TLP:CLEAR — This version of the report is approved for public sharing and may be redistributed with attribution.
Cisco Warns of Active Attacks Exploiting Unpatched 0-Day in AsyncOS Email Security Appliances
Summary:
A China-nexus Advanced Persistent Threat (APT) actor, UAT-9686, is actively exploiting an unpatched, maximum-severity zero-day vulnerability (CVE-2025-20393) in Cisco AsyncOS software that impacts Secure Email Gateway (SEG) and Secure Email and Web Manager appliances. The zero-day, rated CVSS 10.0, is an improper input validation flaw that allows the threat actor to execute arbitrary commands with root privileges on the underlying operating system. The attack specifically targets appliances where the Spam Quarantine feature is configured and exposed to the internet. Once an appliance is compromised, the actors deploy a custom persistence mechanism called AquaShell (a lightweight Python backdoor), a log-cleaning tool called AquaPurge, and tunneling utilities such as AquaTunnel (ReverseSSH) and Chisel to maintain control and facilitate remote access.
🔗 Link to article: Cisco Warns of Active Attacks Exploiting Unpatched 0-Day in AsyncOS Email Security Appliances
Why We Picked This:
This is critical, real-time intelligence concerning an active zero-day exploitation against a key enterprise security appliance for which no official patch currently exists. The technical overlaps of the tools used (AquaTunnel, Chisel) with known Chinese state-affiliated groups like APT41 and UNC5174 suggest either shared tooling or direct affiliation, elevating this activity from opportunistic scanning to targeted nation-state cyber espionage. Organizations must apply the recommended mitigations immediately, particularly restricting internet exposure of the Spam Quarantine feature, as this is currently the only defense.
Classification:
Category: Nation-State / Infrastructure Abuse
Verticals Impacted: Government, Enterprise, all sectors using Cisco SEG/Web Manager
Type of Intel: ⚡ Operational / 🎯 Strategic
Noted TTPs:
Unpatched zero-day exploitation (CVE-2025-20393, CVSS 10.0)
Deployment of custom Python backdoor (AquaShell) for persistence
Use of tunneling tools (AquaTunnel/ReverseSSH, Chisel) for remote access
Use of log-cleaning utility (AquaPurge)
Targeting appliances with the Spam Quarantine feature exposed to the internet
SMA1000 Vulnerability Actively Exploited
Summary:
Hackers are actively exploiting a new local privilege escalation (LPE) vulnerability (CVE-2025-40602, CVSS 6.6) in SonicWall Secure Mobile Access (SMA) 1000 series appliances. Although this LPE flaw typically requires existing management access, threat actors are chaining it with a previously disclosed critical pre-authentication vulnerability (CVE-2025-23006, CVSS 9.8) to achieve unauthenticated remote code execution (RCE) with root privileges. This chaining technique transforms a moderate-severity, authenticated flaw into a critical threat, granting attackers complete administrative control over unpatched devices.
🔗 Link to article: CVE-2025-40602: SonicWall SMA1000 Vulnerability Actively Exploited
Why We Picked This:
This incident demonstrates sophisticated vulnerability chaining, a critical lesson in patch management: even systems previously patched for a critical RCE (CVE-2025-23006) may still be vulnerable if subsequent, less severe flaws (CVE-2025-40602) are left unaddressed. CISA has added the latest flaw to its Known Exploited Vulnerabilities (KEV) catalog, underscoring the urgency for organizations to apply the newly released platform hotfixes and implement mitigations like restricting management console access.
Classification:
Category: Infrastructure Abuse / Breach
Verticals Impacted: Enterprise, Organizations using SMA1000 for remote access
Type of Intel: 🛡 Tactical / ⚡ Operational
Noted TTPs:
Vulnerability chaining (CVE-2025-23006 RCE + CVE-2025-40602 LPE)
Targeting SMA1000 Appliance Management Console (AMC)
Execution of malicious code with root privileges
Exploitation requires an unpatched release: 12.4.3-03093 or earlier, or 12.5.0-02002 or earlier
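As an added example (not from the article or from SonicWall), a small inventory check that flags SMA1000 versions inside the two affected ranges quoted above, so teams that patched CVE-2025-23006 earlier can see whether they still need the CVE-2025-40602 hotfix. The hostnames and the "later" build numbers in the sample are constructed; any branch other than 12.4 or 12.5 is deliberately left for manual review because the digest lists only those two.

```python
import re
from typing import Optional

# Last affected build per branch for CVE-2025-40602, as stated in the digest:
# 12.4.3-03093 or earlier, and 12.5.0-02002 or earlier. Branches are
# compared independently; anything else is reported as needing review.
LAST_VULNERABLE = {
    (12, 4): (12, 4, 3, 3093),
    (12, 5): (12, 5, 0, 2002),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_sma_version(text: str) -> tuple[int, ...]:
    """Parse an SMA1000 version string such as '12.4.3-03093' into a
    comparable (major, minor, patch, build) tuple. The build number carries
    leading zeros in the string, so it is compared numerically, not as text."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SMA version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_vulnerable_to_cve_2025_40602(text: str) -> Optional[bool]:
    """True if inside a listed affected range, False if above the last affected
    build of a listed branch, None if the branch is not covered by the digest."""
    v = parse_sma_version(text)
    last = LAST_VULNERABLE.get(v[:2])
    if last is None:
        return None
    return v <= last


def triage_inventory(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Bucket appliances (hostname -> version) for a patch-priority review."""
    buckets: dict[str, list[str]] = {"vulnerable": [], "patched": [], "review": []}
    for host, ver in inventory.items():
        state = is_vulnerable_to_cve_2025_40602(ver)
        key = "review" if state is None else ("vulnerable" if state else "patched")
        buckets[key].append(host)
    return buckets


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and the later builds are made up.
    sample = {
        "sma-hq-01": "12.4.3-03093",   # last affected 12.4 build from the digest
        "sma-hq-02": "12.4.3-03100",   # hypothetical later build
        "sma-dr-01": "12.5.0-02002",   # last affected 12.5 build from the digest
        "sma-dr-02": "12.5.0-02010",   # hypothetical later build
        "sma-lab-01": "12.3.9-00100",  # branch not covered by the digest
    }
    print(triage_inventory(sample))
```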
China-Aligned Threat Group Uses Windows Group Policy to Deploy Espionage Malware
Summary:
A previously undocumented China-aligned threat cluster named LongNosedGoblin has been linked to a cyber espionage campaign targeting governmental entities in Southeast Asia and Japan. The group employs novel tradecraft, primarily leveraging Windows Group Policy to deploy malware across compromised internal networks. For command and control (C2), LongNosedGoblin uses legitimate, trusted cloud services such as Microsoft OneDrive, Google Drive, and Yandex Disk, making network traffic difficult to detect. The campaign has been active since at least September 2023 and involves malware variants like NosyDoor and LuckyStrike Agent.
🔗 Link to article: China-Aligned Threat Group Uses Windows Group Policy to Deploy Espionage Malware
Why We Picked This:
This report provides vital intelligence on a new threat actor and their distinct evasion techniques. The use of cloud services for C2 is increasingly common but challenging to defend against without robust logging and behavioral analysis, as it blends in with normal business traffic. Furthermore, the abuse of Windows Group Policy for malware deployment offers an excellent point of reference for threat-hunting teams focused on identifying internal configuration manipulation in Microsoft Windows environments.
Classification:
Category: Nation-State / Cyber Espionage
Verticals Impacted: Government, Foreign Policy, Defense, Technology (in Southeast Asia and Japan)
Type of Intel: ⚡ Operational / 🎯 Strategic
Noted TTPs:
Malware distribution via Windows Group Policy
C2 infrastructure hosted on legitimate cloud services (OneDrive, Google Drive, Yandex Disk)
Use of NosyDoor and LuckyStrike Agent malware variants
Cyber espionage as the end goal
🛠 Final Notes
We write these for the analyst trying to triage 20 open tabs, the blue-teamer who needs to pivot fast, and the CISO who wants to understand why this matters without reading 3 emails or articles. If you’re one of them, you’re why we’re here.
We’ll be publishing deep-dive reports, enriched IOCs and more for paid members. Need a complete system to track threats and streamline your intelligence workflow?
👉 https://indigoINT.io
👉 Check out the IndigoINT Threat Intelligence Marketplace
❤️🔥 Remember, in the dark we are all the same. ❤️🔥
— Yasmine | IndigoINT
📝 Disclaimer
IndigoINT may use AI tools to assist with formatting, grammar, and low-level analysis support. All content is reviewed by a human analyst and undergoes internal peer review to ensure accuracy and integrity.