Security Intel Hub

UNC3886

Overview

China-nexus espionage actor targeting network edge devices and hypervisors. Exploits zero-days in Fortinet, VMware, and Juniper. Deploys firmware-level implants for persistence.

MITRE ATT&CK Coverage

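Tactics: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact

3 of 14 tactics observed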

Raw TTPs

Network Edge Exploitation, Zero-Day Usage, Firmware Persistence, Hypervisor Targeting, Custom Rootkits

Related Intelligence (3)

CRITICAL | Zero Day | Exploited

UNC3886 Deploys Firmware Rootkit on Juniper MX Routers via Zero-Day

UNC3886 exploits Juniper Junos zero-day to deploy firmware-level rootkits on MX-series routers. Implant survives software upgrades and factory resets.

CVE-2026-29001 | Juniper MX Series
3d ago | Mandiant

CRITICAL | Vulnerability | Exploited

Critical Fortinet FortiManager Flaw Enables Managed Firewall Takeover

CVE-2026-48788 allows registration of rogue FortiGate devices to FortiManager, enabling config push to entire managed firewall estate.

CVE-2026-48788 | FortiManager 7.4
Mar 21, 2026 | Fortinet PSIRT / Mandiant

HIGH | APT | Exploited

UNC3886 Linked to VMware vCenter Exploitation Campaign Targeting Defense Sector

UNC3886 exploits known VMware vCenter vulnerabilities to deploy VirtualPita and VirtualPie backdoors across defense contractor virtualization infrastructure.

CVE-2025-22224, CVE-2025-22225 | VMware vCenter Server
Mar 15, 2026 | Mandiant / Microsoft

Origin: China

Activity
First Seen: 2022
Last Active: 2026-03-18

Target Industries: government, defense, telecommunications, technology

Linked Reports: 3

© 2026 Security Intel Hub. All rights reserved. Intelligence data sourced from verified public sources.