← All Threat Actors
Threat Actor Profile

UNC3886

G1048
▲ High Threat
UNC3886 is an advanced cyber espionage group with unique capabilities in how they operate on-network as well as the tools they utilize in their campaigns. UNC3886 has been observed targeting firewall and virtualization technologies which lack EDR support. Their ability to manipulate firewall firmware and exploit a zero-day indicates they have curated a deeper-level of understanding of such technologies. UNC3886 has modified publicly available malware, specifically targeting *nix operating systems.
Origin China

Known TTPs

Indicator Removal from Tools
Search Threat Vendor Data
Hypervisor CLI
File and Directory Discovery
Default Accounts
Compromise Host Software Binary
Exploitation for Privilege Escalation
Virtual Machine Discovery
Ignore Process Interrupts
Malware
Exploitation for Credential Access
ESXi Administration Command
Rundll32
Local Data Staging
Clear Network Connection History and Configurations
Python
Abuse Elevation Control Mechanism
Timestomp
Prevent Command History Logging
Archive via Custom Method
Exploitation for Client Execution
RC Scripts
Disable or Modify Tools
File Deletion
Digital Certificates
Password Managers
Exploits
vSphere Installation Bundles
Archive via Utility
LSASS Memory
Process Discovery
Lateral Tool Transfer
Malware
Windows Command Shell
Masquerade Task or Service
Boot or Logon Initialization Scripts
Rootkit
PowerShell
Network Sniffing
System Time Discovery
Valid Accounts
Port Knocking
Exploit Public-Facing Application
Non-Application Layer Protocol
Disable or Modify System Firewall
Unix Shell
Traffic Signaling
SSH
Fallback Channels

External Resources

CISA Advisories ↗

Related Intelligence

Hacking the mainframe…

LINK COPIED TO CLIPBOARD