Unc3886

Threat Actor Profile Updated a day ago
Download STIX
Preview STIX
UNC3886 is a threat actor with suspected links to China, known for its cyber espionage operations targeting global strategic organizations. Since 2021, this advanced persistent threat (APT) group has been exploiting a VMware zero-day vulnerability, identified as CVE-2023-34048. The cybersecurity industry has observed UNC3886's persistent and sophisticated attacks, leveraging multiple zero-day vulnerabilities and deploying advanced malware. A deep dive into UNC3886's activities revealed their preferred method of operation. Upon gaining access to compromised endpoints, the group deploys "Reptile," their rootkit of choice. This tactic allows them to maintain stealthy and persistent access to the victim's network. Further investigations showed that UNC3886 has previously compromised firewall and virtualization applications that lack endpoint detection support, demonstrating their advanced capabilities and strategic approach to their targets. Mandiant, a prominent threat intelligence company, tracks UNC3886 and suggests that it is likely a Chinese threat group operating on behalf of Beijing. Their activities pose significant threats to organizations worldwide due to their exploitation of critical vulnerabilities and the deployment of sophisticated malware. As such, it's crucial for organizations to stay vigilant, ensure their systems are up-to-date, and implement robust security measures to mitigate the risk of compromise by threat actors like UNC3886.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Zero Day
Vulnerability
Mandiant
Vmware
Malware
Exploit
Esxi
Exploits
Apt
Fortigate
Fortios
Windows
Vcenter
Espionage
State Sponso...
exploited
Rootkit
LOTL
exploitation
Ivanti
Backdoor
bugs
Lateral Move...
Evasive
flaw
China
Remote Code ...
RCE (Remote ...
Chinese
Vpn
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
APT41Unspecified
1
APT41, also known as Winnti, Wicked Panda, and Wicked Spider, is a sophisticated threat actor attributed to China. This group has been active since at least 2012, targeting organizations across 14 countries. The group is known for its extensive use of various code families and tools, with at least 4
Unc5221Unspecified
1
UNC5221, a threat actor linked to China, has been identified as the group behind recent cyberattacks involving new malware specifically designed to exploit vulnerabilities in Ivanti Connect Secure VPN and Policy Secure devices. The discovery was made by Mandiant researchers who observed the deployme
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
CVE-2023-34048Unspecified
3
CVE-2023-34048 is a critical out-of-bounds write vulnerability discovered in VMware's vCenter Server, a widely used server management software. This flaw in software design or implementation poses a high risk of exploitation and has a Common Vulnerability Scoring System (CVSSv3) score of 9.8 out of
CVE-2023-20867Unspecified
2
CVE-2023-20867 is a critical vulnerability in VMware Tools, first revealed by Mandiant researchers in June 2023. This flaw in software design or implementation was exploited by the threat group UNC3886, allowing it to gain privileged access to Windows, Linux, and PhotonOS guest virtual machines with
CVE-2022-41328Unspecified
2
CVE-2022-41328 is a significant software vulnerability discovered in Fortinet's FortiOS. It was heavily targeted by China-nexus intrusion sets, particularly UNC3886, who exploited the vulnerability to deploy custom malware families on Fortinet and VMware systems. This exploitation occurred in Septem
CVE-2022-22948Unspecified
1
None
CVE-2022-41040Unspecified
1
CVE-2022-41040 is a software vulnerability that was discovered in late September 2022, along with another flaw, CVE-2022-41082. These two zero-day vulnerabilities were collectively known as ProxyNotShell. The vulnerabilities were exploited to compromise Microsoft Exchange through the proxy mechanism
CVE-2022-41082Unspecified
1
CVE-2022-41082 is a critical software vulnerability discovered in Microsoft Exchange Servers, which allows for Remote Code Execution (RCE). This flaw is one of two zero-day vulnerabilities found, the other being CVE-2022-41040. The RCE vulnerability presents a significant threat as it enables attack
ProxynotshellUnspecified
1
ProxyNotShell is a software vulnerability, specifically a flaw in the design or implementation of Microsoft Exchange Server. It was first identified and exploited through CVE-2022-41082, as reported by Palo Alto Networks' Unit 42. The ProxyNotShell exploit method leveraged an AutoDiscover endpoint t
CVE-2023-208670Unspecified
1
CVE-2023-208670 is a zero-day vulnerability that allows attackers to bypass authentication in VMware Tools, a set of services and modules used to enhance the performance of virtual machines. The vulnerability enables attackers to execute arbitrary code on a vulnerable system and gain complete contro
CVE-2023-2868Unspecified
1
CVE-2023-2868 is a significant software vulnerability that was identified in the Barracuda Email Security Gateway (ESG) appliances. This flaw, specifically a remote command injection vulnerability, was disclosed by Barracuda on May 30th, 2023. The vulnerability had been exploited as early as October
CVE-2021-44228Unspecified
1
CVE-2021-44228, also known as the Log4j vulnerability, is a software flaw found in Apache Log4j, a widely used logging utility. Despite multiple attempts by Advanced Persistent Threat (APT) actors to exploit this vulnerability in the ServiceDesk system, these efforts were unsuccessful. However, it b
CVE-2021-44207Unspecified
1
CVE-2021-44207 is a significant software vulnerability that was exploited by APT41, a prolific Chinese state-sponsored espionage group known for targeting both public and private sector organizations. This flaw in the USAHerds web application's design or implementation mirrors a previously reported
Source Document References
Information about the Unc3886 Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
Securityaffairs
a day ago
Security Affairs Malware Newsletter - Round 3
Securityaffairs
2 days ago
Security Affairs Malware Newsletter - Round 3
Securityaffairs
8 days ago
Security Affairs Malware Newsletter - Round 2
Securityaffairs
16 days ago
Security Affairs Malware Newsletter - Round 1
Securityaffairs
23 days ago
Security Affairs newsletter Round 478 by Pierluigi Paganini – INTERNATIONAL EDITION
Checkpoint
a month ago
24th June – Threat Intelligence Report - Check Point Research
Securityaffairs
a month ago
Security Affairs newsletter Round 477 by Pierluigi Paganini – INTERNATIONAL EDITION
BankInfoSecurity
a month ago
Chinese Hackers Used Open-Source Rootkits for Espionage
Securityaffairs
a month ago
Security Affairs newsletter Round 476 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs
2 months ago
Security Affairs newsletter Round 473 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs
3 months ago
Security Affairs newsletter Round 470 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs
3 months ago
Security Affairs newsletter Round 469 by Pierluigi Paganini – INTERNATIONAL EDITION
BankInfoSecurity
3 months ago
State Hackers' New Frontier: Network Edge Devices
Securityaffairs
3 months ago
Security Affairs newsletter Round 467 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs
3 months ago
Security Affairs newsletter Round 466 by Pierluigi Paganini
Securityaffairs
4 months ago
Security Affairs newsletter Round 465 by Pierluigi Paganini
Securityaffairs
4 months ago
Security Affairs newsletter Round 464 by Pierluigi Paganini
Securityaffairs
4 months ago
Security Affairs newsletter Round 463 by Pierluigi Paganini
Securityaffairs
4 months ago
Security Affairs newsletter Round 462 by Pierluigi Paganini
CERT-EU
5 months ago
Cyber Security Week in Review: March 1, 2024