{
	"id": "9d960695-154b-4630-a663-6cadecb21d59",
	"created_at": "2026-04-06T00:19:12.748793Z",
	"updated_at": "2026-04-10T03:29:54.670254Z",
	"deleted_at": null,
	"sha1_hash": "51173f1e438ea35bf2a449d2acda6ec9ab80f6b8",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 60175,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 20:06:18 UTC\r\nAPT group: UNC3886\r\nNames\r\nUNC3886 (Mandiant)\r\nFire Ant (Sygnia)\r\nCountry China\r\nMotivation Information theft and espionage\r\nFirst seen 2021\r\nDescription\r\n(Mandiant) Following the discovery of malware residing within ESXi hypervisors in\r\nSeptember 2022, Mandiant began investigating numerous intrusions conducted by\r\nUNC3886, a suspected China-nexus cyber espionage actor that has targeted\r\nprominent strategic organizations on a global scale. In January 2023, Mandiant\r\nprovided detailed analysis of the exploitation of a now-patched vulnerability in\r\nFortiOS employed by a threat actor suspected to be UNC3886. In March 2023, we\r\nprovided details surrounding a custom malware ecosystem utilized on affected\r\nFortinet devices. Furthermore, the investigation uncovered the compromise of\r\nVMware technologies, which facilitated access to guest virtual machines.\r\nInvestigations into more recent operations in 2023 following fixes from the vendors\r\ninvolved in the investigation have corroborated Mandiant's initial observations that\r\nthe actor operates in a sophisticated, cautious, and evasive nature. Mandiant has\r\nobserved that UNC3886 employed several layers of organized persistence for\r\nredundancy to maintain access to compromised environments over time.\r\nPersistence\r\nmechanisms encompassed network devices, hypervisors, and virtual machines,\r\nensuring alternative channels remain available even if the primary layer is detected\r\nand eliminated.\r\nObserved\r\nTools used\r\nBOLDMOVE, CASTLETAP, LOOKOVER, MOPSLED, REPTILE, RIFLESPINE,\r\nTABLEFLIP, THINCRUST, Tiny SHell, VIRTUALGATE, VIRTUALPIE,\r\nVIRTUALPITA, VIRTUALSHINE.\r\nOperations performed\r\nLate 2021\r\nChinese Espionage Group UNC3886 Found Exploiting CVE-2023-34048 Since Late 2021\r\n2022\r\nBad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors\r\nMid 2022\r\nFortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation\r\nOct 2022\r\nSuspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475)\r\n2023\r\nCloaked and Covert: Uncovering UNC3886 Espionage Operations\r\nMid 2024\r\nGhost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers\r\nEarly 2025\r\nFire Ant: A Deep-Dive into Hypervisor-Level Espionage\r\nInformation\r\nLast change to this card: 16 August 2025\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=4e437eb9-73e3-4871-a735-54f1aca46edf",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=4e437eb9-73e3-4871-a735-54f1aca46edf"
	],
	"report_names": [
		"showcard.cgi?u=4e437eb9-73e3-4871-a735-54f1aca46edf"
	],
	"threat_actors": [
		{
			"id": "9df8987a-27fc-45c5-83b0-20dceb8288af",
			"created_at": "2025-10-29T02:00:51.836932Z",
			"updated_at": "2026-04-10T02:00:05.253487Z",
			"deleted_at": null,
			"main_name": "UNC3886",
			"aliases": [
				"UNC3886"
			],
			"source_name": "MITRE:UNC3886",
			"tools": [
				"MOPSLED",
				"VIRTUALPIE",
				"CASTLETAP",
				"THINCRUST",
				"VIRTUALPITA",
				"RIFLESPINE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a08d93aa-41e4-4eca-a0fd-002d051a2c2d",
			"created_at": "2024-08-28T02:02:09.711951Z",
			"updated_at": "2026-04-10T02:00:04.957678Z",
			"deleted_at": null,
			"main_name": "UNC3886",
			"aliases": [
				"Fire Ant"
			],
			"source_name": "ETDA:UNC3886",
			"tools": [
				"BOLDMOVE",
				"CASTLETAP",
				"LOOKOVER",
				"MOPSLED",
				"RIFLESPINE",
				"TABLEFLIP",
				"THINCRUST",
				"Tiny SHell",
				"VIRTUALGATE",
				"VIRTUALPIE",
				"VIRTUALPITA",
				"VIRTUALSHINE",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1c91699d-77d3-4ad7-9857-9f9196ac1e37",
			"created_at": "2023-11-04T02:00:07.663664Z",
			"updated_at": "2026-04-10T02:00:03.385989Z",
			"deleted_at": null,
			"main_name": "UNC3886",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC3886",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434752,
	"ts_updated_at": 1775791794,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/51173f1e438ea35bf2a449d2acda6ec9ab80f6b8.pdf",
		"text": "https://archive.orkl.eu/51173f1e438ea35bf2a449d2acda6ec9ab80f6b8.txt",
		"img": "https://archive.orkl.eu/51173f1e438ea35bf2a449d2acda6ec9ab80f6b8.jpg"
	}
}