Revisiting UNC3886 Tactics to Defend Against Present Risk

    Date: 07/29/2025

    Severity: High

    Summary

    UNC3886 is a sophisticated APT group known for targeting critical infrastructure sectors such as telecommunications, government, technology, and defense. Recently, it launched an attack against Singapore, exploiting zero-day and high-impact vulnerabilities in devices like VMware vCenter/ESXi, Fortinet FortiOS, and Juniper Junos OS. On July 18, Singapore’s Coordinating Minister for National Security, K. Shanmugam, confirmed the presence of a highly advanced threat actor—UNC3886—actively targeting the nation’s vital services. First identified in 2022, the group continues to pose a serious threat to Singapore’s national security.

    Indicators of Compromise (IOC) List

    IP Address :

    Hash : 

    1893523f2a4d4e7905f1b688c5a81b069f06b3c3d8c0ff9d16620468d117edbb
    
    5bef7608d66112315eefff354dae42f49178b7498f994a728ae6203a8a59f5a2
    
    71234dea18a33848c80cdec8b547a3b7a370ad2718c21b0a4121f12fd9dfa50b

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    IP Address : 

    dstipaddress IN ("152.32.231.251","45.32.252.98","165.154.135.108","223.25.78.136","118.193.61.78","58.64.204.139","45.77.39.28","158.140.135.244","8.219.0.112","149.28.122.119","47.246.68.13","154.216.2.149","8.219.131.77","118.189.188.122","47.252.54.82","103.232.86.217","58.64.204.165","8.210.103.134","155.138.161.47","118.193.61.71","123.58.207.86","118.193.63.40","123.58.196.34","45.77.106.183","165.154.7.145","165.154.134.40","207.246.64.38","8.210.75.218","129.126.109.50","8.222.216.144","8.222.218.20","103.232.86.209","103.232.86.210","58.64.204.142","152.32.144.15","152.32.205.208","101.100.182.122","116.88.34.184","8.222.225.8","152.32.129.62") or srcipaddress IN ("152.32.231.251","45.32.252.98","165.154.135.108","223.25.78.136","118.193.61.78","58.64.204.139","45.77.39.28","158.140.135.244","8.219.0.112","149.28.122.119","47.246.68.13","154.216.2.149","8.219.131.77","118.189.188.122","47.252.54.82","103.232.86.217","58.64.204.165","8.210.103.134","155.138.161.47","118.193.61.71","123.58.207.86","118.193.63.40","123.58.196.34","45.77.106.183","165.154.7.145","165.154.134.40","207.246.64.38","8.210.75.218","129.126.109.50","8.222.216.144","8.222.218.20","103.232.86.209","103.232.86.210","58.64.204.142","152.32.144.15","152.32.205.208","101.100.182.122","116.88.34.184","8.222.225.8","152.32.129.62")

    Hash :

    sha256hash IN ("5bef7608d66112315eefff354dae42f49178b7498f994a728ae6203a8a59f5a2","1893523f2a4d4e7905f1b688c5a81b069f06b3c3d8c0ff9d16620468d117edbb","71234dea18a33848c80cdec8b547a3b7a370ad2718c21b0a4121f12fd9dfa50b")
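    As an added example (not code from the page or from Gurucul), the following Python evaluates queries written in the `field IN ("v1","v2") or field2 IN (...)` form shown above against normalised events, lowercasing hashes so a differently cased SHA-256 still matches. The IOC subset, the use of the query field names as event keys, and the event records themselves are assumptions constructed for the demo.

```python
import re
from typing import Dict, Iterable, List, Tuple

# One `field IN ( ... )` clause; the page's queries join several of them with "or".
IN_CLAUSE = re.compile(r'(\w+)\s+IN\s*\(([^)]*)\)', re.IGNORECASE)

def parse_query(query: str) -> List[Tuple[str, frozenset]]:
    """Split an or-joined IN query into (field, values) pairs, values lowercased."""
    clauses = []
    for field, body in IN_CLAUSE.findall(query):
        values = frozenset(v.strip().strip('"').lower() for v in body.split(",") if v.strip())
        clauses.append((field.lower(), values))
    return clauses

def build_query(field_sets: Dict[str, Iterable[str]]) -> str:
    """Render IOC sets back into the same query form; sorted so updates diff cleanly."""
    parts = []
    for field, values in field_sets.items():
        quoted = ",".join('"' + v.lower() + '"' for v in sorted(values))
        parts.append(f"{field} IN ({quoted})")
    return " or ".join(parts)

def match_event(event: Dict[str, str], clauses) -> List[str]:
    """Return 'field=value' hits for one event; a missing field simply does not match."""
    return [f"{f}={event[f].lower()}" for f, vals in clauses
            if f in event and event[f].lower() in vals]

def scan(events: Iterable[Dict[str, str]], query: str) -> List[Tuple[int, List[str]]]:
    """Run the query over a batch of events and return (index, hits) for every match."""
    clauses = parse_query(query)
    return [(i, hits) for i, e in enumerate(events) if (hits := match_event(e, clauses))]

# Assumption: a small subset of the page's IOCs stands in for the full query above.
IOC_QUERY = build_query({
    "dstipaddress": ["47.252.54.82", "8.210.103.134"],
    "srcipaddress": ["47.252.54.82", "8.210.103.134"],
    "sha256hash": ["1893523f2a4d4e7905f1b688c5a81b069f06b3c3d8c0ff9d16620468d117edbb"],
})

# Constructed events in the shape a TDIR pipeline might emit (not real telemetry).
DEMO_EVENTS = [
    {"srcipaddress": "10.0.0.5", "dstipaddress": "8.210.103.134"},   # outbound to a listed IP
    {"sha256hash": "1893523f2a4d4e7905f1b688c5a81b069f06b3c3d8c0ff9d16620468d117edbb".upper()},
    {"srcipaddress": "10.0.0.7", "dstipaddress": "93.184.216.34"},   # no IOC involved
]

if __name__ == "__main__":
    for idx, hits in scan(DEMO_EVENTS, IOC_QUERY):
        print(f"event {idx}: {', '.join(hits)}")
```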

    Reference:

    https://www.trendmicro.com/en_us/research/25/g/revisiting-unc3886-tactics-to-defend-against-present-risk.html


    Tags

    Threat Actor, UNC3886, APT, Critical Infrastructure, Communications, Government Services and Facilities, Information Technology, Exploit, Singapore
