{ "id": "2017b169-b671-4304-82d4-c30d3e1120fa", "created_at": "2026-04-06T00:12:33.219715Z", "updated_at": "2026-04-10T13:11:42.890855Z", "deleted_at": null, "sha1_hash": "33d14ff57a444d5d15de790e5a2463b53f0f50f5", "title": "Revisiting UNC3886 Tactics to Defend Against Present Risk", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 430381, "plain_text": "Revisiting UNC3886 Tactics to Defend Against Present Risk\r\nPublished: 2025-07-28 · Archived: 2026-04-05 15:07:10 UTC\r\nAPT \u0026 Targeted Attacks\r\nWe examine the past tactics used by UNC3886 to gain insight on how to best strengthen defenses against the\r\nongoing and emerging threats of this APT group.\r\nBy: Cj Arsley Mateo, Ieriz Nicolle Gonzalez, Jacob Santos, Paul John Bardon, Angelo Junio, Rayven Cervantes\r\nJul 28, 2025 Read time: 8 min (2193 words)\r\nKey Takeaways\r\nUNC3886 is an APT group that has historically targeted critical infrastructure, including\r\ntelecommunications, government, technology, and defense, with a recent attack against Singapore.\r\nThe group is known for rapidly exploiting zero-day and high-impact vulnerabilities in network and\r\nvirtualization devices such as VMware vCenter/ESXi, Fortinet FortiOS, and Juniper Junos OS.\r\nUNC3886 deploys custom toolsets including TinyShell (a covert remote access tool) and Reptile (a stealthy\r\nLinux rootkit), and Medusa, leveraging layered persistence and advanced defense evasion methods such as\r\nrootkit deployment, living-off-the-land tactics, and replacement/backdooring of core system binaries.\r\nTrend Vision One™ detects and blocks the indicators of compromise (IOCs) highlighted in this blog. Trend\r\nVision One customers can also access hunting queries, threat insights, and threat intelligence reports to\r\ngain rich context and the latest updates on UNC3886.\r\nOn July 18, Singapore’s Coordinating Minister for National Security K. Shanmugam revealed that the country was\r\nfacing a highly sophisticated threat actoropen on a new tab targeting critical infrastructure—UNC3886. First\r\nreportedopen on a new tab in 2022, this advanced persistent threat (APT) group has been targeting essential\r\nservices in Singapore, posing a severe risk to their national security.\r\nIn this entry, we draw on observations and the tactics, techniques, and procedures (TTPs) from previously\r\nrecorded UNC3886 attacks. Our aim is to get a good understanding of this threat group and enhance overall\r\ndefensive posture against similar tactics.\r\nAn overview of UNC3886\r\nUNC3886 is a cyber espionage group whose targets include the US, Europe, and Singapore, where it currently\r\nrepresents a significant threat. Known for its persistent attack methods, the group homes in on critical sectors such\r\nas government, telecommunications, technology, defense, energy, and utilities. While first reported in 2022, there\r\nhave been evidence of its activity dating back to late 2021open on a new tab.\r\nThe Cyber Security Agency (CSA) of Singapore has been actively investigating UNC3886's activities and\r\nmonitoring all critical service sectors. The group's activities have been detected in parts of Singapore's critical\r\nhttps://www.trendmicro.com/en_us/research/25/g/revisiting-unc3886-tactics-to-defend-against-present-risk.html\r\nPage 1 of 8\n\ninformation infrastructure that power essential services, highlighting the severe threat they pose to national\r\nsecurity. Although the specific sectors affected have not been disclosed, the agency has emphasized the need to\r\npreserve operational security by not disclosing further information at this stage.\r\nTactics, Techniques and Procedures (TTPs)\r\nUNC3886 operates using advanced techniques and primarily targets network devices, virtualization systems (e.g.\r\nVMware vCenter/ESXi, Fortinet FortiOS, and Juniper Junos OS), and critical information infrastructure. The\r\ngroup is also known for using zero-day exploits and deploying custom open-source malware specifically\r\ndeveloped to evade detection and maintain persistence within the target networks. Additionally, UNC3886\r\nleverages tools already present on the victim's system to further evade detection.