Clankerusecase
Threat-actor profile
 ← Back to main site
Home/ Threat Actors/ UNC3886

🌐UNC3886

🌐 UNC3886 is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 49 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G1048) ↗
14Use cases
0Articles
49Techniques
0IOCs

About this actor (MITRE)

[UNC3886](https://attack.mitre.org/groups/G1048) is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan (APJ) regions. [UNC3886](https://attack.mitre.org/groups/G1048) has displayed a deep understanding of edge devices and virtualization technologies through the exploitation of zero-day vulnerabilities and the use of novel malware families and utilities.(Citation: Mandiant Fortinet Zero Day)(Citation: Google Cloud Threat Intelligence VMWare ESXi Ze

Known aliases

UNC3886

Top techniques

T1003.001 · LSASS MemoryT1008 · Fallback ChannelsT1014 · Rootkit

All other tracked techniques

T1021.004 · SSHT1027.005 · Indicator Removal from ToolsT1036.004 · Masquerade Task or ServiceT1037 · Boot or Logon Initialization ScriptsT1037.004 · RC ScriptsT1040 · Network SniffingT1057 · Process DiscoveryT1059.001 · PowerShellT1059.003 · Windows Command ShellT1059.004 · Unix ShellT1059.006 · PythonT1059.012 · Hypervisor CLIT1068 · Exploitation for Privilege EscalationT1070.004 · File DeletionT1070.006 · TimestompT1070.007 · Clear Network Connection History and ConfigurationsT1074.001 · Local Data StagingT1078 · Valid AccountsT1078.001 · Default AccountsT1083 · File and Directory DiscoveryT1095 · Non-Application Layer ProtocolT1124 · System Time DiscoveryT1190 · Exploit Public-Facing ApplicationT1203 · Exploitation for Client ExecutionT1205 · Traffic SignalingT1205.001 · Port KnockingT1212 · Exploitation for Credential AccessT1218.011 · Rundll32T1505.006 · vSphere Installation BundlesT1548 · Abuse Elevation Control MechanismT1554 · Compromise Host Software BinaryT1555.005 · Password ManagersT1560.001 · Archive via UtilityT1560.003 · Archive via Custom MethodT1564.011 · Ignore Process InterruptsT1570 · Lateral Tool TransferT1587.001 · MalwareT1587.004 · ExploitsT1588.001 · MalwareT1588.004 · Digital CertificatesT1673 · Virtual Machine DiscoveryT1675 · ESXi Administration CommandT1681 · Search Threat Vendor DataT1685 · Disable or Modify ToolsT1686 · Disable or Modify System FirewallT1690 · Prevent Command History Logging

Detection use cases (14)

UNC3886 Linux rootkit (REPTILE / MEDUSA) install via /etc/ld.so.preload hook AI · profile SΣ UNC3886 ESXi/Linux rc.local persistence implant after SSH lateral movement from vCenter AI · profile S 1Password impossible-travel sign-in MITRE match Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Language-runtime server (node/python/java) spawns OS shell shortly after inbound request — eval / sandbox-escape exploitation chain MITRE match Linux LPE chain — anomalous algif_aead/esp4/esp6/rxrpc kernel-module load followed by same-user root transition MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package Manager Install Hook Spawns Scripting Interpreter Then Touches Credential Files or Egresses Off-Registry MITRE match