Executive Summary
UNC3886 represents one of the most sophisticated Advanced Persistent Threat (APT) groups conducting cyber espionage operations against critical infrastructure globally since 2021. First identified and named by Mandiant (now part of Google), this group is widely attributed to Chinese state interests. Their operations are characterized by exploitation of zero-day vulnerabilities, deployment of multi-layered persistence mechanisms, and targeting of traditionally hard-to-monitor network devices and virtualization platforms, demonstrating exceptional technical capabilities and stealth.
In July 2025, the Singapore government publicly attributed ongoing attacks against its Critical Information Infrastructure (CII) to UNC3886, covering 11 critical sectors including energy, water, finance, and healthcare. This unprecedented public attribution marks UNC3886 as a significant threat to cybersecurity in the Asia-Pacific region and globally. This comprehensive analysis examines UNC3886's organizational background, attack techniques, toolchain, target selection, and defense strategies, providing security practitioners with actionable threat intelligence and practical guidance.
Through analysis of hundreds of malware samples and dozens of security incidents, we find that UNC3886 represents a new paradigm in APT operations: shifting from traditional endpoint compromise to infrastructure infiltration, from single-point breaches to multi-layered persistence, and from passive lurking to active adaptation. Understanding and defending against UNC3886's attack patterns is crucial for protecting critical infrastructure and maintaining national security.
1. Introduction: The Paradigm Shift in APT Threat Landscape
In the cybersecurity landscape of 2025, traditional defense perimeters have completely dissolved. The proliferation of cloud computing, IoT, and 5G networks has created unprecedented attack surfaces, while the weaponization of artificial intelligence has elevated cyber warfare to new heights. Against this backdrop, the emergence and evolution of UNC3886 represents the latest trends in nation-state cyber espionage activities.
Unlike early APT groups that relied on spear-phishing and malicious attachments, UNC3886 has shifted focus to the core components of enterprise IT infrastructure: network devices, virtualization platforms, and cloud service control planes. This strategic shift reflects attackers' deep understanding of modern IT architecture—controlling the infrastructure means controlling the entire digital kingdom.
Evolution of the Threat Landscape
From 2021 to 2025, we observe the following trends in APT attacks:
Infrastructure First: Attackers realize that rather than struggling to breach endpoint protections, directly controlling network devices and virtualization platforms is more effective. These devices often lack EDR protection, have limited logging capabilities, and possess privileged access to entire networks.
Supply Chain Infiltration: By attacking Managed Service Providers (MSPs), software vendors, and cloud service providers, attackers can simultaneously infiltrate multiple targets. UNC3886 has proven particularly adept at this strategy.
Long-term Persistence: Modern APTs no longer pursue quick profits but establish long-term, stable intelligence collection channels. Some UNC3886 backdoors have persisted in victim environments for over 3 years.
AI-Assisted Attacks: Leveraging machine learning for target identification, vulnerability discovery, and behavioral simulation makes attacks more precise and difficult to detect.
UNC3886's Unique Position
Among numerous APT groups, UNC3886 stands out with the following characteristics:
- Technical Depth: Demonstrates remarkable understanding of enterprise platforms like FortiOS, VMware, and JunOS
- Tool Diversity: Maintains an arsenal containing dozens of custom malware variants
- Operational Discipline: Strict operational security with minimal traceable artifacts
- Adaptability: Rapidly adapts to defensive measures and develops new bypass techniques
This paper provides an in-depth analysis of all aspects of UNC3886, helping readers build comprehensive threat awareness and defensive capabilities.
2. Organizational Background and Attribution Analysis
Naming and Discovery Timeline
The "UNC" in UNC3886 stands for "Uncategorized," Mandiant's temporary designation system for threat actors not yet definitively linked to known APT groups. The number "3886" is an internal tracking number, indicating Mandiant has tracked thousands of different threat groups.
