G1048 Nation-stateour call,
not MITRE’s ATT&CK Group

UNC3886

How MITRE ATT&CK characterizes this group¹: UNC3886 is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan (APJ) regions. UNC3886 has displayed a deep understanding of edge devices and virtualization technologies through the exploitation of zero-day vulnerabilities and the use of novel malware families and utilities.

Origin / sponsor: not established from a curated public advisory — see Coverage & confidence. Not asserted here.

Read this as · tier is our editorial call, not MITRE’s

Read as a state-directed operator, not a smash-and-grab.

A nation-state classification means patience, tradecraft, and an intelligence objective. When this name attaches to a vulnerability, the question shifts from “will someone exploit it” to “has a well-resourced service already built it into an operation.” All tradecraft below is sourced to MITRE ATT&CK.

Techniques

ATT&CK count¹

Named tools / malware

ATT&CK count²

Attributed campaigns

ATT&CK count¹

Tactics spanned

ATT&CK count¹

~2024–2025approx.

Activity bounds (campaign floor)

approximate¹

Known for

— signature moves, each sourced to ATT&CK

CampaignRedPenguin. ATT&CK tracks this attributed operation as C0056.⁶⁰

ArsenalNamed tooling. ATT&CK attributes 8 tools/malware to this group, including VIRTUALPITA, VIRTUALPIE, REPTILE, MEDUSA.⁵²

ReachFurthest outcome. This actor's cited tradecraft reaches as far as outcome 4 — Data at risk — exfiltration. (editorial mapping over ATT&CK tactics).

Tradecraft heatmap

— ATT&CK techniques mapped onto the five attacker-outcome narratives

Each row is a documented technique (MITRE ATT&CK). Each column is one of the five attacker-outcome narratives a defender funds against. A filled cell means this technique’s own ATT&CK tactic defensibly advances that outcome. The mapping of technique→outcome is our editorial alignment over ATT&CK's tactic data, not a separately-sourced MITRE edge. A filled cell means one of the technique's own ATT&CK tactics defensibly advances that outcome; enabler tactics (C2, Defense Evasion, Discovery) heat no column.

1Front door

2Keys to the kingdom

3Lateral reach

4Data at risk

5Lights out

T1003.001 LSASS MemoryCredential Access

●

T1008 Fallback ChannelsCommand & Control

T1014 RootkitDefense Evasion

T1021.004 SSHLateral Movement

●

T1027.005 Indicator Removal from ToolsDefense Evasion

T1036.004 Masquerade Task or ServiceDefense Evasion

T1037 Boot or Logon Initialization ScriptsPersistence / Privilege Escalation

●

T1037.004 RC ScriptsPersistence / Privilege Escalation

●

T1040 Network SniffingCredential Access / Discovery

●

T1057 Process DiscoveryDiscovery

T1059.001 PowerShellExecution

●

T1059.003 Windows Command ShellExecution

●

T1059.004 Unix ShellExecution

●

T1059.006 PythonExecution

●

T1059.012 Hypervisor CLIExecution

●

T1068 Exploitation for Privilege EscalationPrivilege Escalation

●

T1070.004 File DeletionDefense Evasion

T1070.006 TimestompDefense Evasion

T1070.007 Clear Network Connection History and ConfigurationsDefense Evasion

T1074.001 Local Data StagingCollection

●

T1078 Valid AccountsInitial Access / Persistence / Privilege Escalation / Defense Evasion

●

T1078.001 Default AccountsInitial Access / Persistence / Privilege Escalation / Defense Evasion

