UAT-9686 actively targets Cisco Secure Email Gateway and Secure Email and Web Manager

Dec. 21, 2025, 7:35 p.m.

Description

A Chinese-nexus advanced persistent threat actor, UAT-9686, is actively targeting Cisco AsyncOS Software for Secure Email Gateway and Secure Email and Web Manager. The campaign, ongoing since late November 2025, exploits non-standard configurations to execute system-level commands and deploy a persistent Python-based backdoor called AquaShell. Additional tools observed include AquaTunnel for reverse SSH tunneling, chisel for TCP/UDP tunneling, and AquaPurge for log clearing. The attackers can execute encoded commands in the system shell and establish reverse connections to attacker-controlled servers. The tooling and tactics align with those used by other Chinese APT groups, raising concern about widespread impact on email security infrastructure.

Date

  • Created: Dec. 17, 2025, 8:07 p.m.
  • Published: Dec. 17, 2025, 8:07 p.m.
  • Modified: Dec. 21, 2025, 7:35 p.m.

Indicators

  • 2db8ad6e0f43e93cc557fbda0271a436f9f2a478b1607073d4ee3d20a87ae7ef
  • 145424de9f7d5dd73b599328ada03aa6d6cdcee8d5fe0f7cb832297183dbe4ca
  • 85a0b22bd17f7f87566bd335349ef89e24a5a19f899825b4d178ce6240f58bfc
  • 38.54.56.95

Attack Patterns