UNC3886: Unmasking the Stealthy Cyber Espionage. Here is what we know about it. A Quick look.


UNC3886: Unmasking the Stealthy Cyber Espionage. Here is what we know about it. A Quick look.

In the shadowy realm of cyber espionage, UNC3886 stands out as a formidable adversary. This highly adept Chinese threat actor has honed its skills in exploiting zero-day vulnerabilities, leaving no room for complacency. Our investigation sheds light on their latest maneuvers, where they employ Linux rootkits to remain hidden within VMware ESXi VMs. Let’s dissect their tactics and implications.


The Reptile Connection

UNC3886’s toolkit includes two open-source Linux rootkits: Reptile and Medusa. These stealthy companions allow the threat actor to maintain undetected access to compromised systems. Today, we focus on Reptile, a user-mode component with multifaceted capabilities:

  1. Hiding Files, Processes, and Network Connections: Reptile deftly conceals its tracks, ensuring that its presence remains elusive. Whether it’s files, processes, or network activity, this rootkit operates in the shadows.

The Zero-Day Vulnerability (CVE-2023-20867)

UNC3886’s pièce de résistance is a zero-day vulnerability (CVE-2023-20867) that grants them privileged command execution across Windows, Linux, and PhotonOS guest VMs on compromised ESXi hosts. The absence of guest credentials authentication and default logging on guest VMs provides them with a cloak of invisibility.

VMCI Communication Sockets: Lateral Movement Unleashed

But UNC3886 doesn’t stop there. They leverage VMCI (Virtual Machine Communication Interface) communication sockets for lateral movement. This alternative address family allows direct reconnection from any guest VM to the compromised ESXi host’s backdoor, bypassing network segmentation and firewall rules.

Tampering with Logging Services

To further confound investigators, UNC3886 tampers with and disables logging services on impacted systems. Their persistence lies in these subtle yet effective maneuvers, presenting additional challenges to those seeking to unmask them.


As we peel back the layers of UNC3886’s cyber espionage operations, we recognize their sophistication. Reptile, the zero-day vulnerability, and VMCI sockets form a potent trifecta, enabling UNC3886 to operate undetected. Organizations must remain vigilant, fortifying their defenses against such stealthy adversaries.

Remember, in the ever-evolving landscape of cyber threats, knowledge is our best armor. Stay informed, stay secure! 

You think you have a story worth everyone’s time? SUBMIT A STORY and we will publish it.

Share this content:

Post Comment