Chinese APT UNC3886 Targeted All Four Singapore Telecoms in Espionage Campaign

Singapore's Cyber Security Agency (CSA) has disclosed that the China-linked cyber espionage group UNC3886 conducted a deliberate campaign against the country's entire telecommunications sector, targeting all four major operators — M1, SIMBA Telecom, Singtel, and StarHub.

The disclosure follows comments made over six months ago by Singapore's Coordinating Minister for National Security, who publicly attributed the activity to UNC3886. The group has been active since at least 2022 and is known for targeting edge devices and virtualization technologies to gain initial access to high-value networks.

Zero-Day Exploit and Rootkit Deployment

CSA described UNC3886 as an APT with "deep capabilities" and outlined multiple intrusion techniques observed across the campaign.

In one case, the group used a zero-day exploit to bypass a perimeter firewall and exfiltrate a small amount of technical data to support further operations. The specific vulnerability was not disclosed.

In a second instance, UNC3886 deployed rootkits to establish persistent access and conceal their presence within compromised networks. The attackers gained unauthorized access to portions of telco networks and systems, including infrastructure classified as critical, though the CSA assessed the intrusions were not severe enough to disrupt services.

Operation CYBER GUARDIAN

CSA launched a coordinated defensive operation dubbed CYBER GUARDIAN to counter the threat and restrict the attackers' lateral movement across telecom networks. Defenders have since closed off UNC3886's access points and expanded monitoring capabilities across all four targeted operators.

The agency stated there is no evidence that the group exfiltrated personal data such as customer records or disrupted internet availability.

Overlap with Known Campaigns

UNC3886's tactics align with previous reporting. In July 2025, Sygnia published details of a long-running espionage campaign attributed to a cluster it tracks as Fire Ant, which shares tooling and targeting overlaps with UNC3886. That research documented the group's pattern of infiltrating VMware ESXi and vCenter environments as well as network appliances — infrastructure commonly found in telecommunications providers.

The campaign reinforces the group's focus on strategic targets within critical infrastructure, particularly telecommunications and virtualization platforms that provide broad visibility into network traffic and communications.
