Revisiting UNC3886 Tactics to Defend Against Present Risk
Trend Micro, Monday, July 28th, 2025
We examine the past tactics used by UNC3886 to gain insight on how to best strengthen defenses against the ongoing and emerging threats of this APT group.
Key Takeaways
UNC3886 is an APT group that has historically targeted critical infrastructure, including telecommunications, government, technology, and defense, with a recent attack against Singapore.
The group is known for rapidly exploiting zero-day and high-impact vulnerabilities in network and virtualization devices such as VMware vCenter/ESXi, Fortinet FortiOS, and Juniper Junos OS.
UNC3886 deploys custom toolsets including TinyShell (a covert remote access tool) and Reptile (a stealthy Linux rootkit), and Medusa, leveraging layered persistence and advanced defense evasion methods such as rootkit deployment, living-off-the-land tactics, and replacement/backdooring of core system binaries.
Trend Vision One detects and blocks the indicators of compromise (IOCs) highlighted in this blog. Trend Vision One customers can also access hunting queries, threat insights, and threat intelligence reports to gain rich context and the latest updates on UNC3886.