Singapore says China-linked UNC3886 breached all four major telcos using a zero-day and stealth rootkits. Singapore’s Cyber Security Agency reported that UNC3886 compromised Singtel, StarHub, M1 and Simba at least once, gained limited access to critical systems, and in one case used a zero-day to bypass perimeter firewalls and steal technical data; in a separate intrusion, investigators found the actor used rootkits to remain stealthy and persist for an undisclosed period. Authorities said they found no evidence that sensitive customer data was accessed or stolen and that services were not disrupted, but the campaign was described as deliberate, targeted, and well-planned; the intrusions were disclosed in July 2025 and prompted “Operation Cyber Guardian,” wider monitoring, and rapid containment to prevent pivoting into other critical sectors such as banking, transport, and healthcare. From a Red Team services perspective, this is a textbook “quiet-access” operation: telcos are strategic terrain, and the combination of edge exploit + stealth persistence is exactly what we emulate to help clients validate whether their detection can catch low-noise footholds, lateral movement that avoids heavy tooling, and identity-centric pivots off network management planes—because the most dangerous outcome is often not an outage, but a durable position the defender never sees.