Chinese Hackers Breach Juniper Networks Routers With Custom Backdoors and Rootkits
The China-nexus cyber espionage group tracked as UNC3886 has been observed targeting end-of-life MX routers from Juniper Networks as part of a campaign designed to deploy custom backdoors, highlighting their ability to focus on internal networking infrastructure.
"The backdoors had varying custom capabilities, including active and passive backdoor functions, as well as an embedded script that disables logging mechanisms on the target device," Google-owned Mandiant said in a report shared with The Hacker News.
The threat intelligence firm described the development as an evolution of the adversary's tradecraft, which has historically leveraged zero-day vulnerabilities in Fortinet, Ivanti, and VMware devices to breach networks of interest and establish persistence for remote access.
First documented in September 2022, the hacking crew is assessed to be "highly adept" and capable of targeting edge devices and virtualization technologies with the ultimate goal of breaching defense, technology, and telecommunication organizations located in the United States and Asia.
These attacks typically take advantage of the fact that such network perimeter devices lack security monitoring and detection solutions, thereby allowing them to operate unimpeded and without attracting attention.
Cybersecurity
"The compromise of routing devices is a recent trend in the tactics of espionage-motivated adversaries as it grants the capability for a long-term, high-level access to the crucial routing infrastructure, with a potential for more disruptive actions in the future," Mandiant said.
The latest activity, spotted in mid-2024, involves the use of implants that are based on TinyShell, a C-based backdoor that has been put to use by various Chinese hacking groups like Liminal Panda and Velvet Ant in the past.
"Groups like Velvet Ant and Liminal Panda may favor TinyShell for targeting Linux-based systems due to its lightweight nature and inherent compatibility," Austin Larsen, principal threat analyst at Google Threat Intelligence Group, told The Hacker News.
"As an open-source tool, it offers the benefits of being free, requiring less dedicated R&D than fully custom malware, and potentially making attribution more challenging for investigators. Its customizability also allows threat actors to adapt it with specific features needed for the targeted devices, offering a practical and less conspicuous option compared to more complex RATs like PlugX and ShadowPad."
Mandiant said it identified six distinct TinyShell-based backdoors, each carrying a unique capability -
appid (aka A Poorly Plagiarized Implant Daemon), which supports file upload/download, interactive shell, SOCKS proxy, and configuration changes (e.g., command-and-control server, port number, network interface, etc.)
to (aka TooObvious), which is same as appid but with a different set of hard-coded C2 servers
irad (aka Internet Remote Access Daemon), a passive backdoor that acts as a libpcap-based packet sniffer to extract commands to be executed on the device from ICMP packets
lmpad (aka Local Memory Patching Attack Daemon), a utility and a passive backdoor that can launch an external script to perform process injection into legitimate Junos OS processes to stall logging
jdosd (aka Junos Denial of Service Daemon), which implements a UDP backdoor with file transfer and remote shell capabilities
oemd (aka Obscure Enigmatic Malware Daemon), a passive backdoor that communicates with the C2 server via TCP and supports standard TinyShell commands to upload/download files and execute a shell command
It's also notable for taking steps to execute the malware by circumventing Junos OS' Verified Exec (veriexec) protections, which prevent untrusted code from being executed. This is accomplished by gaining privileged access to a router from a terminal server used for managing network devices using legitimate credentials.
The elevated permissions are then used to inject the malicious payloads into the memory of a legitimate cat process, resulting in the execution of the lmpad backdoor while veriexec is enabled.
Cybersecurity
"The main purpose of this malware is to disable all possible logging before the operator connects to the router to perform hands-on activities and then later restore the logs after the operator disconnects," Mandiant noted.
Some of the other tools deployed by UNC3886 include rootkits like Reptile and Medusa; PITHOOK to hijack SSH authentications and capture SSH credentials; and GHOSTTOWN for anti-forensics purposes.
Organizations are recommended to upgrade their Juniper devices to the latest images released by Juniper Networks, which includes mitigations and updated signatures for the Juniper Malware Removal Tool (JMRT).
The development comes a little over a month after Lumen Black Lotus Labs revealed that enterprise-grade Juniper Networks routers have become the target of a custom backdoor as part of a campaign dubbed J-magic that delivers a variant of a known backdoor named cd00r.
Larsen said this specific cluster of activity is attributed to a different threat group named UNC4841, and that there are no indications to suggest UNC4841 was involved in targeting the end-of-life Juniper Networks routers.
"While some malware families historically deployed by UNC3886 have also shown similar characteristics to those deployed by UNC4841, shared infrastructure and techniques among China-nexus cyber espionage actors isn't unusual," Larsen added.
In a coordinated advisory, Juniper Networks said it launched in July 2024 a project codenamed RedPenguin to investigate the infections aimed at MX Series routers, finding that at least one security vulnerability contributed to a successful attack such that it allowed the attackers to run malware on veriexec-protected routers. The flaw in question is CVE-2025-21590 (CVSS v4 score: 6.7).
"An Improper Isolation or Compartmentalization vulnerability in the kernel of Juniper Networks Junos OS allows a local attacker with high privileges to compromise the integrity of the device," Juniper said in an advisory. "A local attacker with access to the shell is able to inject arbitrary code which can compromise an affected device."
The vulnerability has been addressed in Junos OS versions 21.2R3-S9, 21.4R3-S10, 22.2R3-S6, 22.4R3-S6, 23.2R2-S3, 23.4R2-S4, 24.2R1-S2, 24.2R2, and 24.4R1.
The networking equipment maker also described jdosd and irad as remote access toolkits, lmpad as a local access toolkit specifically engineered to target Junos OS devices, and appid, to, and oemd as RATs based on TinyShell. All are designed with the same goal in mind: To provide persistent backdoors on long-running Junos OS devices.
"The malware deployed on Juniper Networks' Junos OS routers demonstrates that UNC3886 has in-depth knowledge of advanced system internals," Mandiant researchers said.
"Furthermore, UNC3886 continues to prioritize stealth in its operations through the use of passive backdoors, together with log and forensics artifact tampering, indicating a focus on long-term persistence, while minimizing the risk of detection."
(The story was updated after publication to include responses from Google Mandiant and an advisory from Juniper Networks.)