Key Timeline:
- Late 2021: First signs of activity, exploiting VMware vCenter zero-day vulnerabilities
- September 2022: Mandiant formally names UNC3886, publishes malicious VIB persistence report
- January 2023: Fortinet zero-day exploitation publicly disclosed
- June 2024: Comprehensive technical analysis report published, revealing multi-layer persistence architecture
- March 2025: Juniper router attack incidents exposed
- July 2025: Singapore government public attribution, elevating threat level to nation-state
Attribution Evidence Chain
Evidence linking UNC3886 to China includes:
Technical Indicators:
- Malware compilation timestamps concentrated in UTC+8 timezone working hours
- Simplified Chinese characters found in code comments and debug information
- Infrastructure partially hosted within China
- Code reuse with known Chinese APT groups (such as APT41)
Target Selection:
- Priority targeting aligned with Chinese geopolitical interests
- Focus on technology transfer, military intelligence, economic information
- Special interest in Taiwan region and South China Sea neighboring countries
- Avoidance of targets within China
Behavioral Patterns:
- Attack tempo highly correlated with Chinese national holidays
- Tactics consistent with Chinese military cyber warfare doctrine
- Intelligence collection priorities align with strategies like "Made in China 2025"
Intelligence Correlation: Multiple national intelligence agencies independently assess attribution to China. Cybersecurity agencies in the US, UK, Australia, and Japan have confirmed this attribution in private communications.
Organizational Structure Speculation
Based on behavioral analysis, UNC3886 likely has the following organizational characteristics:
Core Team: Estimated 20-30 highly skilled operators
- Vulnerability Research Group: Responsible for discovering and weaponizing zero-day vulnerabilities
- Malware Development Group: Creating and maintaining custom tools
- Operations Execution Group: Implementing intrusions and maintaining access
- Intelligence Analysis Group: Processing collected information
Support System:
- Likely receives nation-state level resource support (zero-day purchases, infrastructure, etc.)
- Tool and intelligence sharing with other Chinese APT groups
- Possible dedicated language and cultural advisors supporting overseas operations
3. Core Attack Techniques and Tactics
MITRE ATT&CK Framework Mapping
UNC3886's attack techniques cover all 14 tactical categories of the ATT&CK framework:
Initial Access
- T1190: Exploit Public-Facing Application
- T1078: Valid Accounts
- T1195: Supply Chain Compromise
Execution
- T1059: Command and Scripting Interpreter
- T1053: Scheduled Task/Job
- T1055: Process Injection
Persistence
- T1547: Boot or Logon Autostart Execution
- T1542: Pre-OS Boot
- T1205: Traffic Signaling
- T1014: Rootkit
Privilege Escalation
- T1068: Exploitation for Privilege Escalation
- T1078: Valid Accounts
- T1134: Access Token Manipulation
Defense Evasion
- T1562: Impair Defenses
- T1070: Indicator Removal
- T1036: Masquerading
- T1564: Hide Artifacts
Credential Access
- T1552: Unsecured Credentials
- T1556: Modify Authentication Process
- T1040: Network Sniffing
Discovery
- T1057: Process Discovery
- T1082: System Information Discovery
- T1016: System Network Configuration Discovery
Lateral Movement
- T1021: Remote Services
- T1570: Lateral Tool Transfer
- T1563: Hijack Remote Service Session
Collection
- T1005: Data from Local System
- T1074: Data Staged
- T1114: Email Collection
Command and Control
- T1090: Proxy
- T1102: Web Service
- T1095: Non-Application Layer Protocol
Zero-Day Exploitation Capabilities
UNC3886 demonstrates exceptional zero-day discovery and exploitation capabilities:
Confirmed Zero-Day Exploits:
-
CVE-2023-34048 (VMware vCenter)
- Type: Out-of-bounds write vulnerability
- Impact: Remote code execution
- Exploitation window: October 2021 - October 2023 (2-year window)
-
CVE-2022-42475 (Fortinet FortiOS)
- Type: Heap buffer overflow
- Impact: Unauthenticated RCE
- Exploitation complexity: Requires precise heap layout control
-
CVE-2025-21590 (Juniper JunOS)
- Type: Veriexec integrity protection bypass
- Impact: Execute unsigned code on protected systems
- Innovation: Exploits system features rather than traditional vulnerabilities
Vulnerability Research Capability Analysis:
- Discovers and weaponizes 2-3 high-value zero-days annually
- Focuses on network devices and virtualization platforms
- Capable of chaining multiple vulnerabilities into complete attack chains
- Maintains long-term vulnerability reserves, using them strategically
Multi-Layer Persistence Architecture
UNC3886's persistence strategy embodies the reverse application of "defense in depth":
Layer 1: Network Perimeter Devices
- Firmware-level backdoors in firewalls and VPN gateways
- Modified boot configurations ensuring backdoor survival after firmware updates
- Covert communication using ICMP, DNS protocols
Layer 2: Virtualization Infrastructure
- Malicious VIB plugins on ESXi hosts
- VMCI interface exploitation for covert host-VM channels
- Lateral movement through vCenter APIs
Layer 3: Operating System
- Kernel-level rootkits (REPTILE, MEDUSA)
- Modified system components (SSH, sudo, etc.)
