Summary: Cisco Talos has identified a targeted campaign against Cisco Secure Email Gateway (formerly ESA) and Cisco Secure Email and Web Manager (formerly SMA) running Cisco AsyncOS. The activity, which began in late November 2025, involves the exploitation of appliances with non-standard configurations to execute system-level commands. Once initial access is achieved, the threat actor deploys a suite of custom tools, most notably AquaShell, a persistent Python-based backdoor. This implant is embedded into legitimate web server files, specifically index[.]py, and allows unauthenticated command execution via specially crafted HTTP POST requests. To maintain access and obscure their presence, the attackers use AquaTunnel (a modified version of the open-source ReverseSSH) and Chisel for network pivoting and reverse tunneling. Additionally, they employ a utility called AquaPurge, which leverages egrep to surgically remove specific keywords from system logs, effectively sanitizing the appliance of forensic traces. Cisco Talos became aware of the intrusion on December 10, 2025, and continues to monitor the campaign's progression.
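The two tradecraft points in the summary above, an implant embedded into an existing web server file and keyword-based log purging, each leave a defender-side signal: the file's hash no longer matches a known-good baseline, and an off-box copy of the log contains lines the on-box copy no longer has. The script below is an added example, not code from the Talos report or from Cisco; the log lines, hostnames, addresses and the sample `index.py` it creates in a temporary directory are all constructed for illustration.

```python
import hashlib
import tempfile
from collections import Counter
from pathlib import Path

# Constructed sample log lines. REMOTE_LOG_LINES is what a syslog collector
# received before any tampering; LOCAL_LOG_LINES is the on-box log after every
# line containing one keyword (here the address 198.51.100.23) was stripped,
# which is the effect of a keyword-based egrep purge as described above.
REMOTE_LOG_LINES = [
    "Dec 11 02:14:01 mailgw gui_logs: Info: admin login from 192.0.2.10",
    "Dec 11 02:14:09 mailgw gui_logs: Info: req:198.51.100.23 POST /index.py status:200",
    "Dec 11 02:14:09 mailgw gui_logs: Info: req:198.51.100.23 POST /index.py status:200",
    "Dec 11 02:15:30 mailgw system_logs: Info: scheduled report generated",
    "Dec 11 02:16:02 mailgw gui_logs: Info: req:198.51.100.23 POST /index.py status:200",
    "Dec 11 02:20:00 mailgw system_logs: Info: backup completed",
]
LOCAL_LOG_LINES = [
    "Dec 11 02:14:01 mailgw gui_logs: Info: admin login from 192.0.2.10",
    "Dec 11 02:15:30 mailgw system_logs: Info: scheduled report generated",
    "Dec 11 02:20:00 mailgw system_logs: Info: backup completed",
]


def find_purged_lines(remote_lines, local_lines):
    """Return lines present in the off-box copy but absent on-box, in order.

    A multiset is used so that repeated identical log lines (common for
    polling traffic) are counted correctly instead of collapsed.
    """
    remaining = Counter(local_lines)
    purged = []
    for line in remote_lines:
        if remaining[line] > 0:
            remaining[line] -= 1
        else:
            purged.append(line)
    return purged


def sha256_tree(root):
    """Map each regular file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(
                path.read_bytes()
            ).hexdigest()
    return digests


def compare_baseline(baseline, current):
    """Return (modified, added, removed) relative paths between two hash maps."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def demo_integrity_check():
    """Baseline a constructed web root, alter one file, and report the drift.

    The appended bytes are a harmless comment; the point is only that any
    change to a baselined file surfaces as 'modified'.
    """
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp)
        (webroot / "index.py").write_text("print('constructed placeholder page')\n")
        (webroot / "static").mkdir()
        (webroot / "static" / "style.css").write_text("body { margin: 0; }\n")
        baseline = sha256_tree(webroot)

        # Simulated unexpected change to a file that should never drift.
        with (webroot / "index.py").open("a") as fh:
            fh.write("# appended after baseline\n")

        return compare_baseline(baseline, sha256_tree(webroot))


if __name__ == "__main__":
    for line in find_purged_lines(REMOTE_LOG_LINES, LOCAL_LOG_LINES):
        print("missing on-box:", line)
    modified, added, removed = demo_integrity_check()
    print("modified:", modified, "added:", added, "removed:", removed)
```

In practice the baseline would be taken from a known-good appliance image and stored off-box, and the log comparison would run against a collector the appliance cannot write to, so that a purge on the appliance cannot also erase the reference copy.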
Security Officer Comments: Cisco Talos researchers assess with moderate confidence that this activity is the work of a Chinese-nexus advanced persistent threat (APT) designated UAT-9686. This assessment is based on significant overlaps in infrastructure and TTPs with established groups like APT41 and UNC5174, particularly the reliance on the "ReverseSSH" framework. The deployment of a custom, web-based Python implant like AquaShell is a hallmark of sophisticated Chinese espionage operations, which increasingly prioritize "living-off-the-land" within edge device environments to bypass traditional endpoint detection. Cisco Talos researchers further assess that the focus on appliances with "non-standard configurations" suggests that the threat actor is specifically hunting for environmental weaknesses, such as exposed management interfaces or disabled security features, rather than relying solely on 0-day vulnerabilities.
Suggested Corrections: Recommendations for Cisco customers are available in the Talos blog post linked below. If your organization finds connections to the provided actor indicators of compromise (IOCs), please open a case with Cisco TAC.
All IOCs, including IPs and file hashes determined to be associated with this campaign, have been blocked across the Cisco portfolio.
Link(s): https://blog.talosintelligence.com/uat-9686/