{
	"id": "529de6cd-ba6b-47dc-8167-031e806b8285",
	"created_at": "2026-04-06T00:10:56.599266Z",
	"updated_at": "2026-04-10T03:21:15.990888Z",
	"deleted_at": null,
	"sha1_hash": "6c26c43df0879f84de3349e47cb2bb09c8d66a75",
	"title": "CISA Releases Malware Analysis Reports on Barracuda Backdoors | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56832,
	"plain_text": "CISA Releases Malware Analysis Reports on Barracuda Backdoors | CISA\r\nPublished: 2023-09-07 · Archived: 2026-04-05 22:44:24 UTC\r\nUpdated September 7, 2023\r\nCISA has published an additional malware analysis report associated with malicious Barracuda activity. The\r\nreport provides analysis on the following malware samples:\r\nSUBMARINE – SUBMARINE is a backdoor that exploits a vulnerability in the target environment in which\r\na base64 string embedded in a file name is executed by the Linux shell. Note: Also see description and\r\nadditional MAR below.\r\nSKIPJACK – SKIPJACK is a backdoor that enumerates file system information.\r\nSEASPRAY – SEASPRAY is a backdoor that registers an event handler for all incoming email attachments\r\nand is a launcher for WHIRLPOOL.\r\nWHIRLPOOL – WHIRLPOOL is a backdoor that can connect to a remote address and then create a new\r\nprocess. Note: Also see description and additional MAR below.\r\nSALTWATER – SALTWATER is a backdoor that can perform DNS resolution and establish\r\ncommunications over the network using a TLS version 1 connection. The malware can execute any shell\r\ncommand with the same privileges as its calling process.\r\nFor more information, including indicators of compromise and YARA rules for detection, see the following\r\nmalware analysis report:\r\nSUBMARINE, SKIPJACK, SEASPRAY, WHIRLPOOL, and SALTWATER Backdoors MAR-10454006.r5.v1.CLEAR\r\nEnd of September 7, 2023 update\r\nUpdated August 18, 2023\r\nCISA has published an additional malware analysis report associated with malicious Barracuda activity. The\r\nreport provides analysis on the following malware sample:\r\nWHIRLPOOL – WHIRLPOOL is a backdoor that establishes a Transport Layer Security (TLS) reverse\r\nshell to the Command-and-Control (C2) server.
\r\nFor more information, including indicators of compromise and YARA rules for detection, see the following\r\nmalware analysis report:\r\nWHIRLPOOL Backdoor MAR-10459736.r1.v1.CLEAR\r\nEnd of August 18, 2023 update\r\nhttps://www.cisa.gov/news-events/alerts/2023/07/28/cisa-releases-malware-analysis-reports-barracuda-backdoors\r\nPage 1 of 3\n\nUpdated August 9, 2023\r\nCISA has published an additional malware analysis report associated with malicious Barracuda activity. The\r\nreport provides analysis on four malware samples, including:\r\nWHIRLPOOL – WHIRLPOOL is a backdoor that establishes a Transport Layer Security (TLS) reverse\r\nshell to the Command-and-Control (C2) server.\r\nFor more information, including indicators of compromise and YARA rules for detection, see the following\r\nmalware analysis report:\r\nSEASPY and WHIRLPOOL Backdoors MAR-10454006.r4.v2.CLEAR\r\nEnd of August 9, 2023 update\r\nCISA has published three malware analysis reports on malware variants associated with exploitation of CVE-2023-2868. CVE-2023-2868 is a remote command injection vulnerability affecting Barracuda Email Security\r\nGateway (ESG) Appliance, versions 5.1.3.001-9.2.0.006. It was exploited as a zero day as early as October\r\n2022 to gain access to ESG appliances. According to industry reporting, the actors exploited the vulnerability to\r\ngain initial access to victim systems and then implanted backdoors to establish and maintain persistence.\r\nCISA analyzed backdoor malware variants obtained from an organization that had been compromised by threat\r\nactors exploiting the vulnerability.\r\nBarracuda Exploit Payload and Backdoor – The payload exploits CVE-2023-2868, leading to dropping\r\nand execution of a reverse shell backdoor on the ESG appliance. The reverse shell establishes communication\r\nwith the threat actor’s command and control (C2) server, from which it downloads the SEASPY backdoor\r\nto the ESG appliance.
The actors delivered the payload to the victim via a phishing email with a malicious\r\nattachment.\r\nSEASPY – SEASPY is a persistent and passive backdoor that masquerades as a legitimate Barracuda\r\nservice. SEASPY monitors traffic from the actor’s C2 server. When the right packet sequence is captured,\r\nit establishes a Transmission Control Protocol (TCP) reverse shell to the C2 server. The shell allows the\r\nthreat actors to execute arbitrary commands on the ESG appliance.\r\nSUBMARINE – SUBMARINE is a novel persistent backdoor executed with root privileges that lives in a\r\nStructured Query Language (SQL) database on the ESG appliance. SUBMARINE comprises multiple\r\nartifacts—including a SQL trigger, shell scripts, and a loaded library for a Linux daemon—that together\r\nenable execution with root privileges, persistence, command and control, and cleanup. CISA also analyzed\r\nartifacts related to SUBMARINE that contained the contents of the compromised SQL database. This\r\nmalware poses a severe threat for lateral movement.\r\nFor more information on the exploit payload and the SEASPY and SUBMARINE backdoors, including indicators of\r\ncompromise and YARA rules for detection, see the following Malware Analysis Reports:\r\nExploit Payload Backdoor MAR-10454006-r3.v1.CLEAR\r\nSEASPY Backdoor MAR-10454006-r2.v1.CLEAR\r\nSUBMARINE Backdoor MAR-10454006-r1.v2.CLEAR\r\nFor more information on CVE-2023-2868, see Barracuda’s page Barracuda Email Security Gateway Appliance\r\n(ESG) Vulnerability and Mandiant’s blog post Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868)\r\nExploited Globally by Aggressive and Skilled Actor.\r\nTo report suspicious or criminal activity related to information found in these malware analysis reports, contact\r\nCISA’s 24/7 Operations Center at Report@cisa.gov or 1-844-Say-CISA (1-844-729-2472).\r\nSource: https://www.cisa.gov/news-events/alerts/2023/07/28/cisa-releases-malware-analysis-reports-barracuda-backdoors",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cisa.gov/news-events/alerts/2023/07/28/cisa-releases-malware-analysis-reports-barracuda-backdoors"
	],
	"report_names": [
		"cisa-releases-malware-analysis-reports-barracuda-backdoors"
	],
	"threat_actors": [],
	"ts_created_at": 1775434256,
	"ts_updated_at": 1775791275,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6c26c43df0879f84de3349e47cb2bb09c8d66a75.pdf",
		"text": "https://archive.orkl.eu/6c26c43df0879f84de3349e47cb2bb09c8d66a75.txt",
		"img": "https://archive.orkl.eu/6c26c43df0879f84de3349e47cb2bb09c8d66a75.jpg"
	}
}
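The file-name command injection that the alert above attributes to CVE-2023-2868 (a base64 string inside an attachment file name is handed to the Linux shell, and the payload arrived as an email attachment) is something a mail gateway or a triage script can check for before an attachment reaches the appliance. The following is an added example written for this corpus entry; it is not CISA's or Barracuda's code and is not taken from any of the MARs. It opens a tar archive (Barracuda's own advisory identifies .tar attachments as the vector; this page does not say so, so that is an assumption here), flags member names that contain shell metacharacters, and decodes any base64 run in a flagged name so an analyst can see the command that would have run. The archive, its member names and the harmless `id > /tmp/x` payload are all constructed for the example.

```python
import base64
import binascii
import io
import re
import tarfile

# Characters that change how a POSIX shell parses an unquoted word. A file
# name that reaches a shell (for example through a backticked command or
# Perl's qx) must not contain any of these. Spaces are deliberately left
# out: they are common in benign attachment names and would only add noise.
SHELL_META = set("`$;|&<>(){}\n\r'\"\\")

# A run long enough to be a base64-encoded command rather than a word.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")


def decode_base64_run(name):
    """Return the printable ASCII decoding of the first base64-looking run in
    name, or None when nothing decodes cleanly to printable text."""
    match = B64_RUN.search(name)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(0), validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def suspicious_member_names(tar_bytes):
    """Scan every member name in a tar archive supplied as bytes.

    Returns a list of (name, metacharacters, decoded_payload) for members
    whose name contains shell metacharacters. decoded_payload is the
    plaintext of an embedded base64 run when one is present, else None.
    The metacharacter check is the gate; base64 decoding is enrichment only.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            meta = sorted(set(member.name) & SHELL_META)
            if not meta:
                continue
            findings.append((member.name, meta, decode_base64_run(member.name)))
    return findings


def build_sample_archive():
    """Constructed sample (not a captured artifact): one benign member and one
    whose name wraps a base64 payload in backtick command substitution, the
    shape of injection the alert describes. The payload is harmless."""
    payload = base64.b64encode(b"id > /tmp/x").decode("ascii")
    hostile = "report.pdf`echo " + payload + "|base64 -d|sh`"  # hypothetical name
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ("invoice.pdf", hostile):
            data = b"placeholder"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for name, meta, payload in suspicious_member_names(build_sample_archive()):
        print(f"REJECT {name!r}: metacharacters {meta}, decoded payload {payload!r}")
```

Run it as a script to see the hostile member rejected with its decoded payload; the benign `invoice.pdf` entry never appears. Only the metacharacter set decides whether a name is flagged, because long alphanumeric runs also occur in legitimate names; the decoded base64 is there to tell an analyst what a flagged name would have executed, not to make the decision.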