An advanced persistent threat group linked to China has been injecting persistent backdoors in end-of-life routers after gaining root access
Threat researchers have released findings showing that a China-linked advanced persistent threat (APT) group has been deploying custom malware on a line of Juniper Networks routers.
In July 2024, Mandiant attributed to UNC3886, an espionage group linked to China, the deployment of custom TINYSHELL-based backdoors on Junos OS routers (made by Juniper Networks); the implants came to light after the affected routers had caused complaints in the field.
The backdoors had varying custom capabilities, including active (connecting out to attacker infrastructure) and passive (waiting for a trigger) backdoor functions, as well as an embedded script that could disable logging mechanisms on the target device so that the operator's activity left no trace in the router's logs.
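A backdoor that switches logging off cannot stop the absence of logs from being noticed. One defensive check that follows from this is to watch a router's syslog feed for unexplained silence. The script below is an added example written for this article, not tooling from Juniper, Mandiant or the reporting team; the log lines are constructed, the host name edge-rtr1 and the 15-minute expected interval are assumptions, and the timestamp format assumes the collector writes ISO-8601 times rather than the default syslog month/day format.

```python
"""Flag silent logging gaps per router in a syslog feed.

Added example for this article (not vendor or Mandiant code).
Sample feed and thresholds are constructed assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample feed: edge-rtr1 normally logs every few minutes,
# then goes quiet for over two hours with no reboot or commit explaining it.
SAMPLE_FEED = """\
2025-03-12T10:00:05 edge-rtr1 mgd[4311]: UI_COMMIT_PROGRESS: Commit operation in progress: commit complete
2025-03-12T10:05:11 edge-rtr1 sshd[5120]: SSHD_LOGIN_FAILED: Login failed for user 'ops' from host '198.51.100.23'
2025-03-12T10:12:40 edge-rtr1 rpd[2210]: bgp_peer_state: peer 203.0.113.9 changed state from OpenConfirm to Established
2025-03-12T12:30:02 edge-rtr1 sshd[6002]: SSHD_LOGIN_FAILED: Login failed for user 'ops' from host '198.51.100.23'
2025-03-12T12:35:00 edge-rtr1 mgd[6100]: UI_COMMIT: User 'ops' requested 'commit' operation
"""

# Assumption: a healthy device is expected to emit something at least this often.
EXPECTED_INTERVAL = timedelta(minutes=15)


def parse_line(line):
    """Split '<iso-timestamp> <host> <rest>' into (datetime, host, rest)."""
    ts_str, host, rest = line.split(" ", 2)
    return datetime.fromisoformat(ts_str), host, rest


def find_logging_gaps(feed, max_gap=EXPECTED_INTERVAL):
    """Return one dict per silence longer than max_gap, grouped by host.

    Each dict carries the host, the gap boundaries, its length in whole
    minutes, and the last message seen before the silence so an analyst
    can judge whether anything (reboot, commit) explains it.
    """
    by_host = {}
    for raw in feed.splitlines():
        if not raw.strip():
            continue
        ts, host, msg = parse_line(raw)
        by_host.setdefault(host, []).append((ts, msg))

    gaps = []
    for host, events in by_host.items():
        events.sort()  # syslog collectors do not always deliver in order
        for (t0, m0), (t1, m1) in zip(events, events[1:]):
            if t1 - t0 > max_gap:
                gaps.append({
                    "host": host,
                    "start": t0,
                    "end": t1,
                    "minutes": int((t1 - t0).total_seconds() // 60),
                    "last_before": m0,
                })
    return gaps


if __name__ == "__main__":
    for g in find_logging_gaps(SAMPLE_FEED):
        print(f"{g['host']}: silent {g['minutes']} min "
              f"({g['start'].time()} -> {g['end'].time()}); last event: {g['last_before']}")
```

The check is deliberately simple: it does not try to identify the implant, only the gap the implant's log-suppression script would create. Tune the interval per device class (a busy ISP edge router logs far more often than a quiet lab box), and treat a gap that is not bounded by a reboot or a commit as something to investigate on the device itself rather than in the collector.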
The affected routers were subsequently found to be running end-of-life hardware and software. Other findings from the investigation, conducted with Mandiant, include:
- How did the attackers plant malware on routers protected by Veriexec, the Junos OS file-integrity subsystem that blocks execution of unsigned binaries? The evidence points to a previously compromised root credential as the prelude to implantation. At least one vulnerability contributed to the successful attack: CVE-2025-21590, a process memory injection issue in the Junos OS kernel that lets a local attacker who already has shell access inject code into a trusted running process, sidestepping the on-disk signature check.
- The search for other vulnerabilities that may have been exploited was constrained by the forensic evidence available to the team, and complicated by the fact that the target devices were running out-of-support versions of Junos OS.
- The activity was attributed to UNC3886 because Mandiant had reported the same group deploying similar custom malware on virtualization platforms and network edge devices in 2022 and 2024. The group shows a deep understanding of the underlying technology of the appliances it targets.
- No evidence indicated successful exploitation of Veriexec bypass techniques that Juniper had already addressed in supported software and hardware. Instead, a novel process injection technique was found on compromised end-of-life routers running out-of-support Junos OS; in each case the threat actors had obtained root access to the device before the implant was installed.
- This latest attack demonstrates that UNC3886 is now also targeting internal networking infrastructure, such as Internet Service Provider (ISP) routers, where a persistent foothold would affect far more traffic than a single organisation's edge device.
- The attacks are assessed as unrelated to the other China-linked campaigns tracked as Volt Typhoon and Salt Typhoon.
This campaign also highlights the importance of keeping network devices updated. Juniper Networks has issued patches for the vulnerability, but out-of-support releases do not receive them: affected devices must be upgraded to a supported release to be protected. Because the implants were installed using already-compromised root credentials, patching alone is not sufficient; those credentials should be rotated and the devices checked for the implants.