\r\nEven when detected and removed, the group is persistent and often attempts re-entry into the network. The group's\r\nattack chain involves several advanced techniques including:\r\nExploiting public-facing applications for initial access (T1190)\r\nUsing valid accounts for persistence (T1078)\r\nEmploying remote access tools (T1219) and application layer protocols (T1071) for command and control.\r\nThis combination of advanced and persistent techniques with strategic targets makes UNC3886 a group that\r\nwarrants heightened vigilance. Its past activities offer insight into the group’s capabilities, tools, as well as\r\neffective defenses that could derail their operation.\r\nWe take a closer look at the techniques, vulnerabilities, and other tactics UNC3886 have used in the past to get an\r\nidea of what could still be their current operations.\r\nTACTIC TECHNIQUE\r\nInitial Access (TA0001) T1190: Exploit Public-Facing Application\r\nExecution (TA0002)\r\nT1203: Exploitation for Client Execution\r\nT1059.004: Command and Scripting Interpreter: Unix Shell\r\nT1059.008: Command and Scripting Interpreter: Network Device CLI\r\nPersistence (TA0003)\r\nT1547: Boot or Logon Autostart Execution\r\nT1078: Valid Accounts\r\nPrivilege Escalation (TA0004)\r\nT1078: Valid Accounts\r\nT1601: Modify System Image\r\nT1562.003: Impair Defenses: Impair Command History Logging\r\nDefense Evasion (TA0005) T1036.005: Masquerading: Match Legitimate Resource Name or\r\nLocation\r\nhttps://www.trendmicro.com/en_us/research/25/g/revisiting-unc3886-tactics-to-defend-against-present-risk.html\r\nPage 2 of 8\n\nTACTIC TECHNIQUE\r\nT1055.009: Process Injection: Proc Memory\r\nT1140: Deobfuscate/Decode Files or Information\r\nT1014: Rootkit\r\nT1027: Obfuscated Files or Information\r\nT1601: Modify System Image\r\nT1562.003: Impair Defenses: Impair Command History Logging\r\nCredential Access (TA0006)\r\nT1003: OS Credential Dumping\r\nT1056: Input Capture\r\nLateral Movement (TA0008) T1563.001: Remote Service Session Hijacking: SSH Hijacking\r\nCollection (TA0009) T1074: Data Staged\r\nExfiltration (TA0010) T1041: Exfiltration Over C2 Channel\r\nCommand and Control\r\n(TA0011)\r\nT1573: Encrypted Channel\r\nT1090: Proxy\r\nT1205.002: Traffic Signaling: Socket Filters\r\nT1219: Remote Access Tools\r\nT1071: Application Layer Protocol\r\nTable 1. Summary of UNC3886 TTPs\r\nMalware and rootkits\r\nAs mentioned earlier, UNC3886 have used open-source custom malware designed for stealth and persistence, and\r\noften use legitimate tools found on compromised hosts to evade detection. The group’s use of TinyShell, Reptile,\r\nand Medusa are indicative of its advanced capabilities, showcasing their ability to develop and deploy\r\nsophisticated tools tailored for Linux environments. Trend™ Research analyzed and revisited the malware and\r\nrootkits used by the group, to get a better understanding of how they operate.\r\nTinyShell\r\nTinyShell is a lightweight, Python-based remote access tool (RAT) or backdoor. It provides threat actors with\r\nremote command execution over HTTP/HTTPS and simple, encrypted communications, making it well-suited for\r\nstealthy operations. The use of TinyShell by UNC3886 demonstrates a focus on lightweight, agile attack tools that\r\nare highly effective in targeted, post-exploitation operations.\r\nhttps://www.trendmicro.com/en_us/research/25/g/revisiting-unc3886-tactics-to-defend-against-present-risk.html\r\nPage 3 of 8\n\nReptile Linux rootkit\r\nUNC3886 uses the Reptile Linux rootkit, which operates at the kernel level. This rootkit’s core capabilities\r\ninclude hiding files, processes, and network activity. It can also provide attackers with a hidden backdoor,\r\nallowing them to regain access to a compromised system even if other access methods are discovered and\r\nremoved. Notably, Reptile is often used in attacks to establish a persistent and stealthy foothold in the targeted\r\nsystem. It features functionalities such as port knocking (a method to secretly open ports by sending a specific\r\nsequence of connection attempts) and the ability to execute commands with root privileges.