🇨🇳

UNC3886

APT Group | Information theft and espionage | 15 zero-day CVEs | ETDA ✓

Also Known As

No alias recorded

Target Countries 2


Taiwan, Province of China; United States

Details

Origin 🇨🇳 CN
Last Updated 08 Nov 2023

MITRE ATT&CK 114

T1003 - OS Credential Dumping
T1003.001 - LSASS Memory
T1005 - Data from Local System
T1008
T1014 - Rootkit
T1016
T1018 - Remote System Discovery
T1021 - Remote Services
T1021.004 - SSH
T1027 - Obfuscated Files or Information
T1027.001 - Binary Padding
T1027.005
T1027.013
T1036 - Masquerading
T1036.004 - Masquerade Task or Service
T1036.005
T1037
T1037.004
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1049 - System Network Connections Discovery
T1053 - Scheduled Task/Job
T1055 - Process Injection
T1056 - Input Capture
T1057
T1059 - Command and Scripting Interpreter
T1059.001 - PowerShell
T1059.003
T1059.004 - Unix Shell
T1059.006
T1059.008
T1059.012
T1068
T1070 - Indicator Removal on Host
T1070.002 - Clear Linux or Mac System Logs
T1070.004 - File Deletion
T1070.006
T1070.007
T1071 - Application Layer Protocol
T1071.001 - Web Protocols
T1074 - Data Staged
T1074.001
T1078 - Valid Accounts
T1078.001
T1082 - System Information Discovery
T1083 - File and Directory Discovery
T1087 - Account Discovery
T1090 - Proxy
T1090.003
T1095 - Non-Application Layer Protocol
T1102 - Web Service
T1104
T1105 - Ingress Tool Transfer
T1110 - Brute Force
T1124
T1133 - External Remote Services
T1134 - Access Token Manipulation
T1136 - Create Account
T1140 - Deobfuscate/Decode Files or Information
T1190 - Exploit Public-Facing Application
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1205 - Traffic Signaling
T1205.001
T1212
T1218
T1218.011
T1219 - Remote Access Software
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
T1496 - Resource Hijacking
T1497 - Virtualization/Sandbox Evasion
T1498 - Network Denial of Service
T1505
T1505.003 - Web Shell
T1505.006
T1529 - System Shutdown/Reboot
T1543 - Create or Modify System Process
T1547 - Boot or Logon Autostart Execution
T1548
T1552.004 - Private Keys
T1553 - Subvert Trust Controls
T1553.006 - Code Signing Policy Modification
T1554
T1555 - Credentials from Password Stores
T1555.005
T1556 - Modify Authentication Process
T1560 - Archive Collected Data
T1560.001
T1560.003
T1562 - Impair Defenses
T1562.001 - Disable or Modify Tools
T1562.003
T1562.004
T1563 - Remote Service Session Hijacking
T1564
T1564.011
T1570
T1571 - Non-Standard Port
T1573 - Encrypted Channel
T1573.001
T1587
T1587.001
T1587.004
T1588
T1588.001
T1588.004
T1601 - Modify System Image
T1673
T1675
T1681
T1685
T1686
T1690