# Full Report
Cisco Talos is tracking the active targeting of Cisco AsyncOS Software for Cisco Secure Email Gateway, formerly known as Cisco Email Security Appliance (ESA), and Cisco Secure Email and Web Manager, formerly known as Cisco Content Security Management Appliance (SMA).
# Analysis Summary
# Threat Actor: UAT-9686
## Attribution & Identity
* **Identification:** Chinese-nexus Advanced Persistent Threat (APT) actor, tracked by Cisco Talos as UAT-9686.
* **Known Aliases and Associated Groups:** Tooling and infrastructure overlap with other Chinese threat groups; Talos notes TTP and tool associations with **APT41** and **UNC5174**.
## Activity Summary
Cisco Talos discovered an active campaign targeting **Cisco AsyncOS Software for Cisco Secure Email Gateway (ESA)** and **Cisco Secure Email and Web Manager (SMA)**. The activity has been ongoing since at least late November 2025, with Talos gaining awareness on December 10, 2025. The actors exploit vulnerabilities in appliances with non-standard configurations to execute system-level commands and deploy persistent backdoors.
## Tactics, Techniques & Procedures
* **Initial Compromise:** Leveraging vulnerabilities in Cisco Email/Web software, enabling system-level command execution.
* **Persistence:** Deployment of a custom Python-based backdoor named **AquaShell**.
* **Defense Evasion:** Use of **AquaPurge**, a utility designed to remove lines containing specific keywords from log files.
* **C2/Remote Access:** Establishing reverse tunneling capabilities using custom tools:
  * **AquaTunnel:** Custom tool based on the open-source "ReverseSSH" project (GoLang ELF binary) that creates C2 connections back to attacker-controlled servers, bypassing network controls such as firewalls/NAT.
  * **Chisel:** Open-source tunneling tool configured to proxy traffic over HTTP, used for pivoting into internal networks.
* **Implant Adoption:** Use of a custom web-based implant (AquaShell).
## Targeting
* **Sectors:** Not explicitly detailed, but targeting specific high-value network security/email management appliances suggests focused corporate or governmental espionage/access.
* **Geography:** Not explicitly detailed.
* **Victims:** Organizations utilizing **Cisco Secure Email Gateway (ESA)** and **Cisco Secure Email and Web Manager (SMA)** with non-standard configurations.
## Tools & Infrastructure
* **Malware Families/Custom Tools:**
  * **AquaShell:** Lightweight Python backdoor embedded into an existing file within a Python-based web server (`/data/web/euq_webui/htdocs/index.py`). Executes encoded commands received via unauthenticated HTTP POST requests; the commands are decoded with custom routines combined with Base64.
  * **AquaTunnel:** Custom reverse SSH tunneling tool (GoLang ELF binary).
  * **AquaPurge:** Log-clearing utility.
  * **Chisel:** Open-source tunneling tool.
* **Infrastructure (IPs):**
  * 172[.]233[.]67[.]176
  * 172[.]237[.]29[.]147
  * 38[.]54[.]56[.]95
## Implications
UAT-9686 poses a significant threat by targeting critical edge infrastructure (Email Security Gateways). Successful compromise allows the actor to establish persistent remote access (via AquaTunnel/Chisel) and maintain stealth by purging logs (AquaPurge). The actor's consistent use of sophisticated tunneling tools aligns them with established, high-capability Chinese APT groups.
## Mitigations
* Follow guidance published in relevant Cisco security advisories.
* Ensure Cisco Secure Email Gateway (ESA) and Secure Email and Web Manager (SMA) appliances are running compliant, standard configurations.
* Monitor for artifacts related to the custom tools (AquaShell, AquaTunnel, AquaPurge) and associated IP addresses.
* If IOCs are identified, customers are advised to open a case with Cisco TAC.
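As an added defensive example (not part of the Talos report and not Cisco's code), the check below combines a baseline-hash integrity test on a Python web handler with a heuristic scan for the three ingredients an AquaShell-style injection needs: reading the POST body, Base64 decoding, and a command-execution primitive. The handler text and the indicator patterns are constructed for this example; a real deployment would baseline the actual `/data/web/euq_webui/htdocs/index.py` from a known-good appliance.

```python
import hashlib
import re

# Heuristic indicator classes an AquaShell-style injection needs: reading the
# HTTP POST body, Base64 decoding, and a primitive that executes the result.
# These patterns are constructed for this example, not Talos detection content.
INDICATORS = {
    "post_body_read": re.compile(r"FieldStorage|CONTENT_LENGTH|sys\.stdin\.read"),
    "base64_decode": re.compile(r"\bb64decode\b|\bdecodebytes\b|\bdecodestring\b"),
    "command_exec": re.compile(r"\bos\.(system|popen)\b|\bsubprocess\.\w+|\bexec\s*\(|\beval\s*\("),
}

def sha256_text(text):
    return hashlib.sha256(text.encode()).hexdigest()

def scan_source(text):
    """Return {indicator_name: [line numbers]} for every indicator that fires."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits

def assess(text, baseline_sha256):
    """Integrity check against a known-good hash plus the heuristic scan.
    'suspicious' needs drift from baseline AND all three indicator classes;
    drift alone is 'review' (legitimate patches also change the hash)."""
    digest = sha256_text(text)
    hits = scan_source(text)
    drifted = digest != baseline_sha256
    full_chain = all(name in hits for name in INDICATORS)
    verdict = "suspicious" if drifted and full_chain else "review" if drifted else "clean"
    return {"sha256": digest, "drifted": drifted, "hits": hits, "verdict": verdict}

# Constructed stand-in for a quarantine UI handler (not Cisco's code).
BASELINE_SOURCE = '''import cgi
form = cgi.FieldStorage()
user = form.getfirst("user", "")
print("Content-Type: text/html")
print("<h1>Quarantine for %s</h1>" % user)
'''
# The same file with an appended, deliberately inert token sample: Ellipsis
# placeholders stand in for the data flow, so this is not a working implant.
TAMPERED_SOURCE = BASELINE_SOURCE + '''import base64, subprocess
_blob = base64.b64decode(...)
subprocess.call(...)
'''
```

Running `assess(TAMPERED_SOURCE, sha256_text(BASELINE_SOURCE))` reports the file as drifted with all three indicator classes present, while a benign edit that changes only the hash is reported as "review" for a human to confirm.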