= UNC3886 =

UNC3886 is an advanced persistent threat group affiliated with the government of the People's Republic of China. First publicly identified in mid‑2023, it has been active since at least late 2021, targeting critical infrastructure globally.

== History ==
UNC3886 was first described by cybersecurity firm Mandiant in early 2023, following multiple global intrusions predominantly targeting virtualization and network security technologies. Subsequent investigations attributed the group to campaigns with state-sponsored espionage objectives. In July 2025, K. Shanmugam, Singapore's Coordinating Minister for National Security, stated that the country's critical infrastructure was attacked by UNC3886, confirming that the group's operations were ongoing at that time. Singapore's Cyber Security Agency (CSA) was deployed in response to the attacks.

In February 2026, CSA and the Infocomm Media Development Authority (IMDA) revealed that telecommunication companies in Singapore had come under attack from the group.

== Notable campaigns ==

=== VMware and Fortinet Campaigns (2022–2023) ===
UNC3886 exploited multiple zero-day vulnerabilities in FortiGate devices and VMware vCenter/Tools to establish footholds, deploy backdoors, and move laterally across enterprise virtualization infrastructure. Rootkits and credential theft facilitated long-term hidden access.

=== Juniper Routers (Mid‑2024 / 2025) ===
In mid-2024, UNC3886 compromised end-of-life (EOL) Juniper MX routers, using TinyShell variants to disable logs, inject code into trusted processes, and persist across device reboots. These attacks highlight the group's ability to tailor malware for embedded network devices.

=== Fire Ant Campaign (Early 2025) ===
Sygnia's investigation into the "Fire Ant" campaign found substantial overlaps with UNC3886's tooling, techniques, and victim profiles. Targets included VMware infrastructure, with persistent backdoors deployed after exploitation of the CVE-2023-34048 and CVE-2023-20867 vulnerabilities. Fire Ant's adaptive capabilities reflect ongoing UNC3886 operations in 2025.

== Reactions ==
The Chinese embassy in Singapore criticized local media for reporting that UNC3886 is linked to the Chinese government, accusing them of relying on unverified claims from a foreign cybersecurity firm.