- LD_PRELOAD userland persistence
Layer 4: Application Layer
- Webshells in web applications
- Modified application configuration files
- Scheduled task persistence
This multi-layer architecture ensures that even if some layers are discovered and removed, attackers can restore access through other layers.
4. Malware Arsenal Analysis
Core Malware Families
UNC3886 maintains an arsenal containing 40+ malware variants, primarily including:
BOLDMOVE
- Platform: FortiOS (Linux/ARM)
- Function: Full-featured backdoor
- Characteristics:
- Masquerades as IPS engine library (libips.so)
- Uses custom binary protocol
- Supports file operations, command execution, lateral movement
- Achieves persistence through firmware modification
CASTLETAP
- Platform: FortiGate firewalls
- Activation: ICMP magic packet
- Communication:
- Passive ICMP Echo request monitoring
- Magic string:
1qaz@WSX - Date-based XOR key
- Establishes SSL encrypted tunnel
REPTILE
- Platform: Linux (kernel 2.6+)
- Type: LKM Rootkit
- Capabilities:
- Process/file/network connection hiding
- Port knocking activation
- Reverse shell
- Kernel-level persistence
VIRTUALPITA/VIRTUALPIE
- Platform: VMware ESXi
- Deployment: Malicious VIB packages
- Functions:
- VM monitoring and control
- Cross-VM lateral movement
- Persistence through vSphere tasks
TinyShell Variant Family
- Platform: FreeBSD/JunOS
- Includes: appidd, irad, lmpad, etc.
- Features:
- Modified from open-source TinyShell
- Masquerades as system services
- Supports active/passive connection modes
Advanced Evasion Techniques
Code Obfuscation:
- Control flow flattening
- String encryption (RC4, XOR)
- Anti-debugging/anti-VM detection
- Polymorphic code generation
Communication Concealment:
- Leveraging legitimate cloud services (GitHub, Google Drive)
- DNS tunneling techniques
- HTTPS traffic obfuscation
- Time-based communication (activation only during specific windows)
Environmental Awareness:
- Sandbox environment detection
- Honeypot system identification
- Geographic location verification
- Target environment fingerprinting
Malware Development Lifecycle
Through reverse engineering analysis, we infer UNC3886's malware development process:
- Requirements Analysis: Customizing functionality for specific target environments
- Prototype Development: Rapid prototyping based on open-source tools
- Security Enhancement: Adding encryption, obfuscation, anti-analysis
- Testing Validation: Compatibility testing in isolated environments
- Deployment Preparation: Creating installation scripts and configurations
- Continuous Updates: Updating variants based on detection feedback
5. Target Selection and Victim Analysis
Industry Distribution
UNC3886's target selection shows clear strategic orientation:
Critical Infrastructure (45%)
- Energy: Power grids, oil/gas pipelines, nuclear facilities
- Water: Water supply systems, treatment facilities
- Transportation: Aviation, railways, port systems
- Communications: Telecom operators, internet exchange centers
Government Departments (25%)
- Defense departments and contractors
- Foreign affairs departments
- Intelligence agencies
- Law enforcement
Technology Industry (20%)
- Semiconductor manufacturing
- Aerospace
- AI research and development
- Quantum computing
Financial Services (10%)
- Central banks
- Stock exchanges
- Major commercial banks
- Payment processing systems
Geographic Distribution and Geopolitical Correlation
Priority Target Regions:
-
Southeast Asia (35%)
- Singapore: Major 2025 attack incident
- Malaysia: Communications infrastructure
- Philippines: Government networks
- Indonesia: Energy sector
-
North America (30%)
- United States: Defense contractors, technology companies
- Canada: Energy, communications sectors
-
Europe (20%)
- United Kingdom: Finance, government
- Germany: Manufacturing, technology
- France: Aerospace
-
Other Regions (15%)
- Japan: Technology R&D
- Australia: Mining, government
- Middle East: Energy infrastructure
2025 Singapore Attack Incident Deep Dive
Incident Overview:
- Disclosure Date: July 18, 2025
- Affected Sectors: 11 critical infrastructure sectors
