June 11, 2026
The Hackers Who Hid Inside Your Router — and Nobody Noticed for a Year
Pop123
Inside UNC3886's Ghost Campaigns: A China-linked espionage group that quietly embedded itself into the backbone of the internet, gave its malware the names of innocent system daemons, and turned your forgotten hardware into a permanent spy post.
Imagine a burglar who doesn't pick your lock.
Instead, they befriend the building superintendent, get a copy of the master key, and move into the maintenance closet. They've been there for eight months. They read every piece of mail that passes through the building. They leave no trace.
Now imagine that burglar doing this to the routers that carry the internet traffic of defense contractors, telecommunications companies, and government agencies, and naming their tools things like jdosd and oemd: file names so boringly routine that no engineer would blink twice.
That is the story of UNC3886. And the audacity only grows from there.
Why This Is Not Your Typical Hack Story
On March 12, 2025, Google's Mandiant threat intelligence unit published a report they titled, with unusual bluntness — "Ghost in the Router."
The title was earned.
Mandiant researchers revealed that a China-linked espionage group had been silently operating inside Juniper Networks' Junos OS routers since at least mid-2024. Not on the network attached to the routers. Not on servers behind the routers. Inside the routers themselves — one of the most foundational, least-scrutinized pieces of infrastructure in any enterprise.
The numbers are secondary to the method, but they still land hard:
- Six distinct malware families, all derived from a single open-source seed, each engineered for a different phase of the attack.
- Targeted sectors: Defense, technology, and telecommunications — the three sectors whose secrets are worth the most to a nation-state adversary.
- Primary geography: United States and Asia-Pacific.
- Duration of undetected operation: Months, across multiple organizations, before Mandiant's investigation surfaced it.
"UNC3886 has in-depth knowledge of advanced system internals… demonstrating their expertise in stealth operations." — Mandiant, Google Cloud Threat Intelligence
Who Is UNC3886?
Mandiant uses the prefix UNC — Uncategorized — for threat clusters that are real and dangerous but not yet definitively tied to a specific government program. For UNC3886, however, the indicators are clear enough that Mandiant classifies it as a China-nexus group with high confidence.
The profile fits a familiar pattern:
- Zero-day expertise: UNC3886 doesn't wait for public vulnerability disclosures. It finds its own. It was using a Fortinet zero-day (CVE-2022-41328) as far back as 2023 before pivoting to Juniper.
- Network device obsession: While most espionage groups target laptops and email servers, UNC3886 specifically hunts the infrastructure itself — firewalls, VPN appliances, and now core ISP-grade routers.
- Deliberate stealth over speed: Unlike ransomware gangs that want to be noticed, UNC3886 prioritizes invisibility above everything else. They are not here to make a point. They are here to listen.
- Expansion from edge to core: Previous campaigns went after edge devices — the network perimeter. This campaign moved inward, targeting internal ISP-grade routing hardware that no one expects to be a threat vector.
The shift is significant. If edge devices are the front door, core routers are the plumbing. Compromising them means watching all the traffic, not just what crosses the perimeter.
The Entry Point: Borrowed Keys, Not Broken Locks
Every intrusion begins somewhere. UNC3886 chose a deceptively mundane entry strategy: they didn't exploit a dramatic zero-day to break in. They stole credentials.
Mandiant's investigation found that UNC3886 gained initial access by compromising network authentication services — specifically targeting TACACS+ (Terminal Access Controller Access-Control System), the protocol that enterprise networks use to authenticate administrator logins to routers and switches.
Think of TACACS+ as the keycard system for your entire network device fleet. If you own the authentication server, you own the keys to every router that trusts it.
Once inside the authentication layer, the attackers harvested legitimate credentials, used those credentials to reach the Juniper MX routers directly, and then did something that should have been impossible.
They started writing malware to the filesystem.
The Veriexec Problem: A Security Feature Turned Inside Out
Juniper's Junos OS comes with a built-in protection called Veriexec — a file integrity monitor that prevents unauthorized binaries from executing. It's a robust defense. If a file isn't in the trusted registry, it doesn't run.
UNC3886 solved this problem elegantly and without triggering a single alert.
Instead of trying to run a new binary — which Veriexec would have blocked — they injected malicious code into the memory of a process that was already trusted.
The router saw a legitimate process running. The logs showed nothing suspicious. The malware was already inside, operating within the permissions of a trusted system daemon, invisible to the file integrity monitor because it never touched the filesystem as an executable.
This technique was novel enough that Juniper assigned it its own CVE: CVE-2025-21590.
The delivery mechanism itself was almost comically low-tech: attackers used a standard Unix "here document" — a shell scripting feature so old it predates the internet — to encode a base64 payload, decode it in memory, decompress it, and inject it into a running process. No exotic zero-day required. Just a deep understanding of how the operating system works combined with a technique hiding in plain sight for decades.
# Conceptual representation of the delivery technique:
# A "here document" feeds the encoded data straight into a pipeline,
# decoded and decompressed entirely in memory — never written to disk
# as an executable, never flagged by Veriexec.
cat << 'EOF' | base64 -d | gunzip | [inject into trusted process memory]
[base64-encoded payload]
EOF
Meet the Six: The TINYSHELL Family
Once inside, UNC3886 didn't deploy one backdoor. They deployed six, each purpose-built for a different task, all derived from the same open-source foundation: TinyShell, a minimal C-language backdoor originally published for legitimate security research.
Taking a simple, known tool and engineering six custom variants from it is a fingerprint. It tells you something about the group: they have serious developers, they reuse code efficiently, and they understand that bespoke malware built from innocuous open-source code is much harder to attribute than off-the-shelf commercial implants.
Here is what each variant was designed to do:
- REPTILE (active backdoor): persistent remote shell access.
- MEDUSA (passive backdoor): credential harvesting from SSH sessions.
- TINYSHELL, custom build (active/passive): encrypted file transfer and command execution.
- jdosd (passive backdoor): covert UDP/TCP channel for remote commands.
- oemd (passive backdoor): covert file transfer and command relay.
- GHOSTTOWN (anti-forensics tool): evidence destruction and log manipulation.
The naming convention for jdosd and oemd is deliberate. On a Junos OS system, legitimate daemons carry exactly these kinds of short, cryptic names. rpd for the routing protocol daemon. mgd for the management daemon. Two more nonsense-looking names in the process list would raise no flags for an administrator doing a quick review.
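A defender-side check for exactly this blind spot, written for this article (it is not Mandiant's or Juniper's tooling): it diffs a router's process table against a baseline captured from a known-good device of the same model and release, so names like jdosd and oemd stand out even though they look as routine as rpd and mgd. The two listings, the hostless process table format, and the expected daemon directories are constructed assumptions.

```python
import re

# Constructed listings in the style of Junos 'show system processes' (not real
# device output). The baseline is from a known-good router of the same model and
# release; the suspect listing adds two daemon-looking names and a second rpd.
BASELINE_PS = """\
  PID  TT  STAT      TIME COMMAND
 1710  -   S      0:42.11 /usr/sbin/rpd -N
 4421  -   Ss     0:03.50 /usr/sbin/mgd -N
 1605  -   S      0:10.02 /usr/sbin/chassisd -N
 1612  -   S      0:01.77 /usr/sbin/snmpd -N
  880  -   Ss     0:00.40 /usr/sbin/sshd
  701  -   Ss     0:02.13 /usr/sbin/syslogd -s
"""
SUSPECT_PS = BASELINE_PS + """\
 5120  -   S      0:00.09 /usr/sbin/jdosd -N
 5133  -   S      0:00.04 /var/tmp/oemd
 5140  -   S      0:00.12 /usr/sbin/rpd -N
"""

PS_LINE = re.compile(r"^\s*(?P<pid>\d+)\s+\S+\s+\S+\s+\S+\s+(?P<cmd>\S+)")
# Where Junos system daemons are normally launched from (assumption).
EXPECTED_DIRS = ("/usr/sbin/", "/sbin/", "/usr/libexec/")


def process_table(ps_text):
    """Map executable basename -> list of full paths seen in the listing."""
    table = {}
    for line in ps_text.splitlines():
        m = PS_LINE.match(line)
        if m:
            table.setdefault(m["cmd"].rsplit("/", 1)[-1], []).append(m["cmd"])
    return table


def audit_processes(baseline_text, current_text):
    """Diff a live process table against the known-good baseline."""
    base, cur = process_table(baseline_text), process_table(current_text)
    return {
        # Names that never appear on the known-good device (e.g. jdosd, oemd).
        "unknown_names": sorted(n for n in cur if n not in base),
        # Known daemons with more running copies than the baseline shows.
        "extra_instances": {n: len(p) for n, p in cur.items()
                            if n in base and len(p) > len(base[n])},
        # Anything started from outside the usual system directories.
        "unusual_paths": sorted(p for paths in cur.values() for p in paths
                                if not p.startswith(EXPECTED_DIRS)),
    }
```

The point of the baseline is that the allowlist is measured, not typed from memory: a reviewer who "knows" the daemon names is exactly who the jdosd/oemd naming is designed to fool.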
GHOSTTOWN deserves its own paragraph.
Its entire purpose is to make the investigation impossible. After an operation, GHOSTTOWN removes forensic artifacts — cleaned logs, wiped traces, no breadcrumbs. It's the equivalent of a burglar vacuuming the floor on the way out. Mandiant's investigation noted: in the compromised environments they examined, there was no observed evidence of data staging and exfiltration. Not because data wasn't taken but because the evidence of it taking place was removed.
PITHOOK: The SSH Credential Skimmer
One of the more creative tools in UNC3886's arsenal was PITHOOK — a custom SSH server replacement that quietly hijacked SSH authentications.
Instead of using a generic credential harvester, the attackers replaced the TACACS+ daemon binary — the authentication service itself — with a backdoored version that performed its legitimate function perfectly (so no one noticed anything wrong) while simultaneously capturing every credential that passed through it.
Normal Flow: Admin → SSH → TACACS+ daemon → Authenticate → Grant Access
UNC3886 Flow: Admin → SSH → BACKDOORED TACACS+ → Capture credential → Authenticate → Grant Access → Forward credential to attacker
The authentication still works. The admin gets in normally. The attacker gets a copy of every username and password that touches the system. It is a wiretap built into the lock itself.
The Logging Kill Switch
Perhaps the most chilling capability across the malware suite is simple: the ability to turn off the router's logging mechanisms entirely before conducting operations.
Multiple TINYSHELL variants carried embedded scripts designed specifically to disable Junos OS logging during active attacker sessions. The sequence would work roughly as follows:
- Attacker connects to the passive backdoor
- Logging is disabled via the embedded script
- Attacker conducts their operation (lateral movement, credential harvesting, traffic interception)
- Logging is re-enabled
- GHOSTTOWN cleans any residual artifacts
- Connection drops
From a defender's perspective, this is the nightmare scenario. The logs exist. They show the system running normally. The gap where the intrusion occurred simply… doesn't appear.
Why Routers? Why Now?
This is the strategic question worth sitting with.
Most enterprise cybersecurity is built around protecting endpoints — laptops, servers, cloud workloads. Endpoint Detection and Response (EDR) tools are mature, well-funded, and widely deployed. It has become genuinely difficult to operate undetected on a modern Windows or Linux server.
Routers are different. They run proprietary operating systems. They rarely have EDR agents. Security teams often lack the expertise to audit them deeply. And critically, end-of-life hardware is everywhere: budget constraints mean that enterprise networks frequently run routers years past the point where the vendor provides security patches.
UNC3886 didn't stumble onto this gap. They built a capability specifically designed to exploit it.
As Mandiant noted, this represents an explicit evolution in Chinese espionage tactics: a deliberate expansion from network edge devices to internal routing infrastructure. ISP-grade routers sit at the exact point where traffic from thousands of customers converges. Compromising one means passive access to an extraordinary volume of data without ever touching an endpoint.
It is, in intelligence terms, collection at the source.
Indicators of Compromise (IOCs)
If you are responsible for network infrastructure, hunt for these immediately.
Malware Process and File Names
REPTILE — Active backdoor, persistent shell
MEDUSA — Passive credential harvester
GHOSTTOWN — Anti-forensics, evidence destruction
jdosd — Passive backdoor, disguised as system daemon
oemd — Passive backdoor, disguised as system daemon
PITHOOK — SSH credential skimmer
System Indicators
CVE-2025-21590 — Juniper Junos OS process injection (Veriexec bypass)
Modified TACACS+ binary on router filesystem
Unexplained gaps or anomalies in router syslogs
Base64-encoded payloads in shell history
Replacement of legitimate routing daemons
YARA Rules
Mandiant published YARA detection rules for the TINYSHELL family variants. Search for these in Mandiant's full technical report (linked in References).
Cyber Defense Playbook: What To Do Right Now
1. Audit your end-of-life hardware immediately. UNC3886 specifically targeted routers running EOL hardware and software. If you have Juniper MX series routers that haven't been updated, treat them as potentially compromised. Upgrade or isolate.
2. Patch CVE-2025-21590. Juniper released a fix. If you haven't applied it, your routers are vulnerable to the exact memory injection technique UNC3886 used to bypass Veriexec. This is not optional.
3. Audit your TACACS+ infrastructure. Check the integrity of your TACACS+ daemon binaries. Compare file hashes against known-good baselines. Look for any replacement or modification of the authentication service binary.
4. Look for logging anomalies. Unexpected log gaps — periods where a device appears to have been running but produced no logs — are a red flag. Build alerting around unexpected logging interruptions.
5. Implement network device lifecycle management. Define a maximum EOL threshold for routers and enforce it. The effort of replacing a router is significant. The cost of having your core routing infrastructure backdoored for eight months is incalculably higher.
6. Check for GHOSTTOWN artifacts. If GHOSTTOWN was deployed, forensic evidence will be sparse by design. This means the absence of evidence should itself be treated as suspicious when other IOCs are present.
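The log-gap alerting in step 4, and the disable/operate/re-enable sequence described under The Logging Kill Switch, as an added example that is not from Mandiant's report or this article: a small detector that walks exported Junos syslog, flags silent stretches longer than a threshold, and records which interactive sessions were open when the device went quiet. The syslog excerpt, hostname, peer address and user are constructed; UI_LOGIN_EVENT and UI_LOGOUT_EVENT are the standard Junos login/logout message tags.

```python
import re
from datetime import datetime

# Constructed Junos-style syslog excerpt (not real device output). The router
# is clearly alive (routing daemon chatter before and after), yet it records
# nothing for 47 minutes while an administrator session is open.
SAMPLE_SYSLOG = """\
Mar 12 09:00:05 mx-core1 sshd[4410]: Accepted password for netops from 10.0.5.20 port 51122 ssh2
Mar 12 09:00:06 mx-core1 mgd[4421]: UI_LOGIN_EVENT: User 'netops' login, class 'j-super-user'
Mar 12 09:01:10 mx-core1 rpd[1710]: bgp_recv: peer 10.0.9.1 keepalive
Mar 12 09:02:10 mx-core1 rpd[1710]: bgp_recv: peer 10.0.9.1 keepalive
Mar 12 09:49:33 mx-core1 rpd[1710]: bgp_recv: peer 10.0.9.1 keepalive
Mar 12 09:50:02 mx-core1 mgd[4421]: UI_LOGOUT_EVENT: User 'netops' logout
Mar 12 09:51:10 mx-core1 rpd[1710]: bgp_recv: peer 10.0.9.1 keepalive
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<msg>.*)$")
LOGIN_RE = re.compile(r"UI_LOGIN_EVENT: User '([^']+)' login")
LOGOUT_RE = re.compile(r"UI_LOGOUT_EVENT: User '([^']+)' logout")


def find_log_gaps(syslog_text, max_silence_s=600, year=2025):
    """Return silent stretches longer than max_silence_s seconds, each tagged
    with the interactive sessions that were open when the device went quiet."""
    gaps, prev_ts, open_sessions = [], None, set()
    for line in syslog_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a timestamped syslog line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if prev_ts is not None:
            silence = (ts - prev_ts).total_seconds()
            if silence > max_silence_s:
                gaps.append({"start": prev_ts, "end": ts, "seconds": int(silence),
                             "open_sessions": sorted(open_sessions)})
        # Track admin logins so a gap can be tied to whoever was on the box.
        login, logout = LOGIN_RE.search(m["msg"]), LOGOUT_RE.search(m["msg"])
        if login:
            open_sessions.add(login.group(1))
        elif logout:
            open_sessions.discard(logout.group(1))
        prev_ts = ts
    return gaps


if __name__ == "__main__":
    for g in find_log_gaps(SAMPLE_SYSLOG):
        print(f"{g['start']:%H:%M:%S} -> {g['end']:%H:%M:%S}: {g['seconds']} s "
              f"of silence; open sessions: {g['open_sessions']}")
```

A gap with an open session is the signature this playbook step is after; tune max_silence_s to the device's normal chatter rate, since a quiet lab router will trip a threshold a busy core box never would.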
Final Thoughts
The name Mandiant chose for their report — "Ghost in the Router" — is more than a dramatic headline. It is a precise operational description.
UNC3886 did not break into your network loudly. It did not encrypt your files and demand a ransom. It did not leave a calling card. It built a permanent, invisible presence inside infrastructure so foundational that most organizations had never thought to look there, running malware with names indistinguishable from system daemons, silencing logs before operating and cleaning up after itself on the way out.
The most dangerous adversary is not the one who makes noise. It is the one who moves through your infrastructure like a ghost — present in everything, visible in nothing.
Check your router processes. Check your TACACS+ binaries. Check your logs for gaps where there should be entries.
Because if UNC3886 has been through your network, the silence in your logs is the loudest thing in the room.
References & Further Reading
- Mandiant / Google Cloud — Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers (March 12, 2025)
- Juniper Networks — Security Advisory JSA93446 / CVE-2025-21590
- Computer Weekly — Chinese espionage group UNC3886 targets Juniper routers
- CSO Online — Chinese cyberespionage group deploys custom backdoors on Juniper routers