The Cyber Security Agency (CSA) of Singapore on Monday revealed that the China-nexus cyber espionage group known as UNC3886 targeted its telecommunications sector.
"UNC3886 had launched a deliberate, targeted, and well-planned campaign against Singapore's telecommunications sector," CSA said. "All four of Singapore's major telecommunications operators ('telcos') – M1, SIMBA Telecom, Singtel, and StarHub – have been the target of attacks."
The development comes more than six months after Singapore's Coordinating Minister for National Security, K. Shanmugam, accused UNC3886 of striking high-value strategic threat targets. UNC3886 is assessed to be active since at least 2022, targeting edge devices and virtualization technologies to obtain initial access.
In July 2025, Sygnia disclosed details of a long-term cyber espionage campaign attributed to a threat cluster it tracks as Fire Ant and which shares tooling and targeting overlaps with UNC3886, stating the adversary infiltrates organizations' VMware ESXi and vCenter environments as well as network appliances.
Describing UNC3886 as an advanced persistent threat (APT) with "deep capabilities," CSA said the threat actors deployed sophisticated tools to gain access into telco systems, in one instance even weaponizing a zero-day exploit to bypass a perimeter firewall and siphon a small amount of technical data to further its operational objectives. The exact specifics of the flaw were not disclosed.
In a second case, UNC3886 is said to have deployed rootkits to establish persistent access and conceal their tracks to fly under the radar. Other activities undertaken by the threat actor include gaining unauthorized access to "some parts" of telco networks and systems, including those deemed critical, although it's assessed that the incident was not severe enough to disrupt services.
CSA said it mounted a 11-month-long cyber operation dubbed CYBER GUARDIAN to counter the threat and limit the attackers' movement into telecom networks. It also emphasized that there is no evidence that the threat actor exfiltrated personal data such as customer records or cut off internet availability.
"Cyber defenders have since implemented remediation measures, closed off UNC3886’s access points, and expanded monitoring capabilities in the targeted telcos," the agency said.
The campaign targeting European government institutions coincides with the discovery of what appears to be a coordinated activity targeting EPMM instances to upload a dormant payload following the exploitation of CVE-2026-1281 and CVE-2026-1340, creating a pathway for future attacks. The main responsibility of the loader is to receive, load, and execute a second Java class delivered via HTTP.
"This campaign deployed a dormant in-memory Java class loader to /mifs/403.jsp -- a somewhat lesser common web shell path," the company said. "The implant can only be activated with a specific trigger parameter, and no follow-on exploitation has yet been observed. This is suggestive of initial access broker (IAB) tradecraft: gain a foothold, then sell or hand off access later."
