Attackers Use Stolen AWS Credentials in Cryptomining Campaign (admin, 2025-12-17 17:06:46)
Looking for the best AI video enhancer in 2025? Explore top AI tools to upscale videos, restore clarity, reduce noise, and achieve stunning 4K quality in just a few clicks.
Source: Hackread – Cybersecurity News, Data Breaches, AI, and More
10 Best AI Video Enhancers in 2025 to Instantly Boost Video Quality (admin, 2025-12-17 17:06:46)
· Cisco Talos recently discovered a campaign targeting Cisco AsyncOS Software for Cisco Secure Email Gateway, formerly known as Cisco Email Security Appliance (ESA), and Cisco Secure Email and Web Manager, formerly known as Cisco Content Security Management Appliance (SMA).
· We assess with moderate confidence that the adversary, who we are tracking as UAT-9686, is a Chinese-nexus advanced persistent threat (APT) actor whose tool use and infrastructure are consistent with other Chinese threat groups.
· As part of this activity, UAT-9686 deploys a custom persistence mechanism we track as “AquaShell” accompanied by additional tooling meant for reverse tunneling and purging logs.
· Our analysis indicates that the compromised appliances we have observed are those with non-standard configurations, as described in Cisco’s advisory.
Cisco Talos is tracking the active targeting of Cisco AsyncOS Software for Cisco Secure Email Gateway, formerly known as Cisco Email Security Appliance (ESA), and Cisco Secure Email and Web Manager, formerly known as Cisco Content Security Management Appliance (SMA), enabling attackers to execute system-level commands and deploy a persistent Python-based backdoor, AquaShell. Cisco became aware of this activity on December 10; it has been ongoing since at least late November 2025. Additional tools observed include AquaTunnel (reverse SSH tunnel), chisel (another tunneling tool), and AquaPurge (log-clearing utility). Talos’ analysis indicates that the compromised appliances we have observed are those with non-standard configurations, as described in Cisco’s advisory.
The Cisco Secure Email and Web Manager centralizes management and reporting functions across multiple Cisco Email Security Appliances (ESAs) and Web Security Appliances (WSAs), offering centralized services such as spam quarantine, policy management, reporting, tracking, and configuration management to simplify administration and enhance security enforcement.
Customers are strongly advised to follow the guidance published in the security advisories discussed below. Additional recommendations specific to Cisco are available here.
Talos assesses with moderate confidence that this activity is being conducted by a Chinese-nexus threat actor, which we track as UAT-9686. We have observed overlaps in tactics, techniques and procedures (TTPs), infrastructure, and victimology between UAT-9686 and other Chinese-nexus threat actors Talos tracks. Tooling used by UAT-9686, such as AquaTunnel (aka ReverseSSH), also aligns with previously disclosed Chinese-nexus APT groups such as APT41 and UNC5174. Additionally, the tactic of using a custom-made web-based implant such as AquaShell is increasingly being adopted by highly sophisticated Chinese-nexus APTs.
AquaShell
AquaShell is a lightweight Python backdoor that is embedded into an existing file within a Python-based web server. The backdoor is capable of receiving encoded commands and executing them in the system shell. It listens passively for unauthenticated HTTP POST requests containing specially crafted data. If such a request is identified, the backdoor will then attempt to parse the contents using a custom decoding routine and execute them in the system shell.
AquaShell is delivered as an encoded data blob that is decoded and ultimately placed in “/data/web/euq_webui/htdocs/index.py”.
The result of decoding the data blob is the Python code that constitutes the AquaShell backdoor. AquaShell parses the HTTP POST request, decodes it using a combination of a custom algorithm and Base64 decoding, and executes the resulting commands on the appliance.
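An implant of the kind described above lives inside a legitimate Python web handler, so one defensive check is to scan the handler's source for functions that both decode request data and hand the result to a shell. The following is an added example, not Talos or Cisco code; the sink and decoder name lists, and the fixture file it scans, are this example's own assumptions.

```python
import ast

# Assumption: an AquaShell-style implant pairs a decode step with a shell sink
# inside one request handler. These name sets are the example's own choice.
SHELL_SINKS = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen",
               "subprocess.call", "subprocess.check_output"}
DECODE_SOURCES = {"base64.b64decode", "base64.decodebytes", "codecs.decode"}

def _dotted_name(node):
    """Turn the callee of a Call node into 'module.attr' form, or None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def scan_handler_source(source):
    """List functions that both decode data and pass something to a shell."""
    findings = []
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        decodes, sinks = set(), set()
        for call in ast.walk(fn):
            if isinstance(call, ast.Call):
                name = _dotted_name(call.func)
                if name in DECODE_SOURCES:
                    decodes.add(name)
                elif name in SHELL_SINKS:
                    sinks.add(name)
        if decodes and sinks:
            findings.append({"function": fn.name, "line": fn.lineno,
                             "decodes": sorted(decodes), "sinks": sorted(sinks)})
    return findings

# Constructed fixture standing in for a web-UI handler file: one benign view
# plus one function showing the decode-then-execute shape. Not appliance code.
SAMPLE = '''
import base64, os, subprocess

def render_page(req):
    return "<html>%s</html>" % req.args.get("page", "1")

def do_POST(req):
    payload = base64.b64decode(req.body)
    subprocess.run(payload, shell=True)
'''
```

Run `scan_handler_source(open(path).read())` against a copy of the handler file and compare the result with a known-good build; a file-hash comparison against the vendor image is the simpler complementary check.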
AquaPurge
AquaPurge removes lines containing specific keywords from the specified log files. It uses the “egrep” command with inverted matching to keep only the lines that do not contain the keywords, then writes that filtered output back over the original log files.
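Because the purge is an inverted grep whose output is written back into a log path, process-execution telemetry is a natural place to detect it. The following is an added example, not Talos or Cisco code: it assumes telemetry lines that carry the executed command in a cmd="..." field and a constructed notion of which paths are log files, neither of which is the real AsyncOS log format.

```python
import re
import shlex

# Assumptions (constructed for this example): log files live under /var/log or
# /data/log or end in ".log"; telemetry lines carry the command in cmd="...".
LOG_PATH = re.compile(r"^(?:/var/log/|/data/log/)|\.log$")
CMD_FIELD = re.compile(r'cmd="([^"]*)"')
GREPS = {"grep", "egrep", "fgrep"}

def tokenize(cmd):
    """Shell-aware split: quoted patterns stay whole; ; && | > become tokens."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    lex.commenters = ""  # '#' inside a grep pattern is not a comment
    return list(lex)

def analyze_command(cmd):
    """True when an inverted grep and a redirect into a log file share one line."""
    toks, segments, cur, overwrote_log, i = tokenize(cmd), [], [], False, 0
    while i < len(toks):
        if toks[i] in (";", "&&", "||", "|"):
            segments.append(cur)
            cur = []
        elif toks[i] in (">", ">>") and i + 1 < len(toks):
            overwrote_log |= bool(LOG_PATH.search(toks[i + 1]))
            i += 1  # skip the redirect target
        else:
            cur.append(toks[i])
        i += 1
    segments.append(cur)
    inverted = False
    for seg in segments:
        if seg and seg[0].rsplit("/", 1)[-1] in GREPS:
            opts = [a for a in seg[1:] if a.startswith("-")]
            inverted |= "--invert-match" in opts or any(
                "v" in o[1:] for o in opts if not o.startswith("--"))
    return inverted and overwrote_log

# Constructed process-telemetry lines; only the first and last show the pattern.
TELEMETRY = [
    'ts=2025-11-28T02:11:09Z uid=0 cmd="egrep -v \'KEYWORD_A|KEYWORD_B\' /data/log/app.log > /tmp/.t && cat /tmp/.t > /data/log/app.log"',
    'ts=2025-11-28T02:12:40Z uid=0 cmd="grep -c ERROR /data/log/app.log"',
    'ts=2025-11-28T02:13:02Z uid=0 cmd="egrep -v \'^#\' /etc/hosts > /tmp/hosts.clean"',
    'ts=2025-11-28T02:14:55Z uid=0 cmd="grep --invert-match noise /var/log/mail.log > /var/log/mail.log"',
]

def find_log_purges(lines):
    """Return the ts= field of every telemetry line matching the purge pattern."""
    return [ln.split()[0] for ln in lines
            if (m := CMD_FIELD.search(ln)) and analyze_command(m.group(1))]
```

A rewrite via a temporary file plus `mv` is not caught by this heuristic; forwarding logs off-box as they are written is what makes a purge recoverable regardless of the exact command used.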
AquaTunnel
AquaTunnel is a compiled Go ELF binary based on the open-source “ReverseSSH” backdoor. AquaTunnel creates a reverse SSH connection from the compromised system back to an attacker‑controlled server, enabling unauthorized remote access even when the system is behind firewalls or NAT.
Chisel
Chisel is an open‑source tunneling tool that supports creating TCP/UDP tunnels over a single‑port HTTP‑based connection. Chisel allows an attacker to proxy traffic through a compromised edge device, allowing them to easily pivot through that device into the internal environment.
Coverage and remediation
Recommendations for Cisco customers are available here. If your organization does find connections to the provided actor Indicators of Compromise (IOCs), please open a case with Cisco TAC.
All IOCs, including IPs and file hashes determined to be associated with this campaign, have been blocked across the Cisco portfolio.
IOCs
The IOCs can also be found in our GitHub repository here.
UAT-9686 actively targets Cisco Secure Email Gateway and Secure Email and Web Manager (admin, 2025-12-17 17:06:39)
Google Maps just got its biggest upgrade in years, and it changes how you navigate (for the better) (admin, 2025-12-17 16:07:33)
Why I reach for this budget Android tablet over my iPad for entertainment now (admin, 2025-12-17 15:06:57)
France’s Interior Ministry said it is investigating the “reality and scope” of a post on a cybercrime forum by a user claiming to have hacked the institution.
NMFTA Warns of Surge and Sophistication of Cyber-Enabled Cargo Theft (admin, 2025-12-17 14:06:47)
The Australian Cyber Security Centre (ACSC) has published a new guide, Quantum Technology Primer: Overview, aimed at helping organizations understand the field of quantum technologies for cybersecurity. The publication is part of a bigger effort to raise awareness and preparedness as quantum capabilities move closer to practical deployment across digital systems and organizational infrastructure.
The primer provides a foundational understanding of key quantum technologies, the scientific principles behind them, and the cybersecurity considerations organizations need to address today to prepare for a quantum-enabled future. According to the ACSC, this guidance is essential for cybersecurity leaders, IT managers, and decision-makers responsible for technology strategy and risk management.
Foundations of Quantum Technology
Quantum technologies rely on principles of quantum mechanics, the branch of physics that describes the behavior of matter and energy at atomic and subatomic scales. Two core concepts underpin these technologies: superposition and entanglement.
Superposition allows a particle to exist in multiple states simultaneously, collapsing to a single state only when measured. In practical terms, this property enables quantum systems to evaluate many potential outcomes at once, offering computational advantages far beyond classical computers.
Entanglement occurs when particles share a quantum state, creating correlations that persist even across great distances. Measuring one particle instantaneously provides information about the other. This capability underpins emerging quantum communication methods and has significant implications for secure data transmission.
The ACSC emphasizes that understanding these principles is no longer relevant only to quantum specialists. Decision-makers must grasp the basics to integrate quantum cybersecurity considerations into organizational planning effectively.
Implications for Cybersecurity and Business Functions
While many quantum technologies remain in development, their potential impact on digital systems, data protection, and organizational resilience is significant. The ACSC’s Technology Primer notes that quantum computing could render some current cryptographic methods obsolete.
“Preparing now for quantum technologies is crucial,” the ACSC states. “Adopting post-quantum cryptography is a key step, as capable quantum computers will break some existing encryption. Organizations that delay preparation risk vulnerabilities and costly remediation.”
The primer outlines several proactive steps organizations can take:
· Ensure cybersecurity plans are current and aligned with industry best practices.
· Develop and implement strategies for PQC across networks.
· Assess risks across data lifecycles and safeguard sensitive information.
· Verify that service providers and vendors comply with quantum readiness plans.
· Continue staff training to reinforce good cybersecurity practices.
By incorporating these measures, organizations can strengthen their resilience and reduce potential threats from new quantum technologies.
Types of Quantum Technologies Covered
The ACSC primer details several categories of quantum technologies that could affect business and cybersecurity landscapes:
· Quantum Computing: From noisy intermediate-scale quantum computers to cryptographically relevant systems capable of challenging classical encryption.
· Quantum Information Sciences: Includes quantum communications using quantum key distribution (QKD) and quantum networking, which could redefine secure data transfer.
· Quantum Sensors: Devices that leverage quantum mechanics to achieve unprecedented precision in measurement and sensing applications.
Although most quantum technologies are still in the early stages, some are already integrated into research, development, and pilot implementations. The ACSC notes that as these technologies mature, they will become part of organizational supply chains and digital infrastructure, making awareness and preparedness essential.
Quantum Cybersecurity as a Strategic Necessity
The ACSC’s Technology Primer highlights quantum cybersecurity as a strategic priority, weighing both the risks and the opportunities of quantum technologies. Organizations that plan for quantum today will be better prepared for a future where these technologies are standard. Cyble’s AI-powered threat intelligence and autonomous security solutions help identify new cyber threats, protect data, and maintain resilience.
Schedule a free demo to see how Cyble can protect your organization better!
New $150 Cellik RAT Grants Android Control, Trojanizes Google Play Apps (admin, 2025-12-17 13:06:42)