AquaPurge
AquaPurge is a log-clearing and log-manipulation utility used post-compromise to remove evidence of attacker activity from system logs. Cisco Talos reporting ties it to exploitation of Cisco AsyncOS appliances, including Cisco Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM), in campaigns attributed with moderate confidence to the China-nexus threat actor UAT-9686. In the observed intrusions, attackers exploited CVE-2025-20393 in internet-exposed Spam Quarantine interfaces on affected appliances, then deployed AquaPurge alongside other tooling including the AquaShell Python backdoor, AquaTunnel/ReverseSSH, and Chisel. AquaPurge is described as selectively removing entries related to the attacker’s activity while leaving legitimate traffic intact, complicating incident response and forensic investigation. Reported behavior includes removing specific keywords from log files and scrubbing keyword-laden lines via egrep. The tool is associated with anti-forensics and indicator removal on compromised Cisco email security infrastructure, including organizations in sectors such as telecommunications and critical infrastructure. Reported indicators associated with the broader campaign include strings such as "AquaPurge," "AquaShell," "AquaTunnel," and "Chisel," and one reported SHA-256 for AquaPurge is 145424de9f7d5dd73b599328ada03aa6d6cdcee8d5fe0f7cb832297183dbe4ca.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Cisco revealed that a newly identified China-linked advanced persistent threat (APT), "UAT-9686," had been exploiting a zero-day vulnerability in Cisco email security appliances that run on its AsyncOS software. The vulnerability, tracked as CVE-2025-20393, has since been assigned a "critical" 10 out of 10 severity rating in the Common Vulnerability Scoring System (CVSS), and it has not yet been patched.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Recent activity
24 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Log manipulation/cleaning utility used to erase or tamper with logs to hinder detection and forensics.
Log-purging tool used to delete/clear logs on compromised appliances to hinder detection and incident response.
A log-clearing tool used to delete or tamper with logs to reduce forensic visibility and hinder incident response.
A utility used to delete/clean logs on compromised appliances to reduce forensic visibility and hinder incident response.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.