Threat actors use Operational Relay Box (ORB) networks, obfuscated mesh configurations of relay nodes, to conceal the source of cyberattacks. These networks combine compromised IoT devices, SOHO routers and VPS servers to route malicious traffic through what appear to be genuine residential or broadband connections.

By mimicking private proxy networks and blending malicious traffic with legitimate user activity on real devices such as home routers, ORBs provide strong evasion. This makes attacks hard to trace and raises the risk of collateral damage if defenders block IPs, since innocent users or services may share those addresses. Pre-positioning nodes close to targets supports long-term reconnaissance and bypasses geofencing, and attackers scale the network easily by rotating nodes, which keeps it resilient.

Campaign Goals for UNC3886: Telecoms in Singapore

Operation CYBER GUARDIAN, a significant multi-agency operation against the APT group UNC3886, was described by Singapore's Cyber Security Agency (CSA) in February 2026. It targeted all four major telcos: M1, SIMBA Telecom, Singtel and StarHub. The campaign, discovered in July 2025, used rootkits for covert persistence and a zero-day to get past firewalls and exfiltrate small amounts of network data.

Mandiant links UNC3886 to China-sponsored espionage; the group is responsible for zero-days against Fortinet, VMware and Juniper edge devices and for custom malware that maintains extended access in the energy, finance and telecommunications industries. A 2025 Mandiant report on the Juniper router attacks shared Singapore-based IOCs on M1 and StarHub address space connected to GOBRAT ORB nodes. Team Cymru's Scout data also resolves the TINYSHELL C2 indicators (IP:port) to their WHOIS owners and GeoIP locations.

According to Team Cymru Scout data, there were 12 ORB-tagged IPs on the victim ISPs within the 90-day period and 44 in Singapore overall, mainly on AWS, StarHub and Singtel ASNs. NetFlow analysis showed 62 victim IPs (mostly D-Link and Asus routers) connecting to ORBs within 30 days, and 42 ORBs communicating with victim networks. Since 2022, Singapore has required secure-by-default routers under IMDA's TS RG-SEC, which mandates auto-patching and CLS Level 1 labelling with unique passwords and vulnerability policies.

However, UNC3886 exploits the gaps left by imported and legacy devices. The GOBRAT C2 servers observed (indicator, description, ASN, GeoIP and last-seen date):

Indicator       Description        ASN                 GeoIP      Last seen
8.218.212.173   GOBRAT C2 server   AS45102 (Alibaba)   Singapore  2025-12-28
8.218.127.103   GOBRAT C2 server   AS45102 (Alibaba)   Singapore  2025-12-30
47.82.7.142     GOBRAT C2 server   AS45102 (Alibaba)   Singapore  2026-02-11

Team Cymru reports that Operation CYBER GUARDIAN raised monitoring across more than 100 defenders and removed the threat without service interruptions or loss of customer data. To counter such pre-positioned espionage, defenders must hunt for ORB nodes using threat intelligence, zero-trust architecture and prompt patching of edge devices.
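As an added example (not code from the article, Team Cymru or Mandiant), the following Python hunts NetFlow records for connections to the GOBRAT C2 nodes listed above inside a 30-day lookback, the same shape of analysis that produced the victim-IP and ORB counts in the article; the flow line format and the source addresses are constructed assumptions. It flags and counts rather than blocks, because ORB nodes frequently sit on legitimate residential or cloud addresses.

```python
"""Hunt NetFlow records for traffic to known ORB/C2 nodes (added example)."""
from collections import defaultdict
from datetime import date, timedelta

# Indicators copied from the article's GOBRAT table: IP -> last-seen date.
GOBRAT_C2 = {
    "8.218.212.173": date(2025, 12, 28),
    "8.218.127.103": date(2025, 12, 30),
    "47.82.7.142": date(2026, 2, 11),
}

# Constructed sample flows (not real telemetry): "YYYY-MM-DD src dst dport".
SAMPLE_FLOWS = """\
2026-02-10 192.0.2.5 8.218.212.173 22
2026-02-10 192.0.2.5 47.82.7.142 22
2026-02-11 192.0.2.9 47.82.7.142 443
2026-02-11 192.0.2.5 8.8.8.8 53
2025-11-01 192.0.2.7 8.218.127.103 22
"""


def parse_flows(text):
    """Parse flow lines into (date, src, dst, dport); skip blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        flows.append((date.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])))
    return flows


def hunt(flows, indicators, as_of, window_days=30):
    """Return {victim_src: {c2_dst, ...}} for flows inside the lookback window
    that reach a listed node. Flag only: blocking an ORB address risks
    collateral damage to legitimate users sharing it."""
    cutoff = as_of - timedelta(days=window_days)
    hits = defaultdict(set)
    for when, src, dst, _dport in flows:
        if dst in indicators and cutoff <= when <= as_of:
            hits[src].add(dst)
    return dict(hits)


def summarize(hits):
    """The article's two metrics: victim IPs that reached ORBs, distinct ORBs contacted."""
    orbs = set().union(*hits.values()) if hits else set()
    return len(hits), len(orbs)


if __name__ == "__main__":
    found = hunt(parse_flows(SAMPLE_FLOWS), GOBRAT_C2, date(2026, 2, 12))
    print(found, summarize(found))
```

The flow from 2025-11-01 falls outside the 30-day window relative to the 2026-02-12 reference date and is not reported, while the two matching sources are reported with every C2 they touched.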