A China-linked cyberespionage group tracked as UNC3886 is using customized malware to target Juniper Networks' end-of-life MX routers running Junos OS, a recent Mandiant investigation reveals.
The backdoors are built on the publicly available TINYSHELL backdoor and come in both active variants, which connect out to the operator's infrastructure, and passive variants, which listen for an incoming trigger. The campaign, first identified in mid-2024, targets the defense, telecommunications, and technology sectors in both the US and Asia.
The group first gained access to a target network through a terminal server used to manage network devices, then used legitimate credentials to log in to a Juniper router. Junos OS enforces Veriexec, which is meant to prevent unauthorized binaries from executing; UNC3886 circumvented it by injecting malicious code into the memory of an already-running legitimate process, so no untrusted on-disk binary ever had to be launched. The weakness that allowed this is now tracked as CVE-2025-21590.
Once inside, the group worked from the FreeBSD shell that underlies Junos OS and used the shell's "here document" feature to write a base64-encoded file to disk, then decoded it. The decoded file was a compressed archive containing the malicious binaries, which were unpacked and executed on the compromised device.
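As an added illustration (not Mandiant's code or a Juniper tool), the following Python hunts for that staging chain in a record of shell commands. It assumes the operator has such a record for the router's shell sessions, for example exported shell history or a command-logging pipeline; the session below is constructed for the example, and the file names in it are placeholders, not indicators from the investigation. The point it makes is that a here-document on its own is ordinary shell usage; the signal is the sequence here-document, base64 decode, decompress, mark executable appearing close together in one session.

```python
import re

# Regexes for the four stages of the staging chain described above, as seen on
# the FreeBSD shell under Junos: here-document -> base64 decode -> decompress -> execute.
STAGES = {
    "heredoc":    re.compile(r"<<-?\s*['\"]?\w+['\"]?"),
    "decode":     re.compile(r"\b(base64\s+(-d|--decode)\b|uudecode\b|openssl\s+(enc|base64)\b.*\s-d\b)"),
    "decompress": re.compile(r"\b(gunzip|zcat|unxz|gzip\s+-d|xz\s+-d|bzip2\s+-d|tar\s+-?[a-zA-Z]*x[a-zA-Z]*)\b"),
    # symbolic "+x"-style modes, or octal modes whose owner digit carries the execute bit
    "exec":       re.compile(r"\bchmod\s+(?:[ugoa]*[+=]\S*x|[0-7]?[1357][0-7]{2})\b"),
}

def stage_flags(cmd):
    """Return the set of staging-chain stages that one command line matches."""
    return {name for name, rx in STAGES.items() if rx.search(cmd)}

def find_staging_chains(lines, window=5, min_stages=3):
    """Slide a window of `window` consecutive commands over a session and report
    every window that covers at least `min_stages` distinct stages.
    Returns (first_index, last_index, stages_in_order_seen) tuples; after a hit
    the scan resumes past it, so hits do not overlap."""
    flags = [stage_flags(cmd) for cmd in lines]
    hits = []
    i = 0
    while i < len(lines):
        seen = {}  # stage -> index of the first command in this window showing it
        for j in range(i, min(len(lines), i + window)):
            for stage in flags[j]:
                seen.setdefault(stage, j)
        if len(seen) >= min_stages:
            first, last = min(seen.values()), max(seen.values())
            hits.append((first, last, tuple(sorted(seen, key=seen.get))))
            i = last + 1
        else:
            i += 1
    return hits

# Constructed sample session (placeholder paths, not real indicators). The
# here-document's payload lines are omitted; only the command lines are kept.
SAMPLE_SESSION = [
    "start shell user root",
    "cat <<'EOF' > /var/tmp/.cache.b64",
    "base64 -d /var/tmp/.cache.b64 > /var/tmp/.cache.tgz",
    "tar -xzf /var/tmp/.cache.tgz -C /var/tmp",
    "chmod +x /var/tmp/.cache/svc",
    "rm /var/tmp/.cache.b64 /var/tmp/.cache.tgz",
    "cat <<EOF > /var/tmp/maint-notes.txt",   # a lone here-document: not flagged by itself
    "ls -la /var/tmp",
]

if __name__ == "__main__":
    for first, last, stages in find_staging_chains(SAMPLE_SESSION):
        print(f"staging chain in commands {first}-{last}: {' -> '.join(stages)}")
        for k in range(first, last + 1):
            print(f"  [{k}] {SAMPLE_SESSION[k]}")
```

The window size and stage threshold are tunable: a tighter window lowers noise on busy administrative sessions, while accepting any three of the four stages still catches an actor who unpacks with a tool the decompress pattern does not list. The regexes are deliberately narrow; extend them with whatever decoders and archivers exist on the Junos builds you run.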
Six distinct TINYSHELL-based backdoor variants were identified, each tailored to Junos OS on the MX platform and carrying additional persistence and stealth features, among them the in-memory execution trick that sidesteps Veriexec.
Along with the TINYSHELL backdoors, the group used a variety of other tools: the REPTILE and MEDUSA rootkits, the SEAELF loader for establishing persistence, and a custom SSH server designed to hijack SSH authentication, capture credentials, and facilitate lateral movement within compromised networks.
The group also deployed the GHOSTTOWN utility for anti-forensics, likely to obscure its activities and hinder detection. In addition, UNC3886 replaced the TACACS+ daemon binary on affected routers with a backdoored version that captured network authentication credentials, giving the actor a durable source of valid logins and thus continued access. Mandiant said it saw no evidence that the threat actor exfiltrated data.
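Since Veriexec, the on-box control, was itself bypassed, and rootkits such as REPTILE and MEDUSA can hide or misreport files to anything running on the router, a practitioner would want an out-of-band check for a swapped daemon: copy the suspect file system to a trusted host and compare binary hashes against a known-good baseline from the same Junos release. The following Python is an added example of that comparison, not Mandiant's or Juniper's tooling; it builds its own clean and tampered directory trees under a temporary directory, and the daemon and dropper names in it are placeholders rather than real Junos file names.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    """SHA-256 of a file, streamed so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map every regular file under `root` (path relative to root, '/'-separated)
    to its SHA-256. Symlinks are skipped so a link cannot stand in for a binary."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
    return manifest

def compare_manifests(baseline, current):
    """Diff a known-good manifest against one taken from a suspect image.
    'modified' is the interesting set for a replaced daemon; 'added' catches
    droppers and staged payloads; 'removed' catches deleted tooling or logs."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added":    sorted(p for p in current if p not in baseline),
        "removed":  sorted(p for p in baseline if p not in current),
    }

def demo():
    """Constructed scenario: a clean tree and a copy in which one authentication
    daemon was swapped out and a dropper was left behind. Names are placeholders."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as suspect:
        for root in (clean, suspect):
            os.makedirs(os.path.join(root, "usr", "sbin"))
            with open(os.path.join(root, "usr", "sbin", "authd"), "wb") as f:
                f.write(b"\x7fELF original daemon")
            with open(os.path.join(root, "usr", "sbin", "sshd"), "wb") as f:
                f.write(b"\x7fELF sshd")
        # Tamper with the suspect copy: replace one daemon, add an unexpected binary.
        with open(os.path.join(suspect, "usr", "sbin", "authd"), "wb") as f:
            f.write(b"\x7fELF trojanised daemon")
        with open(os.path.join(suspect, "usr", "sbin", ".svc"), "wb") as f:
            f.write(b"\x7fELF dropper")
        return compare_manifests(build_manifest(clean), build_manifest(suspect))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths or '-'}")
```

The baseline should come from a clean install of the same Junos version on a trusted host, never from the suspect router's own hash commands, and the suspect tree should be read from a file system image rather than through the live box. The check says nothing about code injected only into process memory, which is exactly how the Veriexec bypass works; for that, the shell-history hunt and memory acquisition are the complementary sources.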