FlagThis

Chinese cyber espionage group UNC3886 has been targeting Juniper Networks Junos OS MX routers that have reached their end-of-life. Researchers at Mandiant uncovered the attacks, which began in mid-2024, revealing that the group deployed custom backdoors to compromise these outdated systems. These backdoors allowed the attackers to bypass file integrity protections and maintain persistence, enabling them to steal data and conduct espionage.

Mandiant's investigation showed that UNC3886 exploited vulnerabilities in Junos OS, overcoming its protection subsystem, Veriexec, through a technique called process injection. The attackers injected malicious code into legitimate processes by gaining privileged access to a Juniper router from a terminal server using legitimate credentials. Juniper Networks and Mandiant recommend that organizations using these routers immediately upgrade their devices and run an integrity checker to confirm their systems are secure.

ImgSrc: hackread.com

References :

• hackread.com: Chinese Cyber Espionage Group UNC3886 Backdoored Juniper Routers
• www.cybersecuritydive.com: Juniper MX routers targeted by China-nexus threat group using custom backdoors
• : Chinese Hackers Implant Backdoor Malware on Juniper Routers
• BleepingComputer: Chinese hackers are deploying custom backdoors on Juniper Networks  Junos OS MX routers that have reached end-of-life (EoL) and no longer receive security updates.
• www.csoonline.com: Chinese cyberespionage group deploys custom backdoors on Juniper routers
• thehackernews.com: Chinese Hackers Breach Juniper Networks Routers With Custom Backdoors and Rootkits
• The Register - Security: Expired Juniper routers find new life – as Chinese spy hubs
• Cybernews: Chinese cyberespionage group is targeting Juniper routers with custom backdoors for outdated hardware.
• BleepingComputer: Chinese hackers are deploying custom backdoors on Juniper Networks Junos OS MX routers that have reached end-of-life (EoL) and no longer receive security updates.
• The DefendOps Diaries: Chinese Cyberspies Exploit Juniper Routers: A Deep Dive into Advanced Threats
• Industrial Cyber: Mandiant uncovers custom backdoors on Juniper Junos OS routers, linked to Chinese espionage group UNC3886
• The Record: Researchers said the Chinese state-backed group dubbed UNC3886 was behind a campaign to deploy custom backdoors on Juniper's Junos OS routers
• securityaffairs.com: China-linked APT UNC3886 targets EoL Juniper routers
• Security Risk Advisors: China-linked UNC3886 deploying custom backdoors on Juniper routers. Upgrade devices, run JMRT scans, implement MFA for network device management.
• BleepingComputer: ​Juniper Networks has released emergency security updates to patch a Junos OS vulnerability exploited by Chinese hackers to backdoor routers for stealthy access.
• securityaffairs.com: Researchers from Mandiant identified that threat actors have been deploying custom backdoors on Juniper Networks’ Junos OS routers. The group known as UNC3886, targeted critical infrastructure sectors.
• Information Security Buzz: Google Uncovers China-Linked Espionage Campaign Targeting Juniper Routers
• Virus Bulletin: Mandiant researchers describe UNC3886’s TTPs, and their focus on malware & capabilities that enable them to operate on network & edge devices that usually lack security monitoring & detection solutions. The espionage group targets Juniper routers with TINYSHELL-based backdoors.
• securityaffairs.com: Mandiant researchers warn that China-linked actors are deploying custom backdoors on Juniper Networks Junos OS MX routers.
• bsky.app: Juniper Networks has released emergency security updates to patch a Junos OS vulnerability exploited by Chinese hackers to backdoor routers for stealthy access. [...]
• bsky.app: Juniper Networks has released emergency security updates to patch a Junos OS vulnerability exploited by Chinese hackers to backdoor routers for stealthy access.
• Blog: China-linked threat actor deploys backdoors, rootkits on Junos OS routers
• www.it-daily.net: Chinese espionage on old Juniper routers
• www.scworld.com: Old Juniper routers targeted by Chinese hackers to deploy various payloads
• www.techradar.com: Chinese hackers targeting Juniper Networks routers, so patch now
• Rescana: Rescana Cybersecurity Report: Exploitation in the Wild of CVE-2025-21590
• bsky.app: Description of Chinese hackers deploying custom backdoors on Juniper routers.
• www.cysecurity.news: China-linked APT UNC3886 targets EoL Juniper routers
• : Mandiant researchers warn that China-linked actors are deploying custom backdoors on Juniper Networks Junos OS MX routers.
• securityonline.info: Security Advisory: Juniper Issues Urgent Fix for Actively Exploited Junos OS Flaw – CVE-2025-21590
• iHLS: Chinese Cyberespionage Group Targets Defense and Technology Organizations’ Routers
• www.techradar.com: Juniper patches security flaws which could have let hackers take over your router
• www.scworld.com: Actively exploited Juniper router vulnerability addressed
• www.scworld.com: The threat actor (UNC3886) was found to be targeting end-of-life Juniper Networks routers.
• aboutdfir.com: InfoSec News Nuggets 3/17/2025 discusses a state-backed group from China targeting Juniper Networks routers with custom backdoors.
• ASEC: A report on the deep web and dark web from February 2025 notes the espionage group UNC3886 operating out of China targeting routers made by Juniper Networks.

Classification:

• HashTags: #cyberespionage #junipernetworks #APT
• Company: Juniper Networks
• Target: Juniper Routers
• Attacker: UNC3886
• Product: Junos OS
• Feature: backdoor
• Malware: TinyShell
• Type: Espionage
• Severity: Major