UAT-9686 Actively Targets Cisco Secure Email Gateway and Secure Email and Web Manager

    Date: 12/18/2025

    Severity: High

    Summary

    UAT-9686, a suspected Chinese-nexus APT actor, is actively targeting Cisco Secure Email Gateway (AsyncOS/ESA) and Cisco Secure Email and Web Manager (SMA). The group exploits non-standard appliance configurations to deploy a custom persistence tool called AquaShell, along with reverse tunneling and log-cleaning utilities to maintain stealthy, long-term access.

    Indicators of Compromise (IOC) List

    IP Addresses

    172.233.67.176

    172.237.29.147

    38.54.56.95

    SHA-256 Hashes

    2db8ad6e0f43e93cc557fbda0271a436f9f2a478b1607073d4ee3d20a87ae7ef

    145424de9f7d5dd73b599328ada03aa6d6cdcee8d5fe0f7cb832297183dbe4ca

    85a0b22bd17f7f87566bd335349ef89e24a5a19f899825b4d178ce6240f58bfc

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    dstipaddress IN ("172.233.67.176","172.237.29.147","38.54.56.95") or srcipaddress IN ("172.233.67.176","172.237.29.147","38.54.56.95")

    Detection Query 2:

    sha256hash IN ("2db8ad6e0f43e93cc557fbda0271a436f9f2a478b1607073d4ee3d20a87ae7ef","145424de9f7d5dd73b599328ada03aa6d6cdcee8d5fe0f7cb832297183dbe4ca","85a0b22bd17f7f87566bd335349ef89e24a5a19f899825b4d178ce6240f58bfc")
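
    The two queries above match the advisory's IP and SHA-256 indicators against source/destination address and file-hash fields. The following is an added example (not Gurucul's or Talos's code) of the same two checks as a portable Python IOC matcher for teams without TDIR: it assumes a key=value log format with the field names srcipaddress, dstipaddress and sha256hash, compares hashes case-insensitively, unwraps IPv4-mapped IPv6 addresses before matching, and runs over constructed sample records.

```python
import ipaddress
import re
# Indicators taken from the advisory above.
UAT_9686_IPS = {"172.233.67.176", "172.237.29.147", "38.54.56.95"}
UAT_9686_SHA256 = {
    "2db8ad6e0f43e93cc557fbda0271a436f9f2a478b1607073d4ee3d20a87ae7ef",
    "145424de9f7d5dd73b599328ada03aa6d6cdcee8d5fe0f7cb832297183dbe4ca",
    "85a0b22bd17f7f87566bd335349ef89e24a5a19f899825b4d178ce6240f58bfc",
}
# Assumed key=value record format; map the field names onto your own log schema.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_kv(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def normalise_ip(value):
    """Canonical IP string (IPv4-mapped IPv6 unwrapped to IPv4), or None if unparseable."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return None
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return str(ip)

def match_line(line):
    """(query, field, value) hits for one record: 'ip' mirrors Query 1, 'hash' mirrors Query 2."""
    rec = parse_kv(line)
    hits = []
    for field in ("srcipaddress", "dstipaddress"):
        ip = normalise_ip(rec.get(field, ""))
        if ip in UAT_9686_IPS:
            hits.append(("ip", field, ip))
    digest = rec.get("sha256hash", "").lower()  # compare hashes case-insensitively
    if digest in UAT_9686_SHA256:
        hits.append(("hash", "sha256hash", digest))
    return hits

def scan(lines):
    """Return [(line_number, hits)] for every log line with at least one hit."""
    return [(n, h) for n, line in enumerate(lines, 1) if (h := match_line(line))]

SAMPLE_LOGS = [  # constructed sample records, not real telemetry
    "ts=2025-12-18T10:00:01Z srcipaddress=10.0.0.5 dstipaddress=172.233.67.176 action=connect",
    "ts=2025-12-18T10:00:02Z srcipaddress=10.0.0.5 dstipaddress=203.0.113.9 action=connect",
    "ts=2025-12-18T10:01:00Z host=esa01 sha256hash=2DB8AD6E0F43E93CC557FBDA0271A436F9F2A478B1607073D4EE3D20A87AE7EF",
    "ts=2025-12-18T10:02:00Z srcipaddress=::ffff:38.54.56.95 dstipaddress=10.0.0.5 action=accept",
]
```

    Calling scan(SAMPLE_LOGS) flags records 1, 3 and 4; record 2 produces no hit.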

    Reference:

    https://blog.talosintelligence.com/uat-9686/

    Tags

    Threat Actor, UAT-9686, APT, China-Nexus, Cisco Secure Email Gateway, Exploit
