Mallory
Malware | Used by 1 actor | Exploits 2 CVEs

SEASPY

SEASPY is a backdoor used by the China-nexus espionage actor UNC4841 in the Barracuda Networks Email Security Gateway (ESG) intrusion campaign. It was deployed on compromised Barracuda ESG appliances after exploitation of Barracuda zero-day vulnerabilities, including CVE-2023-2868 via malicious email attachments and later CVE-2023-7102 to reinstall updated variants. Reporting describes SEASPY as a backdoor masquerading as "BarracudaMailService" and triggered by specially crafted "magic packets." UNC4841 deployed SEASPY alongside SALTWATER and SEASIDE to establish presence and maintain access on Barracuda ESG appliances, in some cases for up to eight months.

Mandiant reporting cited in the content states UNC4841 rapidly modified SEASPY and related components after Barracuda remediation efforts in May 2023, including changes across multiple SEASPY components between May 22 and May 24, 2023. The actor persistently executed SEASPY on appliance reboot by adding execution of "/sbin/BarracudaMailService eth0" to "/etc/init.d/rc" and time-stomping the file, and later maintained persistence by inserting a SEASPY execution command into an update_version Perl script executed by the appliance. UNC4841 also deployed the SANDBAR Linux rootkit, which Mandiant assessed was likely intended to hide SEASPY when it was deployed under the name "BarracudaMailService."
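The persistence and anti-forensic details above (the "/sbin/BarracudaMailService eth0" line appended to /etc/init.d/rc, the system('<PATH_TO_SEASPY> eth0') call inserted into the update_version Perl script, and time-stomping of the modified file) translate directly into host-side hunt checks. The following is an added defensive example written for this page; it is not Mallory's, Mandiant's or Barracuda's code. The indicator strings come from the reporting quoted on this page; the file contents, timestamps, function names and the five-minute time-stomp threshold are constructed assumptions for illustration.

```python
"""Hunt for SEASPY persistence indicators on a Linux mail appliance.

Added example (not from Mallory or the cited reporting). Indicator strings are
the ones the reporting names; sample file contents and timestamps below are
constructed, not captured from a real appliance.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Execution line the actor appended to /etc/init.d/rc, per the reporting.
RC_INDICATOR = "/sbin/BarracudaMailService eth0"

# Perl system() call of the form system('<path> eth0'), the shape reported
# for the insertion into the update_version script. The path is captured.
PERL_HOOK_RE = re.compile(r"""system\(\s*['"](\S+)\s+eth0['"]\s*\)""")


@dataclass
class Finding:
    source: str               # file or check that produced the finding
    detail: str               # what was matched
    line_no: Optional[int] = None


def find_rc_persistence(rc_text: str) -> List[Finding]:
    """Flag uncommented init-script lines that launch the masqueraded service."""
    findings = []
    for n, line in enumerate(rc_text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue  # commented-out lines never execute
        if RC_INDICATOR in stripped:
            findings.append(Finding("/etc/init.d/rc", stripped, n))
    return findings


def find_perl_hook(perl_text: str) -> List[Finding]:
    """Flag system('<path> eth0') calls inserted into the update_version script."""
    findings = []
    for n, line in enumerate(perl_text.splitlines(), start=1):
        m = PERL_HOOK_RE.search(line)
        if m:
            findings.append(Finding("update_version", m.group(1), n))
    return findings


def timestomp_suspect(mtime: datetime, ctime: datetime,
                      slack: timedelta = timedelta(minutes=5)) -> bool:
    """Heuristic: utime()-style time-stomping rewrites mtime/atime but cannot
    set ctime, so a ctime well after mtime on a file that should only change
    during an upgrade deserves a look. The threshold is an assumption."""
    return ctime - mtime > slack


def hunt(rc_text: str, perl_text: str,
         rc_mtime: datetime, rc_ctime: datetime) -> List[Finding]:
    """Run all three checks and return the combined findings."""
    findings = find_rc_persistence(rc_text) + find_perl_hook(perl_text)
    if timestomp_suspect(rc_mtime, rc_ctime):
        findings.append(Finding(
            "/etc/init.d/rc",
            f"ctime {rc_ctime.isoformat()} is later than mtime {rc_mtime.isoformat()}"))
    return findings


# Constructed sample inputs (not from a real appliance).
SAMPLE_RC = """#!/bin/sh
# rc - run level init script (constructed sample)
. /etc/init.d/functions
# /sbin/BarracudaMailService eth0   <- commented out, must not fire
/sbin/BarracudaMailService eth0
exit 0
"""
SAMPLE_PERL = """#!/usr/bin/perl
# update_version (constructed sample)
use strict;
system('/sbin/BarracudaMailService eth0');
print "done";
"""
SAMPLE_MTIME = datetime(2021, 1, 1, tzinfo=timezone.utc)           # stomped back
SAMPLE_CTIME = datetime(2023, 5, 23, 12, 0, tzinfo=timezone.utc)   # actual change

if __name__ == "__main__":
    for f in hunt(SAMPLE_RC, SAMPLE_PERL, SAMPLE_MTIME, SAMPLE_CTIME):
        print(f"[{f.source}] line {f.line_no}: {f.detail}")
```

To run this against a live appliance, read the two scripts from disk and take the timestamps from `os.stat(path)` (`datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)` and the same for `st_ctime`). The ctime check is only a heuristic: package upgrades and permission changes also move ctime, so treat a hit as a prompt to examine the file, not as proof of compromise.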

The malware was associated with broad espionage activity against Barracuda ESG customers worldwide, including government and private-sector organizations across at least 16 countries. The content links the campaign to exfiltration of email-related data from compromised appliances, with staged archives created under /mail/tmp/ and exfiltrated over TLS using openssl s_client, although those exfiltration mechanics are described at the campaign level rather than attributed exclusively to SEASPY. High-confidence identifiers directly mentioned in the content include the masquerade name "BarracudaMailService," execution path "/sbin/BarracudaMailService eth0," and its use on Barracuda ESG appliances compromised by UNC4841.


Exploited CVEs

2 CVEs Mallory has correlated with this family across public research and vendor advisories.
CVE-2023-2868: Remote Command Injection in Barracuda Email Security Gateway Appliance (exploited in the wild)

...UNC4841 exploited Barracuda ESG zero-day vulnerabilities... malicious email attachments to trigger remote command injection in the ESG attachment-scanning component (CVE-2023-2868)... Crafted .tar archives abused Perl’s qx operator to execute arbitrary system commands...

via Recorded Future blog (recordedfuture.com)
CVE-2023-7102: Parameter Injection in Barracuda ESG via Spreadsheet::ParseExcel (exploited in the wild)

Barracuda later disclosed follow-on exploitation of CVE-2023-7102 in the Spreadsheet::ParseExcel library, again via malicious Excel attachments, to reinstall updated SEASPY and SALTWATER variants after initial remediation.

via Recorded Future blog (recordedfuture.com)
Threat actors

1 distinct threat actor attributed by public researchers.
UNC4841

"...SEASPY (a backdoor masquerading as BarracudaMailService triggered by “magic packets”)..."

via Recorded Future blog (recordedfuture.com)
MITRE ATT&CK techniques and procedures

11 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1190 Exploit Public-Facing Application (evidence: 1)

“follow-on exploitation of CVE-2023-7102 in the Spreadsheet::ParseExcel library, again via malicious Excel attachments, to reinstall updated SEASPY and SALTWATER variants”

T1566.001 Spearphishing Attachment (evidence: 1)

“used malicious email attachments to trigger remote command injection… Crafted .tar archives… execute arbitrary system commands… follow-on… malicious Excel attachments”

Execution

2 techniques
T1053.003 Cron (evidence: 1)

“execution of their initial reverse shell via hourly and daily cron jobs… /etc/cron.hourly/… /etc/cron.daily/…”

T1059 Command and Scripting Interpreter (evidence: 1)

“remote command injection… Crafted .tar archives abused Perl’s qx operator to execute arbitrary system commands on the gateway”

Persistence

3 techniques
T1037.004 RC Scripts (evidence: 1)

“persistently executed SEASPY on appliance reboot through…addition to /etc/init.d/rc…”

T1053.003 Cron (evidence: 1)

“execution of their initial reverse shell via hourly and daily cron jobs… /etc/cron.hourly/… /etc/cron.daily/…”

T1543.003 Windows Service (evidence: 1)

“maintained persistent execution…by inserting…into the update_version Perl script… system('<PATH_TO_SEASPY> eth0')”

Privilege Escalation

3 techniques
T1037.004 RC Scripts (evidence: 1)

“persistently executed SEASPY on appliance reboot through…addition to /etc/init.d/rc…”

T1053.003 Cron (evidence: 1)

“execution of their initial reverse shell via hourly and daily cron jobs… /etc/cron.hourly/… /etc/cron.daily/…”

T1543.003 Windows Service (evidence: 1)

“maintained persistent execution…by inserting…into the update_version Perl script… system('<PATH_TO_SEASPY> eth0')”

Stealth

2 techniques
T1070.006 Timestomp (evidence: 1)

“UNC4841 has repeatedly utilized time-stomping to further hide their malicious activity.”

T1564.001 Hidden Files and Directories (evidence: 1)

“SANDBAR…contains hooks to hide processes…hides the process ID from being displayed when the /proc filesystem is queried.”

Command and Control

2 techniques
T1071.003 Mail Protocols (evidence: 1)

“SALTWATER (a trojanized SMTP module enabling command execution and tunneling)… SEASIDE… turns SMTP HELO/EHLO data into reverse shells”

T1090 Proxy (evidence: 1)

“SALTWATER… enabling command execution and tunneling)… SEASPY… backdoor… SEASIDE… turns SMTP HELO/EHLO data into reverse shells…”

Other

1 technique
T1562.001 Disable or Modify Tools (evidence: 1)

“UNC4841 quickly made modifications to both SEASPY and SALTWATER related components in order to prevent effective patching.”
