Severity
High
Analysis Summary
A highly active cyber campaign has been exploiting a zero-day vulnerability in Cisco AsyncOS software, targeting both the Secure Email Gateway (formerly ESA) and Secure Email and Web Manager (formerly SMA). First observed in late November 2025 and publicly disclosed on December 10, the flaw allows attackers to execute system-level commands and deploy a persistent Python backdoor named AquaShell. This vulnerability primarily affects appliances with non-standard configurations, enabling attackers to embed the backdoor into /data/web/euq_webui/htdocs/index.py using an encoded payload, which passively monitors for unauthenticated HTTP POST requests and executes shell commands after decoding them through a custom algorithm combined with Base64.
Cybersecurity researchers attribute this campaign with moderate confidence to UAT-9686, a Chinese-linked advanced persistent threat (APT) actor. Overlaps in tactics, techniques, procedures (TTPs), tooling, and infrastructure connect UAT-9686 with known groups like APT41 and UNC5174. The custom web implant AquaShell demonstrates sophisticated stealth and persistence techniques commonly observed in Chinese APT operations, highlighting the actor’s capability for long-term access and evasion. The campaign underscores the strategic targeting of email security platforms, which are critical for organizational communications and central oversight of policies, quarantine, and reporting.
The attackers enhance their intrusion capabilities with multiple supplementary tools. AquaTunnel, a Go ELF binary forked from ReverseSSH, establishes reverse SSH tunnels to bypass network defenses, while Chisel, an open-source tunneling tool, proxies TCP/UDP traffic over HTTP to facilitate internal pivoting. Additionally, AquaPurge is employed to scrub logs by filtering out keyword-matching entries via egrep, helping the threat actors maintain operational stealth. These tools collectively allow attackers to maintain persistent, covert access and perform lateral movement without immediate detection.
Indicators of compromise (IOCs) for this campaign include SHA256 hashes for the deployed tools—AquaTunnel (2db8ad6e0f43e93cc557fbda0271a436f9f2a478b1607073d4ee3d20a87ae7ef), AquaPurge (145424de9f7d5dd73b599328ada03aa6d6cdcee8d5fe0f7cb832297183dbe4ca), Chisel (85a0b22bd17f7f87566bd335349ef89e24a5a19f899825b4d178ce6240f58bfc), along with attacker-controlled IP addresses (172.233.67[.]176, 172.237.29[.]147, and 38.54.56[.]95). Cisco strongly advises customers to review the official advisory for mitigation steps, patch affected appliances, and monitor for these IOCs. This campaign illustrates the growing APT focus on email security infrastructure and the associated supply chain risks, emphasizing the need for proactive monitoring and rapid remediation.
Impact
- Remote Code Execution
Remediation
- Immediately update Cisco AsyncOS appliances (Secure Email Gateway and Secure Email and Web Manager) to the latest patched versions as per Cisco’s advisory.
- Check for the presence of AquaShell by inspecting /data/web/euq_webui/htdocs/index.py and other web directories for unauthorized Python scripts or encoded blobs.
- Identify and remove the associated attacker tools (AquaTunnel, Chisel, and AquaPurge) from affected systems.
- Monitor for unusual outbound connections, especially to the attacker IPs 172.233.67[.]176, 172.237.29[.]147, and 38.54.56[.]95, which may indicate active C2 tunnels.
- Review appliance logs for signs of tampering or unusual activity; be aware that AquaPurge may have filtered suspicious entries.
- Temporarily limit remote management and HTTP access to trusted IPs to reduce exposure to exploitation attempts.
- Change administrative and system-level passwords for all affected appliances to prevent unauthorized access.
- Enable intrusion detection and monitoring for anomalies in email gateway traffic and system commands.
- Ensure recent backups are secure and uninfected to allow recovery if compromise is detected.
- Report any confirmed compromises to Cisco and relevant cybersecurity authorities, and follow internal incident response protocols.
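The checks in the remediation steps above (known-hash lookup, inspection of index.py for an encoded blob, and outbound connections to the listed IPs) can be scripted for triage. This is an added hunting helper, not Cisco's tooling or the advisory's own code; the base64-length threshold, the keyword list, and the connection-line format are assumptions, and the sample inputs are constructed.

```python
import hashlib
import re
from typing import List, Optional, Tuple

# SHA256 indicators from the advisory, mapped to the tool they identify.
IOC_SHA256 = {
    "2db8ad6e0f43e93cc557fbda0271a436f9f2a478b1607073d4ee3d20a87ae7ef": "AquaTunnel",
    "145424de9f7d5dd73b599328ada03aa6d6cdcee8d5fe0f7cb832297183dbe4ca": "AquaPurge",
    "85a0b22bd17f7f87566bd335349ef89e24a5a19f899825b4d178ce6240f58bfc": "Chisel",
}
# Attacker-controlled IPs from the advisory, with the defanging brackets removed.
IOC_IPS = {"172.233.67.176", "172.237.29.147", "38.54.56.95"}

def match_hash(data: bytes) -> Optional[str]:
    """Return the tool name if the file content's SHA256 is a known indicator."""
    return IOC_SHA256.get(hashlib.sha256(data).hexdigest())

# Heuristics for an implanted web script such as a modified index.py: a long
# base64-looking literal plus decode/exec primitives. Threshold is an assumption.
_B64_BLOB = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")
_SUSPICIOUS = (b"base64", b"exec(", b"subprocess", b"os.popen", b"os.system")

def script_findings(source: bytes) -> List[str]:
    """List the suspicious traits found in a web script's source; empty if clean."""
    findings = []
    if _B64_BLOB.search(source):
        findings.append("long base64-like literal")
    findings += ["uses " + s.decode() for s in _SUSPICIOUS if s in source]
    return findings

def flagged_connections(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (src, dst) pairs whose destination is an advisory IP.
    Assumes lines shaped like 'src=10.0.0.5 dst=172.233.67.176 dport=443'."""
    hits = []
    for line in lines:
        m = re.search(r"src=(\S+)\s+dst=(\S+)", line)
        if m and m.group(2) in IOC_IPS:
            hits.append((m.group(1), m.group(2)))
    return hits

# Constructed samples: a stand-in implanted script and two connection records.
CONSTRUCTED_INDEX_PY = (b"import base64, subprocess\nPAYLOAD = '" + b"QUFB" * 70
                        + b"'\nexec(base64.b64decode(PAYLOAD))\n")
CONSTRUCTED_CONNS = ["src=10.0.0.5 dst=172.233.67.176 dport=443",
                     "src=10.0.0.5 dst=10.0.0.1 dport=25"]
```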