Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers

    Date: 03/14/2025

    Severity: Medium

    Summary

    In mid-2024, researchers discovered the China-nexus espionage group UNC3886 deploying custom TINYSHELL-based backdoors on Juniper Networks’ Junos OS routers, including end-of-life devices. The backdoors included capabilities such as disabling logging mechanisms and providing both passive and active access to the device. Researchers recommend updating affected devices and running security tools to mitigate the threat. The activity highlights UNC3886's evolving tactics and its focus on network and edge devices, which often lack robust security monitoring.

    Indicators of Compromise (IOC) List


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    dstipaddress IN ("101.100.182.122","118.189.188.122","116.88.34.184","158.140.135.244","8.222.225.8","129.126.109.50","223.25.78.136","45.77.39.28") or ipaddress IN ("101.100.182.122","118.189.188.122","116.88.34.184","158.140.135.244","8.222.225.8","129.126.109.50","223.25.78.136","45.77.39.28") or publicipaddress IN ("101.100.182.122","118.189.188.122","116.88.34.184","158.140.135.244","8.222.225.8","129.126.109.50","223.25.78.136","45.77.39.28") or srcipaddress IN ("101.100.182.122","118.189.188.122","116.88.34.184","158.140.135.244","8.222.225.8","129.126.109.50","223.25.78.136","45.77.39.28")

    Detection Query 2

    md5hash IN ("aac5d83d296df81c9259c9a533a8423a","2c89a18944d3a895bd6432415546635e","8023d01ffb7a38b582f0d598afb974ee","5724d76f832ce8061f74b0e9f1dcad90","e7622d983d22e749b3658600df00296d","b9e4784fa0e6283ce6e2094426a02fce","bf80c96089d37b8571b5de7cab14dd9f","3243e04afe18cc5e1230d49011e19899")

    Detection Query 3

    sha1hash IN ("50520639cf77df0c15cc95076fac901e3d04b708","1a6d07da7e77a5706dd8af899ebe4daa74bbbe91","06a1f879da398c00522649171526dc968f769093","f8697b400059d4d5082eee2d269735aa8ea2df9a","cf7af504ef0796d91207e41815187a793d430d85","01735bb47a933ae9ec470e6be737d8f646a8ec66","cec327e51b79cf11b3eeffebf1be8ac0d66e9529","2e9215a203e908483d04dfc0328651d79d35b54f")

    Detection Query 4

    sha256hash IN ("5bef7608d66112315eefff354dae42f49178b7498f994a728ae6203a8a59f5a2","98380ec6bf4e03d3ff490cdc6c48c37714450930e4adf82e6e14d244d8373888","c0ec15e08b4fb3730c5695fb7b4a6b85f7fe341282ad469e4e141c40ead310c3","5995aaff5a047565c0d7fe3c80fa354c40e7e8c3e7d4df292316c8472d4ac67a","905b18d5df58dd6c16930e318d9574a2ad793ec993ad2f68bca813574e3d854b","e1de05a2832437ab70d36c4c05b43c4a57f856289224bbd41182deea978400ed","3751997cfcb038e6b658e9180bc7cce28a3c25dbb892b661bcd1065723f11f7e","7ae38a27494dd6c1bc9ab3c02c3709282e0ebcf1e5fcf59a57dc3ae56cfd13b4")
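    The four TDIR queries above, re-implemented as a plain-Python matcher so the same IOC logic can be run over exported logs. This is an added example, not Gurucul's query engine or code; it assumes key=value log lines (a constructed format), uses the page's IP indicators in full and a subset of its hashes, and routes hash values to the right set by hex length.

```python
import re

# IOC sets taken from the advisory above (IPs complete, hashes a subset).
IOC_IPS = {
    "129.126.109.50", "116.88.34.184", "223.25.78.136", "45.77.39.28",
    "101.100.182.122", "118.189.188.122", "158.140.135.244", "8.222.225.8",
}
IOC_HASHES = {  # keyed by hex length: 32 = MD5, 40 = SHA-1, 64 = SHA-256
    32: {"aac5d83d296df81c9259c9a533a8423a", "2c89a18944d3a895bd6432415546635e"},
    40: {"50520639cf77df0c15cc95076fac901e3d04b708"},
    64: {"5bef7608d66112315eefff354dae42f49178b7498f994a728ae6203a8a59f5a2"},
}
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")
HASH_FIELDS = {"md5hash": 32, "sha1hash": 40, "sha256hash": 64}
QUERY_FOR_LEN = {32: "Query 2", 40: "Query 3", 64: "Query 4"}
HEX = re.compile(r"^[0-9a-f]+$")

def match_record(rec):
    """Return a list of (query, field, value) hits for one log record (a dict)."""
    hits = []
    for f in IP_FIELDS:                      # Detection Query 1: any of the IP fields
        if rec.get(f) in IOC_IPS:
            hits.append(("Query 1", f, rec[f]))
    for f, n in HASH_FIELDS.items():         # Queries 2-4: per-algorithm hash fields
        v = str(rec.get(f, "")).strip().lower()   # hex digests are case-insensitive
        if len(v) == n and HEX.match(v) and v in IOC_HASHES[n]:
            hits.append((QUERY_FOR_LEN[n], f, v))
    return hits

def parse_kv_line(line):
    """Parse a 'key=value key=value' log line into a dict (assumed log format)."""
    return dict(m.groups() for m in re.finditer(r"(\w+)=(\S+)", line))

SAMPLE_LOGS = [  # constructed sample lines, not from the report
    "ts=2025-03-14T10:00:00Z srcipaddress=10.0.0.5 dstipaddress=45.77.39.28 action=allow",
    "ts=2025-03-14T10:01:00Z host=rtr1 md5hash=AAC5D83D296DF81C9259C9A533A8423A",
    "ts=2025-03-14T10:02:00Z srcipaddress=10.0.0.9 dstipaddress=8.8.8.8 action=allow",
]

def scan(lines):
    """Return (line, hits) for every line on which at least one query fires."""
    return [(line, hits) for line in lines if (hits := match_record(parse_kv_line(line)))]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOGS):
        print(hits, "<-", line)
```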

    Reference: https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-targets-juniper-routers


    Tags: Malware, TINYSHELL, Backdoor, Cyber espionage, China
