China-Linked Hackers Exploit Juniper Networks Flaw in Sophisticated Espionage Campaign
March 12, 2025
Mandiant researchers have uncovered a sophisticated espionage campaign linked to a China-based group known as UNC3886, which has exploited vulnerabilities in Juniper Networks' Junos OS since mid-2024.
The group has targeted Juniper MX routers that were running end-of-life hardware and software, which typically lack adequate security monitoring.
Mandiant's report reveals that UNC3886 has deployed custom backdoors on these routers, allowing for stealthy access and control.
While Mandiant has identified fewer than ten known victims, the difficulty of detecting this activity suggests that more organizations may be compromised.

Attackers gained access through legitimate credentials, circumventing Junos OS' Verified Exec protections to execute malicious payloads.
Once inside, they deployed a backdoor named TinyShell, which includes capabilities for both active and passive operations and disables logging mechanisms.
The primary aim of this malware is to disable logging before operators perform their activities, later restoring logs to cover their tracks.

Interestingly, there was no evidence of data exfiltration during the investigation, leaving the ultimate objectives of the spies somewhat unclear.
The Google Threat Intelligence report highlights that UNC3886 aims for long-term access to victim networks rather than immediate data theft.

Mandiant emphasized the attackers' sophisticated understanding of the targeted technology, prompting urgent recommendations for organizations to upgrade their Juniper devices.
Organizations are advised to use the Juniper Malware Removal Tool and implement secure authentication systems such as multifactor authentication to mitigate risks.
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-21590 to its catalog of actively exploited vulnerabilities, directing federal agencies to secure affected devices by early April.

Summary based on 7 sources
Sources

TechRadar pro • Mar 12, 2025
Chinese hackers targeting Juniper Networks routers, so patch now
The Register • Mar 12, 2025
Expired Juniper routers find new life – as Chinese spy hubs
BleepingComputer • Mar 13, 2025
Juniper patches bug that let Chinese cyberspies backdoor routers
The Hacker News • Mar 12, 2025
Chinese Hackers Breach Juniper Networks Routers With Custom Backdoors and Rootkits