
Advanced Backdoor Capabilities
According to a report by Mandiant, a Google-owned cybersecurity firm, these backdoors possess a range of functions, including both active and passive backdoor mechanisms. Additionally, an embedded script is used to disable logging features on the targeted device, preventing detection.
Mandiant describes this activity as an evolution of the group’s tactics. Historically, UNC3886 has exploited zero-day vulnerabilities in Fortinet, Ivanti, and VMware devices to compromise networks of interest and establish long-term access.
Since being first identified in September 2022, this hacking group has demonstrated expertise in attacking edge devices and virtualization technologies. Their main targets include defense, technology, and telecommunication organizations in both the United States and Asia.
These attacks are particularly concerning because many network perimeter devices lack robust security monitoring and detection measures. This allows the attackers to operate undetected, making them a persistent threat.
Targeting Network Infrastructure for Long-Term Access
Mandiant notes that compromising routing devices is a growing trend among espionage-driven threat actors. Gaining access to critical routing infrastructure provides attackers with long-term, high-level control, which could lead to more severe disruptions in the future.
In mid-2024, researchers identified implants based on TinyShell, a lightweight, C-based backdoor frequently used by Chinese hacking groups such as Liminal Panda and Velvet Ant.
Austin Larsen, a principal threat analyst at Google Threat Intelligence Group, explained that TinyShell’s open-source nature makes it a preferred tool. It is cost-effective, requires minimal research and development, and complicates attribution for investigators. Additionally, it is highly customizable, allowing attackers to tailor it for specific devices, making it a discreet alternative to more complex remote access tools (RATs) like PlugX and ShadowPad.
Distinct TinyShell-Based Backdoors Identified
Mandiant discovered six unique TinyShell-based backdoors, each with specialized capabilities:
appid (A Poorly Plagiarized Implant Daemon): Supports file transfer, interactive shell access, SOCKS proxy, and configuration changes.
to (TooObvious): Similar to appid but features a distinct set of hard-coded command-and-control (C2) servers.
irad (Internet Remote Access Daemon): A passive backdoor acting as a packet sniffer, extracting commands from ICMP packets.
lmpad (Local Memory Patching Attack Daemon): A utility that allows process injection into legitimate Junos OS processes, preventing logging.
jdosd (Junos Denial of Service Daemon): Implements a UDP-based backdoor with file transfer and remote shell functionalities.
oemd (Obscure Enigmatic Malware Daemon): A passive backdoor that communicates with the C2 server via TCP, supporting standard TinyShell commands.
The attackers also developed techniques to bypass Junos OS’ Verified Exec (veriexec) protections, which typically prevent untrusted code execution. They achieved this by gaining privileged access to a router through a terminal server used for network management, using legitimate credentials.
Once inside, they injected the malicious payloads into the memory of legitimate processes, allowing the lmpad backdoor to operate despite veriexec protections.
Stealth Tactics and Additional Malware Tools
Mandiant highlighted that the primary purpose of this malware is to disable all logging functions before attackers interact with the router, ensuring no traces of their activities are recorded. Once they disconnect, they restore the logs to maintain a façade of normal operation.
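The logging behaviour described above (logs switched off while the operator is on the router, then switched back on) leaves a distinctive trace on a remote syslog collector: a silent window in an otherwise steady feed. The following Python script is an added illustration and is not code from Mandiant, Juniper, or the malware itself; it assumes the device forwards syslog to a collector that normalises timestamps to ISO 8601, and the sample log lines are constructed for the example. It flags any silence longer than a configurable threshold so an analyst can line it up against session records.

```python
"""Flag suspicious silences in a router's forwarded syslog stream.

Added illustrative example, not taken from the report or advisory.
Assumption: the router forwards syslog to a central collector and normally
emits a message at least every few minutes. Because the malware described
above disables logging only for the duration of the operator's session, a
long gap that begins and ends cleanly is worth a closer look.
"""
from datetime import datetime, timedelta

# Constructed sample feed (hostname, process and messages are made up).
# Timestamps are assumed to be normalised to ISO 8601 UTC by the collector.
SAMPLE_LOG = """\
2025-03-12T10:00:05Z mx-router-1 sshd[2431]: Accepted publickey for netops from 10.0.0.5 port 51234
2025-03-12T10:02:11Z mx-router-1 mgd[1120]: User 'netops' requested 'commit' operation
2025-03-12T10:04:30Z mx-router-1 rpd[1555]: BGP peer 10.0.1.1 state change Established -> Idle
2025-03-12T10:51:02Z mx-router-1 chassisd[1401]: SNMP trap generated: linkUp ge-0/0/3
2025-03-12T10:53:17Z mx-router-1 sshd[2431]: Received disconnect from 10.0.0.5 port 51234
"""


def parse_timestamps(log_text):
    """Return the timestamp of every non-empty line, in feed order."""
    stamps = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts = line.split(" ", 1)[0]
        stamps.append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return stamps


def find_gaps(log_text, threshold=timedelta(minutes=15)):
    """Return (silence_start, silence_end, seconds) for every gap above threshold.

    silence_start is the last message before the silence and silence_end the
    first message after it; the analyst can then check whether a management
    session was open across that window.
    """
    stamps = parse_timestamps(log_text)
    gaps = []
    for prev, cur in zip(stamps, stamps[1:]):
        delta = cur - prev
        if delta > threshold:
            gaps.append((prev, cur, int(delta.total_seconds())))
    return gaps


if __name__ == "__main__":
    for start, end, seconds in find_gaps(SAMPLE_LOG):
        print(f"silence of {seconds}s between {start.isoformat()} and {end.isoformat()}")
```

On the constructed feed the script reports one silence of 2792 seconds (about 46 minutes) between 10:04:30 and 10:51:02. The threshold should be tuned to the device's normal message rate; a chatty core router can use a much shorter window than a quiet branch box, and pairing the check with a periodic heartbeat message from the device makes the detection independent of traffic volume.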
Other tools used by UNC3886 include:
Reptile and Medusa (rootkits)
PITHOOK (used to hijack SSH authentications and steal credentials)
GHOSTTOWN (anti-forensics tool)
Mitigation Measures for Organizations
Organizations using Juniper devices are advised to upgrade to the latest firmware versions, which include security patches and updated signatures for the Juniper Malware Removal Tool (JMRT).
This development follows an earlier revelation by Lumen Black Lotus Labs, which reported that enterprise-grade Juniper routers had been targeted by a custom backdoor. This campaign, dubbed J-magic, delivered a modified version of the cd00r backdoor.
However, Mandiant clarified that this separate activity is attributed to another China-linked group, UNC4841. There is currently no evidence suggesting UNC4841 was involved in targeting the end-of-life Juniper routers.
Juniper Networks’ Response and Identified Vulnerability
In July 2024, Juniper Networks launched Project RedPenguin to investigate these attacks on MX Series routers. They discovered that at least one security vulnerability contributed to the successful breaches, allowing attackers to run malware on veriexec-protected routers.
The flaw, identified as CVE-2025-21590 (CVSS v4 score: 6.7), is classified as an Improper Isolation or Compartmentalization vulnerability within the Junos OS kernel. Juniper Networks explained that a local attacker with high privileges could inject arbitrary code, compromising affected devices.
The vulnerability has been patched in the following Junos OS versions:
21.2R3-S9
21.4R3-S10
22.2R3-S6
22.4R3-S6
23.2R2-S3
23.4R2-S4
24.2R1-S2
24.2R2
24.4R1
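Checking a fleet against that list by hand is error-prone because Junos OS versions are compared within a release train (for example, 24.2R1-S2 and 24.2R2 are both fixed, while 24.2R1-S1 is not). The following Python helper is an added example, not code from Juniper; it parses the common Junos version format (MAJOR.MINOR R release, optional -S service release, optional build suffix and -EVO marker, which is an assumption about the formats in use) and reports whether a given version is at or above the fixed release listed for its train. Trains not on the list are reported as unknown rather than guessed, and the assumption that later R and S releases within a listed train carry the fix is stated in the code.

```python
"""Assess a Junos OS version string against the CVE-2025-21590 fixed releases.

Added illustrative example, not Juniper's own tooling. The fixed-version list
is the one published in the advisory and repeated in the article above.
Assumption: within a train, any release at or above the listed fixed release
(later -S service release or later R release) also carries the fix; trains not
on the list are reported as "unknown" so the operator consults the advisory.
"""
import re

FIXED_VERSIONS = [
    "21.2R3-S9", "21.4R3-S10", "22.2R3-S6", "22.4R3-S6",
    "23.2R2-S3", "23.4R2-S4", "24.2R1-S2", "24.2R2", "24.4R1",
]

# MAJOR.MINOR R<release> [-S<service>] [.<build>] [-EVO]; the build and EVO parts
# are an assumption about real-world strings and are ignored for comparison.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?(?:-EVO)?$")


def parse_junos_version(version):
    """Return (major, minor, release, service) as integers, or raise ValueError."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version string: {version!r}")
    major, minor, release, service = m.groups()
    return int(major), int(minor), int(release), int(service or 0)


def fixed_by_train():
    """Map each (major, minor) train to the lowest (release, service) that is fixed."""
    by_train = {}
    for v in FIXED_VERSIONS:
        major, minor, release, service = parse_junos_version(v)
        train, point = (major, minor), (release, service)
        if train not in by_train or point < by_train[train]:
            by_train[train] = point
    return by_train


def assess(version):
    """Return 'fixed', 'vulnerable' or 'unknown' for one Junos OS version string."""
    major, minor, release, service = parse_junos_version(version)
    by_train = fixed_by_train()
    train = (major, minor)
    if train not in by_train:
        return "unknown"
    return "fixed" if (release, service) >= by_train[train] else "vulnerable"


def assess_fleet(inventory):
    """Assess a {hostname: version} inventory; unparsable strings are 'unknown'."""
    results = {}
    for host, version in inventory.items():
        try:
            results[host] = assess(version)
        except ValueError:
            results[host] = "unknown"
    return results


if __name__ == "__main__":
    # Constructed inventory for demonstration.
    fleet = {"mx-edge-1": "21.4R3-S9", "mx-edge-2": "24.2R2", "mx-core-1": "22.3R1-S2"}
    for host, verdict in assess_fleet(fleet).items():
        print(f"{host}: {fleet[host]} -> {verdict}")
```

The inventory can be fed from whatever source of truth the organisation keeps (configuration management, a NetBox export, or the output of the device's own version command). Anything reported as unknown, including end-of-life trains that receive no fixed release, should be treated as needing the manual review and JMRT scan the advisory recommends rather than as safe.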
Juniper Networks also provided further clarification on the malware components:
jdosd and irad: Remote access toolkits
lmpad: Local access toolkit targeting Junos OS
appid, to, and oemd: RATs based on TinyShell
Ongoing Threat and Future Implications
Mandiant’s findings suggest that UNC3886 has deep expertise in advanced system internals, enabling them to maintain stealthy, long-term access to compromised devices.
The group prioritizes evading detection by using passive backdoors and manipulating forensic artifacts, ensuring long-term persistence within targeted networks.
With cyber threats evolving rapidly, organizations must stay vigilant by regularly updating firmware, implementing strong security measures, and monitoring network activity for unusual behavior.
(This article has been updated to include statements from Google Mandiant and an official advisory from Juniper Networks.)