China-Nexus Group Hacked Juniper Networks and Implant Backdoors on Its Routers

By GT | March 16, 2025 | Cybersecurity | 3 Mins Read

In a significant cybersecurity breach discovered in mid-2024, a sophisticated threat actor deployed custom backdoors on Juniper Networks’ Junos OS routers.

The intrusion represents an alarming development in the targeting of critical network infrastructure by nation-state actors, with potential implications for telecommunications and national security worldwide.

The affected Juniper MX routers were running end-of-life hardware and software, making them particularly vulnerable to such sophisticated attacks.

Analysts at Google’s Mandiant identified several TINYSHELL-based backdoors operating on the compromised routers and attributed these attacks to a China-nexus espionage group designated as UNC3886.

The group is known for its advanced capabilities and focus on targeting network devices and virtualization technologies with zero-day exploits.

Their interests appear primarily directed at defense, technology, and telecommunication organizations located in the United States and Asia.

The investigation revealed that UNC3886 leveraged legitimate credentials to gain privileged access to the routers and subsequently deployed six distinct malware variants across multiple Juniper MX devices.

These backdoors were designed to establish persistent access while evading detection, demonstrating the threat actor’s in-depth knowledge of Junos OS system internals.

Each backdoor implemented various capabilities including file transfer, remote shell access, and proxy functionalities.

One of the most concerning aspects of this attack was the group’s ability to circumvent Juniper’s Verified Exec (veriexec) protection system.

This kernel-based file integrity subsystem is designed to protect the operating system against unauthorized code execution.

However, UNC3886 successfully bypassed this protection using a process injection technique tracked as CVE-2025-21590.

Malware Analysis

The attackers employed a sophisticated approach by modifying open-source TINYSHELL backdoor code to create customized malware for the Junos OS environment.

One sample named “appid” communicated with hardcoded command and control servers including TCP://129.126.109.50:22 and TCP://116.88.34.184:22, encrypting all network traffic with AES using a hard-coded key.

The malware supported various commands for file transfer, shell access, and proxy establishment:

tshd_get_file # Sends a file to the server
tshd_put_file # Downloads a file from the server
tshd_runshell # Launches an interactive /bin/sh shell session
tshd_setproxy # Establishes a SOCKS proxy to a given IP and port
tshd_config   # Change configuration menu

Particularly concerning was the “lmpad” backdoor that could execute an external script to inhibit logging by patching legitimate processes, effectively disabling auditing functions before operator activity and later restoring logs after disconnection.

This enabled the attackers to conduct hands-on activities without generating suspicious log entries, running commands like:

sed -i '' '/root/d' /var/log/interactive-commands
sed -i '' -e '/vi/d' -e '/set/d' -e '/gdb/d' -e '/mgd/d' /root/.history
sed -i '' '/root/d' /var/log/messages
sed -i '' '/root/d' /var/log/auth
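Line deletion of this kind is only invisible if the on-box file is the sole copy. The following added example (not from the article or from Mandiant) shows the detection check a defender would run: diff the device's log against the copy an off-box syslog collector received, and test whether the missing lines share a selector that no surviving line has. The hostnames, PIDs and log lines are constructed, and an existing remote syslog feed is assumed.

```python
import re
from collections import Counter

# Constructed sample: what the off-box syslog collector received from the router.
REMOTE_LOG = """\
Mar 10 01:12:03 mx1 mgd[4012]: UI_CMDLINE_READ_LINE: User 'admin', command 'show interfaces'
Mar 10 01:13:47 mx1 mgd[4012]: UI_CMDLINE_READ_LINE: User 'root', command 'start shell'
Mar 10 01:14:02 mx1 sshd[5123]: Accepted password for root from 192.0.2.10 port 51234 ssh2
Mar 10 01:15:30 mx1 mgd[4012]: UI_CMDLINE_READ_LINE: User 'admin', command 'show version'
"""

# Constructed sample: the same file read back from the device after every line
# containing 'root' was removed, i.e. the effect of "sed -i '' '/root/d' <log>".
LOCAL_LOG = """\
Mar 10 01:12:03 mx1 mgd[4012]: UI_CMDLINE_READ_LINE: User 'admin', command 'show interfaces'
Mar 10 01:15:30 mx1 mgd[4012]: UI_CMDLINE_READ_LINE: User 'admin', command 'show version'
"""

_TOKEN = re.compile(r"[A-Za-z0-9._-]+")


def missing_lines(remote: str, local: str) -> list[str]:
    """Lines present in the off-box copy but absent from the on-box copy.
    A Counter (multiset) keeps legitimately repeated lines from being flagged."""
    local_counts = Counter(local.splitlines())
    missing = []
    for line in remote.splitlines():
        if local_counts[line] > 0:
            local_counts[line] -= 1      # matched a surviving on-box line
        else:
            missing.append(line)         # scrubbed on the device, or lost in transit
    return missing


def scrub_pattern(remote: str, local: str) -> list[str]:
    """Tokens shared by every missing line and present in no surviving line.
    Random loss yields nothing; a '/root/d'-style deletion yields ['root']."""
    gone = missing_lines(remote, local)
    if not gone:
        return []
    common = set.intersection(*(set(_TOKEN.findall(l)) for l in gone))
    kept_tokens = set().union(*(set(_TOKEN.findall(l)) for l in local.splitlines()))
    return sorted(common - kept_tokens)


if __name__ == "__main__":
    print(f"{len(missing_lines(REMOTE_LOG, LOCAL_LOG))} line(s) missing on device")
    print("selective deletion keyed on:", scrub_pattern(REMOTE_LOG, LOCAL_LOG))
```

The same comparison applies to /var/log/interactive-commands and /var/log/auth, provided those files are also forwarded off-box before an operator session begins.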

The compromise of these critical routing devices highlights a dangerous trend in espionage operations, granting attackers long-term, high-level access to crucial infrastructure with potential for more disruptive actions in the future.

Organizations are strongly advised to upgrade their Juniper devices to the latest images and implement robust security measures to protect their network infrastructure.
