G1048: UNC3886
UNC3886 is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan (APJ) regions. UNC3886 has displayed a deep understanding of edge devices and virtualization technologies through the exploitation of zero-day vulnerabilities and the use of novel malware families and utilities.[1][2]
Analyst context for executives and security teams
UNC3886 matters because ATT&CK describes it as a China-nexus espionage group focused on defense, technology, and telecommunications, with demonstrated attention to edge devices and virtualization technologies. For leaders, the practical issue is not only endpoint compromise; it is whether firewalls, routers, ESXi hosts, vCenter/Linux systems, and privileged administration paths are visible, patched, and included in incident response plans.
Executive priority
Prioritize this as an infrastructure-resilience and high-value-identity risk. The supplied relationships tie UNC3886 to zero-day exploitation reporting, compromised FortiGate firewalls, Juniper router activity, ESXi/vCenter backdoors, Linux rootkits, credential access, SSH lateral movement, and command execution. Executives should ask whether network devices and virtualization platforms are covered by vulnerability management, logging, backup/recovery, privileged access governance, and audit evidence—not just traditional EDR coverage.
Technical view
ATT&CK provides no official detection text for this group, so SOC and IR teams should validate coverage from the related behaviors and software. Relationship context points to ESXi and Linux backdoors such as VIRTUALPITA and VIRTUALPIE, Linux rootkits such as REPTILE and MEDUSA, network-device backdoors such as THINCRUST and CASTLETAP, and techniques including LSASS memory access, SSH, boot/logon initialization scripts, RC scripts, network sniffing, Unix shell, Python, PowerShell, Windows command shell, and Hypervisor CLI use. Detection engineering should focus on administrative-plane activity, persistence on Unix-like and network devices, suspicious hypervisor CLI usage, unexpected listeners or fallback channels, and evidence of rootkit-style hiding.
Likely telemetry
- ESXi host logs, vCenter events, VIB installation records, hypervisor CLI activity, and VM management actions
- Linux process, authentication, shell history, service, startup script, linker/library, and file integrity telemetry
- Network device configuration changes, admin login records, firmware/software inventory, ICMP or unusual management-plane activity, and router/firewall logs
- SSH authentication logs and privileged account activity across ESXi, Linux, macOS, and network devices where applicable
- Windows security telemetry relevant to LSASS access, PowerShell, cmd.exe, and privileged credential use
Detection direction
- Treat lack of official group detection guidance as a coverage gap: build detections from the related techniques and software rather than from the group name alone.
- Validate visibility on edge and virtualization infrastructure; many organizations collect endpoint telemetry but lack comparable logs from routers, firewalls, ESXi hosts, and vCenter/Linux systems.
- Baseline legitimate hypervisor, SSH, Unix shell, Python, PowerShell, and network-device administrative activity so alerts can distinguish routine administration from unusual timing, source, command patterns, or persistence changes.
- Hunt for persistence in boot/logon initialization scripts and RC scripts, especially on ESXi, Linux, macOS, and network devices referenced by the related techniques.
- Review for rootkit indicators and blind spots: hidden processes, unexpected kernel/userland hooks, modified libraries, abnormal process listings, and discrepancies between host telemetry and network observations.
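As an added example (not code from ATT&CK, Mandiant, or Glexia), the following Python triage script applies the "suspicious hypervisor CLI usage" and RC-script persistence points above to ESXi shell-history lines, tagging each hit with the technique IDs from the table on this page. The log lines are constructed, and the line layout assumed is that of ESXi's `/var/log/shell.log`; the esxcli sub-commands and options matched are standard esxcli syntax.

```python
"""Flag high-risk ESXi shell commands tied to Hypervisor CLI (T1059.012),
VIB abuse (T1505.006 / T1548), firewall changes (T1686) and RC-script
persistence (T1037.004). Example code, not part of the ATT&CK page."""
import re
from typing import NamedTuple

# Constructed sample in the style of /var/log/shell.log (not real victim data).
SAMPLE_SHELL_LOG = """\
2023-06-13T01:02:03Z shell[2001]: [root]: esxcli software vib list
2023-06-13T01:05:10Z shell[2001]: [root]: esxcli software acceptance set --level=PartnerSupported
2023-06-13T01:05:41Z shell[2001]: [root]: esxcli software vib install -v /tmp/vmtools.vib --force --no-sig-check
2023-06-13T01:06:02Z shell[2001]: [root]: esxcli network firewall set --enabled false
2023-06-13T01:06:30Z shell[2001]: [root]: esxcli network firewall ruleset set --ruleset-id sshServer --enabled true
2023-06-13T01:07:00Z shell[2001]: [root]: cp /tmp/install.sh /etc/rc.local.d/local.sh
2023-06-13T01:08:00Z shell[2001]: [root]: esxcli system version get
"""


class Finding(NamedTuple):
    timestamp: str
    command: str
    technique: str
    reason: str


# Assumed shell.log layout: "<ISO time> shell[<pid>]: [<user>]: <command>"
SHELL_LINE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")

# (technique id from the table above, regex over the command, analyst-facing reason)
RULES = [
    ("T1059.012/T1505.006",
     re.compile(r"esxcli\s+software\s+vib\s+install\b.*(--force|--no-sig-check)"),
     "VIB installed with signature check or dependency enforcement bypassed"),
    ("T1548",
     re.compile(r"esxcli\s+software\s+acceptance\s+set\b.*(Partner|Community)", re.I),
     "host acceptance level lowered so partner/community VIBs are accepted"),
    ("T1686",
     re.compile(r"esxcli\s+network\s+firewall\s+set\b.*--enabled[= ]false", re.I),
     "host firewall disabled"),
    ("T1686",
     re.compile(r"esxcli\s+network\s+firewall\s+ruleset\s+set\b"),
     "firewall ruleset changed"),
    ("T1037.004",
     re.compile(r"/etc/rc\.local\.d/"),
     "file written to the RC-script persistence directory"),
]


def parse_shell_line(line):
    """Return the timestamp/user/command fields of one shell.log line, or None."""
    m = SHELL_LINE.match(line.strip())
    return m.groupdict() if m else None


def classify_command(cmd):
    """Return every (technique, reason) rule that the command matches."""
    return [(tech, reason) for tech, rx, reason in RULES if rx.search(cmd)]


def scan_shell_log(text):
    """Scan a shell.log excerpt and return the findings in log order."""
    findings = []
    for line in text.splitlines():
        rec = parse_shell_line(line)
        if rec is None:
            continue  # unparsable line; keep scanning
        for tech, reason in classify_command(rec["cmd"]):
            findings.append(Finding(rec["ts"], rec["cmd"], tech, reason))
    return findings


if __name__ == "__main__":
    for f in scan_shell_log(SAMPLE_SHELL_LOG):
        print(f"{f.timestamp} {f.technique}: {f.reason}\n    {f.command}")
```

Routine administration such as `esxcli software vib list` or `esxcli system version get` produces no finding, so the rules can be tuned against a site baseline before alerting.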
Mitigation priorities
- Inventory and risk-rank edge devices, routers, firewalls, ESXi hosts, vCenter systems, Linux servers, and privileged management paths that would be material to business continuity.
- Ensure vulnerability management explicitly covers network devices and virtualization infrastructure, including rapid assessment of vendor advisories related to zero-day reporting cited by ATT&CK references.
- Restrict and monitor privileged administrative access, especially SSH, hypervisor management interfaces, and network-device management planes; enforce least privilege and strong authentication where supported.
- Centralize logs from ESXi, vCenter, Linux, Windows, routers, and firewalls into SOC workflows with retention sufficient for espionage-style investigations.
- Harden persistence surfaces by controlling startup scripts, service creation, VIB installation, administrative shells, and configuration changes on Unix-like, ESXi, and network-device platforms.
Analyst notes and limits
The strongest decision value in this object comes from the relationship set: UNC3886 is linked to a router-focused campaign, ESXi/Linux backdoors, network-device malware, Linux rootkits, and multiple execution, persistence, credential-access, discovery, lateral-movement, command-and-control, and stealth techniques. This supports a defensive focus on infrastructure that is often under-instrumented: edge devices, hypervisors, and privileged administration layers.
The supplied ATT&CK group object has no official detection section, no group-level platforms or tactics, and limited campaign detail. Any local risk assessment requires environment-specific asset exposure, vendor versions, logging depth, administrative baselines, and intelligence sources beyond the supplied fields. This summary does not assert current activity, customer exposure, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1027.005 | Indicator Removal from Tools Sub-technique | UNC3886 has replaced atomic indicators mentioned in threat intelligence publications, sometimes as quickly as under a week after release. (Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023) |
| Enterprise | T1681 | Search Threat Vendor Data | UNC3886 has replaced indicators mentioned in open-source threat intelligence publications at times under a week after their release. (Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023) |
| Enterprise | T1059.012 | Hypervisor CLI Sub-technique | UNC3886 has used the esxcli command line utility to modify firewall rules, install malware, and for artifact removal. (Citation: Google Cloud Threat Intelligence ESXi VIBs 2022) (Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023) |
| Enterprise | T1083 | File and Directory Discovery | UNC3886 has used `vmtoolsd.exe` to enumerate files on guest machines. (Citation: Google Cloud Threat Intelligence ESXi VIBs 2022) (Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023) |
| Enterprise | T1078.001 | Default Accounts Sub-technique | UNC3886 has harvested and used vCenter Server service accounts. (Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023) |
| Enterprise | T1554 | Compromise Host Software Binary | UNC3886 has trojanized Fortinet firmware and replaced the legitimate `/usr/bin/tac_plus` TACACS+ daemon for Linux with a malicious version containing credential logging functionality. (Citation: Google Cloud Mandiant UNC3886 2024) (Citation: Mandiant Fortinet Zero Day) |
| Enterprise | T1068 | Exploitation for Privilege Escalation | UNC3886 has exploited zero-day vulnerability CVE-2023-20867 to enable execution of privileged commands across Windows, Linux, and PhotonOS (vCenter) guest VMs. (Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023) |
| Enterprise | T1673 | Virtual Machine Discovery | UNC3886 has used scripts to enumerate ESXi hypervisors and their guest VMs. (Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023) |
| Enterprise | T1564.011 | Ignore Process Interrupts Sub-technique | UNC3886 modified the startup file `/etc/init.d/localnet` to execute the line `nohup /bin/support &` so the script would run when the system was rebooted. (Citation: Mandiant Fortinet Zero Day) |
| Enterprise | T1587.001 | Malware Sub-technique | UNC3886 has deployed custom malware families on Fortinet and VMware systems. (Citation: Mandiant Fortinet Zero Day) |
| Enterprise | T1212 | Exploitation for Credential Access | UNC3886 exploited CVE-2022-22948 in VMware vCenter to obtain encrypted credentials from the vCenter postgresDB. (Citation: Google Cloud Mandiant UNC3886 2024) |
| Enterprise | T1675 | ESXi Administration Command | UNC3886 used `vmtoolsd.exe` to run commands on guest virtual machines from a compromised ESXi host. (Citation: Google Cloud Threat Intelligence ESXi VIBs 2022) (Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023) (Citation: Google Cloud Mandiant UNC3886 2024) (Citation: Mandiant Fortinet Zero Day) |
| Enterprise | T1218.011 | Rundll32 Sub-technique | UNC3886 has used rundll32.exe to execute MiniDump for dumping LSASS process memory. (Citation: Google Cloud Threat Intelligence ESXi VIBs 2022) |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | UNC3886 has staged captured credentials in `var/log/ldapd |
| Enterprise | T1070.007 | Clear Network Connection History and Configurations Sub-technique | UNC3886 has cleared specific events that contained the threat actor’s IP address from multiple log sources. (Citation: Mandiant Fortinet Zero Day) |
| Enterprise | T1059.006 | Python Sub-technique | UNC3886 has used Python scripts to enumerate ESXi hosts and guest VMs. (Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023) |
| Enterprise | T1548 | Abuse Elevation Control Mechanism | UNC3886 has used vSphere Installation Bundles (VIBs) that contained modified descriptor XML files with the `acceptance-level` set to `partner`, which allowed for privilege escalation. (Citation: Google Cloud Threat Intelligence ESXi VIBs 2022) |
| Enterprise | T1070.006 | Timestomp Sub-technique | UNC3886 has used scripts to timestomp ESXi hosts prior to installing malicious vSphere Installation Bundles (VIBs). (Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023) |
| Enterprise | T1690 | Prevent Command History Logging | UNC3886 has tampered with and disabled logging services on targeted systems. (Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023) |
| Enterprise | T1560.003 | Archive via Custom Method Sub-technique | UNC3886 has XOR encrypted and Gzip compressed captured credentials. (Citation: Google Cloud Mandiant UNC3886 2024) |
| Enterprise | T1203 | Exploitation for Client Execution | UNC3886 has exploited CVE-2023-34048 to enable command execution on vCenter servers and CVE-2023-20867 in VMware Tools to execute unauthenticated Guest Operations from ESXi hosts to guest VMs. (Citation: Google Cloud Mandiant UNC3886 2024) |
| Enterprise | T1037.004 | RC Scripts Sub-technique | UNC3886 has placed a bash installation script into `/etc/rc.local.d/` to establish persistence. (Citation: Google Cloud Threat Intelligence ESXi VIBs 2022) |
| Enterprise | T1685 | Disable or Modify Tools | UNC3886 has disabled OpenSSL digital signature verification of system files through corruption of boot files. (Citation: Mandiant Fortinet Zero Day) |
| Enterprise | T1070.004 | File Deletion Sub-technique | UNC3886 has used the esxcli command line to remove files created by malicious vSphere Installation Bundles from disk. (Citation: Google Cloud Threat Intelligence ESXi VIBs 2022) (Citation: Mandiant Fortinet Zero Day) |
| Enterprise | T1588.004 | Digital Certificates Sub-technique | UNC3886 has deployed malware using the victim's legitimate TLS certificate obtained from a compromised FortiGate device. (Citation: Google Cloud Mandiant UNC3886 2024) |
| Enterprise | T1555.005 | Password Managers Sub-technique | UNC3886 has targeted KeePass password database files for credential access. (Citation: Google Cloud Threat Intelligence ESXi VIBs 2022) |
| Enterprise | T1587.004 | Exploits Sub-technique | UNC3886 has used zero-day vulnerabilities CVE-2022-41328 against FortiOS and CVE-2023-20867 and CVE-2023-34048 against VMware vCenter. (Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023) (Citation: Google Cloud Mandiant UNC3886 2024) (Citation: Mandiant Fortinet Zero Day) |
| Enterprise | T1505.006 | vSphere Installation Bundles Sub-technique | UNC3886 has used vSphere Installation Bundles (VIBs) to install malware and establish persistence across ESXi hypervisors. (Citation: Google Cloud Threat Intelligence ESXi VIBs 2022) (Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023) (Citation: Mandiant Fortinet Zero Day) |
| Enterprise | T1560.001 | Archive via Utility Sub-technique | UNC3886 has used Gzip and the Windows command `makecab` to compress files and stolen credentials from victim systems. (Citation: Google Cloud Threat Intelligence ESXi VIBs 2022) (Citation: Google Cloud Mandiant UNC3886 2024) |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | UNC3886 has used MiniDump to dump process memory and search for cleartext credentials. (Citation: Google Cloud Threat Intelligence ESXi VIBs 2022) |
| Enterprise | T1057 | Process Discovery | UNC3886 has run scripts to list all running processes on a guest VM from an ESXi host. (Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023) |
| Enterprise | T1570 | Lateral Tool Transfer | UNC3886 has utilized Python scripts to transfer files between ESXi hosts and guest VMs. (Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023) |
| Enterprise | T1588.001 | Malware Sub-technique | |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | UNC3886 has executed Windows commands on guest virtual machines through `vmtoolsd.exe`. (Citation: Google Cloud Threat Intelligence ESXi VIBs 2022) |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | UNC3886 has named a file ‘fgfm’ in an attempt to disguise it as the legitimate service ‘fgfmd’, which facilitates communication between FortiManager and the FortiGate firewall. (Citation: Mandiant Fortinet Zero Day) |
| Enterprise | T1037 | Boot or Logon Initialization Scripts | UNC3886 has attempted to bypass digital signature verification checks at startup by adding a command to the startup config `/etc/init.d/localnet` within the rootfs.gz archive of both FortiManager and FortiAnalyzer devices. (Citation: Mandiant Fortinet Zero Day) |
| Enterprise | T1014 | Rootkit | |
| Enterprise | T1059.001 | PowerShell Sub-technique | UNC3886 has used a PowerShell script to search memory dumps for credentials. (Citation: Google Cloud Threat Intelligence ESXi VIBs 2022) |
| Enterprise | T1040 | Network Sniffing | UNC3886 has used the LOOKOVER sniffer to sniff TACACS+ authentication packets. (Citation: Google Cloud Mandiant UNC3886 2024) |
| Enterprise | T1124 | System Time Discovery | UNC3886 has used installation scripts to collect the system time on targeted ESXi hosts. (Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023) |
| Enterprise | T1078 | Valid Accounts | UNC3886 has used tools to hijack valid SSH accounts. (Citation: Google Cloud Mandiant UNC3886 2024) |
| Enterprise | T1205.001 | Port Knocking Sub-technique | UNC3886 maintained persistence on FortiGate Firewalls through ICMP port knocking. (Citation: Mandiant Fortinet Zero Day) |
| Enterprise | T1190 | Exploit Public-Facing Application | UNC3886 has exploited CVE-2022-42475 in FortiOS SSL VPNs to obtain access. (Citation: Google Cloud Mandiant UNC3886 2024) (Citation: Mandiant Fortinet Zero Day) |
| Enterprise | T1095 | Non-Application Layer Protocol | UNC3886 has deployed backdoors that communicate over TCP to compromised network devices and over VMCI to ESXi hosts. (Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023) (Citation: Google Cloud Mandiant UNC3886 2024) (Citation: Mandiant Fortinet Zero Day) |
| Enterprise | T1686 | Disable or Modify System Firewall | UNC3886 has used the TABLEFLIP traffic redirection utility and the esxcli command line to modify firewall rules. (Citation: Google Cloud Threat Intelligence ESXi VIBs 2022) (Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023) (Citation: Mandiant Fortinet Zero Day) |
| Enterprise | T1059.004 | Unix Shell Sub-technique | UNC3886 has used a bash script to install malicious vSphere Installation Bundles (VIBs). (Citation: Google Cloud Threat Intelligence ESXi VIBs 2022) |
| Enterprise | T1205 | Traffic Signaling | UNC3886 has used the TABLEFLIP traffic redirection utility to listen for specialized command packets on compromised FortiManager devices. (Citation: Mandiant Fortinet Zero Day) |
| Enterprise | T1021.004 | SSH Sub-technique | UNC3886 has established remote SSH access to targeted ESXi hosts. (Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023) (Citation: Mandiant Fortinet Zero Day) |
| Enterprise | T1008 | Fallback Channels | UNC3886 has employed layers of redundancy to maintain access to compromised environments including network devices, hypervisors, and virtual machines. (Citation: Google Cloud Mandiant UNC3886 2024) |
Groups, software, and campaigns
S1221: MOPSLED
S1218: VIRTUALPIE
VIRTUALPIE is a lightweight backdoor written in Python that spawns an IPv6 listener on a VMware ESXi server and features command line execution, file transfer, and reverse shell capabilities. VIRTUALPIE has been in use since at least 2022 including by UNC3886 who installed it via malicious vSphere Installation Bundles (VIBs).[1]
S1224: CASTLETAP
S1223: THINCRUST
S1217: VIRTUALPITA
VIRTUALPITA is a passive backdoor with ESXi and Linux vCenter variants capable of command execution, file transfer, and starting and stopping processes. VIRTUALPITA has been in use since at least 2022 including by UNC3886 who leveraged malicious vSphere Installation Bundles (VIBs) for install on ESXi hypervisors.[1]
S1219: REPTILE
S1220: MEDUSA
S1222: RIFLESPINE
RIFLESPINE is a cross-platform backdoor that leverages Google Drive for file transfer and command execution.[1]
C0056: RedPenguin
The RedPenguin project was launched by Juniper in July 2024 to investigate reported malware infections of Juniper MX Series routers. RedPenguin activity was separately attributed to UNC3886 and included the deployment of multiple custom versions of the publicly-available TINYSHELL backdoor on Juniper routers.[1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 2ba5ce7b5176… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Mandiant Fortinet Zero Day: Marvi, A. et al. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved March 22, 2023.
[2] Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023: Alexander Marvi, Brad Slaybaugh, Ron Craft, and Rufus Brown. (2023, June 13). VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors. Retrieved March 26, 2025.
[3] mitre-attack G1048
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.