UNC3886 – Threat Actor

January 25, 2025
in Threat Actors

UNC3886

Location

China

Date of initial activity

2021

Suspected Attribution

China-nexus cyber espionage group (assessed by Mandiant)

Motivation

Espionage

Associated Tools

REPTILE
MEDUSA
MOPSLED
RIFLESPINE

Software

Linux
VMware ESXi
VMware vCenter Server
FortiOS

Overview

UNC3886 is a sophisticated cyber espionage group that Mandiant assesses to be China-nexus. It targets strategic organizations across the globe and has shown a high degree of operational stealth. The group came under scrutiny after Mandiant discovered malware inside VMware ESXi hypervisors in September 2022; the investigation that followed exposed a broad and intricate espionage toolkit.

UNC3886's operations are characterized by zero-day exploitation and custom malware used to gain and keep access. The group has exploited critical vulnerabilities in widely deployed technologies, including FortiOS and VMware products, and has deployed the publicly available rootkits REPTILE and MEDUSA for long-term persistence and evasion. These rootkits let UNC3886 keep covert control of compromised systems and operate undetected for extended periods.

The group also relies on trusted third-party services for command and control (C2), using GitHub and Google Drive to blend its traffic into normal network activity, which makes its operations hard to detect and mitigate. Mandiant's findings illustrate how the threat landscape is evolving and why robust, layered defenses are needed against advanced persistent threats of this kind.

Common targets

Information

Attack Vectors

Zero-day exploitation of software vulnerabilities in internet-facing and virtualization infrastructure (FortiOS, VMware vCenter and ESXi)

How they operate

Initial Access and Exploitation Techniques
UNC3886's intrusions begin with zero-day exploitation of the platforms that sit at the network edge or underneath the workloads. The group has identified and exploited unpatched flaws in FortiOS and VMware vCenter, for example CVE-2022-41328 (FortiOS) and CVE-2023-34048 (vCenter Server), to gain initial access. These exploits let the actor execute arbitrary commands, retrieve further payloads and establish a foothold in the compromised environment.
Persistence and Evasion Strategies
Once inside, UNC3886 concentrates on keeping long-term access. It deploys the publicly available rootkits REPTILE and MEDUSA so that its presence goes unnoticed. REPTILE is a Linux rootkit built around a loadable kernel module (LKM) that hooks kernel functions to hide processes, files and network connections; a user-mode component provides command execution and file manipulation, so the operator can act on the host while its traces stay invisible to conventional host-based monitoring. MEDUSA goes beyond concealment: it logs user credentials from successful authentications and records executed commands, giving the group material for lateral movement. MEDUSA is typically installed after REPTILE, which points to a tiered approach in which one tool hides the foothold and the next collects from it.
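The hiding behaviour described above suggests a practical host check. The following Python script, added here as an example and not code from UNC3886, Mandiant or the REPTILE project, compares what the kernel admits to directly (kill(pid, 0) probes and /sys/module entries) with what directory listings show (/proc and /proc/modules), the two views an LKM rootkit that hooks readdir/filldir typically leaves inconsistent. The comparison functions take plain sets so they can be exercised on constructed data; the collectors at the bottom read the live system and need root on Linux.

```python
"""Linux rootkit hiding checks: compare kernel-side truth with directory listings.

Added example (not UNC3886, Mandiant or REPTILE code). Two heuristics:
  1. A PID that answers kill(pid, 0) but is absent from the /proc listing is hidden.
  2. A module with /sys/module/<name>/initstate but no /proc/modules line is hidden
     (lsmod reads /proc/modules, which is where LKM rootkits unlink themselves).
"""
from __future__ import annotations

import os
import re

# /proc/modules line: name size refcount deps state address
PROC_MODULES_LINE = re.compile(r"^(\S+)\s+\d+\s+\d+\s")


def parse_proc_modules(text: str) -> set[str]:
    """Module names from /proc/modules content; malformed or blank lines are skipped."""
    return {m.group(1) for m in map(PROC_MODULES_LINE.match, text.splitlines()) if m}


def hidden_pids(listed: set[int], probed: set[int]) -> list[int]:
    """PIDs the kernel confirms exist but the /proc listing omitted."""
    return sorted(probed - listed)


def hidden_modules(sys_modules: set[str], proc_modules: set[str]) -> list[str]:
    """Loaded modules visible in sysfs but missing from /proc/modules."""
    return sorted(sys_modules - proc_modules)


def pid_exists(pid: int) -> bool:
    """Signal 0 delivers nothing; EPERM still proves the PID is live."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        pass
    return True


def list_proc_pids() -> set[int]:
    """PIDs and thread IDs from readdir on /proc and /proc/<pid>/task.
    Thread IDs are included because kill(tid, 0) also succeeds for threads."""
    ids: set[int] = set()
    for d in os.listdir("/proc"):
        if not d.isdigit():
            continue
        ids.add(int(d))
        try:
            ids.update(int(t) for t in os.listdir(f"/proc/{d}/task") if t.isdigit())
        except OSError:  # process exited between the two readdir calls
            pass
    return ids


def probe_pids(max_pid: int) -> set[int]:
    """Ask the kernel about every PID up to pid_max instead of trusting readdir."""
    return {pid for pid in range(1, max_pid + 1) if pid_exists(pid)}


def confirm_hidden_pids(candidates: list[int]) -> list[int]:
    """Second pass: keep only PIDs still alive and still absent from a fresh listing,
    which drops processes that simply started after the first readdir."""
    fresh = list_proc_pids()
    return [p for p in candidates if p not in fresh and pid_exists(p)]


def loaded_sys_modules() -> set[str]:
    """Modules under /sys/module that were loaded at runtime (built-ins have no initstate)."""
    return {n for n in os.listdir("/sys/module")
            if os.path.exists(f"/sys/module/{n}/initstate")}


if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    with open("/proc/modules") as f:
        proc_mods = parse_proc_modules(f.read())
    suspects = confirm_hidden_pids(hidden_pids(list_proc_pids(), probe_pids(pid_max)))
    print("hidden PIDs:", suspects or "none")
    print("hidden modules:", hidden_modules(loaded_sys_modules(), proc_mods) or "none")
```

Probing every PID up to pid_max (often 4194304) takes a few seconds in Python, which is acceptable for a one-off triage run. A hit from either check is a reason to image the host, not proof of REPTILE specifically: a rootkit that also hooks the /sys and kill paths will pass both checks, so treat a clean result as a weak negative.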
Command and Control Mechanisms
UNC3886's command and control (C2) infrastructure mixes conventional channels with trusted third-party services such as GitHub and Google Drive. MOPSLED, a modular backdoor, talks to its C2 server over HTTP and a custom binary protocol and can fetch plugins dynamically, so its capabilities can be extended without redeploying the implant. RIFLESPINE, a cross-platform backdoor, uses Google Drive as its channel: it downloads and uploads files through the service and encrypts its tasking with AES, so the C2 exchange looks like ordinary cloud-storage traffic and survives the blocking of any infrastructure the group owns itself.
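The abuse of Google Drive and GitHub described above is easier to detect at the network edge than on the host, because those services rarely have a legitimate reason to be contacted by hypervisors, vCenter appliances or other infrastructure servers, and backdoors poll them on a schedule. The script below, an added example and not UNC3886, Mandiant or RIFLESPINE/MOPSLED code, runs over a constructed proxy log, restricts attention to a hypothetical server subnet, and flags (source, destination) pairs whose request intervals are regular enough to look like beaconing. The log format, subnet and service list are assumptions to adapt to your environment.

```python
"""Beacon detection for web-service C2 (Google Drive / GitHub) in proxy logs.

Added example, not UNC3886, Mandiant or RIFLESPINE/MOPSLED code. Assumed log
format per line:  <ISO timestamp> <source IP> <destination host> <status> <bytes>
"""
from __future__ import annotations

import re
import statistics
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumption: hypervisors, vCenter and other management hosts live here and have
# no business with consumer file-sharing or code-hosting services.
SERVER_NETS = [ip_network("10.10.0.0/16")]

# Services named on the page as C2 carriers (RIFLESPINE: Google Drive; MOPSLED: GitHub).
C2_CAPABLE_HOSTS = {
    "drive.google.com", "www.googleapis.com",
    "github.com", "api.github.com", "raw.githubusercontent.com",
}

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$")

# Constructed sample: a hypervisor polling Google APIs every ~5 minutes, a server
# with sporadic GitHub traffic, and a workstation using Drive interactively.
SAMPLE_LOG = """\
2025-01-20T08:00:00 10.10.5.20 www.googleapis.com 200 1842
2025-01-20T08:00:30 10.10.5.21 github.com 200 55120
2025-01-20T08:01:00 10.10.5.21 github.com 200 2201
2025-01-20T08:01:10 10.20.1.5 drive.google.com 200 93011
2025-01-20T08:03:45 10.20.1.5 drive.google.com 200 1200
2025-01-20T08:05:02 10.10.5.20 www.googleapis.com 200 1840
2025-01-20T08:09:58 10.10.5.20 www.googleapis.com 200 1839
2025-01-20T08:15:01 10.10.5.20 www.googleapis.com 200 1841
2025-01-20T08:20:00 10.10.5.20 www.googleapis.com 200 1840
2025-01-20T08:30:12 10.20.1.5 drive.google.com 200 410223
2025-01-20T08:31:00 10.20.1.5 drive.google.com 200 7712
2025-01-20T08:45:00 10.10.5.21 github.com 200 3310
2025-01-20T09:00:00 10.10.5.21 github.com 404 512
malformed line that should be skipped
"""


def parse_log(lines):
    """Yield (timestamp, src, host) for well-formed lines; skip everything else."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["host"]


def is_server(src: str) -> bool:
    addr = ip_address(src)
    return any(addr in net for net in SERVER_NETS)


def interval_stats(times: list[datetime]) -> tuple[float, float]:
    """Mean gap between consecutive requests and its coefficient of variation.
    A low CV means evenly spaced requests, the signature of a polling backdoor."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if not gaps:
        return 0.0, 0.0
    mean = statistics.mean(gaps)
    cv = statistics.stdev(gaps) / mean if len(gaps) > 1 and mean > 0 else 0.0
    return mean, cv


def find_beacons(lines, min_events: int = 4, max_cv: float = 0.2):
    """Return [(src, host, count, mean_interval_s)] for server hosts that contact a
    C2-capable service on a near-constant schedule."""
    by_pair: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for ts, src, host in parse_log(lines):
        if host in C2_CAPABLE_HOSTS and is_server(src):
            by_pair[(src, host)].append(ts)
    hits = []
    for (src, host), times in by_pair.items():
        if len(times) < min_events:
            continue
        mean, cv = interval_stats(sorted(times))
        if cv <= max_cv:
            hits.append((src, host, len(times), round(mean, 1)))
    return hits


if __name__ == "__main__":
    for src, host, n, mean in find_beacons(SAMPLE_LOG.splitlines()):
        print(f"possible beacon: {src} -> {host}, {n} requests every ~{mean:.0f}s")
```

On the sample only the hypervisor's five-minute polling of www.googleapis.com is reported; the server's irregular GitHub fetches fail the regularity test and the workstation is outside the server subnet. Implants that add jitter push the CV up, so max_cv is a tuning knob rather than a threshold with a right answer, and legitimate monitoring agents also beacon: the first triage step for any hit is to ask whether that host has an approved reason to reach that service at all.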
Credential Access and Data Exfiltration
Credential harvesting is central to UNC3886's operations. The group combines credential dumping with input capture: it harvests credentials passing through TACACS+ authentication servers and uses MEDUSA's logging to capture passwords and commands as they are entered. Each stolen credential widens its reach across the network. Exfiltration runs over the established C2 channels: data is staged on the compromised host and retrieved through the same encrypted, third-party-service connections, so the transfer is hard to separate from benign traffic in security monitoring.

MITRE Tactics and Techniques

Initial Access:
Exploit Public-Facing Application (T1190): Exploitation of vulnerabilities in internet-facing and management applications such as FortiOS and VMware vCenter (CVE-2022-41328, CVE-2023-34048) to gain initial access. Valid Accounts (T1078): Use of stolen or compromised credentials to access systems.
Execution:
Command and Scripting Interpreter (T1059): Execution of commands and custom scripts on compromised systems to deploy malware.
Persistence:
Boot or Logon Autostart Execution (T1547): Use of rootkits and startup scripts to maintain presence; REPTILE loads as a kernel module (Kernel Modules and Extensions, T1547.006). Account Manipulation (T1098): Creation or modification of accounts to maintain access.
Privilege Escalation:
Exploitation for Privilege Escalation (T1068): Exploiting vulnerabilities to obtain higher-level privileges.
Defense Evasion:
Obfuscated Files or Information (T1027): Use of encryption and obfuscation to hide malware and malicious activity. Rootkit (T1014): Deployment of REPTILE and MEDUSA to hide processes, files and network connections.
Credential Access:
OS Credential Dumping (T1003): Extraction of credentials from compromised systems, including TACACS+ authentication servers and vCenter databases. Input Capture: Keylogging (T1056.001): Capture of credentials and commands through MEDUSA.
Collection:
Data Staged (T1074): Staging collected data on compromised hosts before exfiltration.
Command and Control:
Web Service: Bidirectional Communication (T1102.002): Use of GitHub and Google Drive as C2 channels (MOPSLED, RIFLESPINE). Application Layer Protocol: Web Protocols (T1071.001): HTTP-based C2 by MOPSLED. Non-Application Layer Protocol (T1095): MOPSLED's custom binary C2 protocol. Encrypted Channel: Symmetric Cryptography (T1573.001): AES-encrypted tasking in RIFLESPINE.
Exfiltration:
Exfiltration Over C2 Channel (T1041): Use of the established C2 channels to exfiltrate data.
Impact:
None documented. The encryption in UNC3886's tooling protects C2 traffic (see Encrypted Channel above); it is not Data Encrypted for Impact (T1486), which describes ransomware-style destruction.
References:
  • Mandiant (Google Cloud), Cloaked and Covert: Uncovering UNC3886 Espionage Operations
Tags: cyber espionage, Cyber threats, FortiOS, GitHub, Google Drive, Linux, MEDUSA, MOPSLED, REPTILE, RIFLESPINE, Threat Actors, UNC3886, VMware, Zero-Day
    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial