June 20, 2024 By Bill Toulas

A suspected Chinese threat actor tracked as UNC3886 uses the publicly available open-source rootkits 'Reptile' and 'Medusa' to remain hidden on guest virtual machines running on VMware ESXi hosts, giving the group a covert foothold from which to conduct credential theft, command execution, and lateral movement.
Mandiant has been tracking the threat actor for a long time, previously reporting attacks on government organizations that exploited a Fortinet zero-day and two VMware zero-day vulnerabilities, each abused for extended periods before being patched.
A new report by Mandiant details UNC3886's use of these rootkits on virtual machines for long-term persistence and evasion, as well as custom malware tools such as 'Mopsled' and 'Riflespine,' which use GitHub and Google Drive respectively as command-and-control channels.
The most recent attacks by UNC3886, according to Mandiant, targeted organizations in North America, Southeast Asia, and Oceania, with additional victims identified in Europe, Africa, and other parts of Asia.