\r\nInstallation:\r\nDuring the installation process the rootkit prompts what capabilities should be enabled, as seen below:\r\nFigure 1. Configuration setup for the Reptile rootkit\r\nhttps://www.trendmicro.com/en_us/research/25/g/revisiting-unc3886-tactics-to-defend-against-present-risk.html\r\nPage 4 of 8\n\nCapabilities:\r\nReptile rootkit uses multiple script files to build a single executable using the “CMake” tool on Linux machines.\r\nHide process: the rootkit can hide process by checking task flags and changing them. This can be done\r\nusing PID or Filename as input.\r\nHide directory: the rootkit can hide directories by changing flags.\r\nFile content tampering: rootkit has the capability to tamper/change file content.\r\nHide connections: the rootkit has the capability to hide/unhide connections done via a list system. The\r\nrootkit creates a list of network connections that are then hidden.\r\nBackdoor: if the backdoor capability is initialized during installation the following config are created\r\nautomatically. The backdoor can execute commands using this credential and connections.\r\nEncrypt: the rootkit can be used to encrypt files using a randomly generated key.\r\nMedusa rootkit\r\nMedusa is another kernel-level rootkit specifically designed for Linux systems, that has been reportedly used by\r\nUNC3886 alongside Reptile. Similar to Reptile, its primary functions include hiding malicious activities, such as\r\nprocesses, files, and network connections, from administrators and security tools.\r\nBy operating within the kernel, Medusa can intercept system calls and manipulate their output, effectively\r\ncloaking the presence of other malware and the attacker's actions. Most notably, Medusa is used in maintaining\r\ncovert persistence on compromised Linux servers, allowing UNC3886 to operate undetected for extended periods.\r\nIt is often used in conjunction with other tools to facilitate command and control (C\u0026C) communication and data\r\nexfiltration.\r\nCapabilities:\r\nPAM Backdoor: Hook libpam authentication system calls for persisting with a hidden root user\r\nProcess Hiding: Hooks rootkit can intercept the 'kill' function to prevent the user from terminating the\r\nrootkit process. By hiding itself from the system, the rootkit can remain undetected and achieve persistence\r\non the system.\r\nFile Hiding: Hooks 'stat' and 'readdir' to hide files and directories.\r\nNetwork Hiding: Hooks the 'getaddrinfo' function to filter out addresses of remote hosts that it wants to\r\nhide. By using these techniques, the rootkit can effectively hide network activity from the user and other\r\nprograms.\r\nAnti-Debugging: Also Hooks 'kill' system call can be intercepted to prevent the debugger from sending\r\nsignals to the rootkit process. By evading debugging, the rootkit can make it more difficult for security\r\nresearchers to discover and analyze its behavior.\r\nAuth Logging: Hooks pam_prompt(), pam_vprompt and pam_syslog to log all successful authentications\r\nlocally, or remotely via SSH to Medusa home directory\r\nExecution Logging : Hooks syslog() and pam_syslog to log all successful authentications locally, or\r\nremotely via SSH to Medusa home directory\r\nMopSled\r\nhttps://www.trendmicro.com/en_us/research/25/g/revisiting-unc3886-tactics-to-defend-against-present-risk.html\r\nPage 5 of 8\n\nMopSled is a modular, shellcode-based backdoor capable of communicating with its C\u0026C server over HTTP or a\r\ncustom binary protocol via TCP. Its core functionality centers around extending its capabilities by downloading\r\nand executing plugins from the C\u0026C server. Additionally, MOPSLED employs a custom implementation of the\r\nChaCha20 encryption algorithm to decrypt both embedded and external configuration files.