C0056: RedPenguin
The RedPenguin project was launched by Juniper in July 2024 to investigate reported malware infections of Juniper MX Series routers. RedPenguin activity was separately attributed to UNC3886 and included the deployment of multiple custom versions of the publicly-available TINYSHELL backdoor on Juniper routers.[1][2]
Analyst context for executives and security teams
RedPenguin matters because ATT&CK describes it as activity involving malware infections of Juniper MX Series routers and custom TINYSHELL backdoors. For leaders, the practical issue is not a desktop malware problem; it is potential compromise of edge/network infrastructure that can affect visibility, routing trust, credential exposure, and incident response confidence.
Executive priority
Prioritize this as an edge-infrastructure resilience and evidence-readiness issue. Executives should ask whether Juniper MX and similar network devices are inventoried, centrally logged, access-controlled, and included in incident response playbooks. Because the campaign is attributed in ATT&CK to UNC3886 and uses stealth, proxying, valid accounts, rootkits, and exfiltration-over-C2 techniques, coverage depends on router telemetry, privileged access governance, and the ability to preserve forensic evidence before cleanup activity removes it.
Technical view
ATT&CK provides no official detection text and no campaign-level platforms, but the description identifies Juniper MX routers and relationships include Network Device CLI, Unix Shell, Valid Accounts, Rootkit, Network Sniffing, Proxy/Multi-hop Proxy, Non-Application Layer Protocol, Traffic Signaling, Ingress Tool Transfer, File Deletion, and Clear Network Connection History. SOC and IR teams should validate whether network-device logs, authentication records, configuration history, file/process visibility where available, and network flow/packet evidence can support investigation of stealthy command execution, tool transfer, hidden services, credential use, and outbound C2 paths.
Likely telemetry
- Network device authentication and authorization logs, especially administrative and privileged account use
- Network Device CLI command history and configuration change records where retained
- Router/system logs showing process execution, shell access, file creation, file deletion, or abnormal service behavior where available
- NetFlow, firewall, IDS/IPS, and packet metadata for unusual outbound connections, proxy behavior, non-application-layer protocols, or traffic signaling patterns
- Configuration backups and integrity baselines for Juniper MX routers and other edge devices
Detection direction
- Do not assume endpoint EDR coverage applies to routers; validate device-native logging and network-based monitoring separately.
- Tune for abnormal administrative access, unusual CLI activity, unexpected shell use, and changes to network-device configuration or connection history.
- Correlate valid-account activity with unusual source locations, timing, device targets, and follow-on network connections.
- Look for stealth indicators suggested by related techniques: hidden or masqueraded files, rootkit-like concealment, process injection behavior where observable, file deletion, and cleared connection history.
- Use network telemetry to identify proxy chains, non-standard C2 channels, multi-stage communications, and exfiltration over existing C2 rather than relying only on known indicators.
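As an added example (not code from the cited Juniper or Mandiant reporting), the following Python runs the detection direction above over constructed Junos mgd syslog lines and flow records: it groups mgd messages into CLI sessions, flags privileged logins from outside an assumed jump-host range, shell escapes (`start shell`) and commits that follow them, and flags router-originated flows outside an assumed outbound allowlist plus any use of port 45678, the default bind port named in the T1571 row of the technique table. The message tags follow the Junos mgd syslog format; the hostnames, users, addresses, the 10.20.0.0/16 admin range, the 192.0.2.1 management address and the allowlist are all invented assumptions.

```python
"""Added example: run router-focused detections over constructed Junos syslog and
flow records. Not code from the cited Juniper or Mandiant reporting."""
import re
from dataclasses import dataclass, field

# Constructed sample syslog. Message tags (UI_LOGIN_EVENT, UI_CMDLINE_READ_LINE,
# UI_COMMIT) follow the Junos mgd syslog format; hostnames, users, addresses and
# times are invented for illustration.
JUNOS_SYSLOG = """\
Mar 11 02:14:07 mx-edge-1 mgd[4121]: UI_LOGIN_EVENT: User 'netops' login, class 'super-user' [4121], ssh-connection '198.51.100.23 50412 192.0.2.1 22', client-mode 'cli'
Mar 11 02:14:19 mx-edge-1 mgd[4121]: UI_CMDLINE_READ_LINE: User 'netops', command 'start shell '
Mar 11 02:15:02 mx-edge-1 mgd[4121]: UI_COMMIT: User 'netops' requested 'commit' operation (comment: none)
Mar 11 09:30:11 mx-edge-1 mgd[5010]: UI_LOGIN_EVENT: User 'netops' login, class 'super-user' [5010], ssh-connection '10.20.0.5 41200 192.0.2.1 22', client-mode 'cli'
Mar 11 09:30:40 mx-edge-1 mgd[5010]: UI_CMDLINE_READ_LINE: User 'netops', command 'show interfaces terse '
"""

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto).
FLOWS = [
    ("192.0.2.1", 52010, "10.20.0.50", 514, "udp"),       # syslog to the collector
    ("192.0.2.1", 52011, "10.20.0.60", 123, "udp"),       # NTP
    ("198.51.100.77", 40233, "192.0.2.1", 45678, "tcp"),  # inbound to the backdoor's default port
    ("192.0.2.1", 53321, "203.0.113.9", 8443, "tcp"),     # router-initiated, not on the allowlist
]

# Assumed environment facts: admin jump-host range, the router's management address
# and the only outbound (dst, port, proto) tuples the router is expected to open.
ALLOWED_ADMIN_PREFIXES = ("10.20.",)
ROUTER_IPS = {"192.0.2.1"}
EXPECTED_OUTBOUND = {("10.20.0.50", 514, "udp"), ("10.20.0.60", 123, "udp")}
TINYSHELL_DEFAULT_PORT = 45678  # from the T1571 relationship on this page

PID_RE = re.compile(r" mgd\[(?P<pid>\d+)\]: ")
LOGIN_RE = re.compile(
    r"UI_LOGIN_EVENT: User '(?P<user>[^']+)' login, class '(?P<cls>[^']+)' \[\d+\], "
    r"ssh-connection '(?P<src>\S+) \d+ (?P<dst>\S+) \d+'"
)
CMD_RE = re.compile(r"UI_CMDLINE_READ_LINE: User '[^']+', command '(?P<cmd>[^']*)'")
COMMIT_RE = re.compile(r"UI_COMMIT: User '[^']+' requested 'commit'")


@dataclass
class Session:
    pid: str
    user: str
    cls: str
    src: str
    commands: list = field(default_factory=list)
    committed: bool = False


def parse_sessions(text):
    """Group mgd messages into CLI sessions keyed by the mgd process ID."""
    sessions = {}
    for line in text.splitlines():
        pid_m = PID_RE.search(line)
        if not pid_m:
            continue
        pid = pid_m.group("pid")
        if m := LOGIN_RE.search(line):
            sessions[pid] = Session(pid, m["user"], m["cls"], m["src"])
        elif pid in sessions and (m := CMD_RE.search(line)):
            sessions[pid].commands.append(m["cmd"].strip())
        elif pid in sessions and COMMIT_RE.search(line):
            sessions[pid].committed = True
    return list(sessions.values())


def flag_sessions(sessions, allowed_prefixes):
    """Return one finding per session that shows any of the patterns of interest."""
    findings = []
    for s in sessions:
        flags = []
        if not s.src.startswith(allowed_prefixes):
            flags.append("login_from_unexpected_source")
        if any(c.startswith("start shell") for c in s.commands):
            flags.append("shell_escape")  # FreeBSD shell reached from the Junos CLI
        if s.committed and "shell_escape" in flags:
            flags.append("commit_after_shell")
        if flags:
            findings.append({"pid": s.pid, "user": s.user, "class": s.cls,
                             "src": s.src, "flags": flags})
    return findings


def flag_flows(flows, router_ips, expected_outbound, backdoor_port=TINYSHELL_DEFAULT_PORT):
    """Flag router-originated flows outside the allowlist and any use of the backdoor port."""
    findings = []
    for src, sport, dst, dport, proto in flows:
        if src in router_ips and (dst, dport, proto) not in expected_outbound:
            findings.append({"flow": (src, sport, dst, dport, proto), "flag": "unexpected_outbound"})
        if backdoor_port in (sport, dport):
            findings.append({"flow": (src, sport, dst, dport, proto), "flag": "backdoor_default_port"})
    return findings


if __name__ == "__main__":
    for f in flag_sessions(parse_sessions(JUNOS_SYSLOG), ALLOWED_ADMIN_PREFIXES):
        print("session", f)
    for f in flag_flows(FLOWS, ROUTER_IPS, EXPECTED_OUTBOUND):
        print("flow", f)
```

Two design points matter in practice. Sessions are keyed by the mgd PID because Junos emits login, command and commit messages from the same mgd instance, which lets a shell escape be tied to the login that preceded it; and the flow check treats the port as a weak signal on its own, since the page itself notes the backdoor only binds there by default, so the router-originated allowlist check is the one that still works when the port is changed.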
Mitigation priorities
- Inventory Juniper MX routers and other critical edge/network devices, confirm ownership, software/firmware state, and exposure paths.
- Apply relevant vendor guidance from the cited Juniper and Mandiant reporting and maintain a patch/vulnerability management process for edge infrastructure.
- Restrict and monitor administrative access to network devices; enforce least privilege, strong authentication where supported, and separation of administrative accounts.
- Preserve centralized logs and configuration backups so file deletion or cleared connection history on the device does not eliminate investigative evidence.
- Limit outbound connectivity from network infrastructure to expected destinations and protocols where operationally feasible.
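The configuration-backup and baseline points above only help if someone actually compares snapshots. As an added example, not from the cited reporting, the following Python diffs a Junos configuration snapshot in `show configuration | display set` form against a retained baseline and marks changes in stanzas relevant to this campaign: local accounts, management services, syslog destinations, authentication order and on-box scripts. Both configuration texts are constructed, and the stanza list is an assumption to tune per environment.

```python
"""Added example: diff a Junos configuration snapshot against a retained baseline
and flag changes in security-relevant stanzas. Not code from the cited reporting."""

# Constructed baseline, in `show configuration | display set` form (invented values).
BASELINE = """\
set system host-name mx-edge-1
set system authentication-order radius
set system authentication-order password
set system login user netops class super-user
set system services ssh root-login deny
set system services netconf ssh
set system syslog host 10.20.0.50 any any
set interfaces ge-0/0/0 description uplink
"""

# Constructed current snapshot: a new super-user, root SSH login enabled, the
# syslog collector removed, an op script installed, and one cosmetic change.
CURRENT = """\
set system host-name mx-edge-1
set system authentication-order radius
set system authentication-order password
set system login user netops class super-user
set system login user svc-backup class super-user
set system services ssh root-login allow
set system services netconf ssh
set system scripts op file collect.slax
set interfaces ge-0/0/0 description uplink-to-isp
"""

# Assumed stanza prefixes worth an analyst's attention; tune per environment.
SENSITIVE_PREFIXES = {
    "set system login": "local account or login class change",
    "set system root-authentication": "root credential change",
    "set system services": "management service change",
    "set system syslog": "logging destination change",
    "set system authentication-order": "authentication path change",
    "set system scripts": "script installed on the device",
    "set event-options": "event-triggered action change",
}


def parse_set_lines(text):
    """Return the set of normalised `set ...` statements in a display-set dump."""
    return {line.strip() for line in text.splitlines() if line.strip().startswith("set ")}


def diff_sets(baseline, current):
    """Return (added, removed) statements, each sorted for stable output."""
    base, cur = parse_set_lines(baseline), parse_set_lines(current)
    return sorted(cur - base), sorted(base - cur)


def classify(added, removed, sensitive=SENSITIVE_PREFIXES):
    """Label every change as 'review' if it touches a sensitive stanza, else 'info'."""
    findings = []
    for change, lines in (("added", added), ("removed", removed)):
        for line in lines:
            reason = next((why for prefix, why in sensitive.items() if line.startswith(prefix)), None)
            findings.append({
                "change": change,
                "line": line,
                "severity": "review" if reason else "info",
                "reason": reason or "outside sensitive stanzas",
            })
    return findings


if __name__ == "__main__":
    added, removed = diff_sets(BASELINE, CURRENT)
    for f in classify(added, removed):
        print(f"{f['severity']:6} {f['change']:7} {f['line']}  ({f['reason']})")
```

Run this against the off-box backup rather than against `show configuration` on the device itself: the T1070.007 and T1554 rows on this page describe an implant that deletes logs and patches mgd in memory, so output gathered from a compromised device is exactly the evidence the baseline is meant to be independent of.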
Analyst notes and limits
The campaign is linked by ATT&CK to UNC3886 and to REPTILE, MEDUSA, and multiple techniques spanning execution, stealth, credential access, discovery, command and control, and exfiltration. The most decision-useful takeaway is to test whether edge/network infrastructure is monitored and recoverable at the same standard as servers and endpoints.
ATT&CK does not provide official detection guidance, campaign-level platforms, or detailed procedure examples in the supplied fields. This summary uses only the supplied description, external references, and relationships; local device models, logging configuration, network architecture, and vendor advisories are required to determine actual exposure and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available. Bracketed numbers map to the external references at the end of this page; the Censys RedPenguin MAR 2025 source is cited in the relationship text but is not part of the mirrored reference list, so it is named inline instead.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1057 | Process Discovery | During RedPenguin, UNC3886 used malware capable of reading the PID for the Junos OS snmpd daemon.[1] |
| Enterprise | T1040 | Network Sniffing | During RedPenguin, UNC3886 used a passive backdoor to act as a libpcap-based packet sniffer.[2] |
| Enterprise | T1587.001 | Develop Capabilities: Malware | During RedPenguin, UNC3886 deployed custom malware based on the publicly available TINYSHELL backdoor.[2][Censys RedPenguin MAR 2025] |
| Enterprise | T1104 | Multi-Stage Channels | During RedPenguin, UNC3886 used malware with separate channels to request and carry out tasks from C2.[2] |
| Enterprise | T1059.008 | Command and Scripting Interpreter: Network Device CLI | During RedPenguin, UNC3886 accessed the Junos OS CLI on targeted devices.[1][2] |
| Enterprise | T1571 | Non-Standard Port | During RedPenguin, UNC3886 used a backdoor that binds to port 45678 by default.[2] |
| Enterprise | T1070.007 | Indicator Removal: Clear Network Connection History and Configurations | During RedPenguin, UNC3886 used an implant to delete logs associated with unauthorized access to targeted Junos OS devices.[1] |
| Enterprise | T1078 | Valid Accounts | During RedPenguin, UNC3886 used legitimate credentials to gain privileged access to Juniper routers.[2][Censys RedPenguin MAR 2025] |
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | During RedPenguin, UNC3886 used malware capable of launching an interactive shell.[1][2] |
| Enterprise | T1203 | Exploitation for Client Execution | During RedPenguin, UNC3886 exploited CVE-2025-21590 to bypass Veriexec protections in Junos OS designed to prevent unauthorized binary execution.[1][2] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | During RedPenguin, UNC3886 malware used the RC4 cipher to encrypt outgoing C2 messages.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | During RedPenguin, UNC3886 leveraged Junos OS CLI queries to obtain the interface index, which contains system and network details.[1][2] |
| Enterprise | T1090 | Proxy | During RedPenguin, UNC3886 used malware capable of establishing a SOCKS proxy connection to a specified IP and port.[1][2] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | During RedPenguin, UNC3886 created multiple strains of malware using names that mimic legitimate binaries, such as appid, to, irad, lmpad, jdosd, and oemd.[2] |
| Enterprise | T1055 | Process Injection | During RedPenguin, UNC3886 exploited CVE-2025-21590 to enable malicious code injection into the memory of legitimate processes.[1][2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | During RedPenguin, UNC3886 used malware implants to deobfuscate incoming C2 messages and encoded archives.[1][2] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | During RedPenguin, UNC3886 generated Base64-encoded files in the FreeBSD shell environment of targeted Juniper devices.[1][2] |
| Enterprise | T1205 | Traffic Signaling | During RedPenguin, UNC3886 leveraged malware capable of inspecting packets for a magic string to activate backdoor functionality.[2] |
| Enterprise | T1690 | Prevent Command History Logging | During RedPenguin, UNC3886 used malware to clear the `HISTFILE` environment variable and to inject into Junos OS processes to inhibit logging.[1][2] |
| Enterprise | T1105 | Ingress Tool Transfer | During RedPenguin, UNC3886 used backdoor malware capable of downloading files to compromised infrastructure.[2] |
| Enterprise | T1090.003 | Proxy: Multi-hop Proxy | During RedPenguin, UNC3886 used infrastructure associated with operational relay box (ORB) networks.[2] |
| Enterprise | T1095 | Non-Application Layer Protocol | During RedPenguin, UNC3886 leveraged malware that used UDP and TCP sockets for C2.[1][2][Censys RedPenguin MAR 2025] |
| Enterprise | T1554 | Compromise Host Software Binary | During RedPenguin, UNC3886 performed a local memory patching attack to modify the snmpd and mgd Junos OS daemons.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | During RedPenguin, UNC3886 used malware capable of removing scripts after execution.[2] |
| Enterprise | T1014 | Rootkit | During RedPenguin, UNC3886 used rootkits such as REPTILE and MEDUSA.[2] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | During RedPenguin, UNC3886 uploaded specified files from compromised devices to a remote server.[2] |
Groups, software, and campaigns
G1048: UNC3886
UNC3886 is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan (APJ) regions. UNC3886 has displayed a deep understanding of edge devices and virtualization technologies through the exploitation of zero-day vulnerabilities and the use of novel malware families and utilities.[1][2]
S1219: REPTILE
S1220: MEDUSA
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 271f2538f23c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Juniper RedPenguin MAR 2025. Juniper Networks, Cybersecurity R&D. (2025, March 11). The RedPenguin Malware Incident. Retrieved June 24, 2025.
[2] Mandiant UNC3886 Juniper Routers MAR 2025. Lamparski, L. et al. (2025, March 11). Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers. Retrieved June 24, 2025.
[3] mitre-attack C0056. MITRE ATT&CK source record for campaign C0056 (RedPenguin).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.