Custom backdoors discovered on Juniper routers

Chinese hackers have deployed custom backdoors on Juniper Networks Junos OS MX routers.

Mandiant has identified custom backdoors on Junos OS routers from Juniper Networks. The malware is attributed to the China-nexus espionage group UNC3886. The attack targets end-of-life hardware and software.

Backdoors

The backdoors, based on TINYSHELL, provide both active and passive access capabilities. They also include scripts that disable logging mechanisms, making detection more difficult. According to Mandiant, UNC3886 has previously targeted virtualization technologies and peripheral devices, which often do not support advanced security monitoring. The group focuses on long-term access to networks and on lateral movement using stolen credentials.

Mandiant worked with Juniper Networks to investigate the impact. The affected routers use outdated hardware and software. Juniper Networks advises customers to upgrade their devices to the latest firmware versions, which include mitigations and updated signatures for the Juniper Malware Removal Tool (JMRT). After upgrading, it is recommended to perform a JMRT Quick Scan and Integrity Check.

Ongoing Threat

UNC3886 continues to refine its tactics and techniques. The group introduced a new tool in 2024 that allows them to move further within networks. Mandiant has not found any technical similarities between this activity and known campaigns such as Volt Typhoon or Salt Typhoon. The findings confirm that UNC3886 specializes in exploiting network and edge devices for long-term infiltration.