\r\nRifleSpine\r\nRifleSpine is a cross-platform backdoor that uses Google Drive for file transfer and command execution. It\r\nemploys the CryptoPP library to implement the AES encryption algorithm, securing data transmitted between the\r\ncompromised system and the threat actor.\r\nCastleTap\r\nCastleTap is a passive backdoor that targets FortiGate firewalls, disguised as the legitimate file '/bin/fgfm' to\r\nmimic the authentic 'fgfmd' service. The malware activates when it detects specially crafted ICMP packets\r\ncontaining specific magic strings, then establishes an encrypted SSL connection to a command-and-control server.\r\nOnce connected, CastleTap provides attackers with comprehensive remote access capabilities including file\r\nupload/download, command shell access, and persistent control over the compromised firewall system.\r\nKnown CVEs used\r\nThe common thread among the CVEs used by the group is that they target highly privileged, broadly deployed,\r\noften-overlooked systems to enable impactful techniques (RCE, privilege escalation, persistence, lateral\r\nmovement). This aligns with the APT group’s goal to maximize stealth, impact, and persistence in high-value\r\ntargets.\r\nOrganizations are advised to apply the latest vendor patches for the CVEs used by UNC3886. Based on their\r\nreported past activitiesopen on a new tab, we list them here:\r\n1. CVE-2023-34048open on a new tab\r\nvCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC\r\nprotocol. A malicious actor with network access to vCenter Server may trigger an out-of-bounds\r\nwrite potentially leading to remote code execution.\r\nThe exploitation enables unauthenticated remote command execution on vulnerable vCenter\r\nservers. Mandiant observed deployment of attacker backdoors minutes after crashing of the\r\nvulnerable VMware service.\r\n2. CVE-2022-41328open on a new tab\r\nAn improper limitation of a pathname to a restricted directory vulnerability ('path traversal') [CWE-22] in Fortinet FortiOS version 7.2.0 through 7.2.3, 7.0.0 through 7.0.9 and before 6.4.11 allows a\r\nprivileged attacker to read and write files on the underlying Linux system via crafted CLI\r\ncommands.\r\nIn FortiOS was exploited to download and execute backdoors on FortiGate devices.\r\n3. CVE-2022-22948open on a new tab\r\nThe vCenter Server contains an information disclosure vulnerability due to improper permission of\r\nfiles. A malicious actor with non-administrative access to the vCenter Server may exploit this issue\r\nhttps://www.trendmicro.com/en_us/research/25/g/revisiting-unc3886-tactics-to-defend-against-present-risk.html\r\nPage 6 of 8\n\nto gain access to sensitive information.\r\nIn VMware vCenter was exploited to obtain encrypted credentials in the vCenter's postgresDB for\r\nfurther access.\r\n4. CVE-2023-20867open on a new tab\r\nA fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest\r\noperations, impacting the confidentiality and integrity of the guest virtual machine.\r\nIn VMware Tools was exploited to execute unauthenticated Guest Operations from ESXi host to\r\nguest virtual machines.\r\n5. CVE-2022-42475open on a new tab\r\nAllows a remote unauthenticated attacker to execute arbitrary code or commands via specifically\r\ncrafted requests.\r\n6. CVE-2025–21590open on a new tab\r\nA security flaw involving insufficient system separation in Juniper Networks Junos OS kernel\r\npermits an authenticated local user with administrative rights to damage device security. An attacker\r\nwho gains shell-level access can insert malicious code that may lead to full system compromise.\r\nThis vulnerability cannot be triggered through the Junos command-line interface and is limited to\r\nJunos OS platforms.\r\n7. Bring Your Own SSH Server (BYOSSH)\r\nBeyond deploying backdoored SSH binaries to harvest credentials, the threat actor was also\r\nobserved using the MEDUSA rootkit to install a custom SSH server, serving the same malicious\r\npurpose.