Not a single-incident model
UNC3886 is best read as an infrastructure-access actor model spanning network devices, security appliances, and virtualization control planes. It is not a single intrusion chronology or an endpoint-first malware brief.
The source pack directly supports Juniper routers and Junos OS, FortiGate, FortiManager, FortiAnalyzer, VMware ESXi, vCenter, VMware Tools, vSphere, and VMCI context.
TINYSHELL-family router backdoors, malicious ESXi VIBs, VMCI backdoors, Fortinet scripts, and guest operations all point to durable access inside infrastructure administrators trust.
The local context is a 13-file Google/Mandiant source pack. It is deep enough for a defensive model, but it is not a claim that every public UNC3886 source on the internet has been exhausted.
UNC3886 is best tested as a long-term infrastructure-access scenario. The highest-value exercise is not asking whether a workstation was compromised; it is asking whether routers, Fortinet management appliances, ESXi hosts, vCenter accounts, VMware Tools, and TACACS paths can prove what happened and what did not.
The local source pack also contains eight sector categories, five region categories, and five detection/log artifacts. Those values are useful for scoping hunts and tabletops, but the model keeps them separate from technical tradecraft so broad context does not become overconfident incident proof.
| Boundary | Included values | How to use it |
|---|---|---|
| Direct relationship corpus | 122 actor-scoped rows across uses, targets_product, targets_platform, exploits, abuses_service, detected_by, targets_sector, targets_region, and distinct_from. | Use these rows as the article's primary evidence inventory. |
| Modeled path | Initial access, management-plane pivot, and mission outcomes are ordered for defender testing. | Use the path as a tabletop and hunt model, not as a confirmed incident timeline. |
| Context-only sources | 2023-zero-day-trends, investigating-ivanti-exploitation-persistence, zero-days-exploited-2022, defensive hardening material, and broad sector reporting. | Use for caveats, response priorities, and scoping; do not convert to direct actor behavior without a UNC3886-scoped row. |
Green means directly extracted or quote-backed. Amber means modeled or caveated. Red means a useful validation gap. This page is an analyst-facing model for defenders, not a chronology.
Primary source anchors: Cloaked and Covert | Ghost in the Router | Fortinet malware ecosystem | ESXi hypervisor persistence
UNC3886 is treated as a China-nexus espionage actor with a demonstrated focus on stealthy, long-term access to network and virtualization technologies. Public reporting explicitly separates some activity from Volt Typhoon and Salt Typhoon overlap claims.
The core assets are management-plane systems: Juniper routers, Fortinet security appliances, ESXi hosts, vCenter, VMware Tools, VMCI, TACACS, and the credentials or service accounts that administer them.
The model centers on three boundaries: external or partner reachability into appliances, appliance-to-management-plane access, and ESXi-host-to-guest-VM operations through VMware Tools or VMCI.
This is the working threat model for UNC3886 across the source-pack articles. It converts normalized product, platform, detection, and hardening details into a defensive model while preserving caveats around broad trend context.
| Stage | Asset / surface | Entry point | Preconditions | Trust boundary crossed | Abuse case | Telemetry and controls |
|---|---|---|---|---|---|---|
| Caveated initial access | Internet-facing or partner-reachable appliances and virtualization services | Public-facing exploitation context including Juniper, Fortinet, VMware, and edge appliance reporting. | Management service reachable; vulnerable version or privileged access path exists. | External or semi-trusted path into infrastructure administration. | Convert a perimeter or appliance weakness into long-term management-plane access. | Exposure review, emergency patching, appliance access allowlists, edge/VPN correlation, and source-specific CVE validation. |
| Identity control | TACACS, vCenter service accounts, ESXi credentials, Fortinet administrator paths | Valid credentials, backdoored TACACS binary, or privileged service-account use. | Credentials are reusable or management authentication lacks strong monitoring. | Authenticated infrastructure identity into downstream control surfaces. | Blend into legitimate network and virtualization administration. | TACACS logs, vCenter events, ESXi authentication records, service-account review, MFA where supported, and privileged access separation. |
| Execution | Junos shell, Fortinet appliances, ESXi hosts, guest VMs | Shell commands, scripts, process injection, VMware Tools Guest Operations, or appliance file writes. | The actor has privileged device or management-plane access. | Management access into code execution on infrastructure systems. | Run commands where endpoint tooling may not exist or may be blind. | Junos shell audit, Fortinet file/process telemetry, ESXi hostd/vmsvc logs, VMware Tools debug logging, and guest process telemetry. |
| Persistence | Routers, ESXi boot profiles, VMCI sockets, Fortinet scripts and services | TINYSHELL backdoors, malicious VIBs, VMCI backdoors, CASTLETAP/TABLEFLIP/THINCRUST components, or Fortinet script persistence. | Write access to durable appliance, host, or service paths. | Runtime compromise into persistent infrastructure foothold. | Maintain stealthy access inside devices that are hard to reimage, inspect, or instrument. | Known-good baselines, VIB inventory, VMCI socket review, Junos and Fortinet filesystem comparison, YARA scanning, and service-state hardening. |
| Discovery and lateral movement | vCenter, ESXi, guest VMs, network device management, authentication services | VMware Tools operations, VMCI, SSH, TACACS, Nmap, appliance-to-management paths. | Network segmentation permits management-plane reachability. | One infrastructure surface into another management or guest context. | Identify systems, move through virtualization paths, and reach protected workloads without normal endpoint paths. | East-west management flows, vCenter task history, ESXi shell/SSH logs, VMCI activity, and appliance-to-vCenter traffic. |
| Data access and mission impact | Protected workloads, guest VMs, telecom/technology/government environments, DIB targets | Management-plane privileges or host-to-guest control. | Compromised infrastructure has enough access to inspect, stage, or influence sensitive systems. | Infrastructure control plane into enterprise data or operational continuity. | Collect data, maintain covert access, or preserve strategic espionage reach. | Guest access logs, SaaS/document repository review, privileged session correlation, and containment paths that protect operations. |
| Detection and hardening layer | YARA rules, VMware logs, Junos/Fortinet integrity checks, ESXi services | Detection artifacts do not prove compromise by themselves; they define what should be queryable. | Logs and files are retained and can be collected without destroying evidence. | Evidence capture into response decision-making. | Turn source-pack artifacts into actionable hunt and hardening work. | M_Hunting_TINYSHELL_5, M_Utility_GHOSTTOWN_1, M_APT_VIRTUALPITA_1, M_Hunting_Backdoor_CASTLETAP_1, /var/log/hostd.log, /tmp/vmsvc.log, /Windows/Temp/vmsvc.log, and ESXi lockdown/firewall/SSH checks. |
Review shell access, process injection, Veriexec bypass context, disabled logging mechanisms, TACACS binary integrity, and TINYSHELL-family artifacts on router filesystems and memory.
Review vCenter tasks, ESXi authentication, boot profiles, VIB inventory, VMCI sockets, VMware Tools Guest Operations, /var/log/hostd.log, and guest process telemetry.
Review FortiGate, FortiManager, and FortiAnalyzer command execution, file writes, scripts, SSH connections, THINCRUST/CASTLETAP/TABLEFLIP artifacts, and follow-on ESXi access.
| Family / tool | Role in this model | Behavioral notes | Evidence boundary |
|---|---|---|---|
| TINYSHELL | Router backdoor family anchor. | Reported as TINYSHELL-based backdoors on Juniper Junos OS routers with active/passive capabilities and logging-disruption context. | Use for router persistence, memory review, YARA scanning, and TACACS/logging validation. |
| GHOSTTOWN | Anti-forensics utility. | Useful as a detection and log-integrity validation point in the Juniper router context. | Supports forensic review and YARA hunting; not a standalone initial access claim. |
| VIRTUALPITA / VIRTUALPIE / VIRTUALGATE | VMware ecosystem persistence and execution context. | Tied to ESXi/vCenter/VMware Tools tradecraft, malicious VIBs, guest operations, and host-to-guest control paths. | Use for ESXi boot profile, VIB inventory, VMCI, and VMware Tools investigations. |
| THINCRUST / CASTLETAP / TABLEFLIP | Fortinet malware ecosystem. | Supports Fortinet appliance exploitation, persistence, command execution, and follow-on virtualization access review. | Keep Fortinet appliance evidence separate from VMware-only detections unless logs connect the stages. |
| REPTILE / MEDUSA / SEAELF | Rootkit/loader and persistence context. | Appears in network-device and cross-platform UNC3886 reporting as part of a broader stealth ecosystem. | Use for host integrity and persistence review; do not promote every observed host action into actor behavior on the strength of these names alone. |
| MOPSLED / LOOKOVER / VIRTUALSHINE / VIRTUALSPHERE / VIRTUALPEER | Additional operations context. | Useful for tool clustering, source-pack memory, and hunting pivots across reports. | Treat as source-backed tool context; require incident logs before path-specific conclusions. |
| Timeframe | What it means for defenders | Evidence status |
|---|---|---|
| Late 2021 onward | VMware vCenter exploitation context includes CVE-2023-34048 and long-running access concerns. | source-backed context |
| 2022 | ESXi hypervisor persistence reporting describes malicious VIBs and VMware guest operations. | source-backed context |
| 2023 | Fortinet and VMware reporting expands the model into FortiGate/FortiManager/FortiAnalyzer and ESXi/vCenter paths. | source-backed context |
| Mid 2024 | Mandiant reports discovery of custom backdoors on Juniper Junos OS routers attributed to UNC3886. | source-backed context |
| 2025 source reporting | Juniper, VMware, and zero-day review material reinforces product/platform scoping and caveats. | current source-pack context |
This graph shows source-backed entity relationships and one modeled management-plane pivot. It is meant for analyst reasoning, not a timeline.
China-nexus espionage actor with a focus on virtualization technologies, network devices, and security appliances.
Direct product and platform relationships from operational articles.
Malware and utilities tied to router, Fortinet, ESXi, and VMware operations.
Movement into guest VMs, sensitive workloads, SaaS/document access, or exfiltration should only be promoted with environment-specific logs.
| Relationship | Source layer | Provenance | Confidence | Evidence note |
|---|---|---|---|---|
| UNC3886 targets Juniper routers / Junos OS | Juniper article | explicit | high | Backdoors operating on Juniper Networks Junos OS routers are attributed to UNC3886 in the source pack. |
| UNC3886 targets FortiGate / FortiManager / FortiAnalyzer | Fortinet article | explicit | high | Fortinet appliance exploitation and custom malware are direct product context for the actor. |
| UNC3886 targets VMware ESXi / vCenter / VMware Tools / VMCI | VMware articles | explicit | high | ESXi, vCenter, VMware Tools, vSphere, and VMCI appear as direct platform relationships. |
| UNC3886 abuses TACACS | Juniper article | explicit | high | TACACS daemon replacement and credential capture are identity-control evidence. |
| UNC5221 / BRICKSTORM context is separate | caveat | context only | n/a | Keep BRICKSTORM, CVE-2025-0282, and UNC5221 material out of direct UNC3886 rows unless a source explicitly scopes the relationship to UNC3886. |
Technique rows group source-pack behavior into validation work. Status describes how the row should be used by defenders, not whether it happened in every victim environment.
| ID | Technique | Status | Source layers | Validation note |
|---|---|---|---|---|
| T1190 | Exploit Public-Facing Application | caveated | Juniper / Fortinet / VMware exploit reporting | Use for exposure review and CVE scoping. Keep first entry caveated unless victim logs prove it. |
| T1078 | Valid Accounts | observed theme | Fortinet, Juniper, VMware context | Map TACACS, vCenter, ESXi, and appliance service accounts to owners and logs. |
| T1059 | Command and Scripting Interpreter | observed theme | Junos shell, Fortinet scripts, VMware Guest Operations | Correlate management authentication with shell, script, hostd/vmsvc, and guest process events. |
| T1547 / T1505 | Autostart or server software persistence | modeled from evidence | Router backdoors, ESXi VIBs, Fortinet persistence | Turn source artifacts into known-good baseline checks for routers, appliances, and ESXi hosts. |
| T1021 | Remote Services | modeled from evidence | SSH, ESXi/vCenter, appliance management paths | Use as a trust-boundary test; require flow and auth logs before labeling movement. |
| T1016 / T1082 / T1083 | Discovery | observed theme | Fortinet and VMware tradecraft | Compare discovery commands with normal admin activity on appliances and hosts. |
| T1074 / T1560 | Staging and archive behavior | validation target | VMware/Fortinet source context | Promote only when staging or archive evidence appears in the victim timeline. |
/var/log/hostd.log, /tmp/vmsvc.log, and /Windows/Temp/vmsvc.log.
| Scenario | Logs needed | Analytic idea | Expected signal | False positives | Control that breaks it |
|---|---|---|---|---|---|
| VMware Tools Guest Operations from unexpected service account | vCenter events, ESXi authentication, hostd/vmsvc logs, guest process logs | Correlate service-account login to Guest Operations and guest process execution in a tight window. | Management-plane auth followed by VMware Tools activity and guest command execution. | Authorized backup, patching, or orchestration jobs. | Dedicated service accounts, least privilege, change-window correlation, and Guest Operations alerting. |
| Router logging disabled around TACACS activity | Junos logs, syslog config, TACACS logs, file integrity records, memory captures | Detect log configuration tampering or missing intervals around privileged shell activity. | Authentication activity plus log suppression, daemon replacement, or TINYSHELL hit. | Maintenance windows or logging pipeline outages. | Immutable log forwarding, TACACS binary integrity checks, and out-of-band router monitoring. |
| Fortinet appliance initiates ESXi access | Fortinet appliance logs, SSH records, ESXi auth, network flows | Alert when Fortinet management infrastructure reaches ESXi/vCenter outside approved patterns. | Suspicious file writes or commands on Fortinet followed by ESXi SSH/vCenter access. | Documented admin workflows or vendor support. | Segmentation, admin path allowlists, and appliance-to-virtualization access review. |
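The first scenario above, worked as an added example (not code from the source pack or from Mandiant): it correlates a management-plane login with a VMware Tools Guest Operation and a guest process start inside a tight window, and suppresses the chain only for approved service accounts inside their change window. The event shape, account names, VM names, addresses and change windows are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class Event:
    ts: datetime
    source: str   # which log produced it: vcenter, hostd/vmsvc, or guest process telemetry
    account: str  # principal as that source records it (guest events carry the guest-local user)
    kind: str     # login | guest_op | guest_proc
    target: str   # vCenter/host for logins, VM name for the guest stages
    detail: str


def ev(ts: str, source: str, account: str, kind: str, target: str, detail: str) -> Event:
    return Event(datetime.fromisoformat(ts), source, account, kind, target, detail)


# Constructed sample telemetry in the spirit of vCenter events, hostd/vmsvc logs and guest
# process logs. None of it comes from a real incident or from the source pack.
SAMPLE_EVENTS: List[Event] = [
    # Unapproved service account: login -> StartProgramInGuest -> guest shell within a minute.
    ev("2024-03-02T02:00:05", "vcenter", "svc-backup", "login", "vcenter01", "UserLoginSessionEvent from 10.10.5.21"),
    ev("2024-03-02T02:00:40", "vcenter", "svc-backup", "guest_op", "finance-db-01", "StartProgramInGuest"),
    ev("2024-03-02T02:00:52", "guest", "SYSTEM", "guest_proc", "finance-db-01", "cmd.exe /c whoami"),
    # Approved backup account inside its change window: same shape, must not alert.
    ev("2024-03-02T03:10:00", "vcenter", "svc-veeam", "login", "vcenter01", "UserLoginSessionEvent from 10.10.5.30"),
    ev("2024-03-02T03:10:20", "vcenter", "svc-veeam", "guest_op", "finance-db-01", "ListFilesInGuest"),
    ev("2024-03-02T03:10:30", "guest", "SYSTEM", "guest_proc", "finance-db-01", "vss-helper.exe"),
    # Interactive admin login with no Guest Operations afterwards: nothing to promote.
    ev("2024-03-02T09:15:00", "vcenter", "admin-j.doe", "login", "vcenter01", "UserLoginSessionEvent from 10.20.1.4"),
]

# Accounts allowed to drive Guest Operations, with their approved change windows (constructed).
APPROVED_WINDOWS: Dict[str, List[Tuple[datetime, datetime]]] = {
    "svc-veeam": [(datetime(2024, 3, 2, 3, 0), datetime(2024, 3, 2, 4, 0))],
}


def in_change_window(approved: Dict[str, List[Tuple[datetime, datetime]]], account: str, ts: datetime) -> bool:
    return any(start <= ts <= end for start, end in approved.get(account, []))


def detect_guest_ops_chains(events: List[Event], approved: Dict[str, List[Tuple[datetime, datetime]]],
                            window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Return one alert per Guest Operation that follows a management-plane login by the same
    principal within `window` and is not covered by an approved account/change window.
    The guest process stage is attached by VM name and time, because guest logs record the
    guest-local user rather than the vCenter principal."""
    events = sorted(events, key=lambda e: e.ts)
    logins = [e for e in events if e.kind == "login"]
    procs = [e for e in events if e.kind == "guest_proc"]
    alerts: List[dict] = []
    for op in (e for e in events if e.kind == "guest_op"):
        login = next((lg for lg in reversed(logins)
                      if lg.account == op.account and timedelta(0) <= op.ts - lg.ts <= window), None)
        if login is None:
            continue  # a Guest Operation with no login in window belongs to a separate log-gap hunt
        if in_change_window(approved, op.account, op.ts):
            continue  # authorized backup, patching or orchestration job
        proc = next((p for p in procs
                     if p.target == op.target and timedelta(0) <= p.ts - op.ts <= window), None)
        alerts.append({
            "account": op.account,
            "vm": op.target,
            "login_ts": login.ts,
            "op": op.detail,
            "guest_proc": proc.detail if proc else None,
            "reason": ("account not approved for Guest Operations" if op.account not in approved
                       else "approved account outside change window"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_guest_ops_chains(SAMPLE_EVENTS, APPROVED_WINDOWS):
        print(alert)
```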
| Question | Evidence that would confirm | Evidence that would weaken |
|---|---|---|
| Was the first foothold external, partner-reachable, or already internal? | Edge/VPN/appliance logs tied to the first suspicious management action. | No perimeter or partner access records before authenticated internal activity. |
| Did appliance access become VMware control? | vCenter or ESXi tasks, Guest Operations, VMCI activity, or service-account actions after appliance compromise. | No vCenter/ESXi/guest activity connected to the appliance timeline. |
| Was persistence present on infrastructure systems? | Malicious VIBs, router backdoors, Fortinet scripts, VMCI listeners, or YARA hits. | Clean baselines, no unexplained service/file changes, and no detections in preserved evidence. |
| Did the actor reach data or mission systems? | Staging, archive, document access, guest workload access, or unusual privileged sessions. | No data-plane evidence after management-plane compromise. |
Repeated claims are grouped here so readers can see how each source layer changes the model without turning context into incident proof. The local source pack has 122 direct UNC3886 relationship rows; the rows below group them by defensive meaning rather than repeating every extraction.
| Claim group | Source layer | Relationship basis | Evidence boundary | How to use it |
|---|---|---|---|---|
| Juniper router targeting | Network device tradecraft | targets_product, targets_platform, uses, exploits, abuses_service, distinct_from | Juniper routers, Junos OS, TINYSHELL-family backdoors, GHOSTTOWN, TACACS, CVE-2025-21590, Salt Typhoon / Volt Typhoon distinction context. | Primary evidence for router-focused persistence, TACACS review, Junos OS hardening, and source-specific caveats. |
| VMware privileged operations | VMware tradecraft | targets_platform, uses, exploits, detected_by | VMware ESXi, vCenter, VMware Tools, vSphere, VMCI, malicious VIBs, VIRTUALPITA, VIRTUALPIE, VIRTUALGATE, VMCI backdoors, and host/guest log paths. | Primary evidence for hypervisor persistence, Guest Operations detection, host-to-guest validation, and management-plane containment exercises. |
| Fortinet appliance ecosystem | Fortinet tradecraft | targets_product, targets_platform, uses, exploits, targets_sector | FortiGate, FortiManager, FortiAnalyzer, THINCRUST, CASTLETAP, TABLEFLIP, REPTILE, and follow-on virtualization access context. | Use for appliance forensics, Fortinet-to-VMware pivot validation, and separation of appliance compromise from downstream ESXi evidence. |
| Direct CVE model | Actor-scoped exploit rows | exploits | Six direct CVEs are in the model: CVE-2022-22948, CVE-2022-41328, CVE-2022-42475, CVE-2023-20867, CVE-2023-34048, and CVE-2025-21590. | Use these for actor-scoped exposure review. Treat all other CVEs as context until directly scoped to UNC3886. |
| Targeting context | Sector and region rows | targets_sector, targets_region | Defense Industrial Base, aerospace, defense, energy, government, technology, telecommunications, utilities; Africa, Europe, North America, Oceania, Southeast Asia. | Use for scoping tabletops and prioritizing environments. Do not treat sector and region rows as technical tradecraft. |
| Context-only source layers | Excluded from direct claims | zero direct UNC3886 rows or operational companion context | 2023-zero-day-trends, zero-days-exploited-2022, investigating-ivanti-exploitation-persistence, and VMware defensive hardening content are useful but bounded. | Use for caveats, exclusions, and response guidance. Do not promote UNC5221, BRICKSTORM, CVE-2025-0282, or broad trend claims into UNC3886 behavior. |
| CVE | Status in this article | Source layer | Boundary note |
|---|---|---|---|
| CVE-2022-22948 | direct UNC3886 | VMware / operations source layers | Actor-scoped exploit row; keep in the direct exposure model. |
| CVE-2022-41328 | direct UNC3886 | Fortinet and operations source layers | Actor-scoped exploit row; use for Fortinet appliance exposure review. |
| CVE-2022-42475 | direct UNC3886 | Fortinet / zero-day review source layers | Actor-scoped exploit row; keep direct but cite source boundaries. |
| CVE-2023-20867 | direct UNC3886 | VMware source layers | Actor-scoped exploit row; use for VMware Tools / Guest Operations review. |
| CVE-2023-34048 | direct UNC3886 | VMware vCenter source layers | Actor-scoped exploit row; use for vCenter exposure and historical access checks. |
| CVE-2025-21590 | direct UNC3886 | Juniper router source layer | Actor-scoped exploit row; use for Junos OS and router integrity review. |
| CVE-2025-0282 | context only / excluded | Ivanti / UNC5221 context | Do not model as a UNC3886 exploit from this local pack. |
| Other broad zero-day rows | context only | 2022/2023/2025 trend reports | Useful for exploitation background and ownership caveats; not direct actor evidence unless scoped to UNC3886. |
These are operational response priorities derived from source-pack hardening and detection material. They are not additional actor relationships.
Inventory internet-facing, partner-reachable, VPN-reachable, and broadly internal Juniper, Fortinet, ESXi, vCenter, and Ivanti management paths.
Track Juniper, Fortinet, VMware, and Ivanti product ownership separately from endpoint patch programs. Infrastructure owners need clear containment authority.
Routers and hypervisors may lose volatile evidence quickly. Preserve logs, memory, VIB inventories, service states, and VMCI indicators before remediation.
| Response item | Operational context | How this changes the model |
|---|---|---|
| Router integrity | Upgrade Juniper devices, run malware/integrity checks, and preserve TACACS/logging evidence. | Turns Juniper context into a concrete triage and containment workflow. |
| ESXi hardening | Review ESXi Shell, SSH, firewall exceptions, lockdown mode, VIBs, VMCI, and VMware Tools operations. | Converts VMware source-pack artifacts into a repeatable control backlog. |
| Fortinet containment | Review Fortinet management appliance logs, scripts, file writes, and downstream ESXi/vCenter access. | Prevents appliance response from stopping before follow-on virtualization checks. |
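The "known-good baselines" and "VIB inventory" items in the persistence and ESXi hardening rows, worked as an added example (not the source pack's or Mandiant's code): it parses output in the layout of `esxcli software vib list` and diffs it against a baseline recorded from a golden image, flagging added, drifted and removed VIBs and any VIB installed below the VMwareCertified/VMwareAccepted acceptance levels. The VIB names, versions and the EXAMPLE vendors are constructed.

```python
from typing import Dict, List, Tuple

# Acceptance levels a trusted ESXi image should be built from; anything weaker is reviewed.
STRONG_ACCEPTANCE = {"VMwareCertified", "VMwareAccepted"}

VibRecord = Tuple[str, str, str]  # (version, vendor, acceptance level)

# Known-good inventory captured from a golden image at build time (constructed values).
BASELINE: Dict[str, VibRecord] = {
    "esx-base": ("7.0.3-0.65.20842708", "VMW", "VMwareCertified"),
    "esx-ui": ("1.43.8-20025529", "VMware", "VMwareCertified"),
    "nvme-pcie": ("1.2.3.16-1vmw.703.0.20.19193900", "VMW", "VMwareCertified"),
    "vendor-raid-plugin": ("2.1.0-1OEM.703.0.0.18644231", "EXAMPLE-OEM", "PartnerSupported"),
}

# Constructed sample output in the layout of `esxcli software vib list` from a host under review.
CURRENT_VIB_LIST = """\
Name                Version                          Vendor       Acceptance Level  Install Date
------------------  -------------------------------  -----------  ----------------  ------------
esx-base            7.0.3-0.65.20842708              VMW          VMwareCertified   2023-01-12
esx-ui              1.43.8-20025529                  VMware       VMwareCertified   2023-01-12
nvme-pcie           1.2.3.16-1vmw.703.0.20.19193900  VMW          VMwareCertified   2023-01-12
vendor-raid-plugin  2.1.0-1OEM.703.0.0.18644231      EXAMPLE-OEM  PartnerSupported  2023-01-12
example-helper-vib  1.0.0-1                          EXAMPLE      PartnerSupported  2023-06-30
"""


def parse_vib_list(text: str) -> Dict[str, VibRecord]:
    """Parse `esxcli software vib list` style output into name -> (version, vendor, acceptance).
    No field contains spaces, so whitespace splitting is enough; the header and rule lines are skipped."""
    vibs: Dict[str, VibRecord] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "Name" or parts[0].startswith("-"):
            continue
        name, version, vendor, acceptance = parts[:4]
        vibs[name] = (version, vendor, acceptance)
    return vibs


def compare_vibs(current_text: str, baseline: Dict[str, VibRecord]) -> List[dict]:
    """Report VIBs added to, drifted from, or missing from the known-good baseline, plus any
    installed VIB below the strong acceptance levels that the baseline did not already carry."""
    current = parse_vib_list(current_text)
    findings: List[dict] = []
    for name, record in current.items():
        version, vendor, acceptance = record
        base = baseline.get(name)
        if base is None:
            findings.append({"vib": name, "finding": "not in baseline", "vendor": vendor, "acceptance": acceptance})
        elif base != record:
            findings.append({"vib": name, "finding": "drift from baseline", "expected": base, "actual": record})
        if acceptance not in STRONG_ACCEPTANCE and (base is None or base[2] != acceptance):
            findings.append({"vib": name, "finding": "weak acceptance level", "acceptance": acceptance})
    for name in sorted(baseline.keys() - current.keys()):
        findings.append({"vib": name, "finding": "missing from host"})
    return findings


if __name__ == "__main__":
    for finding in compare_vibs(CURRENT_VIB_LIST, BASELINE):
        print(finding)
```

A finding is a prompt to pull the VIB's descriptor and payload for review against the YARA rules and host logs listed elsewhere on this page, not proof of compromise on its own.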
This appendix keeps the heavier UNC3886 material: source roles, deduped products and platforms, CVE boundaries, log paths, YARA names, sectors, regions, and exclusions. It preserves rigor without slowing down the main threat model.
| Local source file | Role | Direct UNC3886 rows | Predicates present | Use in this model |
|---|---|---|---|---|
| 2023-zero-day-trends | context only | 0 | none | Use only for broad zero-day trend context and attribution caution. |
| 2025-zero-day-review | limited direct CVE context | 1 | exploits:1 | Use for one actor-scoped exploit row and broader trend caveats. |
| china-nexus-espionage-targets-juniper-routers | network device tradecraft | 14 | uses:6, targets_product:1, targets_platform:1, exploits:2, targets_sector:1, abuses_service:1, distinct_from:2 | Primary Juniper/Junos/TACACS/TINYSHELL source and Salt Typhoon / Volt Typhoon distinction anchor. |
| chinese-espionage-tactics | actor capability context | 14 | uses:7, exploits:2, targets_sector:4, distinct_from:1 | Use for broader China-nexus tradecraft context while preserving actor-specific boundaries. |
| chinese-vmware-exploitation-since-2021 | VMware exploitation context | 4 | targets_platform:2, exploits:2 | Use for VMware/vCenter exploit timing and historical exposure review. |
| esxi-hypervisors-malware-persistence | hypervisor persistence | 8 | uses:3, targets_platform:5 | Primary ESXi, vCenter, VMware Tools, VMCI, malicious VIB, and virtualized persistence source. |
| fortinet-malware-ecosystem | Fortinet tradecraft | 19 | uses:7, targets_product:3, targets_platform:3, exploits:1, targets_sector:5 | Primary FortiGate/FortiManager/FortiAnalyzer source and appliance-to-VMware pivot context. |
| investigating-ivanti-exploitation-persistence | context only | 0 | none | Use for Ivanti and UNC5221 exclusion context; do not promote CVE-2025-0282 into UNC3886. |
| threats-to-defense-industrial-base | sector context | 7 | targets_sector:7 | Use for Defense Industrial Base and sector scoping only, not technical path evidence. |
| uncovering-unc3886-espionage-operations | primary operations | 36 | uses:15, targets_product:1, targets_platform:4, exploits:5, targets_sector:5, targets_region:5, abuses_service:1 | Primary source-pack spine for cross-platform actor behavior, tools, products, platforms, regions, and caveats. |
| vmware-detection-containment-hardening | defensive companion | 5 | detected_by:5 | Use for log paths, containment, and hardening checks; not direct target attribution. |
| vmware-esxi-zero-day-bypass | VMware zero-day tradecraft | 14 | uses:4, targets_platform:5, exploits:2, targets_sector:3 | Use for ESXi/vCenter platform exposure, VMware bypass tradecraft, and related actor-scoped rows. |
| zero-days-exploited-2022 | context only | 0 | none | Use only for historical zero-day trend context and over-promotion control. |
| Relationship type | Count | Values | Boundary |
|---|---|---|---|
| tools / malware | 19 | CASTLETAP; GHOSTTOWN; INTFS; LOOKOVER; MEDUSA; MOPSLED; Nmap; REPTILE; RIFLESPINE; SEAELF; TABLEFLIP; THINCRUST; TINYSHELL; VIRTUALGATE; VIRTUALPEER; VIRTUALPIE; VIRTUALPITA; VIRTUALSHINE; VIRTUALSPHERE | Direct actor-scoped uses rows. These can drive hunts and family-specific evidence checks. |
| products | 4 | FortiAnalyzer; FortiGate; FortiManager; Juniper routers | Direct target product rows. Use for asset inventory and owner assignment. |
| platforms | 6 | Junos OS; VMCI; VMware ESXi; VMware Tools; VMware vCenter; vSphere | Direct platform rows. Use for management-plane and virtualization control checks. |
| services and detection paths | 6 | TACACS; /Windows/Temp/vmsvc.log; /tmp/vmsvc.log; /var/log; /var/log/hostd.log; /var/log/secure | TACACS is direct abuse-service evidence; log paths are detection/hardening artifacts. |
| sectors | 8 | Defense Industrial Base; aerospace; defense; energy; government; technology; telecommunications; utilities | Targeting context. Use for prioritization, not as technical tradecraft. |
| regions | 5 | Africa; Europe; North America; Oceania; Southeast Asia | Targeting context. Use for scoping and reporting, not as path evidence. |
| distinct-from context | 2 | Salt Typhoon; Volt Typhoon | Distinction rows only. Do not treat as aliases or merged activity. |
| Type | Value | Use |
|---|---|---|
| product | Juniper routers | Router targeting and Junos OS forensic review. |
| platform | Junos OS | Shell, Veriexec, process injection, and logging integrity. |
| product | FortiGate / FortiManager / FortiAnalyzer | Fortinet appliance compromise and management-plane pivot review. |
| platform | VMware ESXi / VMware vCenter / VMware Tools / vSphere / VMCI | Hypervisor persistence, Guest Operations, VMCI backdoors, and service-account controls. |
| service | TACACS | Authentication review and credential-capture validation. |
| Type | Value | Source layer |
|---|---|---|
| yara_rule | M_Hunting_TINYSHELL_5 | Juniper router context |
| yara_rule | M_Utility_GHOSTTOWN_1 | Juniper router context |
| yara_rule | M_APT_VIRTUALPITA_1 | VMware context |
| yara_rule | M_Hunting_Backdoor_CASTLETAP_1 | Fortinet context |
| log_path | /var/log/hostd.log | VMware hardening companion |
| log_path | /tmp/vmsvc.log | VMware hardening companion |
| log_path | /Windows/Temp/vmsvc.log | VMware hardening companion |
| log_path | /var/log/secure | VMware/Linux authentication review |
| log_path | /var/log | VMware/Linux and appliance log review root |
| Context value | Status | Why it stays separate |
|---|---|---|
| Ivanti exploitation reporting | context only | The local Ivanti source has zero direct UNC3886 relationship rows. |
| UNC5221 | excluded from UNC3886 | Use as separate actor context, not as a UNC3886 alias. |
| BRICKSTORM | excluded from direct tooling | Do not add to the UNC3886 tools list from this local pack. |
| CVE-2025-0282 | excluded from direct exploit model | Keep with Ivanti / UNC5221 context unless a direct UNC3886 row exists. |
| broad zero-day trend rows | context only | Use for background and caveats; promote only when the relationship is explicitly scoped to UNC3886. |