Cybersecurity researchers have uncovered a sophisticated cyber espionage campaign targeting critical network infrastructure, marking a significant evolution in tactics by Chinese state-sponsored hackers.
Mandiant, a leading cybersecurity firm, has discovered multiple custom backdoors deployed on Juniper Networks’ routers, attributing the activity to a Chinese espionage group known as UNC3886.
The backdoors provided attackers with persistent access to compromised networks while actively evading detection mechanisms.
In mid-2024, Mandiant discovered threat actors had deployed custom backdoors on Juniper Networks’ Junos OS routers, which form critical components of many organizational network infrastructures.
Mandiant attributed these backdoors to UNC3886, a highly skilled China-nexus cyber espionage group with a history of targeting network devices and virtualization technologies, particularly within defense, technology, and telecommunication organizations across the US and Asia.
Mandiant worked with Juniper Networks to investigate the activity and determined that the affected Juniper MX routers were running end-of-life hardware and software, making them particularly vulnerable to compromise.
The discovery builds upon Mandiant’s previous reports of UNC3886’s similar malware ecosystems deployed on virtualization technologies and network edge devices in 2022 and 2023.
This latest campaign demonstrates UNC3886’s continued focus on maintaining long-term access to victim networks while showing deep understanding of the underlying technology of targeted appliances.
Sophisticated TINYSHELL-Based Backdoors with Custom Capabilities
Mandiant’s investigation identified six distinct malware samples across multiple compromised Juniper MX routers.
Each sample was a modified version of a TINYSHELL backdoor – a lightweight backdoor written in C that communicates using a custom binary protocol – but with unique capabilities specifically designed for Junos OS.
The backdoors were cleverly disguised with names mimicking legitimate Juniper system processes, including “appid,” “to,” “irad,” “lmpad,” “jdosd,” and “oemd”.
The attackers demonstrated significant technical sophistication by circumventing Juniper’s Verified Exec (veriexec) protection, which checks the integrity of files before they are executed and so normally blocks unauthorized binaries.
UNC3886 sidestepped that check by injecting malicious code into the memory of legitimate processes that were already running, so no unverified binary ever had to be executed from disk.
The backdoors came in two forms: active variants that initiated outbound connections to command and control servers, and passive variants that stayed dormant on the device until a specific network trigger arrived.
Perhaps most concerning was the inclusion of code specifically designed to disable logging mechanisms on the target devices, suppressing the evidence that the attackers’ activity would otherwise have left behind.
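When an implant switches off logging on the device itself, the evidence that survives is the absence of messages at a remote syslog collector. The following is an added example, not code from the article or from Mandiant: it flags each router's silences at the collector and records whether other hosts kept logging in the meantime, which separates a single device going quiet from a collector outage. The SYSLOG lines are constructed sample data and the 15-minute threshold is an assumption to be tuned to each device's normal message rate.

```python
"""Detect a router going quiet at the central syslog collector.

Added example, not from the original article or Mandiant. SYSLOG is
constructed sample data; the 15-minute max_gap is an assumption.
"""
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed collector output: "ISO8601 host program[pid]: message".
# mx1 falls silent after the 02:10 shell access while mx2 keeps logging.
SYSLOG = """\
2024-06-03T02:00:00Z mx1 mgd[1201]: user admin logged in from 192.0.2.50
2024-06-03T02:05:00Z mx1 sshd[1290]: accepted publickey for netops
2024-06-03T02:05:30Z mx2 rpd[1102]: bgp peer 192.0.2.2 up
2024-06-03T02:10:00Z mx1 mgd[1201]: command 'start shell' entered by admin
2024-06-03T02:15:00Z mx2 chassisd[1009]: fan speed normal
2024-06-03T02:25:00Z mx2 rpd[1102]: keepalive
2024-06-03T02:35:00Z mx2 rpd[1102]: keepalive
2024-06-03T02:45:00Z mx2 rpd[1102]: keepalive
2024-06-03T02:55:00Z mx2 rpd[1102]: keepalive
2024-06-03T03:05:00Z mx2 chassisd[1009]: fan speed normal
2024-06-03T03:15:00Z mx1 mgd[1201]: commit requested by admin
"""


def parse_syslog(text):
    """Return time-sorted (timestamp, host) pairs; the message body is ignored."""
    events = []
    for line in text.strip().splitlines():
        ts, host, _ = line.split(" ", 2)
        events.append((datetime.strptime(ts, TS_FMT), host))
    return sorted(events)


def find_silences(events, max_gap=timedelta(minutes=15), now=None):
    """One finding per host per gap longer than max_gap. 'to' is None for a
    host not heard from within max_gap of 'now' (logging never came back).
    'others_active' is True when some other host logged during the gap, i.e.
    the collector was up and only this device went quiet."""
    by_host = {}
    for ts, host in events:
        by_host.setdefault(host, []).append(ts)
    findings = []
    for host, stamps in by_host.items():
        windows = list(zip(stamps, stamps[1:]))
        if now is not None and now - stamps[-1] > max_gap:
            windows.append((stamps[-1], None))
        for start, end in windows:
            if end is not None and end - start <= max_gap:
                continue
            limit = end if end is not None else now
            others = any(start < t < limit and h != host for t, h in events)
            findings.append({"host": host, "from": start, "to": end,
                             "others_active": others})
    return findings


def run(now_iso=None):
    """Run the detector over SYSLOG; now_iso is the collector's current time."""
    now = datetime.strptime(now_iso, TS_FMT) if now_iso else None
    return find_silences(parse_syslog(SYSLOG), now=now)


if __name__ == "__main__":
    for f in run("2024-06-03T03:20:00Z"):
        end = f["to"].strftime("%H:%M") if f["to"] else "now"
        print(f"{f['host']} silent {f['from']:%H:%M} -> {end}; "
              f"other hosts active: {f['others_active']}")
```

A gap with `others_active` False on every host at once points at the collector or the network path, not at the devices; a gap on one router while its neighbours keep logging is the case worth pulling the device for a JMRT check.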
Implications and Recommendations for Network Security
The compromises highlight a concerning trend of espionage-motivated adversaries targeting routing infrastructure, which typically lacks robust security monitoring solutions such as endpoint detection and response (EDR) agents.
This activity grants attackers long-term, high-level access to crucial routing infrastructure, with potential for more disruptive actions in the future.
Mandiant has issued several recommendations for organizations to protect themselves.
First and foremost, organizations should upgrade their Juniper devices to the latest software images released by Juniper Networks, which include mitigations and updated signatures for the Juniper Malware Removal Tool (JMRT).
After upgrading, organizations should run the JMRT Quick Scan and Integrity Check.
Additional recommendations include implementing robust multi-factor authentication, granular access control for network devices, enhanced monitoring of administrative activities, prioritizing vulnerability management, implementing a device lifecycle management program, strengthening security posture through access controls and segmentation, and leveraging threat intelligence to improve security controls.
As network infrastructure continues to be targeted by sophisticated threat actors, organizations must remain vigilant and proactive in their security measures to protect these critical systems that form the backbone of digital communications.
Indicators of Compromise
Host-Based Indicators
| Filename | Malware Family | MD5 | SHA1 | SHA256 |
| --- | --- | --- | --- | --- |
| appid | TINYSHELL | 2c89a18944d3a895bd6432415546635e | 50520639cf77df0c15cc95076fac901e3d04b708 | 98380ec6bf4e03d3ff490cdc6c48c37714450930e4adf82e6e14d244d8373888 |
| irad | TINYSHELL | aac5d83d296df81c9259c9a533a8423a | 1a6d07da7e77a5706dd8af899ebe4daa74bbbe91 | 5bef7608d66112315eefff354dae42f49178b7498f994a728ae6203a8a59f5a2 |
| jdosd | TINYSHELL | 8023d01ffb7a38b582f0d598afb974ee | 06a1f879da398c00522649171526dc968f769093 | c0ec15e08b4fb3730c5695fb7b4a6b85f7fe341282ad469e4e141c40ead310c3 |
| lmpad | TINYSHELL | 5724d76f832ce8061f74b0e9f1dcad90 | f8697b400059d4d5082eee2d269735aa8ea2df9a | 5995aaff5a047565c0d7fe3c80fa354c40e7e8c3e7d4df292316c8472d4ac67a |
| oemd | TINYSHELL | e7622d983d22e749b3658600df00296d | cf7af504ef0796d91207e41815187a793d430d85 | 905b18d5df58dd6c16930e318d9574a2ad793ec993ad2f68bca813574e3d854b |
| to | TINYSHELL | b9e4784fa0e6283ce6e2094426a02fce | 01735bb47a933ae9ec470e6be737d8f646a8ec66 | e1de05a2832437ab70d36c4c05b43c4a57f856289224bbd41182deea978400ed |
| oemd | TINYSHELL | bf80c96089d37b8571b5de7cab14dd9f | cec327e51b79cf11b3eeffebf1be8ac0d66e9529 | 3751997cfcb038e6b658e9180bc7cce28a3c25dbb892b661bcd1065723f11f7e |
| lmpad | TINYSHELL | 3243e04afe18cc5e1230d49011e19899 | 2e9215a203e908483d04dfc0328651d79d35b54f | 7ae38a27494dd6c1bc9ab3c02c3709282e0ebcf1e5fcf59a57dc3ae56cfd13b4 |
Network Indicators
| Description | Indicator |
| --- | --- |
| TINYSHELL Command and Control server | 129.126.109.50:22 |
| TINYSHELL Command and Control server | 116.88.34.184:22 |
| TINYSHELL Command and Control server | 223.25.78.136:22 |
| TINYSHELL Command and Control server | 45.77.39.28:22 |
| TINYSHELL Command and Control server | 101.100.182.122:22 |
| TINYSHELL Command and Control server | 118.189.188.122:22 |
| TINYSHELL Command and Control server | 158.140.135.244:22 |
| TINYSHELL Command and Control server | 8.222.225.8:22 |
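The two tables above, together with the active/passive split described earlier, can be turned into a first offline hunt. The script below is an added example, not code from the article or from Mandiant: it matches a host hash list against the file indicators by hash rather than by name (the implants mimic legitimate Junos process names, and a listed sample may be renamed), and classifies flow records that touch a C2 address by direction, since a router connecting out to a C2 on port 22 fits the active variants while traffic arriving from a C2 fits the passive ones. The hash and C2 values are copied from the tables; FILE_INVENTORY, FLOW_LOG, ROUTER_IPS and the flow-record format are constructed assumptions.

```python
"""Offline hunt over the TINYSHELL indicators listed above.

Added example: not code from the original article or from Mandiant.
HOST_IOCS and NETWORK_IOCS are copied from the two tables above; the
inventory, flow log and router list are constructed sample data.
"""
from __future__ import annotations

import ipaddress
import re

# Host-based indicators from the table above: filename|md5|sha1|sha256
HOST_IOCS = """
appid|2c89a18944d3a895bd6432415546635e|50520639cf77df0c15cc95076fac901e3d04b708|98380ec6bf4e03d3ff490cdc6c48c37714450930e4adf82e6e14d244d8373888
irad|aac5d83d296df81c9259c9a533a8423a|1a6d07da7e77a5706dd8af899ebe4daa74bbbe91|5bef7608d66112315eefff354dae42f49178b7498f994a728ae6203a8a59f5a2
jdosd|8023d01ffb7a38b582f0d598afb974ee|06a1f879da398c00522649171526dc968f769093|c0ec15e08b4fb3730c5695fb7b4a6b85f7fe341282ad469e4e141c40ead310c3
lmpad|5724d76f832ce8061f74b0e9f1dcad90|f8697b400059d4d5082eee2d269735aa8ea2df9a|5995aaff5a047565c0d7fe3c80fa354c40e7e8c3e7d4df292316c8472d4ac67a
oemd|e7622d983d22e749b3658600df00296d|cf7af504ef0796d91207e41815187a793d430d85|905b18d5df58dd6c16930e318d9574a2ad793ec993ad2f68bca813574e3d854b
to|b9e4784fa0e6283ce6e2094426a02fce|01735bb47a933ae9ec470e6be737d8f646a8ec66|e1de05a2832437ab70d36c4c05b43c4a57f856289224bbd41182deea978400ed
oemd|bf80c96089d37b8571b5de7cab14dd9f|cec327e51b79cf11b3eeffebf1be8ac0d66e9529|3751997cfcb038e6b658e9180bc7cce28a3c25dbb892b661bcd1065723f11f7e
lmpad|3243e04afe18cc5e1230d49011e19899|2e9215a203e908483d04dfc0328651d79d35b54f|7ae38a27494dd6c1bc9ab3c02c3709282e0ebcf1e5fcf59a57dc3ae56cfd13b4
"""

# Network indicators from the table above. Every C2 listens on TCP/22, so
# the beacons look like ordinary outbound SSH unless the destination is known.
NETWORK_IOCS = """
129.126.109.50:22
116.88.34.184:22
223.25.78.136:22
45.77.39.28:22
101.100.182.122:22
118.189.188.122:22
158.140.135.244:22
8.222.225.8:22
"""


def load_host_iocs(text: str = HOST_IOCS) -> dict[str, str]:
    """Map each hash (md5, sha1 or sha256, lower-cased) to the IoC filename,
    so a hash list from any tool can be matched whatever algorithm it used."""
    table: dict[str, str] = {}
    for line in text.strip().splitlines():
        name, *hashes = line.split("|")
        for h in hashes:
            table[h.strip().lower()] = name
    return table


def load_network_iocs(text: str = NETWORK_IOCS) -> set[tuple[str, int]]:
    """Parse 'ip:port' lines into (ip, port) tuples; a malformed IP raises."""
    out = set()
    for line in text.strip().splitlines():
        ip, port = line.rsplit(":", 1)
        out.add((str(ipaddress.ip_address(ip)), int(port)))
    return out


def match_hashes(inventory, iocs):
    """inventory: iterable of (path, hex hash). Matching is by hash only."""
    return [(path, iocs[h.strip().lower()])
            for path, h in inventory if h.strip().lower() in iocs]


# Assumed flow-record layout (constructed): "... src=A sport=N dst=B dport=M ..."
FLOW_RE = re.compile(r"src=(\S+) sport=(\d+) dst=(\S+) dport=(\d+)")


def match_flows(flow_lines, iocs, router_ips):
    """Flag flow records touching a C2, labelled by direction: the router
    reaching out to ip:22 (active variant) or the C2 reaching in (passive)."""
    c2_ips = {ip for ip, _ in iocs}
    hits = []
    for line in flow_lines:
        m = FLOW_RE.search(line)
        if not m:
            continue  # not a record we understand; skip rather than guess
        src, dst, dport = m[1], m[3], int(m[4])
        if (dst, dport) in iocs:
            hits.append({"direction": "outbound-to-c2", "router": src, "c2": dst,
                         "router_known": src in router_ips, "line": line})
        elif src in c2_ips:
            hits.append({"direction": "inbound-from-c2", "router": dst, "c2": src,
                         "router_known": dst in router_ips, "line": line})
    return hits


# Constructed sample data. The first hash is upper-cased to exercise the
# normalisation; the third entry is a listed lmpad build under another name.
FILE_INVENTORY = [
    ("/var/tmp/appid", "98380ec6bf4e03d3ff490cdc6c48c37714450930e4adf82e6e14d244d8373888".upper()),
    ("/usr/sbin/sshd", "0" * 64),
    ("/var/tmp/.cache/x", "7ae38a27494dd6c1bc9ab3c02c3709282e0ebcf1e5fcf59a57dc3ae56cfd13b4"),
]
FLOW_LOG = [
    "2024-06-03T02:14:05Z src=192.0.2.10 sport=51822 dst=129.126.109.50 dport=22 proto=tcp",
    "2024-06-03T02:15:11Z src=192.0.2.10 sport=51823 dst=203.0.113.5 dport=22 proto=tcp",
    "2024-06-03T02:20:40Z src=8.222.225.8 sport=40001 dst=192.0.2.10 dport=5555 proto=udp",
]
ROUTER_IPS = {"192.0.2.10"}  # assumed management addresses of the MX estate


def hunt():
    """Return (hash matches, flow matches) over the constructed sample data."""
    return (match_hashes(FILE_INVENTORY, load_host_iocs()),
            match_flows(FLOW_LOG, load_network_iocs(), ROUTER_IPS))


if __name__ == "__main__":
    files, flows = hunt()
    for path, family in files:
        print(f"HASH MATCH {path} -> {family}")
    for f in flows:
        print(f"FLOW {f['direction']} router={f['router']} c2={f['c2']}")
```

A hash match is only as good as the hash list: a file hashed on a router that is already running injected code may be clean on disk, which is why the vendor guidance pairs the IoC sweep with the JMRT Integrity Check rather than relying on either alone.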