UAT-9686 actively targets Cisco Secure Email Gateway and Secure Email and Web Manager
The UAT-9686 advanced persistent threat (APT) group, linked to Chinese actors, is actively targeting Cisco Secure Email Gateway and Secure Email and Web Manager running AsyncOS software. Since late November 2025, the attackers have exploited non-standard configurations to execute system-level commands and deploy a persistent Python-based backdoor named AquaShell. They also use tools like AquaTunnel for reverse SSH tunneling, chisel for TCP/UDP tunneling, and AquaPurge for log clearing, enabling stealthy command execution and persistent access. This campaign threatens email security infrastructure by allowing attackers to create reverse connections to their servers and evade detection through log purging. The attack techniques align with known Chinese APT tactics, raising concerns about potential widespread impact on organizations relying on Cisco email security products. No CVE or patches are currently available, and exploitation does not require user interaction but depends on misconfigurations. The threat is assessed as medium severity but could escalate if left unmitigated.
AI Analysis
Technical Summary
UAT-9686 is a sophisticated Chinese-nexus APT group conducting an ongoing campaign targeting Cisco Secure Email Gateway and Secure Email and Web Manager devices running AsyncOS software. The attackers leverage non-standard or misconfigured deployments to execute arbitrary system-level commands, bypassing normal security controls. Central to their operation is the deployment of AquaShell, a Python-based backdoor that maintains persistence on compromised devices. AquaShell allows execution of encoded shell commands and facilitates communication with attacker-controlled infrastructure. Complementary tools include AquaTunnel, which establishes reverse SSH tunnels to enable remote access; chisel, a tool for TCP/UDP tunneling to bypass network restrictions; and AquaPurge, which clears logs to cover attacker activity and maintain stealth. The campaign uses techniques mapped to MITRE ATT&CK such as T1190 (exploitation of remote services), T1133 (external remote services), T1562.002 (impair defenses: disabling or evading logs), T1572 (protocol tunneling), T1505.003 (server software component: web shell), T1090.002 (proxy: SSH proxy), T1059.006 (command and scripting interpreter: Python), and T1071.001 (application layer protocol: Web protocols). No specific vulnerable versions or CVEs have been disclosed, and no known exploits in the wild have been confirmed yet. The campaign's reliance on misconfigurations rather than zero-day vulnerabilities suggests that proper configuration and monitoring are critical defenses. The threat actor's use of advanced tunneling and log clearing tools indicates a high level of operational security and intent to maintain long-term access to targeted email security infrastructure.
Potential Impact
European organizations using Cisco Secure Email Gateway and Secure Email and Web Manager are at risk of persistent compromise, leading to potential interception, manipulation, or disruption of email communications. Successful exploitation could result in unauthorized access to sensitive email data, enabling espionage, intellectual property theft, or further network infiltration. The use of reverse tunnels and log purging complicates detection and incident response, increasing dwell time and potential damage. Disruption of email security infrastructure could degrade organizational communication reliability and trust. Given the critical role of email gateways in enterprise security, this threat could impact confidentiality, integrity, and availability of email services. The campaign’s medium severity rating reflects the current lack of known exploits and reliance on misconfigurations, but the potential for escalation and lateral movement within networks remains significant. European sectors with high reliance on Cisco email security products, such as government, finance, and critical infrastructure, face elevated risks of targeted espionage or sabotage.
Mitigation Recommendations
1. Conduct immediate audits of Cisco Secure Email Gateway and Secure Email and Web Manager configurations to identify and remediate non-standard or insecure settings that could be exploited.
2. Implement strict access controls and network segmentation to limit exposure of management interfaces and reduce attack surface.
3. Deploy enhanced monitoring and logging with integrity checks to detect anomalous command executions, reverse tunnels, and log tampering attempts.
4. Use network intrusion detection systems (NIDS) and endpoint detection and response (EDR) solutions tuned to identify AquaShell, AquaTunnel, chisel, and AquaPurge indicators.
5. Regularly update and patch Cisco AsyncOS software as updates become available, even though no patches are currently released for this campaign.
6. Employ multi-factor authentication (MFA) and strong credential management to prevent unauthorized access.
7. Conduct threat hunting exercises focusing on the identified hashes and IP indicators to detect early signs of compromise.
8. Establish incident response plans specifically addressing email gateway compromises, including forensic analysis of logs and network traffic.
9. Collaborate with Cisco and cybersecurity communities for timely intelligence sharing and mitigation guidance.
10. Restrict outbound network connections from email gateway devices to only trusted destinations to hinder reverse tunneling.
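The following script is an added example, not code from the original advisory, Talos or Cisco. It implements recommendations 7 and 10 above on the defender's side: it sweeps a directory for files whose SHA-256 matches the hashes published on this page, scans log lines for the published IP, and flags outbound connections to destinations outside an allowlist, which is how an unexpected reverse tunnel would surface in connection logs. The `outbound dst=<ip>:<port>` line shape, the sample log lines and the `OUTBOUND_ALLOWLIST` ranges are constructed assumptions; AsyncOS's real log formats differ and the regex would need to be adapted to the log you actually export.

```python
"""IoC sweep for the UAT-9686 indicators on this page (added example).

Hashes files under a directory with SHA-256, scans log lines for the
published IP, and flags outbound connections to non-allowlisted
destinations. Log format and allowlist below are constructed assumptions.
"""
import hashlib
import ipaddress
import re
from pathlib import Path
from typing import Iterable, List, Tuple

# Indicators published on this page (SHA-256 file hashes and one IP).
IOC_HASHES = {
    "145424de9f7d5dd73b599328ada03aa6d6cdcee8d5fe0f7cb832297183dbe4ca",
    "2db8ad6e0f43e93cc557fbda0271a436f9f2a478b1607073d4ee3d20a87ae7ef",
    "85a0b22bd17f7f87566bd335349ef89e24a5a19f899825b4d178ce6240f58bfc",
}
IOC_IPS = {"38.54.56.95"}

# Assumption: the only destinations the gateway should reach outbound
# (internal relays, update servers). Anything else is worth a look.
OUTBOUND_ALLOWLIST = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Constructed log line shape: "... outbound dst=<ip>:<port> ..."
OUTBOUND_RE = re.compile(r"outbound\s+dst=(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory buffer."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, streamed in 1 MiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_files(root: Path) -> List[Tuple[str, str]]:
    """Return (path, digest) for every file under root matching an IoC hash."""
    hits = []
    for p in root.rglob("*"):
        if p.is_file():
            digest = sha256_file(p)
            if digest in IOC_HASHES:
                hits.append((str(p), digest))
    return hits


def hunt_log_lines(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, reason, line) for lines an analyst should review.

    reason is "ioc-ip" when a published IP appears anywhere on the line,
    or "unexpected-outbound" when an outbound connection targets an
    address outside OUTBOUND_ALLOWLIST.
    """
    findings = []
    for no, line in enumerate(lines, 1):
        if set(IPV4_RE.findall(line)) & IOC_IPS:
            findings.append((no, "ioc-ip", line))
            continue
        m = OUTBOUND_RE.search(line)
        if m:
            dst = ipaddress.ip_address(m.group(1))
            if not any(dst in net for net in OUTBOUND_ALLOWLIST):
                findings.append((no, "unexpected-outbound", line))
    return findings


# Constructed sample log lines (not real AsyncOS output).
SAMPLE_LOG = [
    "2025-12-01T10:00:01Z gateway outbound dst=10.0.0.25:25 proto=tcp",
    "2025-12-01T10:00:05Z gateway outbound dst=38.54.56.95:443 proto=tcp",
    "2025-12-01T10:00:09Z gateway outbound dst=203.0.113.7:22 proto=tcp",
    "2025-12-01T10:01:00Z gateway inbound src=198.51.100.4 proto=tcp",
]

if __name__ == "__main__":
    for no, reason, line in hunt_log_lines(SAMPLE_LOG):
        print(f"line {no}: {reason}: {line}")
    for path, digest in hunt_files(Path(".")):
        print(f"IoC hash match: {path} {digest}")
```

Run against the sample lines, the script reports line 2 (published IP) and line 3 (outbound SSH-port connection to an address outside the allowlist); line 1 is allowlisted and line 4 is inbound. The allowlist check matters because the tunneling tools named above connect out from the gateway, so a hash sweep alone misses an established tunnel whose binary was already removed or renamed.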
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Belgium, Sweden
Indicators of Compromise
- hash: 145424de9f7d5dd73b599328ada03aa6d6cdcee8d5fe0f7cb832297183dbe4ca
- hash: 2db8ad6e0f43e93cc557fbda0271a436f9f2a478b1607073d4ee3d20a87ae7ef
- hash: 85a0b22bd17f7f87566bd335349ef89e24a5a19f899825b4d178ce6240f58bfc
- ip: 38.54.56.95
Technical Details
- Author: AlienVault
- TLP: white
- References: https://blog.talosintelligence.com/uat-9686/
- Adversary: UAT-9686
- Pulse Id: 69430d7cff09ca0ae82947d2
- Threat Score: null
Threat ID: 69433981058703ef3fd473c8
Added to database: 12/17/2025, 11:15:13 PM
Last enriched: 12/17/2025, 11:26:42 PM
Last updated: 12/18/2025, 1:35:51 PM