
A China-linked cyber espionage group, tracked as UNC3886, has been found targeting end-of-life Juniper Networks MX routers to deploy custom backdoors and rootkits. The campaign reflects a growing trend of state-sponsored actors compromising internal networking infrastructure, such as routers, to gain persistent access that endpoint security tools rarely see.
According to a report by Google-owned Mandiant, UNC3886 has a history of exploiting zero-day vulnerabilities in Fortinet, Ivanti, and VMware devices. The group’s recent focus on Juniper routers underscores its evolving tradecraft, allowing hackers to operate undetected in high-value networks across defense, technology, and telecommunications sectors in the U.S. and Asia.
Mandiant researchers revealed that the attackers deployed six TinyShell-based backdoors, named appid, to, irad, lmpad, jdosd, and oemd, each serving a distinct function. Between them, the implants execute commands remotely, disable logging on the device, and provide long-term access to compromised routers. Their use of TinyShell, an open-source C-based backdoor, gives the tooling a generic appearance and makes attribution harder.
The attackers first obtained privileged shell access to the routers through a terminal server used to manage network devices, authenticating with legitimate credentials rather than an exploit. Junos OS' Verified Exec (veriexec) protection blocks execution of unsigned binaries, so instead of dropping an executable the hackers injected their malicious code into the memory of a legitimate, already-running process. That foothold let them modify logs and run backdoors such as lmpad without tripping the integrity controls.
Beyond these implants, UNC3886 also deployed the Reptile and Medusa rootkits, PITHOOK to hijack SSH authentication and capture credentials, and GHOSTTOWN for anti-forensics. Together these tools gave the hackers deep, long-term control over the targeted routers and the networks behind them.
The attack bears similarities to a separate campaign called J-Magic, which involved a different China-linked group, UNC4841. However, security experts note no direct connection between the two groups, though shared malware tactics and infrastructure are common among China-backed cyber actors.
Juniper Networks launched Project RedPenguin in July 2024 to investigate these intrusions. It identified CVE-2025-21590, an improper isolation vulnerability in the Junos OS kernel that allows a local attacker who already holds high privileges to inject arbitrary code and compromise the integrity of the device. Note that this is a post-authentication flaw, not the initial access vector: the attackers got in with valid credentials and used the weakness to run unsigned code. The flaw has since been patched in multiple Junos OS release trains.
Juniper categorized jdosd and irad as remote access toolkits, lmpad as a local access toolkit, and appid, to, and oemd as TinyShell-based remote access trojans. All six were designed to maintain persistent access to compromised devices.
Mandiant's analysis highlights UNC3886's deep expertise in Junos OS internals and its focus on long-term stealth. By tampering with logs and forensic artifacts on the device itself, the group keeps its presence hidden for extended periods, which is why evidence held only on the router cannot be trusted once it is suspected of compromise.
Organizations using Juniper routers are urged to upgrade to a fixed Junos OS release, run Juniper's Malware Removal Tool (JMRT) Quick Scan and Integrity Check after upgrading, segment the management network, and replace standalone local passwords with stronger, centrally managed authentication. As cyber espionage groups continue to evolve, proactive security strategies are crucial to mitigating the risk.
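The mitigations above, together with the log tampering described earlier (lmpad disabling logging, GHOSTTOWN cleaning up artifacts), come down to three Junos controls: ship logs off-box so on-device tampering cannot erase the record, restrict who can reach the management plane, and authenticate against a central AAA server so a single stolen local password is not enough. The following is an added hardening example written for this article; it is not configuration from the Mandiant report or the Juniper advisory. The addresses 192.0.2.0/24, 192.0.2.10 and 192.0.2.20, the filter name PROTECT-RE and the TACACS+ secret are placeholders to be replaced with your own values.

```junos
/* Added hardening example, not from the Mandiant or Juniper advisories. */
/* 192.0.2.0/24 = management network, 192.0.2.10 = syslog collector,     */
/* 192.0.2.20 = TACACS+ server. All are placeholders.                     */
system {
    /* Off-box logging: a copy on the collector survives lmpad/GHOSTTOWN */
    /* tampering on the router. Local files are kept for convenience.   */
    syslog {
        host 192.0.2.10 {
            any info;
            authorization info;
            interactive-commands info;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    /* Central AAA first; local passwords only as a last-resort fallback. */
    authentication-order [ tacplus password ];
    tacplus-server {
        192.0.2.20 {
            /* placeholder shared secret, replace before committing */
            secret "REPLACE-ME";
            source-address 192.0.2.1;
        }
    }
    services {
        ssh {
            root-login deny;
            protocol-version v2;
            connection-limit 5;
            rate-limit 3;
        }
    }
}
/* Management-plane filter: only the management subnet may open SSH to */
/* the Routing Engine; every other SSH attempt is logged and dropped.  */
firewall {
    family inet {
        filter PROTECT-RE {
            term mgmt-ssh {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term drop-other-ssh {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    syslog;
                    discard;
                }
            }
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
            }
        }
    }
}
```

Applying the filter to lo0 protects the Routing Engine regardless of which physical interface the traffic arrives on. The same PROTECT-RE approach should be extended to the other management protocols in use (NETCONF, SNMP), and the terminal server itself, which in this campaign was the stepping stone to the routers, belongs on the restricted management subnet with the same central authentication and off-box logging.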