China-Nexus Group Hacks Juniper Networks, Installs Backdoors on Routers

by Charline

New York, United States, March 15, 2025 — A cybersecurity breach in mid-2024 revealed that a China-linked espionage group implanted backdoors on Juniper Networks’ Junos OS routers, targeting vital network infrastructure. The attack involved outdated Juniper MX routers, which were vulnerable to the advanced attack methods used by the group, UNC3886.

The attackers gained access using legitimate credentials and deployed six different malware variants to maintain persistent access. These backdoors provided remote shell access, file transfer capabilities, and proxy functions, and evaded detection by bypassing Juniper’s Verified Exec protection system through a process injection method.

The group modified TINYSHELL backdoor code to create malware tailored for Junos OS, with one variant, “appid,” communicating with command servers and encrypting network traffic. Another backdoor, “lmpad,” enabled the attackers to erase logs, concealing their activities.

This attack highlights the growing threat to critical infrastructure. Organizations using Juniper devices are advised to update to the latest software versions and strengthen their network security to prevent similar breaches.
