| SYMBOL | COMMON_NAME | aka. SYNONYMS |
UAT-9686 is a Chinese state-sponsored APT known for targeting networking infrastructure and edge appliances through a sophisticated espionage campaign. They exploit a critical flaw in the Cisco AsyncOS Spam Quarantine interface to gain root access and deploy custom malware, including AquaShell, along with Python scripts that execute natively. Their operations involve reverse tunneling and log purging, demonstrating a methodical approach to compromising communication infrastructure. Talos has observed overlaps in TTPs and tooling with other Chinese-nexus threat actors, indicating a consistent operational pattern.
There are currently no families associated with this actor.
| 2025-12-23
⋅
secpod
⋅
Zero-Day Crisis: CVE-2025-20393 Unpatched on Cisco Email Gateways, Exploited by China-Linked Hackers UAT-9686 |
| 2025-12-17
⋅
Cisco Talos
⋅
UAT-9686 actively targets Cisco Secure Email Gateway and Secure Email and Web Manager UAT-9686 |