AquaTunnel
AquaTunnel is a reverse SSH backdoor/tunneling implant observed by Cisco Talos in exploitation of Cisco AsyncOS appliances, including Cisco Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM), during campaigns attributed with moderate confidence to the China-nexus threat actor UAT-9686. It is described as a compiled Go/Golang ELF binary and a Go-based variant or fork of the open-source ReverseSSH backdoor. AquaTunnel creates a reverse SSH connection from a compromised system to an attacker-controlled server, enabling persistent unauthorized remote access even when the device is behind firewalls or NAT, and supporting tunneling/internal pivoting. It was deployed post-compromise alongside AquaShell, Chisel, and AquaPurge in attacks exploiting CVE-2025-20393 against internet-exposed appliances with Spam Quarantine enabled and non-standard configurations. The content also notes that AquaTunnel and related tooling have previously been linked to Chinese state-backed groups including APT41 and UNC5174. High-confidence indicators directly mentioned in the content include the SHA-256 hash 2db8ad6e0f43e93cc557fbda0271a436f9f2a478b1607073d4ee3d20a87ae7ef and attacker command-and-control IPs 172.233.67.176, 172.237.29.147, and 38.54.56.95.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Cisco revealed that a newly identified China-linked advanced persistent threat (APT), "UAT-9686," had been exploiting a zero-day vulnerability in Cisco email security appliances that run on its AsyncOS software. The vulnerability, tracked as CVE-2025-20393, has since been assigned a "critical" 10 out of 10 severity rating in the Common Vulnerability Scoring System (CVSS), and it has not yet been patched.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
"...and AquaTunnel, a Go-based variant of the OSS 'ReverseSSH' backdoor."
Recent activity
18 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Reverse-SSH backdoor used to establish remote access/tunneling from the compromised appliance back to attacker-controlled infrastructure.
A reverse-SSH tunneling implant used to establish covert remote access channels from compromised appliances back to attacker-controlled infrastructure.
A Go-based ReverseSSH variant used to establish persistent reverse SSH access from compromised Cisco AsyncOS appliances back to attacker-controlled servers, supporting stealthy remote access and pivoting.
Custom tool used to establish reverse SSH tunnels for persistent remote access, even when appliances are behind firewalls.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.