- Attack Status: Ongoing
- Official Response: First public APT group naming
Technical Details: According to security researchers' analysis, this attack exhibits:
- Multi-vector infiltration: Simultaneous breaches from multiple weak points
- Supply chain exploitation: Initial access through third-party service providers
- Long-term persistence: Some backdoors traceable to 2023
- High customization: Optimized for Singapore's specific system environments
Impact Assessment:
- National Security: Critical infrastructure faces paralysis risk
- Economic Impact: May affect financial center status
- Regional Stability: Raises Southeast Asian cybersecurity concerns
- International Relations: Impacts China-Singapore bilateral relations
6. Technical Countermeasures and Detection Strategies
Threat Detection Methodology
Behavioral Baseline Detection:
# Sigma Rule Example: Detecting Anomalous ICMP Traffic
title: UNC3886 CASTLETAP ICMP Knock Detection
status: experimental
description: Detects ICMP traffic containing specific magic strings
logsource:
category: network
detection:
selection:
- protocol: icmp
- payload|contains: '1qaz@WSX'
condition: selection
falsepositives:
- Normal ICMP diagnostic traffic
level: high
Memory Forensics Techniques:
- Detecting hidden processes and kernel modules
- Identifying code injection traces
- Analyzing anomalous system call patterns
- Verifying critical system component integrity
Network Traffic Analysis:
- SSL/TLS certificate anomaly detection
- DNS query pattern analysis
- Non-standard port communication identification
- Temporal communication pattern detection
Proactive Threat Hunting
Hunting Hypotheses:
- Network devices have unauthorized configuration changes
- Virtualization platforms have unofficial VIBs/plugins
- System critical files have been tampered
- Long-dormant backdoors exist
Hunting Query Examples:
# Check for unofficial ESXi VIBs
esxcli software vib list | grep -v "VMware"
# Find suspicious system services
systemctl list-units --type=service | grep -E "(appidd|irad|lmpad)"
# Detect anomalous network connections
netstat -antp | grep -E ":(80|443|444)" | grep -v "LISTEN"
Incident Response Workflow
Phase 1: Containment (0-2 hours)
- Isolate affected systems
- Block known C2 communications
- Disable suspicious accounts
- Preserve critical evidence
Phase 2: Eradication (2-24 hours)
- Identify all backdoor layers
- Clean malware
- Patch exploited vulnerabilities
- Rebuild compromised systems
Phase 3: Recovery (24-72 hours)
- Verify system integrity
- Restore business services
- Enhance monitoring
- Update security policies
Phase 4: Lessons Learned (72+ hours)
- Complete incident report
- Improve detection rules
- Update response procedures
- Share threat intelligence
7. Security Hardening Recommendations
Network Device Security
Immediate Actions:
- Update all network devices to latest firmware versions
- Disable unnecessary management interfaces
- Implement strict Access Control Lists (ACLs)
- Enable logging and forward to SIEM
Configuration Hardening:
# FortiGate hardening example
config system global
set admin-sport 8443
set admin-ssh-v1 disable
set strong-crypto enable
end
config log syslogd setting
set status enable
set server "siem.company.com"
end
Virtualization Platform Protection
ESXi Security Checklist:
- [ ] Restrict VIB installation permissions
- [ ] Enable Secure Boot
- [ ] Configure host firewall
- [ ] Disable unnecessary services
- [ ] Implement vCenter hardening
PowerCLI Detection Script:
# Detect unofficial VIBs
$hosts = Get-VMHost
foreach ($host in $hosts) {
$vibs = Get-ESXCli -VMHost $host -V2
$vibs.software.vib.list.Invoke() |
Where-Object {$_.Vendor -ne "VMware"} |
Format-Table -AutoSize
}
Endpoint Detection and Response
Linux System Hardening:
#!/bin/bash
# UNC3886 Defense Script
# Detect suspicious kernel modules
suspicious_modules=$(lsmod | grep -E "(reptile|medusa)")
if [ ! -z "$suspicious_modules" ]; then
echo "WARNING: Suspicious kernel modules detected"
echo "$suspicious_modules"
fi
# Check LD_PRELOAD hijacking
if [ ! -z "$LD_PRELOAD" ]; then
echo "WARNING: LD_PRELOAD is set: $LD_PRELOAD"
fi
