UNC3886 Targets Juniper Routers With Custom Backdoors

In mid-2024, Mandiant discovered that a sophisticated espionage group, linked to China (UNC3886), had compromised Juniper Networks’ routers running the Junos OS. The attackers deployed custom backdoors within the router firmware, which allowed them to maintain access and control over the affected devices. These backdoors, primarily based on the TINYSHELL backdoor, were specifically crafted to operate in the unique environment of Junos OS, with functionalities to support both active and passive access. The operation involved leveraging multiple vulnerabilities and exploiting the routers’ lack of comprehensive security monitoring, focusing on maintaining long-term access without detection.

Severity Level: High

Threat Details

1. Reconnaissance:

  • The attackers first scanned for vulnerable Juniper MX routers, primarily focusing on those running outdated or end-of-life software and hardware.

2. Initial Compromise:

  • Using valid credentials (likely stolen or leaked) through terminal servers or network authentication systems, the attackers gained privileged access to the routers.

3. Privilege Escalation:

  • Once access was achieved, the attackers escalated privileges to root-level access and entered the FreeBSD shell environment.

4. Exploitation of CVE-2025-21590:

  • The attackers used process injection to bypass Veriexec’s file integrity protection and deploy their custom backdoors. This technique involved injecting malicious payloads into the memory of legitimate processes, such as the cat process, ensuring that the malicious code would execute without triggering Veriexec alerts.

5. Malware Deployment:

  • After bypassing security, the attackers deployed TINYSHELL-based backdoors, which provided capabilities such as remote shell access, file transfer, proxy creation, and system monitoring.

6. Malicious Payload Execution:

  • The backdoors, once activated, executed commands such as file uploads/downloads, proxy establishment, and creation of persistent communication channels with the attackers’ Command and Control (C2) servers.

7. Log Tampering and Anti-forensics:

  • To avoid detection, UNC3886 tampered with logging mechanisms and disabled forensic artifacts, effectively hiding their actions from administrators.

8. Exfiltration and Control:

  • While no evidence of data exfiltration was found, the attackers had full control over the routers, potentially using them for further network reconnaissance or disruption.

Malware Details:

UNC3886 used a variety of TINYSHELL-based backdoors, each tailored to operate on Junos OS devices. The following malware variants were identified:

  1. appid: An active backdoor mimicking the legitimate appidd daemon. It maintained two TCP sockets for command communication and used AES encryption for secure communication. This backdoor allowed file uploads/downloads and shell access.
  2. to: Similar to appid, this active backdoor mimicked the top command and communicated with C2 servers through AES-encrypted channels.
  3. irad: A passive backdoor that acted as a packet sniffer, capturing network traffic using the libpcap library. It listened for specific ICMP packets with a magic string to activate the backdoor.
  4. lmpad: A passive backdoor that mimicked the lmpd (Link Management Protocol Daemon). It was used for process injection into Junos OS processes to disable logging, providing stealth for the operators.
  5. jdosd: A passive backdoor that used UDP communication and custom RC4 encryption for secure communication. It supported remote file transfer and shell access.
  6. oemd: A passive backdoor that bound to specific network interfaces and communicated via TCP. It used AES encryption for C2 communication and supported standard TINYSHELL commands.
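The three active/passive backdoors above hid behind names one character away from real Junos daemons (appid for appidd, to for top, lmpad for lmpd). The following Python script is an added hunting example, not code from the advisory, Mandiant or Juniper: it parses a process listing and flags names that closely resemble a known daemon without matching it, or binaries that run from a scratch directory. The ps output, the baseline names other than appidd, top and lmpd, and the scratch-directory heuristic are constructed assumptions; on a real device the baseline should be taken from a known-good unit of the same Junos release rather than from this list.

```python
"""Hunt for look-alike process names on a Junos (FreeBSD-based) host.

Added example. The sample ps(1) output below is constructed for illustration
and is not real data; the daemon names appidd, top and lmpd come from the
advisory, the rest of the baseline is an assumption.
"""
import difflib
import re
from typing import Dict, List, Tuple

# Baseline of legitimate process names. appidd, top and lmpd are named in the
# advisory; the others are assumed here and should come from a known-good box.
KNOWN_DAEMONS = {"appidd", "top", "lmpd", "rpd", "mgd", "chassisd", "dcd", "eventd"}

# Directories a long-lived daemon should normally not execute from (assumption).
SCRATCH_DIRS = ("/var/tmp/", "/tmp/")

# Constructed sample of `ps -ax -o pid,user,command` output (not real data).
SAMPLE_PS = """\
  PID USER     COMMAND
 1337 root     /usr/sbin/appidd -N
 1402 root     /usr/sbin/lmpd -N
 2210 root     /usr/sbin/rpd -N
 3151 root     /var/tmp/appid
 3152 root     /var/tmp/to
 3160 root     /var/tmp/lmpad
 4001 root     /usr/sbin/mgd -N
"""

# pid, user, executable path; anything after the path (arguments) is ignored.
PS_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)(?:\s+.*)?$")


def parse_ps(text: str) -> List[Dict[str, str]]:
    """Parse ps output into rows with pid, user, path and basename.

    The header line does not start with a number, so the regex skips it.
    """
    rows = []
    for line in text.splitlines():
        m = PS_LINE.match(line)
        if not m:
            continue
        pid, user, path = m.groups()
        rows.append({"pid": pid, "user": user, "path": path,
                     "name": path.rsplit("/", 1)[-1]})
    return rows


def lookalike_findings(rows: List[Dict[str, str]],
                       known=KNOWN_DAEMONS,
                       cutoff: float = 0.6) -> List[Tuple[str, str, List[str]]]:
    """Return (pid, name, reasons) for every suspicious process.

    A process is suspicious when its basename is not in the baseline but is a
    close string match to a baseline name (difflib ratio >= cutoff), or when
    its executable lives in a scratch directory. Exact baseline names are
    never flagged on the name check, so the legitimate appidd is left alone.
    """
    findings = []
    for r in rows:
        reasons = []
        if r["name"] not in known:
            close = difflib.get_close_matches(r["name"], known, n=1, cutoff=cutoff)
            if close:
                reasons.append(f"name resembles legitimate daemon {close[0]!r}")
        if r["path"].startswith(SCRATCH_DIRS):
            reasons.append("binary executes from a scratch directory")
        if reasons:
            findings.append((r["pid"], r["name"], reasons))
    return findings


def hunt(ps_text: str = SAMPLE_PS) -> List[Tuple[str, str, List[str]]]:
    """Convenience wrapper: parse and evaluate one ps listing."""
    return lookalike_findings(parse_ps(ps_text))


if __name__ == "__main__":
    for pid, name, reasons in hunt():
        print(f"pid {pid} {name}: {'; '.join(reasons)}")
```

Run it against the output of `ps -ax -o pid,user,command` from the FreeBSD shell, or against a saved copy collected off-box. The name check is deliberately fuzzy, so it will produce noise on devices with many third-party daemons; the value is in reviewing a short list of near-misses rather than in a verdict, and any hit should be confirmed with the JMRT integrity check the advisory recommends.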

Source:

  • https://supportportal.juniper.net/s/article/2025-03-Out-of-Cycle-Security-Bulletin-Junos-OS-A-local-attacker-with-shell-access-can-execute-arbitrary-code-CVE-2025-21590?language=en_US
  • https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-targets-juniper-routers

CVE-2025-21590 Details:

  1. Vulnerability Type: Improper Isolation or Compartmentalization
  2. Severity: Medium (CVSS v3.1: 4.4, CVSS v4.0: 6.7)
  3. Issue Description: A local attacker with shell access and high privileges can execute arbitrary code on Junos OS devices, compromising device integrity.
  4. This issue affects all versions of Junos OS.

Recommendations:

  1. Ensure that all Juniper devices are running the latest firmware and software patches, which contain mitigations and updated signatures for the Juniper Malware Removal Tool (JMRT), and run the JMRT Quick Scan and Integrity Check after the upgrade. The following software releases address CVE-2025-21590: 21.2R3-S9, 21.4R3-S10, 22.2R3-S6, 22.4R3-S6, 23.2R2-S3, 23.4R2-S4, 24.2R1-S2, 24.2R2, 24.4R1, and all subsequent releases.
  2. CVE-2025-21590 Workaround: Juniper Networks strongly recommends mitigating the risk of exploitation by restricting shell access to trusted users only.
  3. Implement a centralized IAM system with robust MFA and granular RBAC for managing network devices.
  4. Ensure that memory and process integrity features, like Veriexec on Junos OS, are configured and properly implemented.
  5. Implement a device lifecycle management program that includes proactive monitoring, automated software updates, and end-of-life (EOL) replacement planning to ensure network devices are always supported and secure.
  6. Block the IOCs at their respective security controls. The indicator collection is available at https://www.virustotal.com/gui/collection/69bf6e9649be869b4a0384bd4ce18ca2cad347b60998c31006a881a9f62cd8cc/iocs
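Recommendation 2 restricts shell access, the precondition for CVE-2025-21590. The Junos configuration fragment below is an added example, not Juniper's own guidance: it contrasts a login class that gives every operator a FreeBSD shell with a custom class that keeps operational commands but omits the maintenance permission and explicitly denies `start shell`. The class and user names are constructed, and the permission set is an assumption that must be tailored to each team's duties.

```junos
## Weak: the built-in super-user class lets anyone in it drop to the FreeBSD
## shell with "start shell", which is exactly the access the CVE requires.
set system login user netops class super-user

## Tighter (constructed example): a class with day-to-day operational
## permissions but without "maintenance", plus an explicit deny on shell
## escape and software installation as belt and braces.
set system login class ops-no-shell permissions [ view view-configuration clear network reset trace ]
set system login class ops-no-shell deny-commands "^(start shell|request system software)"
set system login user netops class ops-no-shell
```

Apply the statements in configuration mode and commit; keep super-user membership to a small group that authenticates through the MFA-backed IAM system from recommendation 3, and review `show system login` periodically so that shell-capable accounts stay an audited exception rather than the default.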

Ampcus Cyber