China-related espionage group UNC3886 exploits end-of-life Juniper routers with custom backdoors
Take action: If you run end-of-life Juniper equipment, or you are not patching your Juniper devices, assume they may already have been compromised. Push for an upgrade within the next few days, then run the Juniper Malware Removal Tool (JMRT) Quick Scan and Integrity Check on the upgraded image. Rotate every credential that has been used on or stored on those devices (the intrusion began with legitimate credentials, not an exploit), and check the rest of the network for lateral movement from the routers. Ideally, replace the end-of-life devices and keep network-device patching on a fixed cadence.
Learn More
In mid-2024, Mandiant discovered that a China-nexus espionage group known as UNC3886 was deploying custom backdoors on Juniper Networks' Junos OS routers.
This campaign targeted end-of-life (EOL) Juniper MX routers whose hardware and software no longer receive security updates, allowing the threat actors to maintain long-term access to victim networks.
The threat actors first gained privileged access to the Juniper routers from terminal servers using legitimate credentials, then dropped from the Junos OS CLI into the underlying FreeBSD shell. The Juniper Verified Exec (veriexec) subsystem normally prevents unsigned binaries from executing; UNC3886 bypassed it by injecting malicious code into the memory of an already running, legitimate process. The weakness that made this possible is now tracked as CVE-2025-21590 (CVSS score 6.7). Note that it is only exploitable by an attacker who already holds privileged shell access on the device, so it is a post-compromise step that defeats a control, not a remote entry vector; the initial access came from credential misuse.
Mandiant uncovered six distinct TINYSHELL-based backdoors running on the compromised routers, each named to blend in with a legitimate Junos process:
- appid - Active backdoor mimicking the legitimate Application Identification Daemon (appidd)
- to - Active backdoor mimicking the legitimate top utility (table of processes)
- irad - Passive backdoor mimicking the legitimate Interface Replication and Synchronization Daemon (irsd)
- lmpad - Utility and passive backdoor mimicking the Link Management Protocol Daemon (lmpd)
- jdosd - Passive backdoor mimicking the Juniper DDoS protection Daemon (jddosd)
- oemd - Passive backdoor mimicking the Operation, Administration and Maintenance Daemon (oamd)
Together these backdoors provided file transfer, remote shell access, proxy functionality and logging inhibition. The active variants initiate connections to attacker infrastructure; the passive variants stay dormant and make no outbound connections until they observe a specific network traffic pattern, which keeps them invisible to egress monitoring.
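The naming pattern above (a backdoor whose name is one character away from a real daemon) is something a defender can hunt for directly in a process listing. The following is an added example, not code from the page, from Mandiant or from Juniper: it parses a constructed process table laid out like the output of `show system processes extensive` and flags any command name that either matches one of the six backdoor names reported by Mandiant or is within edit distance 1 of a known legitimate daemon without being one. The allowlist of legitimate daemons and the sample rows are assumptions for this example and are not exhaustive.

```python
import re
from typing import List, NamedTuple

# Constructed sample in the layout of `show system processes extensive`
# (a BSD top-style table). PIDs, sizes and the last three rows are made up
# for this example; the final column is the command name.
SAMPLE_PROCESS_LIST = """\
  PID USERNAME    THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
 1501 root          1  20    0  144M   52M select   3:12  0.00% rpd
 1502 root          1  20    0   38M   11M select   0:41  0.00% appidd
 1503 root          1  20    0   29M    9M select   0:07  0.00% irsd
 1504 root          1  20    0   33M   10M select   0:19  0.00% lmpd
 1505 root          1  20    0   27M    8M select   0:03  0.00% jddosd
 1506 root          1  20    0   25M    7M select   0:02  0.00% oamd
 2210 root          1  20    0   12M    3M select   0:00  0.00% appid
 2211 root          1  20    0    9M    2M select   0:00  0.00% to
 2212 root          1  20    0   14M    4M select   0:00  0.00% lmpad
"""

# Backdoor names attributed to UNC3886 in the Mandiant report.
KNOWN_BACKDOOR_NAMES = {"appid", "to", "irad", "lmpad", "jdosd", "oemd"}

# Assumed allowlist: the daemons the backdoors impersonate plus a few other
# common Junos processes. Illustrative only; build yours from a known-good box.
LEGIT_DAEMONS = {
    "appidd", "top", "irsd", "lmpd", "jddosd", "oamd",
    "rpd", "mgd", "chassisd", "dcd", "snmpd", "sshd",
}


class Finding(NamedTuple):
    pid: int
    name: str
    reasons: List[str]


def parse_process_names(text: str) -> List[tuple]:
    """Return (pid, command) pairs from a top-style table, skipping the header."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].isdigit():
            continue  # header or blank line
        rows.append((int(parts[0]), parts[-1]))
    return rows


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), single-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_suspicious(process_text: str, max_distance: int = 1) -> List[Finding]:
    """Flag known backdoor names and near-miss lookalikes of legitimate daemons."""
    findings = []
    for pid, name in parse_process_names(process_text):
        if name in LEGIT_DAEMONS:
            continue
        reasons = []
        if name in KNOWN_BACKDOOR_NAMES:
            reasons.append("matches a UNC3886 backdoor name from the Mandiant report")
        near = sorted(d for d in LEGIT_DAEMONS if levenshtein(name, d) <= max_distance)
        if near:
            reasons.append("lookalike of legitimate daemon(s): " + ", ".join(near))
        if reasons:
            findings.append(Finding(pid, name, reasons))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_PROCESS_LIST):
        print(f"PID {f.pid:>5}  {f.name:<8} " + "; ".join(f.reasons))
```

The lookalike rule deliberately catches names that are not on the indicator list, since a renamed build of the same backdoor would not match the six strings. Expect some noise on a real box (short daemon names are often within one edit of each other), so treat a lookalike hit as a reason to check whether the binary on disk is veriexec-signed and where its parent came from, not as a verdict on its own. Note also that the page states the malware was injected into the memory of a legitimate process, so a clean process list does not by itself clear a device; this check complements, rather than replaces, the JMRT Integrity Check.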
Mandiant has identified fewer than ten victim organizations so far, but expects others to discover they were compromised once the findings are published. The attackers primarily targeted defense, technology and telecommunications organizations in the US and Asia, with a focus on maintaining long-term, stealthy access to victim networks.
Charles Carmakal, Mandiant Consulting CTO, indicated that a "significant number of devices" were compromised within the victim environments. However, Mandiant's investigation did not reveal evidence of data staging or exfiltration from the affected systems.
Juniper has released patches and updated signatures for its Juniper Malware Removal Tool (JMRT).
Mandiant and Juniper recommend organizations take the following actions:
- Upgrade Juniper devices to the latest images, which contain the fix for CVE-2025-21590 and updated JMRT signatures
- Run the JMRT Quick Scan and Integrity Check after upgrading (the scan relies on the signatures shipped in the new image, so order matters)
- Implement centralized Identity and Access Management (IAM) with multi-factor authentication (MFA), since the intrusion began with valid credentials
- Enhance monitoring of high-risk administrative activities, in particular escapes from the Junos CLI into the FreeBSD shell
- Prioritize patching and vulnerability management for network devices
- Replace EOL devices
- Apply security hardening measures including access controls and network segmentation, so that only designated management hosts can reach router CLIs
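The monitoring recommendation above maps directly onto two Junos syslog events: UI_LOGIN_EVENT (a CLI login, including its source address) and UI_CMDLINE_READ_LINE (each command typed at the CLI). The block below is an added example, not code from the page, from Mandiant or from Juniper: it scans a constructed syslog excerpt and raises an alert for any CLI-to-shell escape (`start shell ...`) and for any CLI login that did not originate from an assumed allowlist of management hosts. The hostnames, user names, addresses, timestamps and the allowlist are all made up for this example; the message tags are real Junos event names, but the exact field layout should be checked against your own logs before deployment.

```python
import re
from typing import List, NamedTuple

# Constructed Junos syslog excerpt. UI_LOGIN_EVENT and UI_CMDLINE_READ_LINE
# are real mgd event tags; everything else in these lines is invented.
SAMPLE_SYSLOG = """\
Mar 11 08:15:02 mx-edge1 mgd[9123]: UI_LOGIN_EVENT: User 'netops' login, class 'super-user' [pid 9123], ssh-connection '10.20.0.7 49210 10.20.0.1 22', client-mode 'cli'
Mar 11 08:15:09 mx-edge1 mgd[9123]: UI_CMDLINE_READ_LINE: User 'netops', command 'show interfaces terse '
Mar 11 08:15:20 mx-edge1 mgd[9123]: UI_CMDLINE_READ_LINE: User 'netops', command 'start shell user root '
Mar 11 23:41:13 mx-edge1 mgd[9877]: UI_LOGIN_EVENT: User 'svc-backup' login, class 'super-user' [pid 9877], ssh-connection '10.99.4.15 53011 10.20.0.1 22', client-mode 'cli'
Mar 11 23:41:30 mx-edge1 mgd[9877]: UI_CMDLINE_READ_LINE: User 'svc-backup', command 'start shell '
Mar 11 23:41:31 mx-edge1 mgd[9877]: UI_CMDLINE_READ_LINE: User 'svc-backup', command 'show version '
"""

# Assumed allowlist of hosts permitted to reach router CLIs (jump hosts,
# terminal servers). Not from the page; replace with your own inventory.
MANAGEMENT_HOSTS = {"10.20.0.7", "10.20.0.8"}

LOGIN_RE = re.compile(
    r"UI_LOGIN_EVENT: User '(?P<user>[^']+)' login, class '(?P<cls>[^']+)'"
    r".*?ssh-connection '(?P<src>\S+) \d+ \S+ \d+'"
)
CMD_RE = re.compile(
    r"UI_CMDLINE_READ_LINE: User '(?P<user>[^']+)', command '(?P<cmd>[^']*)'"
)


class Alert(NamedTuple):
    severity: str
    user: str
    detail: str
    line: str


def analyze_syslog(text: str, management_hosts=MANAGEMENT_HOSTS) -> List[Alert]:
    """Flag shell escapes and CLI logins from outside the management allowlist."""
    alerts = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            if m["src"] not in management_hosts:
                alerts.append(Alert(
                    "medium", m["user"],
                    f"CLI login from non-management host {m['src']} (class {m['cls']})",
                    line,
                ))
            continue
        m = CMD_RE.search(line)
        if m:
            cmd = m["cmd"].strip()
            if cmd.startswith("start shell"):
                # 'start shell user root' is worse than a plain shell escape,
                # since it lands directly in a root FreeBSD shell.
                target = "root shell" if "user root" in cmd else "shell"
                alerts.append(Alert("high", m["user"], f"CLI-to-{target} escape: '{cmd}'", line))
    return alerts


def users_with_shell_access(alerts: List[Alert]) -> List[str]:
    """Accounts whose credentials should be rotated first: anyone who reached a shell."""
    return sorted({a.user for a in alerts if a.severity == "high"})


if __name__ == "__main__":
    found = analyze_syslog(SAMPLE_SYSLOG)
    for a in found:
        print(f"[{a.severity:<6}] {a.user:<12} {a.detail}")
    print("rotate first:", users_with_shell_access(found))
```

Two caveats follow from the page itself. First, the attackers reached the routers from terminal servers, so a source-address allowlist alone would not have caught them; the shell-escape rule is the one that matters. Second, the backdoors include logging inhibition, so the absence of these events on a device that is known to have been administered is itself a signal worth investigating, which is why these logs should be shipped off-box to a collector the router cannot tamper with.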