{
	"id": "b7a4afb0-4cf6-4438-8267-58c34b758cbe",
	"created_at": "2026-04-06T00:07:28.520957Z",
	"updated_at": "2026-04-10T03:29:54.661296Z",
	"deleted_at": null,
	"sha1_hash": "b5a5db100da653137a7c98fccc413d0b6cc0ace3",
	"title": "Chinese Espionage Group UNC3886 Found Exploiting CVE-2023-34048 Since Late 2021",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 322679,
	"plain_text": "Chinese Espionage Group UNC3886 Found Exploiting CVE-2023-34048 Since Late 2021\r\nBy Mandiant\r\nPublished: 2024-01-19 · Archived: 2026-04-05 14:21:15 UTC\r\nWritten by: Alexander Marvi, Shawn Chew, Punsaen Boonyakarn\r\nWhile publicly reported and patched in October 2023, Mandiant and VMware Product Security have found that UNC3886, a highly advanced China-nexus espionage group, has been exploiting CVE-2023-34048 as far back as late 2021.\r\nThese findings stem from Mandiant’s continued research into the novel attack paths used by UNC3886, which historically focuses on technologies that cannot have EDR deployed to them. UNC3886 has a track record of utilizing zero-day vulnerabilities to complete their mission without being detected, and this latest example further demonstrates their capabilities.\r\nWhen covering the discovery of CVE-2023-20867 in VMware’s tools, the attack path in Figure 1 was presented describing the flow of attacker activity within the VMware ecosystem (i.e. vCenter, ESXi hypervisors, virtualized guest machines). At the time, with the evidence available, Mandiant continued researching how backdoors were being deployed to vCenter systems.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/chinese-vmware-exploitation-since-2021/\r\nPage 1 of 3\r\nIn late 2023, a similarity was observed across impacted vCenter systems that explained how the attacker was gaining initial access to the vCenter systems. Located in the VMware service crash log, /var/log/vMonCoredumper.log, the following entries (Figure 2) show the \"vmdird\" service crashing minutes prior to attacker backdoors being deployed.\r\n2022-01-01T01:31:55.361+00:00| \u003cREDACTED\u003e| I125: FILE: FileCreateDirectoryEx: Failed to create /tmp. Error = 17\r\n2022-01-01T01:31:55.362+00:00| \u003cREDACTED\u003e| I125: FILE: FileCreateDirectoryEx: Failed to create /tmp/vmware-root.\r\n2022-01-01T01:31:55.419+00:00| \u003cREDACTED\u003e| I125: Notify vMon about vmdird dumping core. Pid : 1558\r\n2022-01-01T01:31:55.421+00:00| \u003cREDACTED\u003e| I125: Successfully notified vMon.\r\n2022-01-01T01:31:55.927+00:00| \u003cREDACTED\u003e| I125: Successfully generated core file.\r\nFigure 2: vMonCoredumper.log (Timestamps revised for client confidentiality)\r\nAnalysis of the core dump of \"vmdird\" by both Mandiant and VMware Product Security showed that the process crash is closely aligned with the exploitation of CVE-2023-34048, the out-of-bounds write vulnerability in vCenter’s implementation of the DCE/RPC protocol, patched in October 2023, which enables unauthenticated remote command execution on vulnerable systems.\r\nWhile publicly reported and patched in October 2023, Mandiant has observed these crashes across multiple UNC3886 cases between late 2021 and early 2022, leaving a window of roughly a year and a half during which this attacker had access to this vulnerability. Most environments where these crashes were observed had the log entries preserved, but the \"vmdird\" core dumps themselves were removed. VMware’s default configuration keeps core dumps on the system for an indefinite amount of time, suggesting the core dumps were purposely removed by the attacker in an attempt to cover their tracks.\r\nAs mentioned in the VMware advisory, this vulnerability has since been patched in vCenter 8.0U2, and Mandiant recommends that VMware users update to the latest version of vCenter, given that this vulnerability is being exploited in the wild.\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/chinese-vmware-exploitation-since-2021/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/chinese-vmware-exploitation-since-2021/"
	],
	"report_names": [
		"chinese-vmware-exploitation-since-2021"
	],
	"threat_actors": [
		{
			"id": "9df8987a-27fc-45c5-83b0-20dceb8288af",
			"created_at": "2025-10-29T02:00:51.836932Z",
			"updated_at": "2026-04-10T02:00:05.253487Z",
			"deleted_at": null,
			"main_name": "UNC3886",
			"aliases": [
				"UNC3886"
			],
			"source_name": "MITRE:UNC3886",
			"tools": [
				"MOPSLED",
				"VIRTUALPIE",
				"CASTLETAP",
				"THINCRUST",
				"VIRTUALPITA",
				"RIFLESPINE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a08d93aa-41e4-4eca-a0fd-002d051a2c2d",
			"created_at": "2024-08-28T02:02:09.711951Z",
			"updated_at": "2026-04-10T02:00:04.957678Z",
			"deleted_at": null,
			"main_name": "UNC3886",
			"aliases": [
				"Fire Ant"
			],
			"source_name": "ETDA:UNC3886",
			"tools": [
				"BOLDMOVE",
				"CASTLETAP",
				"LOOKOVER",
				"MOPSLED",
				"RIFLESPINE",
				"TABLEFLIP",
				"THINCRUST",
				"Tiny SHell",
				"VIRTUALGATE",
				"VIRTUALPIE",
				"VIRTUALPITA",
				"VIRTUALSHINE",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1c91699d-77d3-4ad7-9857-9f9196ac1e37",
			"created_at": "2023-11-04T02:00:07.663664Z",
			"updated_at": "2026-04-10T02:00:03.385989Z",
			"deleted_at": null,
			"main_name": "UNC3886",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC3886",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434048,
	"ts_updated_at": 1775791794,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b5a5db100da653137a7c98fccc413d0b6cc0ace3.pdf",
		"text": "https://archive.orkl.eu/b5a5db100da653137a7c98fccc413d0b6cc0ace3.txt",
		"img": "https://archive.orkl.eu/b5a5db100da653137a7c98fccc413d0b6cc0ace3.jpg"
	}
}