{
	"id": "ebfbe9c1-c1c8-4d1e-896a-c1fec0586c12",
	"created_at": "2026-04-06T00:10:28.673365Z",
	"updated_at": "2026-04-10T03:36:01.26738Z",
	"deleted_at": null,
	"sha1_hash": "434101591fa739498b8efd5b91c428b1dd938cc5",
	"title": "UAT-9686 actively targets Cisco Secure Email Gateway and Secure Email and Web Manager",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 162429,
	"plain_text": "UAT-9686 actively targets Cisco Secure Email Gateway and Secure Email and Web Manager\r\nBy Cisco Talos\r\nPublished: 2025-12-17 · Archived: 2026-04-05 15:36:43 UTC\r\nWednesday, December 17, 2025 11:55\r\nCisco Talos recently discovered a campaign targeting Cisco AsyncOS Software for Cisco Secure Email Gateway, formerly known as Cisco Email Security Appliance (ESA), and Cisco Secure Email and Web Manager, formerly known as Cisco Content Security Management Appliance (SMA).\r\nWe assess with moderate confidence that the adversary, whom we track as UAT-9686, is a Chinese-nexus advanced persistent threat (APT) actor whose tool use and infrastructure are consistent with other Chinese threat groups.\r\nAs part of this activity, UAT-9686 deploys a custom persistence mechanism we track as “AquaShell”, accompanied by additional tooling meant for reverse tunneling and purging logs.\r\nOur analysis indicates that the appliances we have observed being compromised in this attack are those with non-standard configurations, as described in Cisco's advisory.\r\nCisco Talos is tracking the active targeting of Cisco AsyncOS Software for Cisco Secure Email Gateway, formerly known as Cisco Email Security Appliance (ESA), and Cisco Secure Email and Web Manager, formerly known as Cisco Content Security Management Appliance (SMA), enabling attackers to execute system-level commands and deploy a persistent Python-based backdoor, AquaShell. Cisco became aware of this activity on December 10; it has been ongoing since at least late November 2025. Additional tools observed include AquaTunnel (reverse SSH tunnel), chisel (another tunneling tool), and AquaPurge (log-clearing utility).
Talos' analysis indicates that the appliances we have observed being compromised in this attack are those with non-standard configurations, as described in Cisco's advisory.\r\nThe Cisco Secure Email and Web Manager centralizes management and reporting functions across multiple Cisco Email Security Appliances (ESAs) and Web Security Appliances (WSAs), offering centralized services such as spam quarantine, policy management, reporting, tracking, and configuration management to simplify administration and enhance security enforcement.\r\nCustomers are strongly advised to follow the guidance published in the security advisories discussed below. Additional recommendations specific to Cisco are available here.\r\nTalos assesses with moderate confidence that this activity is being conducted by a Chinese-nexus threat actor, which we track as UAT-9686. We have observed overlaps in tactics, techniques and procedures (TTPs), infrastructure, and victimology between UAT-9686 and other Chinese-nexus threat actors Talos tracks. Tooling used by UAT-9686, such as AquaTunnel (aka ReverseSSH), also aligns with previously disclosed Chinese-nexus APT groups such as APT41 and UNC5174. Additionally, the tactic of using a custom-made web-based implant such as AquaShell is increasingly being adopted by highly sophisticated Chinese-nexus APTs.\r\nAquaShell\r\nAquaShell is a lightweight Python backdoor that is embedded into an existing file within a Python-based web server. The backdoor is capable of receiving encoded commands and executing them in the system shell. It listens passively for unauthenticated HTTP POST requests containing specially crafted data.
If such a request is identified, the backdoor will then attempt to parse the contents using a custom decoding routine and execute them in the system shell.\r\nAquaShell is delivered as an encoded data blob that is decoded and ultimately placed in “/data/web/euq_webui/htdocs/index.py”.\r\nThe result of decoding the data blob is the Python code that constitutes the AquaShell backdoor. AquaShell parses the HTTP POST request, decodes it using a combination of a custom algorithm and Base64 decoding, and executes the resulting commands on the appliance.\r\nAquaPurge\r\nAquaPurge removes lines containing specific keywords from the specified log files. It uses the “egrep” command with an inverted search to keep only the content that doesn’t contain the keywords and then simply commits the result back to the log files:\r\nAquaTunnel\r\nAquaTunnel is a compiled GoLang ELF binary based on the open-source “ReverseSSH” backdoor. AquaTunnel creates a reverse SSH connection from the compromised system back to an attacker-controlled server, enabling unauthorized remote access even when the system is behind firewalls or NAT.\r\nChisel\r\nChisel is an open-source tunneling tool that supports creating TCP/UDP tunnels over a single-port HTTP-based connection. Chisel allows an attacker to proxy traffic through a compromised edge device, allowing them to easily pivot through that device into the internal environment.\r\nRecommendations for Cisco customers are available here.
If your organization does find connections to the provided actor indicators of compromise (IOCs), please open a case with Cisco TAC.\r\nAll IOCs, including IPs and file hashes determined to be associated with this campaign, have been blocked across the Cisco portfolio.\r\nIOCs\r\nThe IOCs can also be found in our GitHub repository here.\r\nAquaTunnel\r\n2db8ad6e0f43e93cc557fbda0271a436f9f2a478b1607073d4ee3d20a87ae7ef\r\nAquaPurge\r\n145424de9f7d5dd73b599328ada03aa6d6cdcee8d5fe0f7cb832297183dbe4ca\r\nChisel\r\n85a0b22bd17f7f87566bd335349ef89e24a5a19f899825b4d178ce6240f58bfc\r\n172[.]233[.]67[.]176\r\n172[.]237[.]29[.]147\r\n38[.]54[.]56[.]95\r\nSource: https://blog.talosintelligence.com/uat-9686/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://blog.talosintelligence.com/uat-9686/"
	],
	"report_names": [
		"uat-9686"
	],
	"threat_actors": [
		{
			"id": "b302cfdb-30c9-4dce-a968-d2398dda820d",
			"created_at": "2024-03-28T02:00:05.789775Z",
			"updated_at": "2026-04-10T02:00:03.611467Z",
			"deleted_at": null,
			"main_name": "UNC5174",
			"aliases": [
				"Uteus"
			],
			"source_name": "MISPGALAXY:UNC5174",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8bcbeb8a-111b-4ea1-a72b-5c7abd8ef132",
			"created_at": "2025-11-01T02:04:53.050049Z",
			"updated_at": "2026-04-10T02:00:03.774442Z",
			"deleted_at": null,
			"main_name": "BRONZE SNOWDROP",
			"aliases": [
				"UNC5174 "
			],
			"source_name": "Secureworks:BRONZE SNOWDROP",
			"tools": [
				"Metasploit",
				"SNOWLIGHT",
				"SUPERSHELL",
				"Sliver",
				"VShell"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9c730914-2af2-4434-bd4c-55530664c4a2",
			"created_at": "2026-01-18T02:00:03.066637Z",
			"updated_at": "2026-04-10T02:00:03.905041Z",
			"deleted_at": null,
			"main_name": "UAT-9686",
			"aliases": [],
			"source_name": "MISPGALAXY:UAT-9686",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434228,
	"ts_updated_at": 1775792161,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/434101591fa739498b8efd5b91c428b1dd938cc5.pdf",
		"text": "https://archive.orkl.eu/434101591fa739498b8efd5b91c428b1dd938cc5.txt",
		"img": "https://archive.orkl.eu/434101591fa739498b8efd5b91c428b1dd938cc5.jpg"
	}
}