●

T1083 File and Directory DiscoveryDiscovery

T1095 Non-Application Layer ProtocolCommand & Control

T1124 System Time DiscoveryDiscovery

T1190 Exploit Public-Facing ApplicationInitial Access

●

T1203 Exploitation for Client ExecutionExecution

●

T1205 Traffic SignalingPersistence / Defense Evasion / Command & Control

●

T1205.001 Port KnockingPersistence / Defense Evasion / Command & Control

●

T1212 Exploitation for Credential AccessCredential Access

●

T1218.011 Rundll32Defense Evasion

T1505.006 vSphere Installation BundlesPersistence

●

T1548 Abuse Elevation Control MechanismPrivilege Escalation / Defense Evasion

●

T1554 Compromise Host Software BinaryPersistence

●

T1555.005 Password ManagersCredential Access

●

T1560.001 Archive via UtilityCollection

●

T1560.003 Archive via Custom MethodCollection

●

T1562.001 Disable or Modify ToolsDefense Evasion

T1562.003 Impair Command History LoggingDefense Evasion

T1562.004 Disable or Modify System FirewallDefense Evasion

T1564.011 Ignore Process InterruptsDefense Evasion

T1570 Lateral Tool TransferLateral Movement

●

T1587.001 MalwareResource Development

T1587.004 ExploitsResource Development

T1588.001 MalwareResource Development

T1588.004 Digital CertificatesResource Development

T1673 Virtual Machine DiscoveryDiscovery

T1675 ESXi Administration CommandExecution

●

T1681 Search Threat Vendor DataReconnaissance

Reach: this actor’s cited techniques light columns 1·2·3·4 — furthest is 4 · Data at risk. (furthest-position idiom, reused from the landing map).

A dot = this technique advances that outcomeColumn 5 (Lights out) is empty — Compare: a ransomware or wiper actor lights column 5.

Editorial: the technique→outcome alignment is our call over ATT&CK’s tactic data, not a separately-sourced MITRE edge — same basis the landing page declares. Enabler tactics (C2, defense evasion, discovery) heat no column.¹

Arsenal

— named tools & malware ATT&CK attributes to this group

VIRTUALPITAS1217 · Malware

ATT&CK S1217 ↗

VIRTUALPIES1218 · Malware

ATT&CK S1218 ↗

REPTILES1219 · Malware

ATT&CK S1219 ↗

MEDUSAS1220 · Malware

ATT&CK S1220 ↗

MOPSLEDS1221 · Malware

ATT&CK S1221 ↗

RIFLESPINES1222 · Malware

ATT&CK S1222 ↗

THINCRUSTS1223 · Malware

ATT&CK S1223 ↗

CASTLETAPS1224 · Malware

ATT&CK S1224 ↗

Campaign highlights

— attributed operations in the ATT&CK record

RedPenguin — ATT&CK Campaign C0056

Attributed operation

ATT&CK records RedPenguin (C0056) — roughly 2024–2025 as an operation attributed to this group.⁶⁰

Open ATT&CK C0056 ↗

Latest activity

— with explicit confidence, and what we cannot yet claim

ATT&CK
snapshot

The most recent cited activity in this card is the ATT&CK record itself. We do not paste a “last seen this week” line we cannot source. Recency from secondary reporting appears here only when attached to a named advisory.

ATT&CK snapshot, compiled 2026-06-22Coverage gap — live “currently active” status not asserted

CVE ↔ actor bridge: no confirmed CVE link is established for this group. ATT&CK provides no first-class group→CVE relationship, so this card does not claim specific CVEs as “exploited by this actor” unless a named advisory says so. Absence of a CVE here is a coverage gap, never a clean bill — confirmed links surface as a cited, linked list as the advisory bridge grows.

Coverage & confidence

— what we know, and what we don’t

Established (cited)

Group identity, aliases, description — MITRE ATT&CK group page

49 techniques — ATT&CK technique pages (linked per row)

8 software (arsenal) — ATT&CK software pages

1 attributed campaign(s) — ATT&CK campaign pages

2 third-party research citations — ATT&CK external references

Coverage gaps — stated, not hidden

Origin/sponsor not established from a curated public advisory. ATT&CK prose may imply attribution but is not asserted here — absence of a curated source is a coverage finding, not a clean bill of attribution.

Threat tier is OUR editorial classification (rule-based), not a MITRE field — labeled as such.

Technique → outcome heatmap is editorial alignment over ATT&CK tactic data, not a separately-sourced MITRE edge.

Activity bounds are a floor from attributed-campaign dates only — flagged approx., not a true active-since range.

ATT&CK has no first-class group→CVE relationship; this card asserts no specific CVE without a named advisory.

Empty heatmap column(s): Lights out — consistent with this actor's nature, stated as a finding.