# Verify critical binary files
critical_files="/bin/ls /bin/ps /usr/bin/ssh"
for file in $critical_files; do
rpm -V $(rpm -qf $file) || echo "WARNING: $file may be modified"
done
8. Threat Intelligence and IOCs
Key Threat Indicators
Network IOCs:
IP Addresses:
- 103.131.189[.]143 (BOLDMOVE C2)
- 188.34.130[.]40 (CASTLETAP relay)
- 45.32.101[.]191 (Backup C2)
- 139.180.158[.]207 (Data exfiltration)
Domains:
- update-api[.]net (Disguised update server)
- secure-connection[.]org (Phishing domain)
- cloud-service-api[.]com (C2 domain)
User-Agents:
- Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) UNC3886
File IOCs:
MD5 Hashes:
- b6e92149efaf78e9ce7552297505b9d5 (TABLEFLIP)
- 3a4c6d3e8f9b7e2a1d5c4b6f8e9a7c5d (BOLDMOVE)
- 7f8e3b5c2d6a9e4b1c3f7a8d5e2b9c4f (REPTILE)
File Paths:
- /data/lib/libips.bak
- /bin/appidd
- /usr/lib/libgif.so.1.2.3
- /etc/cron.d/system-backup
YARA Rules
rule UNC3886_CASTLETAP_Dropper {
meta:
description = "Detects UNC3886 CASTLETAP ICMP backdoor"
author = "Innora.ai Threat Research"
date = "2025-07-19"
severity = "critical"
strings:
$magic = "1qaz@WSX"
$xor_key = { 89 45 ?? 31 C0 8A 04 ?? 32 04 ?? }
$icmp_handler = { 80 7D ?? 08 75 ?? 66 81 7D ?? 00 00 }
condition:
uint32(0) == 0x464c457f and
($magic or ($xor_key and $icmp_handler))
}
rule UNC3886_REPTILE_Rootkit {
meta:
description = "Detects REPTILE rootkit variants"
strings:
$launcher = "launcher_init"
$hide_proc = "hide_proc_pid"
$magic_packet = { 48 69 64 65 4D 65 }
condition:
$launcher and $hide_proc and $magic_packet
}
9. International Cooperation and Information Sharing
Threat Intelligence Sharing Mechanisms
Industry Alliances:
- Financial Services Information Sharing and Analysis Center (FS-ISAC)
- Communications ISAC
- Energy Sector ISAC
- Multi-national Cyber Defense Alliance
Technical Standards:
- STIX/TAXII 2.1 automated sharing
- MISP platform integration
- OpenIOC format
- Real-time threat feeds
Regional Defense Collaboration
Asia-Pacific Cybersecurity Framework:
- ASEAN-CERT coordination mechanism
- Quad Security Dialogue (US, Japan, Australia, India)
- APEC cybersecurity strategy
- Regional emergency response exercises
Best Practice Sharing:
- Regular threat briefing meetings
- Joint threat hunting operations
- Incident response mutual support
- Technical training and capacity building
10. Technical Innovation and Future Outlook
AI in APT Detection
Machine Learning Models:
- Graph neural network-based anomaly behavior detection
- Natural language processing for threat intelligence analysis
- Reinforcement learning for response strategy optimization
- Federated learning for privacy-preserving model sharing
Automated Response Systems:
class APTDetectionEngine:
def __init__(self):
self.behavior_model = self.load_behavior_model()
self.threat_classifier = self.load_threat_classifier()
def analyze_event(self, event):
# Behavioral anomaly scoring
anomaly_score = self.behavior_model.predict(event)
# Threat classification
if anomaly_score > 0.8:
threat_type = self.threat_classifier.classify(event)
# Automated response
if threat_type == "UNC3886_LIKE":
self.initiate_response(event)
def initiate_response(self, event):
# Automated containment measures
self.isolate_system(event.source_ip)
self.block_c2_communication(event.destination_ip)
self.capture_forensics(event.system_id)
Quantum Computing Era Cybersecurity
Post-Quantum Cryptography Preparation:
- Migration to quantum-resistant algorithms
- Hybrid encryption schemes
- Cryptographic agility design
- Quantum key distribution integration
Threat Evolution Predictions:
- APT groups may acquire quantum computing capabilities
- Traditional encrypted communications face decryption risks
- Need for entirely new security architectures
11. Case Study: Financial Institution Defense Practice
Multinational Bank Defense Against UNC3886
Background:
- Asset Scale: Over $1 trillion
- Branches: 50 countries
- IT Infrastructure: 100,000+ endpoints, 5,000+ servers
- Threat Landscape: 50+ targeted attacks monthly
Defense Architecture Implementation:
Phase 1: Basic Protection (2024 Q1-Q2)
- Deploy zero-trust network architecture