\r\nProactive security with Trend Vision One™\r\nTrend Vision OneTMproducts is the only AI-powered enterprise cybersecurity platform that centralizes cyber risk\r\nexposure management, security operations, and robust layered protection. This comprehensive approach helps you\r\npredict and prevent threats, accelerating proactive security outcomes across your entire digital estate. With Trend\r\nVision One, you’re enabled to eliminate security blind spots, focus on what matters most, and elevate security into\r\na strategic partner for innovation.\r\nTrend protection rules and filters\r\nTippingPoint\r\n42855: HTTP: Fortinet FortiOS Heap Buffer Overflow Vulnerability CVE-2022-42475\r\n44482: File Propagation Filter for Trojan.Linux.EfPSixSSH.A\r\n45162: C2 filter for Trojan.Linux.Tableflip.A              \r\n45756: C2 filter for TinyShell/Backdoor.Linux.Lmpad.A \r\n45768: File Propagation Filter for TinyShell/Backdoor.Linux.Jdosd.A\r\n45770: C2 filter for TinyShell / Backdoor.Linux.Irad.A\r\nDeep Discovery Inspector (DDI)\r\n4525: CVE-2021-21972 - VSPHERE RCE EXPLOIT - HTTP (REQUEST)\r\nhttps://www.trendmicro.com/en_us/research/25/g/revisiting-unc3886-tactics-to-defend-against-present-risk.html\r\nPage 7 of 8\n\nTrend Vision One™ Threat Intelligence\r\nTo stay ahead of evolving threats, Trend customers can access Threat Insightsproducts which provide the latest\r\ninsights from Trend Research on emerging threats and threat actors.\r\nThreat Insights\r\nEmerging Threats: Advanced Threat Actors on the Rise: UNC3886’s Persistent Operations Revealed\r\nHunting Queries \r\nTrend Vision One Search App\r\nTrend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this\r\nblog post with data in their environment.\r\nUNC3886 APT detection\r\nmalName:*TINYSHELL* AND eventName:MALWARE_DETECTION AND LogType: detection\r\nMore hunting queries are available for Trend Vision One customers with Threat Insights entitlement enabled. \r\nIndicators of Compromise (IoCs)\r\nThe indicators of compromise for this entry can be found here.\r\nTags\r\nSource: https://www.trendmicro.com/en_us/research/25/g/revisiting-unc3886-tactics-to-defend-against-present-risk.html\r\nhttps://www.trendmicro.com/en_us/research/25/g/revisiting-unc3886-tactics-to-defend-against-present-risk.html\r\nPage 8 of 8", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://www.trendmicro.com/en_us/research/25/g/revisiting-unc3886-tactics-to-defend-against-present-risk.html" ], "report_names": [ "revisiting-unc3886-tactics-to-defend-against-present-risk.html" ], "threat_actors": [ { "id": "9df8987a-27fc-45c5-83b0-20dceb8288af", "created_at": "2025-10-29T02:00:51.836932Z", "updated_at": "2026-04-10T02:00:05.253487Z", "deleted_at": null, "main_name": "UNC3886", "aliases": [ "UNC3886" ], "source_name": "MITRE:UNC3886", "tools": [ "MOPSLED", "VIRTUALPIE", "CASTLETAP", "THINCRUST", "VIRTUALPITA", "RIFLESPINE" ], "source_id": "MITRE", "reports": null }, { "id": "a08d93aa-41e4-4eca-a0fd-002d051a2c2d", "created_at": "2024-08-28T02:02:09.711951Z", "updated_at": "2026-04-10T02:00:04.957678Z", "deleted_at": null, "main_name": "UNC3886", "aliases": [ "Fire Ant" ], "source_name": "ETDA:UNC3886", "tools": [ "BOLDMOVE", "CASTLETAP", "LOOKOVER", "MOPSLED", "RIFLESPINE", "TABLEFLIP", "THINCRUST", "Tiny SHell", "VIRTUALGATE", "VIRTUALPIE", "VIRTUALPITA", "VIRTUALSHINE", "tsh" ], "source_id": "ETDA", "reports": null }, { "id": "1c91699d-77d3-4ad7-9857-9f9196ac1e37", "created_at": "2023-11-04T02:00:07.663664Z", "updated_at": "2026-04-10T02:00:03.385989Z", "deleted_at": null, "main_name": "UNC3886", "aliases": [], "source_name": "MISPGALAXY:UNC3886", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434353, "ts_updated_at": 1775826702, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/33d14ff57a444d5d15de790e5a2463b53f0f50f5.pdf", "text": "https://archive.orkl.eu/33d14ff57a444d5d15de790e5a2463b53f0f50f5.txt", "img": "https://archive.orkl.eu/33d14ff57a444d5d15de790e5a2463b53f0f50f5.jpg" } }