Nation-State · Critical · China (PRC)

UNC3886

Chinese state-sponsored (China-nexus, Mandiant designation) · Signals intelligence / telecoms infrastructure access

Reports: 1
Active Since: 2022
Last Reported: 22 May 2026
Sectors Targeted: communications, critical-infrastructure

Tactics, Techniques & Procedures (TTPs)

  • Zero-day exploitation of network edge devices — Fortinet FortiGate, VMware ESXi, Juniper routers
  • REPTILE Linux rootkit for deep kernel-level persistence
  • MEDUSA Linux rootkit for credential harvesting
  • VMware VMCI socket exploitation for hypervisor-to-guest lateral movement
  • Targeting of infrastructure outside standard EDR visibility (network appliances, hypervisors)
  • Living-off-the-land using native network device management tools

Known Targets

  • All four major Singapore telecommunications operators
  • Critical infrastructure operators (Southeast Asia)
  • Government networks accessible via compromised telecoms
  • Network edge devices and hypervisor infrastructure globally

Analyst Notes

Responsible for the compromise of all four major Singapore telecommunications operators, triggering Operation CYBER GUARDIAN — the largest coordinated cyber defence operation in Singapore's history. UNC3886 is notable for its exclusive focus on network edge devices and hypervisors, which sit outside the visibility of most enterprise EDR tools. The dual-rootkit approach (REPTILE for persistence, MEDUSA for credential theft) creates deep, resilient implants that survive reboots and patching cycles. Zero-day stockpiling against Fortinet and VMware platforms indicates substantial pre-campaign investment.

Also Known As

UNC3886 (Mandiant uncategorised cluster)