March 13, 2025

China-linked threat actor deploys backdoors, rootkits on Junos OS routers


The China-linked threat actor tracked as UNC3886 has been observed targeting end-of-life (EoL) Juniper Networks routers to install several variants of its TinyShell backdoor. The campaign exploits the fact that edge devices such as the targeted Juniper routers typically cannot run endpoint security agents, so the actor's activity can go unnoticed for long periods.

Researchers have discovered that the following backdoors, all based on UNC3886's TinyShell family, were deployed during the campaign:

  • appid - active backdoor supporting file upload/download, an interactive shell, a SOCKS proxy, and configuration changes.
  • to - functionally identical to appid but built with a different set of hard-coded C2 servers.
  • irad - passive backdoor implemented as a libpcap-based packet sniffer that extracts commands from inbound ICMP packets and executes them on the compromised router.
  • lmpad - a utility and passive backdoor that can launch an external script to perform process injection into legitimate Junos OS processes in order to delay logging.
  • jdosd - a UDP backdoor with file transfer and remote shell capabilities.
  • oemd - a passive backdoor that communicates with its C2 server and supports the standard TinyShell commands for uploading/downloading files and executing shell commands.
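The passive backdoors above (irad in particular) wait for a trigger inside traffic that edge devices normally accept, such as ICMP. One way to hunt for that pattern without knowing the implant's exact trigger format is to flag echo packets whose payload does not match what standard ping implementations send. The following detector is an added example written for this page, not code from the Mandiant/Juniper research or from Field Effect; the packets it scans are constructed inline, and the "command in echo" sample is a made-up illustration, not a reproduction of irad's real wire format.

```python
"""Heuristic detector for ICMP-triggered passive backdoors.

Parses raw IPv4+ICMP frames (no scapy dependency) and flags echo
requests/replies whose payload is neither empty nor one of the well-known
ping payload patterns. Sample frames are constructed below; nothing here is
the real irad trigger format (that is an assumption we deliberately avoid).
"""
import struct

# Payload that Windows ping sends (32 bytes, "abcdefghijklmnopqrstuvwabcdefghi").
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"


def _looks_like_unix_ping(payload: bytes) -> bool:
    """Unix/BSD ping: optional 8- or 16-byte timestamp, then 0x10, 0x11, ... pattern."""
    for ts_len in (16, 8, 0):
        body = payload[ts_len:]
        if body and all(b == (0x10 + i) & 0xFF for i, b in enumerate(body)):
            return True
    return False


def parse_ipv4_icmp(frame: bytes):
    """Return (src, dst, icmp_type, icmp_code, payload) or None if not IPv4/ICMP."""
    if len(frame) < 20 or (frame[0] >> 4) != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 1 or len(frame) < ihl + 8:  # protocol 1 = ICMP, 8-byte ICMP header
        return None
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    icmp = frame[ihl:]
    return src, dst, icmp[0], icmp[1], icmp[8:]


def classify(frame: bytes):
    """Return (verdict, reason). Only echo request (8) / reply (0) are scored."""
    parsed = parse_ipv4_icmp(frame)
    if parsed is None:
        return ("ignored", "not IPv4/ICMP")
    src, dst, itype, _code, payload = parsed
    if itype not in (8, 0):
        return ("ignored", f"ICMP type {itype} from {src} to {dst}")
    if not payload or payload == WINDOWS_PING or _looks_like_unix_ping(payload):
        return ("benign", "standard ping payload")
    printable = sum(32 <= b < 127 for b in payload) / len(payload)
    shape = "text-like" if printable > 0.9 else "binary"
    return ("suspicious", f"non-standard {shape} echo payload ({len(payload)} bytes) {src}->{dst}")


def build_icmp_frame(src: str, dst: str, itype: int, payload: bytes) -> bytes:
    """Constructed test frame: minimal IPv4 header + ICMP echo header + payload.
    Checksums are left zero; the parser does not validate them."""
    icmp_hdr = struct.pack("!BBHHH", itype, 0, 0, 0x1234, 1)  # type, code, csum, id, seq
    total = 20 + len(icmp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 1, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return ip_hdr + icmp_hdr + payload


# Constructed samples: two benign pings and one echo carrying a shell command.
SAMPLES = {
    "linux_ping": build_icmp_frame("10.0.0.5", "10.0.0.1", 8, bytes(8) + bytes(range(0x10, 0x40))),
    "windows_ping": build_icmp_frame("10.0.0.6", "10.0.0.1", 8, WINDOWS_PING),
    "command_in_echo": build_icmp_frame("203.0.113.9", "10.0.0.1", 8, b"uname -a; id"),
    "dest_unreach": build_icmp_frame("10.0.0.1", "10.0.0.5", 3, bytes(28)),
}


def scan(frames: dict) -> dict:
    """Map each sample name to its verdict."""
    return {name: classify(frame)[0] for name, frame in frames.items()}


if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:16s} {classify(frame)}")
```

In production you would feed `classify` from a raw socket or a pcap taken on a span port in front of the router, and treat repeated "suspicious" echoes from a single external source to a management address as a hunt lead rather than a verdict; many monitoring tools also send custom ICMP payloads, so whitelist those sources first.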

Junos OS contains a mechanism called Verified Exec (veriexec) that prevents untrusted (unsigned) binaries from executing. UNC3886 defeated this protection without placing an executable on disk: after obtaining privileged shell access on the affected device, the actor injected its malicious payload into the memory of a legitimate process that veriexec already allows to run. Because the technique requires local privileged access first, credential and management-plane hygiene is part of the defence. The process-injection technique has since been classified as a vulnerability and assigned CVE-2025-21590.

In addition to the custom TinyShell backdoors, UNC3886 was also observed deploying rootkits: Pithook, which hijacks SSH authentication to capture credentials; Ghosttown, which hampers forensic analysis; and the publicly available Reptile and Medusa rootkits.

Juniper Networks is advising affected customers to upgrade to a fixed Junos OS release and, after upgrading, to run the Juniper Malware Removal Tool (JMRT) quick scan and integrity check to confirm the device is clean.

Source: The Hacker News

Analysis

By compromising these edge devices, UNC3886 gains persistent, high-privilege access to critical network infrastructure, which can facilitate traffic monitoring and manipulation, credential harvesting, and further malware deployment. Because edge devices usually sit outside comprehensive security monitoring, the actor can operate with little chance of detection.

While specific instances of Chinese threat actors targeting Juniper's Junos OS-based routers have not been extensively documented in the past, Chinese threat actors have frequently targeted network infrastructure devices for espionage. For example, the Salt Typhoon group exploited vulnerabilities in Cisco IOS software to gain full control of network devices at telecommunications providers and academic institutions across multiple countries, including the United States.

This campaign serves as a reminder for organizations to prioritize the security of their network infrastructure, ensuring that devices are up-to-date and adequately monitored to defend against sophisticated threats.

Mitigation

Field Effect's Security Intelligence professionals constantly monitor the cyber threat landscape for emerging threats from China-linked actors like UNC3886. Field Effect MDR users are automatically notified if activity associated with these groups is detected in their environment and are encouraged to review the resulting AROs (Actions, Recommendations, and Observations) as quickly as possible via the Field Effect Portal.

Field Effect strongly encourages users of affected Junos OS devices to update to a fixed release as soon as possible. Users running EoL hardware or software, which will not receive a fix, should plan to replace those devices with supported alternatives to mitigate the associated risk.
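Checking "is this router on a fixed release" across a fleet means parsing Junos version strings correctly: a train like 21.4 is fixed only from a specific R/S release onward, and an unlisted train is usually EoL rather than safe. The script below is an added example for this page, not Juniper or Field Effect tooling. The fixed-version table in it is a placeholder; take the real list from Juniper's advisory for CVE-2025-21590, and the `show version` text it parses is constructed.

```python
"""Junos version triage helper (added example; placeholder fix table).

Parses Junos version strings of the form MAJOR.MINOR R<release>[-S<servicepack>][.<build>]
(e.g. "21.4R3-S5.4", "23.4R2", "24.2R1-S2") and compares a device's version
against a per-train minimum fixed version.
"""
import re

VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.(\d+))?$")

# PLACEHOLDER values for illustration only; the real fixed versions for
# CVE-2025-21590 must be taken from Juniper's advisory.
FIXED_PLACEHOLDER = {
    "21.4": "21.4R3-S10",
    "22.4": "22.4R3-S6",
    "24.2": "24.2R2",
}


def parse_junos_version(text: str) -> tuple:
    """Return (major, minor, release, servicepack, build) as ints; missing parts are 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def train_of(version: tuple) -> str:
    """The MAJOR.MINOR train a version belongs to, e.g. '21.4'."""
    return f"{version[0]}.{version[1]}"


def extract_version(show_version_output: str) -> str:
    """Pull the 'Junos: X' line out of 'show version' CLI output."""
    for line in show_version_output.splitlines():
        line = line.strip()
        if line.startswith("Junos:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no 'Junos:' line in show version output")


def assess(version_text: str, fixed_table: dict) -> str:
    """'fixed' if at or above the train's fixed release, 'vulnerable' if below,
    'unknown-train' if the train is not in the table (treat as likely EoL and verify)."""
    version = parse_junos_version(version_text)
    fixed_text = fixed_table.get(train_of(version))
    if fixed_text is None:
        return "unknown-train"
    return "fixed" if version >= parse_junos_version(fixed_text) else "vulnerable"


# Constructed sample of 'show version' output from a hypothetical MX router.
SAMPLE_SHOW_VERSION = """\
Hostname: edge-mx-01
Model: mx480
Junos: 21.4R3-S5.4
JUNOS OS Kernel 64-bit  [20220628.4d8e3f8_builder_stable_12_214]
"""


def triage(show_version_output: str, fixed_table: dict = FIXED_PLACEHOLDER) -> dict:
    """Return a small report for one device."""
    version_text = extract_version(show_version_output)
    return {"version": version_text, "train": train_of(parse_junos_version(version_text)),
            "status": assess(version_text, fixed_table)}


if __name__ == "__main__":
    print(triage(SAMPLE_SHOW_VERSION))
```

Run the collection step over SSH or NETCONF with whatever automation you already use; the value of the helper is the comparison logic, which avoids the common mistake of string-comparing "21.4R3-S5" against "21.4R3-S10" and concluding the older build is newer.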
