UNC3886
Overview
UNC3886 is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations in the United States and the Asia-Pacific-Japan (APJ) region. UNC3886 has displayed a deep understanding of edge devices and virtualization technologies through the exploitation of zero-day vulnerabilities and the use of novel malware families and utilities.
Capabilities
- Exploitation of public-facing / client applications — ATT&CK T1190, T1203, T1212
- Custom malware/implant development — ATT&CK: 8 attributed custom malware families
TTPs — 49 techniques across 13 tactics
Reconnaissance
Resource Development
- T1587.001 Malware
- T1587.004 Exploits
- T1588.001 Malware
- T1588.004 Digital Certificates
Initial Access
Execution
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1059.004 Unix Shell
- T1059.006 Python
- T1059.012 Hypervisor CLI
- T1203 Exploitation for Client Execution
- T1675 ESXi Administration Command
Persistence
- T1037 Boot or Logon Initialization Scripts
- T1037.004 RC Scripts
- T1505.006 vSphere Installation Bundles
- T1554 Compromise Host Software Binary
Privilege Escalation
Stealth
- T1014 Rootkit
- T1027.005 Indicator Removal from Tools
- T1036.004 Masquerade Task or Service
- T1070.004 File Deletion
- T1070.006 Timestomp
- T1070.007 Clear Network Connection History and Configurations
- T1078 Valid Accounts
- T1078.001 Default Accounts
- T1205 Traffic Signaling
- T1205.001 Port Knocking
- T1218.011 Rundll32
- T1564.011 Ignore Process Interrupts
Defense Impairment
Credential Access
- T1003.001 LSASS Memory
- T1040 Network Sniffing
- T1212 Exploitation for Credential Access
- T1555.005 Password Managers
Discovery
- T1057 Process Discovery
- T1083 File and Directory Discovery
- T1124 System Time Discovery
- T1673 Virtual Machine Discovery
Lateral Movement
- T1021.004 SSH
- T1570 Lateral Tool Transfer
Collection
- T1074.001 Local Data Staging
- T1560.001 Archive via Utility
- T1560.003 Archive via Custom Method
Command and Control
- T1008 Fallback Channels
- T1095 Non-Application Layer Protocol
Tools & malware (8)
MOPSLED · VIRTUALPIE · CASTLETAP · THINCRUST · VIRTUALPITA · REPTILE · MEDUSA · RIFLESPINE
Reporting (2)
- VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors — Alexander Marvi, Brad Slaybaugh, Ron Craft, and Rufus Brown
- Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation — Marvi, A. et al.