From a91734af6c630fddc09bbbaec5129cf90a979b13 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon <mathieu@feedly.com>
Date: Fri, 3 Nov 2023 11:13:11 +0100
Subject: [PATCH] [threat-actors] Add UNC3886

---
 clusters/threat-actor.json | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 1b0f32e..c0da976 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -12153,6 +12153,20 @@
       },
       "uuid": "b7497d28-02de-4722-8b97-1fc53e1d1b68",
       "value": "Winter Vivern"
+    },
+    {
+      "description": "UNC3886 is an advanced cyber espionage group with unique capabilities in how they operate on-network as well as the tools they utilize in their campaigns. UNC3886 has been observed targeting firewall and virtualization technologies which lack EDR support. Their ability to manipulate firewall firmware and exploit a zero-day indicates they have curated a deeper-level of understanding of such technologies. UNC3886 has modified publicly available malware, specifically targeting *nix operating systems.",
+      "meta": {
+        "refs": [
+          "https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem",
+          "https://www.mandiant.com/resources/blog/esxi-hypervisors-malware-persistence",
+          "https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass",
+          "https://www.mandiant.com/resources/blog/vmware-detection-containment-hardening"
+        ],
+        "country": "CN"
+      },
+      "uuid": "8c08dbe7-3ed0-4d7d-b315-22d8774a5bd9",
+      "value": "UNC3886"
     }
   ],
   "version": 288