high_confidence

RedPenguin

The [RedPenguin](https://attack.mitre.org/campaigns/C0056) project was launched by Juniper in July 2024 to investigate reported malware infections of Juniper MX Series routers. [RedPenguin](https://attack.mitre.org/campaigns/C0056) activity was separately attributed to [UNC3886](https://attack.mitre.org/groups/G1048) and included the deployment of multiple custom versions of the publicly available TINYSHELL backdoor on Juniper routers.(Citation: Juniper RedPenguin MAR 2025)(Citation: Mandiant UNC3886 Juniper Routers MAR 2025)

Start date: 1 July 2024
End date: 1 March 2025
Techniques: 26

Attributed actors

Techniques (26)

command-and-control (8)
T1090 Proxy
T1205 Traffic Signaling
T1573.001 Symmetric Cryptography
T1104 Multi-Stage Channels
T1095 Non-Application Layer Protocol
T1105 Ingress Tool Transfer
T1571 Non-Standard Port
T1090.003 Multi-hop Proxy

credential-access (1)
T1040 Network Sniffing

defense-impairment (1)
T1690 Prevent Command History Logging

discovery (3)
T1057 Process Discovery
T1016 System Network Configuration Discovery
T1040 Network Sniffing

execution (3)
T1059.008 Network Device CLI
T1203 Exploitation for Client Execution
T1059.004 Unix Shell

exfiltration (1)
T1041 Exfiltration Over C2 Channel

initial-access (1)
T1078 Valid Accounts

persistence (3)
T1078 Valid Accounts
T1205 Traffic Signaling
T1554 Compromise Host Software Binary

privilege-escalation (2)
T1078 Valid Accounts
T1055 Process Injection

resource-development (1)
T1587.001 Malware

stealth (9)
T1014 Rootkit
T1070.007 Clear Network Connection History and Configurations
T1036.005 Match Legitimate Resource Name or Location
T1078 Valid Accounts
T1140 Deobfuscate/Decode Files or Information
T1070.004 File Deletion
T1205 Traffic Signaling
T1055 Process Injection
T1027.013 Encrypted/Encoded File

Indicators of compromise

No IOCs linked to this campaign yet.