Threat Actor Profile
High APT
Description

UNC3886 is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan (APJ) regions. UNC3886 has displayed a deep understanding of edge devices and virtualization technologies through the exploitation of zero-day vulnerabilities and the use of novel malware families and utilities.(Citation: Mandiant Fortinet Zero Day)(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)

Confidence Score
90%
Known Aliases
UNC3886
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (49)
T1074.001 - Local Data Staging
Collection
T1560.001 - Archive via Utility
Collection
T1560.003 - Archive via Custom Method
Collection
T1008 - Fallback Channels
Command and Control
T1095 - Non-Application Layer Protocol
Command and Control
T1003.001 - LSASS Memory
Credential Access
T1040 - Network Sniffing
Credential Access
T1212 - Exploitation for Credential Access
Credential Access
T1555.005 - Password Managers
Credential Access
T1014 - Rootkit
Defense Evasion
T1027.005 - Indicator Removal from Tools
Defense Evasion
T1036.004 - Masquerade Task or Service
Defense Evasion
T1070.004 - File Deletion
Defense Evasion
T1070.006 - Timestomp
Defense Evasion
T1070.007 - Clear Network Connection History and Co…
Defense Evasion
T1078 - Valid Accounts
Defense Evasion
T1078.001 - Default Accounts
Defense Evasion
T1205 - Traffic Signaling
Defense Evasion
T1205.001 - Port Knocking
Defense Evasion
T1218.011 - Rundll32
Defense Evasion
T1562.001 - Disable or Modify Tools
Defense Evasion
T1562.003 - Impair Command History Logging
Defense Evasion
T1562.004 - Disable or Modify System Firewall
Defense Evasion
T1564.011 - Ignore Process Interrupts
Defense Evasion
T1057 - Process Discovery
Discovery
T1083 - File and Directory Discovery
Discovery
T1124 - System Time Discovery
Discovery
T1673 - Virtual Machine Discovery
Discovery
T1059.001 - PowerShell
Execution
T1059.003 - Windows Command Shell
Execution
T1059.004 - Unix Shell
Execution
T1059.006 - Python
Execution
T1059.012 - Hypervisor CLI
Execution
T1203 - Exploitation for Client Execution
Execution
T1675 - ESXi Administration Command
Execution
T1190 - Exploit Public-Facing Application
Initial Access
T1021.004 - SSH
Lateral Movement
T1570 - Lateral Tool Transfer
Lateral Movement
T1037 - Boot or Logon Initialization Scripts
Persistence
T1037.004 - RC Scripts
Persistence
T1505.006 - vSphere Installation Bundles
Persistence
T1554 - Compromise Host Software Binary
Persistence
T1068 - Exploitation for Privilege Escalation
Privilege Escalation
T1548 - Abuse Elevation Control Mechanism
Privilege Escalation
T1681 - Search Threat Vendor Data
Reconnaissance
T1587.001 - Malware
Resource Development
T1587.004 - Exploits
Resource Development
T1588.001 - Malware
Resource Development
T1588.004 - Digital Certificates
Resource Development
AI Threat Intelligence Report
April 29, 2026 14:31
Threat Intelligence Report: UNC3886

Automated AI-generated threat intelligence report for UNC3886.

STIX Data
{'aliases': ['UNC3886'],
 'created': '2025-05-29T20:48:42.051Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[UNC3886](https://attack.mitre.org/groups/G1048) is a '
                'China-nexus cyberespionage group that has been active since '
                'at least 2022, targeting defense, technology, and '
                'telecommunication organizations located in the United States '
                'and the Asia-Pacific-Japan (APJ) regions. '
                '[UNC3886](https://attack.mitre.org/groups/G1048) has '
                'displayed a deep understanding of edge devices and '
                'virtualization technologies through the exploitation of '
                'zero-day vulnerabilities and the use of novel malware '
                'families and utilities.(Citation: Mandiant Fortinet Zero '
                'Day)(Citation: Google Cloud Threat Intelligence VMWare ESXi '
                'Zero-Day 2023)',
 'external_references': [{'external_id': 'G1048',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G1048'},
                         {'description': 'Alexander Marvi, Brad Slaybaugh, Ron '
                                         'Craft, and Rufus Brown. (2023, June '
                                         '13). VMware ESXi Zero-Day Used by '
                                         'Chinese Espionage Actor to Perform '
                                         'Privileged Guest Operations on '
                                         'Compromised Hypervisors. Retrieved '
                                         'March 26, 2025.',
                          'source_name': 'Google Cloud Threat Intelligence '
                                         'VMWare ESXi Zero-Day 2023',
                          'url': 'https://cloud.google.com/blog/topics/threat-intelligence/vmware-esxi-zero-day-bypass/'},
                         {'description': 'Marvi, A. et al.. (2023, March 16). '
                                         'Fortinet Zero-Day and Custom Malware '
                                         'Used by Suspected Chinese Actor in '
                                         'Espionage Operation. Retrieved March '
                                         '22, 2023.',
                          'source_name': 'Mandiant Fortinet Zero Day',
                          'url': 'https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem'}],
 'id': 'intrusion-set--461b8e25-8f4a-4ea2-a4a8-e39df7ce6630',
 'modified': '2025-10-24T03:55:02.289Z',
 'name': 'UNC3886',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.3.0',
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '1.0'}