RedPenguin · C0056 · state
🇨🇳 CN
aka RedPenguin
Run by UNC3886
Last updated: 2026-07-03
1 attributed CVEs
32 ATT&CK techniques
4.3 IDF score (tooling uniqueness)
1 exclusive CVEs
2025 years active
About this actor
The [RedPenguin](https://attack.mitre.org/campaigns/C0056) project was launched by Juniper in July 2024 to investigate reported malware infections of Juniper MX Series routers. [RedPenguin](https://attack.mitre.org/campaigns/C0056) activity was separately attributed to [UNC3886](https://attack.mitre.org/groups/G1048) and included the deployment of multiple custom versions of the publicly-available TINYSHELL backdoor on Juniper routers.(Citation: Juniper RedPenguin MAR 2025)(Citation: Mandiant UNC3886 Juniper Routers MAR 2025)
Source: MITRE ATT&CK
Activity timeline
- 2025 — 1 CVE published, 1 KEV added
Profile
| CVE | Risk | CVSS | EPSS | Published | Products |
|---|---|---|---|---|---|
| CVE-2025-21590 KEV | 10.0 | 4.4 | 0.0274 | 2025-03-12 | see CVE |
Mitigating controls (NIST 800-53)
| Control | Techniques covered | Coverage |
|---|---|---|
| SI-4 | 22 / 32 | 69% |
| CM-6 | 21 / 32 | 66% |
| SI-3 | 20 / 32 | 62% |
| CM-2 | 18 / 32 | 56% |
| CA-7 | 17 / 32 | 53% |
| CM-7 | 16 / 32 | 50% |
| AC-3 | 15 / 32 | 47% |
| SC-7 | 13 / 32 | 41% |
| AC-4 | 11 / 32 | 34% |
| AC-6 | 11 / 32 | 34% |
| SI-7 | 11 / 32 | 34% |
| AC-2 | 10 / 32 | 31% |
| SI-10 | 8 / 32 | 25% |
| AC-5 | 6 / 32 | 19% |
| AC-17 | 5 / 32 | 16% |
Co-occurring actors
None.
Similar actors
Similar TTPs
- KV Botnet Activity 0.25
- ArcaneDoor 0.24
- UNC3886 0.23
- Darkhotel 0.22
- Tropic Trooper 0.21
Active in same years
- ArcaneDoor 1.00
- SharePoint ToolShell Exploitation 1.00
- Kimsuky 1.00
- Volt Typhoon 1.00
Same nation-state
- Night Dragon 1.00
- FunnyDream 1.00
- Operation Wocao 1.00
- C0017 1.00
- Cutting Edge 1.00
Same category
- Night Dragon 1.00
- FunnyDream 1.00
- C0011 1.00
- Operation Wocao 1.00
- Operation Dream Job 1.00