeBSD version of TINYSHELL appears to be the base for customized backdoors identified in this investigation.

appid — Active Backdoor

The appid malware is a TINYSHELL-based active backdoor written in C. It communicates with hardcoded C2 servers linked to a GOBRAT ORB network. It rotates through C2 servers, maintaining two synchronized TCP sockets for tasking and handling requests. Network traffic is encrypted with AES, and the malware supports standard TINYSHELL commands along with proxy and reconfiguration capabilities. It allows modifying C2 settings, including IP addresses, port numbers, and sleep timeouts.

to — Active Backdoor

The to malware is another TINYSHELL-based active backdoor, identical to appid but with a different set of hardcoded C2 servers. It follows the same tasking and handling mechanism, using two synchronized TCP sockets and AES encryption for communication. Like appid, it supports remote file operations, shell access, proxy setup, and reconfiguration. The C2 addresses, ports, and other settings can be modified through its configuration menu.

irad — Passive Backdoor

The irad malware is a TINYSHELL-based passive backdoor that functions as a libpcap-based packet sniffer. It operates in two modes: active mode, where it connects to a provided C2 address, and passive mode, where it listens for commands via ICMP packets containing a specific magic string. The malware decrypts and validates commands before executing them, supporting standard TINYSHELL operations like file transfer and shell access alongside custom commands like connection relaying. It employs AES encryption, HMAC authentication, and hardcoded keys/tokens for secure communication. If triggered by a special termination string, it stops its listening process.

lmpad — Passive Backdoor

The lmpad malware is a TINYSHELL-based backdoor that disables logging on Junos OS devices before an attacker connects, ensuring stealth. It receives RC4-encrypted commands via UDP and supports standard TINYSHELL functions alongside custom commands to manipulate logs, execute remote shells, and modify system processes. It employs direct memory manipulation using dd to disable SNMP traps and auditing in mgd and snmpd. Additionally, it can backup and restore Juniper configurations, erase traces of attacker activity, and update sleep/socket timeouts. If an unknown command is received, it terminates execution.
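Because lmpad's first action is to silence logging on the device, a router whose syslog stream abruptly stops is itself a signal worth alerting on. The following Python is an added example, not code from the Mandiant report or from Juniper: it reads constructed collector lines (ISO timestamp, host, message) and reports any device whose messages stop for longer than a threshold, either between two observed messages or from its last message up to the present moment. The host names, timestamps, message text and the 30-minute threshold are all constructed or assumed.

```python
"""Alert on network devices whose syslog stream goes quiet.

Added example: the log lines below are constructed and the 30-minute
threshold is an assumed tuning value, not a figure from the report.
"""
from datetime import datetime, timedelta

MAX_SILENCE = timedelta(minutes=30)  # assumed threshold; tune per device class

# Constructed sample: "<ISO timestamp> <host> <message>" lines from a collector.
# mx-edge-1 falls silent between 10:05 and 11:30; mx-edge-2 is last seen at 10:20.
SAMPLE_LOGS = [
    "2024-06-01T10:00:00 mx-edge-1 mgd[2140]: user netops logged in",
    "2024-06-01T10:00:05 mx-edge-2 mgd[2102]: user netops logged in",
    "2024-06-01T10:05:00 mx-edge-1 mgd[2140]: commit complete",
    "2024-06-01T10:10:00 mx-edge-2 snmpd[1870]: trap sent to 10.0.0.6",
    "2024-06-01T10:20:00 mx-edge-2 sshd[3310]: session closed for netops",
    "2024-06-01T11:30:00 mx-edge-1 mgd[2140]: user netops logged in",
]


def parse_line(line):
    """Split a collector line into (timestamp, host); the message text is ignored."""
    stamp, host, _message = line.split(" ", 2)
    return datetime.fromisoformat(stamp), host


def find_log_gaps(lines, now_iso, max_silence=MAX_SILENCE):
    """Return (host, last_seen_iso, next_seen_iso_or_None) for every silence
    longer than max_silence. A None third element means the host has not
    spoken again as of now_iso, i.e. it is still silent."""
    now = datetime.fromisoformat(now_iso)
    seen = {}
    for line in lines:
        stamp, host = parse_line(line)
        seen.setdefault(host, []).append(stamp)

    alerts = []
    for host, stamps in seen.items():
        stamps.sort()
        # Gaps between consecutive messages from the same device.
        for prev, cur in zip(stamps, stamps[1:]):
            if cur - prev > max_silence:
                alerts.append((host, prev.isoformat(), cur.isoformat()))
        # Device that has been silent from its last message until now.
        if now - stamps[-1] > max_silence:
            alerts.append((host, stamps[-1].isoformat(), None))
    return sorted(alerts, key=lambda a: (a[0], a[1]))


if __name__ == "__main__":
    for host, start, end in find_log_gaps(SAMPLE_LOGS, "2024-06-01T12:00:00"):
        status = f"resumed at {end}" if end else "still silent"
        print(f"{host}: no syslog since {start} ({status})")
```

The check deliberately treats "silent until now" separately from "silent between two messages": the first is the live condition an analyst should act on, the second is what a retrospective sweep over archived logs will surface. A device that legitimately reboots will also trip it, so route the alert to a queue where it is correlated with change records rather than paging on it directly.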

jdosd — Passive Backdoor

The jdosd malware is a passive UDP backdoor that operates on port 33512, enabling remote shell access and file transfer. It uses a flawed custom RC4 encryption with a fixed key for traffic security. The attacker connects by sending a 0xDEADBEEF magic value, receiving an encrypted response along with the malware's process ID. It supports standard TINYSHELL commands for file operations and remote shell execution alongside two custom commands: one (0xAC) does nothing, while the other (0xFF) terminates the malware.
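The two concrete facts the write-up gives for jdosd, a UDP listener on port 33512 and a 0xDEADBEEF activation value, are enough for a narrow network detection. The Python below is an added example, not code from the report: it parses raw UDP datagrams (RFC 768 header plus payload), flags those that target port 33512 and open with the magic value, and checks the magic in both byte orders because the report does not state the wire byte order (an assumption). The datagrams in the sample capture are constructed.

```python
"""Flag UDP datagrams that look like the jdosd activation handshake.

Added example, not code from the report: it keys on the two facts the
write-up gives (listening port 33512, a 0xDEADBEEF magic value) and checks
the magic in both byte orders because the wire byte order is not stated
(assumption). The datagrams below are constructed.
"""
import struct

JDOSD_PORT = 33512
JDOSD_MAGIC = 0xDEADBEEF
# Both encodings of the magic, since the report does not give the byte order.
MAGIC_PATTERNS = (struct.pack(">I", JDOSD_MAGIC), struct.pack("<I", JDOSD_MAGIC))

UDP_HEADER = struct.Struct("!HHHH")  # src port, dst port, length, checksum (RFC 768)


def build_udp(src_port, dst_port, payload):
    """Build a UDP datagram with a zero checksum (used here only to construct samples)."""
    return UDP_HEADER.pack(src_port, dst_port, UDP_HEADER.size + len(payload), 0) + payload


def parse_udp(datagram):
    """Return (src_port, dst_port, payload) from a raw UDP datagram."""
    if len(datagram) < UDP_HEADER.size:
        raise ValueError("truncated UDP header")
    src_port, dst_port, length, _checksum = UDP_HEADER.unpack_from(datagram)
    if length < UDP_HEADER.size or length > len(datagram):
        raise ValueError("UDP length field inconsistent with datagram size")
    return src_port, dst_port, datagram[UDP_HEADER.size:length]


def is_jdosd_handshake(datagram):
    """True when the datagram targets port 33512 and opens with the magic value."""
    _src, dst_port, payload = parse_udp(datagram)
    return dst_port == JDOSD_PORT and payload[:4] in MAGIC_PATTERNS


def scan_for_jdosd(datagrams):
    """Return the source ports of matching datagrams, in capture order."""
    return [parse_udp(d)[0] for d in datagrams if is_jdosd_handshake(d)]


# Constructed capture: two handshakes (one per byte order), one benign packet
# to the same port, and the magic value sent to an unrelated port.
SAMPLE_DATAGRAMS = [
    build_udp(51000, JDOSD_PORT, MAGIC_PATTERNS[0] + b"\x00" * 4),
    build_udp(51001, JDOSD_PORT, b"\x00\x01\x02\x03"),
    build_udp(51002, 53, MAGIC_PATTERNS[0]),
    build_udp(51003, JDOSD_PORT, MAGIC_PATTERNS[1]),
]

if __name__ == "__main__":
    print("matching source ports:", scan_for_jdosd(SAMPLE_DATAGRAMS))
```

Because the backdoor is passive, the first datagram to the router is the only unencrypted part of the exchange; everything after it is RC4 traffic, so the handshake is the place to look. Port 33512 carries no legitimate service on a Junos router, so a simpler rule that fires on any inbound UDP to that port is a reasonable fallback where payload inspection is unavailable.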

oemd — Passive Backdoor

The oemd malware is a passive C-based backdoor that dynamically receives its C2 address via UDP before establishing an AES-encrypted, XOR-encoded TCP connection. It binds to specific network interfaces defined in environment variables (INTFS, RTS, UPRT, DAEMON). During setup, it retrieves the interface's local index and listens for C2 instructions. It supports standard TINYSHELL commands for file transfers and remote command execution. When running shell commands, it clears HISTFILE and allows TERM value customization.

Junos OS Socket Behavior & Linux Compatibility Analysis

The analyzed samples create an AF_ROUTE socket, likely specific to Junos OS, for interacting with the routing subsystem. This socket is used to retrieve the interface index, similar to rt_ messages on OpenBSD. While oemd uses the ifinfo command, the other samples rely on custom rt_ messages sent over the socket. The message includes an interface name and logical sub-interface, which matters on Juniper devices because they use sub-interfaces instead of VLANs. The retrieved interface index is then applied in a setsockopt call to bind the C2 communication over TCP or UDP to that interface.

In the same investigation Mandiant observed UNC3886 using TTPs consistent with its earlier campaigns: rootkits such as REPTILE and MEDUSA together with SEAELF and BUSYBOX for command execution and persistence. Instead of kubo/injector, the group deployed PITHOOK and a modified SSH server to hijack authentication and capture credentials, and it replaced the TACACS+ daemon with a backdoored version for credential theft. GHOSTTOWN malware was used for anti-forensics. No evidence of data staging or exfiltration was found during the investigation.

Recommendations

  • Update Juniper devices to the latest firmware, apply JMRT mitigations, and run integrity scans.

  • Use centralized IAM with MFA and RBAC to protect network device access.

  • Enforce standardized configurations with automated validation and alerting for deviations.

  • Prioritize high-risk admin activities and regularly review detection capabilities.

  • Patch network device vulnerabilities promptly, including those in niche OS environments.

  • Implement proactive monitoring, automated updates, and EOL replacement planning.

  • Enforce strict access controls, network segmentation, and hardening measures.

  • Continuously leverage threat intelligence to refine security controls against evolving threats.
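The third recommendation, standardized configurations with automated validation and alerting on deviations, can be implemented as a plain set difference over the device's configuration in "set" form. The Python below is an added example, not code from the report or from Juniper: both configurations are constructed, the statement syntax mirrors the output of "show configuration | display set", and the high-risk prefixes are an assumed choice. One caveat the page itself implies: lmpad patches mgd and snmpd in memory with dd, which leaves the committed configuration untouched, so a configuration diff will not see that tampering and belongs alongside log-flow monitoring and JMRT scans rather than in place of them.

```python
"""Compare a Junos device's running configuration, in "set" form, against an
approved baseline and report drift.

Added example, not code from the report or from Juniper. Both configurations
below are constructed; the statement syntax mirrors "show configuration |
display set" output. Capture the live text with your own automation.
"""

# Constructed approved baseline for an edge router.
BASELINE_CONFIG = """\
set system syslog host 10.0.0.5 any info
set system services ssh root-login deny
set system services ssh protocol-version v2
set snmp trap-group noc targets 10.0.0.6
set system login user netops class super-user
"""

# Constructed observed configuration: syslog forwarding removed, telnet
# enabled, and an extra super-user account added.
OBSERVED_CONFIG = """\
set system services ssh root-login deny
set system services ssh protocol-version v2
set snmp trap-group noc targets 10.0.0.6
set system login user netops class super-user
set system login user svc-backup class super-user
set system services telnet
"""

# Assumed: statement prefixes whose loss or change most affects visibility
# (syslog, SNMP traps) and access control (accounts, management services).
HIGH_RISK_PREFIXES = (
    "set system syslog",
    "set snmp trap-group",
    "set system login user",
    "set system services",
)


def parse_set_config(text):
    """Return the set of 'set ...' statements, ignoring blank and comment lines."""
    return {line.strip() for line in text.splitlines() if line.strip().startswith("set ")}


def config_drift(baseline_text, observed_text):
    """Return (missing, unexpected): statements the baseline requires but the
    device lacks, and statements the device has that the baseline does not."""
    baseline = parse_set_config(baseline_text)
    observed = parse_set_config(observed_text)
    return sorted(baseline - observed), sorted(observed - baseline)


def classify_drift(missing, unexpected):
    """Tag each drifted statement with a severity for alert routing."""
    findings = []
    for kind, statements in (("missing", missing), ("unexpected", unexpected)):
        for statement in statements:
            severity = "high" if statement.startswith(HIGH_RISK_PREFIXES) else "low"
            findings.append((severity, kind, statement))
    return findings


if __name__ == "__main__":
    missing, unexpected = config_drift(BASELINE_CONFIG, OBSERVED_CONFIG)
    for severity, kind, statement in classify_drift(missing, unexpected):
        print(f"[{severity}] {kind}: {statement}")
```

Run against a fleet, the same comparison also reveals devices that silently lost their syslog or trap-group targets, which is the configuration-level counterpart of the logging suppression described for lmpad. Keep the baseline in version control so that an alert can be closed by pointing at an approved change rather than by hand-editing the golden file.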

Conclusion

Mandiant’s investigation into UNC3886’s operations on Juniper Networks' Junos OS routers reveals a highly sophisticated cyber espionage campaign. The attackers leveraged TINYSHELL-based backdoors with both active and passive functionalities, demonstrating deep technical expertise in bypassing security mechanisms and maintaining persistence. Their strategic targeting of end-of-life Juniper MX routers, coupled with advanced stealth techniques such as disabling logging and manipulating memory structures, highlights the evolving tactics of nation-state actors.

The discovery of these custom backdoors emphasizes the need for organizations to proactively secure their network infrastructure, particularly for devices that lack endpoint detection capabilities. Mandiant’s findings reinforce the importance of timely software updates, robust access controls, and continuous network monitoring to detect unauthorized activities. While no direct links were established between UNC3886 and other China-nexus groups, their ability to remain undetected underscores the necessity for heightened vigilance.


Written by

FPT Metrodata Indonesia