Chinese UNC3886 Actors Exploiting VMware, Fortinet 0-days For Spying

In 2021, UNC3886, a suspected China nexus cyber espionage actor, was found to be targeting strategic organizations on a large scale, utilizing multiple vulnerabilities in FortiOS and VMware to install backdoors on the infected machines.

Fortinet and VMware have released patches to fix the vulnerabilities.

However, further investigation of the attack vector revealed a sophisticated, cautious, and evasive threat actor that employed several layers of organized persistence on compromised machines.

This includes maintaining access to network devices, hypervisors, and virtual machines so that an alternative access channel remains available if one is lost.

Once they gained access to the compromised environment, they used publicly available rootkits for long-term persistence and also deployed malware to establish a connection with the command-and-control (C&C) server.


Further, they also extracted information from TACACS+ (Terminal Access Controller Access-Control System Plus) authentication using custom malware.

Zero-Day Exploitation

According to the reports shared with Cyber Security News, the UNC3886 threat actor has been exploiting the VMware vCenter vulnerability CVE-2023-34048 since 2021; it allows unauthenticated remote command execution on vulnerable vCenter machines.

Adding to this, there were several other vulnerabilities, such as:

  • CVE-2022-41328 – Path Traversal – used to download and execute backdoors on FortiGate devices.
  • CVE-2022-22948 – Information Disclosure – used to obtain encrypted credentials from vCenter’s postgresDB.
  • CVE-2023-20867 – Authentication Bypass – used to execute unauthenticated Guest Operations from a compromised ESXi host.
  • CVE-2022-42475 – Heap-based Buffer Overflow – used to execute unauthenticated arbitrary code or commands via specially crafted requests.

Further, several publicly available rootkits were used to establish long-term persistence. The rootkits used by UNC3886 are REPTILE, MEDUSA, and SEAELF.

REPTILE is an open-source Linux rootkit that provides backdoor access to a system.

This rootkit offers several capabilities: hiding files, processes, and network connections; listening for specially crafted TCP, UDP, or ICMP packets that activate it; and an LKM launcher that decrypts the actual kernel module code from a file and loads it into memory.

Although the rootkit is open source, the threat actor made several code changes to customize it to their needs.

Most of the code changes were made against code predating version 2.1, which was introduced on March 1, 2020.

One of the important changes identified was inside the LKM launcher: a new function that daemonizes a process.

MEDUSA is another open-source rootkit; it is implemented through dynamic linker hijacking via LD_PRELOAD.

The loader of MEDUSA is tracked as SEAELF. Two versions of MEDUSA were identified, both of which encrypt their configuration strings with XOR keys.

Further, several additional changes were seen in the MEDUSA configuration, which allow multiple distinct MEDUSA artifacts to be built from it.
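Because MEDUSA relies on LD_PRELOAD, the two places Linux reads preload entries from (/etc/ld.so.preload and each process's LD_PRELOAD variable) are the natural audit points. The following is an added detection example written for this article, not code from the report or from the rootkit; the set of trusted library directories is an assumption to be tuned per host.

```python
"""Audit for LD_PRELOAD-style dynamic linker hijacking (the MEDUSA technique).
Checks the two places a preloaded library is configured on Linux: /etc/ld.so.preload
and the LD_PRELOAD variable in each process environment, and reports any shared
object living outside the standard library directories."""
import glob
import os

# Assumption for this example: legitimate preloads live under these directories.
TRUSTED_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def suspicious_paths(paths):
    """Return the preload entries that live outside TRUSTED_DIRS."""
    return [p for p in paths if not p.startswith(TRUSTED_DIRS)]


def parse_ld_so_preload(text):
    """Parse ld.so.preload content: whitespace-separated paths, '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        entries.extend(line.split("#", 1)[0].split())
    return entries


def parse_environ(raw):
    """Extract LD_PRELOAD entries from a NUL-separated /proc/<pid>/environ blob."""
    for item in raw.split(b"\0"):
        if item.startswith(b"LD_PRELOAD="):
            value = item[len(b"LD_PRELOAD="):].decode(errors="replace")
            return value.replace(":", " ").split()  # ld.so accepts ':' or space separators
    return []


def scan_live():
    """Walk the running host and return {source: [suspicious paths]}."""
    findings = {}
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload", errors="replace") as f:
            hits = suspicious_paths(parse_ld_so_preload(f.read()))
        if hits:
            findings["/etc/ld.so.preload"] = hits
    for environ in glob.glob("/proc/[0-9]*/environ"):
        try:
            with open(environ, "rb") as f:
                hits = suspicious_paths(parse_environ(f.read()))
        except OSError:  # process exited, or not ours to read
            continue
        if hits:
            findings[environ] = hits
    return findings
```

Run scan_live() as root so every process environment is readable; an empty dict means nothing outside the trusted directories is being preloaded.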

Malware Usage

In addition to rootkits, the threat actor used several malware families, such as MOPSLED and RIFLESPINE. MOPSLED is a shellcode-based modular backdoor capable of communicating with the C2 over HTTP or over a custom binary protocol on TCP.

The core functionality of this backdoor is retrieving plugins from the C2 server; it uses the ChaCha20 encryption algorithm for its communications.

Moreover, UNC3886 was found deploying a Linux variant of this backdoor on vCenter servers and on some compromised endpoints that already had REPTILE installed.

RIFLESPINE is another cross-platform backdoor that uses Google Drive to transfer files and execute commands.

This backdoor uses the CryptoPP library to implement AES encryption of the data transmitted between the compromised machine and the threat actor.

Operation begins with the threat actor creating an encrypted file on Google Drive that contains the instructions RIFLESPINE should carry out once it runs on the compromised endpoint.

The command output is then encrypted, stored in a temporary file, and uploaded back to Google Drive.

The instructions supported by RIFLESPINE include the following:

  • Download a file with the get command.
  • Upload a file with the put command.
  • Set the next call-out time in milliseconds with settime.
  • Execute arbitrary commands via /bin/sh.

Indicators Of Compromise


Network-Based Indicators




Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
