Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 20:06:18 UTC

APT group: UNC3886

Names: UNC3886 (Mandiant), Fire Ant (Sygnia)
Country: China
Motivation: Information theft and espionage
First seen: 2021

Description (Mandiant)
Following the discovery of malware residing within ESXi hypervisors in September 2022, Mandiant began investigating numerous intrusions conducted by UNC3886, a suspected China-nexus cyber espionage actor that has targeted prominent strategic organizations on a global scale. In January 2023, Mandiant provided detailed analysis of the exploitation of a now-patched vulnerability in FortiOS employed by a threat actor suspected to be UNC3886. In March 2023, we provided details surrounding a custom malware ecosystem utilized on affected Fortinet devices. Furthermore, the investigation uncovered the compromise of VMware technologies, which facilitated access to guest virtual machines.

Investigations into more recent operations in 2023, following fixes from the vendors involved in the investigation, have corroborated Mandiant's initial observations that the actor operates in a sophisticated, cautious, and evasive manner. Mandiant has observed that UNC3886 employed several layers of organized persistence for redundancy to maintain access to compromised environments over time. Persistence mechanisms encompassed network devices, hypervisors, and virtual machines, ensuring alternative channels remain available even if the primary layer is detected and eliminated.

Observed
Tools used: BOLDMOVE, CASTLETAP, LOOKOVER, MOPSLED, REPTILE, RIFLESPINE, TABLEFLIP, THINCRUST, Tiny SHell, VIRTUALGATE, VIRTUALPIE, VIRTUALPITA, VIRTUALSHINE

Operations performed
Late 2021   Chinese Espionage Group UNC3886 Found Exploiting CVE-2023-34048 Since Late 2021
2022        Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors
Mid 2022    Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation
Oct 2022    Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475)
2023        Cloaked and Covert: Uncovering UNC3886 Espionage Operations
Mid 2024    Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers
Early 2025  Fire Ant: A Deep-Dive into Hypervisor-Level Espionage

Information
Last change to this card: 16 August 2025

Source: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=4e437eb9-73e3-4871-a735-54f1aca46edf
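The card notes that this actor kept a persistence layer inside ESXi hypervisors. A first-pass check a defender can run on each host is to inventory the installed VIBs and pull out the ones that deviate from the VMware-signed baseline. The script below is an added example for this card, not code from the ETDA page, Mandiant or Sygnia: it parses the table printed by `esxcli software vib list` and flags packages whose acceptance level is below VMwareAccepted, whose vendor is not VMware, or whose install date matches no other package on the host. The thresholds are assumptions chosen for the example, and the sample table is constructed; its package names, versions and dates are illustrative and are not observed indicators.

```python
"""Triage helper for an ESXi VIB inventory.

Added example for this threat actor card; not code from the ETDA page,
Mandiant or Sygnia. Input is the text printed by `esxcli software vib list`
on an ESXi host. Severity "review" means the package is outside the VMware-
signed baseline; "info" means it merely differs from the rest of the host
(third-party vendor or odd install date) and should be matched against the
host's expected driver set.
"""
import re
from collections import Counter

# Constructed sample of `esxcli software vib list` output (not from a real host;
# names, versions and dates are illustrative only).
SAMPLE_VIB_LIST = """\
Name                Version                          Vendor  Acceptance Level  Install Date
------------------  -------------------------------  ------  ----------------  ------------
ata-libata-92       3.00.9.2-16vmw.670.0.0.8169922   VMW     VMwareCertified   2019-03-01
tools-light         10.3.10.12406962-12681004        VMware  VMwareCertified   2019-03-01
net-i40e            1.3.45-1OEM.600.0.0.2494585      INT     VMwareCertified   2019-03-01
lsu-hp-hpsa-plugin  2.0.0-6vmw.670.0.0.8169922       VMW     VMwareCertified   2019-03-01
example-util        1.0-1                            ACME    PartnerSupported  2022-06-14
"""

# Acceptance levels as ESXi prints them, ranked from most to least trusted.
ACCEPTANCE_RANK = {
    "VMwareCertified": 3,
    "VMwareAccepted": 2,
    "PartnerSupported": 1,
    "CommunitySupported": 0,
}
# Vendor strings VMware uses for its own packages (assumption for the example).
VMWARE_VENDORS = {"VMW", "VMware"}


def parse_vib_list(text):
    """Return one dict per VIB row. esxcli separates columns by two or more spaces,
    so a split on runs of whitespace recovers the fields regardless of alignment."""
    rows = [ln for ln in text.splitlines() if ln.strip()]
    header = re.split(r"\s{2,}", rows[0].strip())
    keys = [h.lower().replace(" ", "_") for h in header]
    vibs = []
    for line in rows[2:]:  # rows[1] is the dashed ruler under the header
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) != len(keys):
            raise ValueError(f"unexpected column count in row: {line!r}")
        vibs.append(dict(zip(keys, fields)))
    return vibs


def triage(vibs):
    """Return [(name, severity, [reasons])] for every VIB that deviates from the baseline."""
    # The date shared by most packages is taken as the host's build/patch date.
    baseline_date = Counter(v["install_date"] for v in vibs).most_common(1)[0][0]
    findings = []
    for v in vibs:
        reasons, severity = [], None
        level = v["acceptance_level"]
        rank = ACCEPTANCE_RANK.get(level)
        if rank is None:
            reasons.append(f"unrecognised acceptance level {level!r}")
            severity = "review"
        elif rank < ACCEPTANCE_RANK["VMwareAccepted"]:
            reasons.append(f"acceptance level {level} is below VMwareAccepted")
            severity = "review"
        if v["vendor"] not in VMWARE_VENDORS:
            reasons.append(f"third-party vendor {v['vendor']}")
            severity = severity or "info"
        if v["install_date"] != baseline_date:
            reasons.append(f"installed {v['install_date']}, host baseline is {baseline_date}")
            severity = severity or "info"
        if reasons:
            findings.append((v["name"], severity, reasons))
    return findings


if __name__ == "__main__":
    for name, severity, reasons in triage(parse_vib_list(SAMPLE_VIB_LIST)):
        print(f"[{severity}] {name}: " + "; ".join(reasons))
```

On a real host, feed the script the saved output of `esxcli software vib list` in place of the sample. A "review" hit is a starting point, not a verdict: confirm the package's signature and descriptor on the host and compare the inventory against a known-good host of the same build before treating it as an indicator.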