UNC3886
UNC3886 is a China-nexus espionage actor that reporting describes as focused on long-term, stealthy access and as showing a deep understanding of the technologies it targets, particularly virtualization platforms, network edge devices, and routers. It is also tracked as Fire Ant.

In VMware environments, including vCenter and ESXi, researchers observed the group deploying Linux rootkits such as REPTILE and MEDUSA after exploiting vulnerabilities. It has also targeted Juniper routers and exploited zero-day vulnerabilities in network infrastructure. In the Junos OS router intrusions Mandiant attributes to it, UNC3886 deployed multiple TINYSHELL-based backdoors, both active and passive variants, and used embedded scripts to disable logging for stealth and persistence. Mandiant assesses that the group favors harvesting and reusing legitimate credentials for lateral movement, tampers with logs and forensic artifacts, and prioritizes passive backdoors and long-term access.

UNC3886 activity is cited as an example of China-nexus actors increasingly exploiting edge devices and appliances for initial access, including against the defense and aerospace sector. Google Threat Intelligence Group assessed that China-nexus groups, including campaigns associated with UNC3886, have been highly active by volume against defense industrial base entities over the last two years, and that such intrusions may support preparatory access or research-and-development theft. Taiwan's National Security Bureau also named UNC3886 among the Chinese threat groups involved in sustained targeting of critical infrastructure sectors.
Reporting also documents staging of captured credentials in var/log/ldapd<unique_keyword>.2.gz, scripts that timestomp ESXi hosts before malicious vSphere Installation Bundles (VIBs) are installed, and exploitation of a vulnerability as a zero-day for nearly two years before its disclosure. During the RedPenguin activity, UNC3886 exploited CVE-2025-21590 to inject malicious code into the memory of legitimate processes.
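The timestomp-then-install-VIB tradecraft above is what a host-side triage check should look for. The following Python script is an added example, not code from the original page and not a Mandiant or VMware tool. It parses constructed `esxcli software vib list` output (the rows are invented; the column layout is the real five-column one) and flags three signals: an acceptance level below the floor the host should enforce, a vendor string outside an allowlist (compared case-sensitively, so a lookalike such as "Vmware" fails), and an install date earlier than the date the host was built, which cannot happen honestly and is the kind of artifact a backdated install leaves behind. The `TRUSTED_VENDORS` allowlist, the assumed host build date, and the sample rows are this example's own assumptions.

```python
"""Triage `esxcli software vib list` output for VIBs that do not belong.

Added example: not code from the original page, from Mandiant, or from VMware.
Parses constructed sample output in the column layout of `esxcli software vib
list` and flags an acceptance level below the host floor, a vendor outside an
allowlist, and an install date that predates the host build. Timestamps can be
stomped in either direction, so a clean date proves nothing; `esxcli software
vib signature verify` is the authoritative check.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

# The acceptance levels ESXi defines, ranked from most to least trusted.
ACCEPTANCE_RANK = {
    "VMwareCertified": 3,
    "VMwareAccepted": 2,
    "PartnerSupported": 1,
    "CommunitySupported": 0,
}

# Assumed vendor allowlist for a hypothetical fleet; adjust to your hardware.
TRUSTED_VENDORS = {"VMW", "VMware", "HPE", "DEL"}

# Constructed sample output (invented rows, real column layout). The last row
# is the planted outlier: lookalike vendor, community level, backdated install.
SAMPLE_VIB_LIST = """\
Name              Version                 Vendor  Acceptance Level    Install Date
----------------  ----------------------  ------  ------------------  ------------
esx-base          7.0.3-0.0.0000000       VMware  VMwareCertified     2023-01-14
net-i40en         1.8.1-1vmw.703.0.0      VMW     VMwareCertified     2023-01-14
hpe-smx-provider  700.03.17.00.6-7.0.0    HPE     PartnerSupported    2023-01-14
nsx-esx-datapath  4.1.0.0.0-7.0.0000000   VMware  VMwareCertified     2023-06-02
esx-mount-rpc     1.0.0-1                 Vmware  CommunitySupported  2022-03-02
"""

# Exactly five whitespace-separated fields ending in an ISO date: header and
# separator rows do not match, data rows do.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{4}-\d{2}-\d{2})\s*$")


@dataclass(frozen=True)
class Vib:
    name: str
    version: str
    vendor: str
    acceptance: str
    install_date: date


def parse_vib_list(text: str) -> list[Vib]:
    """Parse the tabular esxcli output into Vib records."""
    vibs = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            name, version, vendor, acceptance, installed = m.groups()
            vibs.append(Vib(name, version, vendor, acceptance, date.fromisoformat(installed)))
    return vibs


def flag_vibs(vibs: list[Vib], host_build_date: date,
              min_level: str = "PartnerSupported") -> list[tuple[str, list[str]]]:
    """Return (vib name, reasons) for every VIB that trips at least one signal."""
    floor = ACCEPTANCE_RANK[min_level]
    findings = []
    for v in vibs:
        reasons = []
        # An unknown level ranks below everything: the field has been tampered with.
        if ACCEPTANCE_RANK.get(v.acceptance, -1) < floor:
            reasons.append(f"acceptance level {v.acceptance} is below {min_level}")
        if v.vendor not in TRUSTED_VENDORS:
            reasons.append(f"vendor {v.vendor!r} is not in the allowlist")
        if v.install_date < host_build_date:
            reasons.append(f"install date {v.install_date} predates host build "
                           f"{host_build_date} (clock or timestamp manipulation)")
        if reasons:
            findings.append((v.name, reasons))
    return findings


def triage_sample() -> list[tuple[str, list[str]]]:
    """Run the checks over the constructed sample with an assumed build date."""
    return flag_vibs(parse_vib_list(SAMPLE_VIB_LIST), host_build_date=date(2023, 1, 14))


if __name__ == "__main__":
    for name, reasons in triage_sample():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

On a real host, feed the output of `esxcli software vib list` to `parse_vib_list` and supply the build date from your asset inventory rather than from the host itself, since the host's clock and file timestamps are exactly what this actor manipulates. Treat a clean install date as no evidence either way; the signature verification command does not depend on the host clock and is the check to escalate on.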
Tradecraft
51 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
20 malware families attributed to this actor across reporting.
Associated vulnerabilities
24 CVEs this actor has used in observed campaigns. 24 of them exploited in the wild.
After compromising the hypervisor, the Fire Ant actors exploited another vulnerability — CVE-2023-20867 — to execute commands inside the guest virtual machines (VMs) without the required authentication. CVE-2023-20867 is an authentication bypass flaw that was also exploited by UNC3886 and disclosed by Mandiant researchers in 2023.
Sygnia's investigation into the cyberespionage campaign found that Fire Ant actors exploited a nearly two-year-old vulnerability in VMware vCenter, tracked as CVE-2023-34048, to gain initial access to targeted organizations.
During RedPenguin, UNC3886 exploited CVE-2025-21590 to enable malicious code injection into the memory of legitimate processes.
UNC3886 has used zero-day vulnerabilities CVE-2022-41328 against FortiOS, CVE-2023-20867 against VMware Tools, and CVE-2023-34048 against VMware vCenter.
The abuse of CVE-2022-22948, on the other hand, has been attributed by Google-owned Mandiant to a China-nexus cyber espionage group known as UNC3886...
Observables
36 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Listed as an associated threat actor in the detection annotation for exploitation of the public-facing PTC Windchill vulnerability CVE-2026-4681.
Referenced as a threat actor associated with the MITRE ATT&CK technique T1090.003 (Multi-hop Proxy) in the detection annotation for access to anonymizer services.
Targeting VMware environments and deploying Linux rootkits for stealth, persistence, and credential theft after exploiting vCenter and ESXi vulnerabilities.
State-sponsored espionage activity using the OrBit/Medusa-derived Linux rootkit codebase to maintain covert access on compromised systems.