Cisco Email Gateways Under Attack by Chinese APT Group
Chinese threat actor UAT-9686 deploys AquaShell backdoor on Cisco Secure Email Gateway appliances with custom persistence.
Cisco Talos has uncovered an ongoing campaign compromising network security appliances used by organizations worldwide to filter email threats. The attacks target Cisco AsyncOS software running on Secure Email Gateway and Secure Email and Web Manager products, granting attackers system-level access and the ability to deploy sophisticated backdoors.
Cisco became aware of this activity on December 10, 2025, with the attack enabling system-level command execution and persistent backdoor deployment on compromised appliances. The campaign assessment carries moderate confidence regarding attribution to Chinese threat operations based on infrastructure overlaps, tooling similarities, and tactical patterns consistent with previously documented Chinese APT groups.
Cisco Talos documented a sophisticated operation employing four distinct tools designed to establish persistent access, create covert communication channels, and erase evidence of intrusion. The research reveals a methodical approach to compromising and maintaining control over email security infrastructure.
AquaShell: The Primary Backdoor
At the center of the campaign sits AquaShell, a lightweight backdoor written in Python that attackers embed directly into existing files within the web server running on Cisco appliances. Rather than deploying a standalone malicious program that might trigger security alerts, the threat actor modified legitimate system files to hide their backdoor within normal operations. AquaShell waits silently for specially crafted web requests, processes encoded commands sent by the attackers, and executes those commands at the system level. This design allows the backdoor to blend into regular web traffic while providing comprehensive control over the compromised appliance.
Remote Access and Network Pivoting
Beyond the primary backdoor, UAT-9686 deployed additional tools to maintain access and expand their reach. The campaign utilized AquaTunnel, a tool based on open-source software that creates reverse connections back to attacker-controlled servers. This technique allows the threat actor to maintain access even when the compromised system sits behind firewalls, as the connection originates from inside the protected network. The research also identified use of Chisel, another tunneling tool that enables attackers to route traffic through the compromised email security gateway into the organization's internal network. This effectively transforms the security appliance into a permanent entry point for broader network compromise.
Covering Their Tracks
The fourth component, AquaPurge, demonstrates the threat actor's focus on operational security. This log-clearing utility removes specific entries from system logs that would reveal attacker activity. By sanitizing logs while operations are ongoing, UAT-9686 reduces the likelihood of detection by security monitoring systems and complicates forensic investigations if the breach is discovered.
The targeting of email security appliances represents a calculated strategic choice by UAT-9686. These systems occupy a unique position in enterprise networks, sitting at the perimeter where they process all incoming and outgoing email communications. Compromising this infrastructure provides several advantages to attackers conducting espionage operations.
Email security gateways have visibility into organizational communications, including sensitive business discussions, proprietary information, and communications with partners and customers. Attackers controlling these systems can intercept messages, potentially modify them, or simply monitor communications for intelligence collection. The centralized management functions of Cisco Secure Email and Web Manager amplify this access, as compromise of management systems can provide insight into security policies and potentially facilitate attacks against multiple connected appliances.
The focus on appliances with non-standard configurations suggests UAT-9686 invested time in reconnaissance before launching attacks. This targeting specificity indicates the threat actor understands Cisco deployment patterns and can identify systems where configuration deviations might present reduced security monitoring or additional vulnerabilities. Such reconnaissance capabilities point to a well-resourced operation with experience targeting Cisco infrastructure.
Cisco Talos researchers identified several factors supporting their assessment that UAT-9686 operates as part of Chinese state-sponsored cyber operations. The tooling employed in the campaign, particularly the reverse SSH tunneling capability, aligns with tools used by previously documented Chinese threat groups including APT41 and UNC5174. The approach of deploying custom web-based backdoors embedded within legitimate system files represents a technique increasingly adopted by sophisticated Chinese operations.
The campaign's victimology and infrastructure characteristics also show overlaps with other Chinese threat actor operations tracked by Talos. While the researchers assign moderate confidence to this attribution, the convergence of multiple indicators paints a consistent picture of Chinese APT operations targeting Western enterprise infrastructure for intelligence collection purposes.
Organizations operating Cisco Secure Email Gateway or Secure Email and Web Manager face immediate risk from this campaign. Cisco Talos and Cisco have published detailed security advisories with specific guidance for customers. Organizations should treat these recommendations as urgent priorities.
Immediate Actions:
Security teams should immediately review Cisco's published security advisories and implement all recommended protections. Organizations that identify any indicators associated with this campaign should open cases with the Cisco Technical Assistance Center for incident response support. Cisco has blocked all known indicators across its security portfolio and continues monitoring for additional compromise indicators.
Configuration and Monitoring:
Administrators should audit their email security appliance configurations against Cisco's standard hardening guidelines, paying particular attention to any non-standard settings. The research indicates these configuration deviations may have contributed to successful compromises. Organizations should also implement enhanced monitoring for unusual web traffic patterns directed at email security appliances, particularly looking for unexpected encoded data in web requests.
Log Management:
Given the threat actor's use of log-clearing utilities, organizations should establish real-time forwarding of logs from email security appliances to external systems. This prevents attackers from retroactively removing evidence of compromise from local logs. Security operations teams should review historical logs for gaps or anomalies that might indicate prior tampering.
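As an added illustration of the monitoring and log-review advice above (not code from Cisco or Talos), the following Python scanner runs over constructed request-log lines and flags two things: query values that are long and base64-shaped, which the page identifies as a sign of encoded data in web requests, and timestamp gaps in a log copy that warrant comparison against the externally forwarded copy. The log layout, paths and values are assumptions; the real AsyncOS log format is not described on the page.

```python
import base64
import re
from datetime import datetime

# Constructed sample lines in a generic "timestamp method path status" layout; an assumption
# for illustration, since the real AsyncOS log format is not described on the page.
ENCODED = base64.b64encode(b"constructed-sample-payload-1").decode()
SAMPLE_LOG = f"""\
2025-12-01T10:00:05Z GET /help/index.html 200
2025-12-01T10:00:40Z GET /login 200
2025-12-01T10:01:10Z POST /login 302
2025-12-01T10:02:00Z GET /monitor/status?q={ENCODED} 200
2025-12-01T10:02:30Z GET /search?q=quarterly 200
2025-12-01T13:30:00Z GET /help/index.html 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")  # long base64-alphabet run, optional padding


def parse(log_text):
    """Parse lines into (timestamp, method, path, status) tuples, skipping malformed lines."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            entries.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return entries


def looks_encoded(value):
    """True if a query value is base64-shaped and decodes under strict validation."""
    try:
        return bool(B64_RE.match(value)) and base64.b64decode(value, validate=True) is not None
    except ValueError:  # binascii.Error (bad alphabet or padding) is a ValueError subclass
        return False


def encoded_requests(entries):
    """Return (timestamp, path) for requests carrying a base64-looking query value."""
    hits = []
    for ts, _method, path, _status in entries:
        _, _, query = path.partition("?")
        values = (kv.partition("=")[2] for kv in query.split("&") if kv)
        if any(looks_encoded(v) for v in values):
            hits.append((ts, path))
    return hits


def silent_gaps(entries, max_gap_seconds):
    """Consecutive entries further apart than expected; check these windows against the forwarded copy."""
    return [(p[0], c[0]) for p, c in zip(entries, entries[1:])
            if (c[0] - p[0]).total_seconds() > max_gap_seconds]
```

A gap on its own can be ordinary quiet time; the tampering signal is a window that is present in the forwarded copy but missing from the appliance's local log.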
For complete technical indicators of compromise, detailed detection guidance, and specific remediation steps, organizations should consult the full research published on the Cisco Talos Intelligence blog at blog.talosintelligence.com.
The UAT-9686 campaign against Cisco email security infrastructure demonstrates the continuing threat posed by state-sponsored actors to enterprise perimeter defenses. The threat actor's success in maintaining access from late November through mid-December before detection highlights the sophistication of their operational security and the effectiveness of embedding backdoors within legitimate system functionality. Organizations relying on email security appliances as critical perimeter defenses must recognize these systems as high-value targets requiring the same security scrutiny and rapid patching cycles as other critical infrastructure. The month-long compromise window before discovery underscores the importance of proactive threat hunting and comprehensive logging strategies that prevent attackers from concealing their activities. As Chinese APT groups continue refining their techniques for targeting security infrastructure itself, organizations must adapt their defensive postures accordingly, treating security appliances not as trusted systems but as potential compromise targets requiring continuous monitoring and validation.