- Implement micro-segmentation strategy
- Upgrade all network device firmware
- Establish 24x7 SOC
Phase 2: Advanced Detection (2024 Q3-Q4)
- Deploy AI-based behavioral analytics platform
- Implement deception systems (honeypot network)
- Establish threat hunting team
- Integrate global threat intelligence
Phase 3: Active Defense (2025 Q1-Q2)
- Red-Blue team exercises (monthly)
- Supply chain security audits
- Zero-day bug bounty program
- Quantum security migration initiated
Outcome Metrics:
- MTTD: Reduced from 96 hours to 4 hours
- MTTR: Reduced from 24 hours to 45 minutes
- Successfully blocked 12 UNC3886-related attacks
- Zero security incidents causing business disruption
Lessons Learned:
- Infrastructure security takes priority over endpoint security
- Continuous validation more effective than periodic audits
- Threat intelligence sharing is critical
- Personnel training equally important as technology
12. Conclusion: Building Resilient Cyber Defense Systems
Key Takeaways
Through deep analysis of UNC3886, we derive the following key insights:
Threat Evolution Trends:
- APT attacks shifting from endpoints to infrastructure
- Zero-days becoming standard rather than exception
- Multi-layer persistence ensuring long-term lurking
- Supply chain becoming primary attack vector
Defense Strategy Transformation:
- From passive response to proactive hunting
- From perimeter defense to zero-trust architecture
- From isolated protection to collaborative defense
- From technical confrontation to systematic confrontation
Action Recommendations:
Immediate Actions (Within 24 hours):
- Inspect all network devices and virtualization platforms
- Verify critical system integrity
- Review privileged account activities
- Update threat detection rules
Short-term Improvements (1-3 months):
- Implement network segmentation and micro-segmentation
- Deploy advanced threat detection platforms
- Establish threat hunting capabilities
- Strengthen supply chain security
Long-term Construction (6-12 months):
- Build zero-trust architecture
- Implement automated response
- Establish threat intelligence system
- Cultivate professional talent teams
Looking Forward
Cyber space confrontation will continue to escalate, with UNC3886 representing just the tip of the iceberg. As new technologies like artificial intelligence, quantum computing, and 6G communications develop, cybersecurity will face unprecedented challenges. Only through comprehensive measures combining technological innovation, international cooperation, and talent cultivation can we remain invincible in this war without smoke.
As security practitioners, we must remain vigilant, continuously learn, and boldly innovate. Facing advanced threats like UNC3886, going it alone is no longer viable. Only through unity, intelligence sharing, and collaborative defense can we build a truly secure digital world.
About the Authors: This article was written by the Innora.ai Threat Research Team. Innora.ai specializes in AI-driven cybersecurity innovation, dedicated to providing next-generation intelligent security solutions for enterprises.
Contact Us: [email protected]
For more threat intelligence and security research, visit: https://www.innora.ai/threat-research
Related from Innora Security Research:
Related Chronicles
CQL Technology in Cybersecurity: Applications and Practice
Conservative Q-Learning (CQL), as a revolutionary offline reinforcement learning algorithm, is bringing new possibilities to cybersecurity defense.
Deep Analysis of Countering Chinese State Cyber Actors'
Countering Chinese state cyber actors: TTPs analysis, Volt Typhoon infrastructure, and enterprise defense playbooks for critical infrastructure.
Deep Analysis of Lazarus APT Group's 2025 New Tactics
The Lazarus Group (also known as Hidden Cobra, APT38) is a North Korea-affiliated advanced persistent threat group that has been active in global...
Subscribe for AI Security Insights
Join 5,000+ engineers and security researchers. Get our latest deep dives into Sovereign AI, Red Teaming, and System Architecture.
No spam. Unsubscribe at any time.
Comments are currently disabled.