SYMBOLCOMMON_NAMEaka. SYNONYMS
elf.seaspy (Back to overview)

SEASPY

According to CISA, this malware is a persistent backdoor that masquerades as a legitimate Barracuda Networks service. The malware is designed to listen to commands received from the Threat Actor’s Command-and-Control through TCP packets. When executed, the malware uses libpcap sniffer to monitor traffic for a magic packet on TCP port 25 (SMTP) and TCP port 587. It checks the network packet captured for a hard-coded string. When the right sequence of packet is captured, it establishes a TCP reverse shell to the C2 server for further exploitation. This allows the TA to execute arbitrary commands on the compromised system.
The malware is based on an open-source backdoor program named "cd00r".

References
2025-01-23LumenBlack Lotus Labs
The J-Magic Show: Magic Packets and Where to find them
J-Magic SEASPY
2024-08-24YouTube (Black Hat)Charles Li, Che Chang, Greg Chen
Chinese APT: A Master of Exploiting Edge Devices (Video)
SEASPY UNC4841
2024-04-19TEAMT5Charles Li, Che Chang, Greg Chen
Chinese APT: A Master of Exploiting Edge Devices
SEASPY UNC4841
2023-09-23MandiantFernando Tomlinson, Nader Zaveri
Special Delivery: Defending and Investigating Advanced Intrusions on Secure Email Gateways
SALTWATER SEASPY WHIRLPOOL UNC4841
2023-08-23MandiantFernando Tomlinson, Nader Zaveri
Special Delivery! Defending and Investigating Advanced Intrusions on Secure Email Gateways
SALTWATER SEASPY WHIRLPOOL UNC4841
2023-08-08CISACISA
MAR-10454006.r4.v2 SEASPY and WHIRLPOOL Backdoors
SEASPY WHIRLPOOL UNC4841
2023-07-28CISACISA
CISA Releases Malware Analysis Reports on Barracuda Backdoors
SEASPY
2023-07-28CISACISA
MAR-10454006-r2.v1 SEASPY Backdoor
SEASPY
2023-07-27CISACISA
MAR-10454006-r2.v1 SEASPY Backdoor
SEASPY UNC4841
2023-07-18MandiantMandiant Intelligence
Stealth Mode: Chinese Cyber Espionage Actors Continue to Evolve Tactics to Avoid Detection
BPFDoor SALTWATER SEASPY SideWalk ZuoRAT Daxin HyperBro HyperSSL Waterbear
2023-06-15MandiantAustin Larsen, John Palmisano, John Wolfram, Mathew Potaczek, Matthew McWhirt
Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China
SALTWATER SEASPY UNC4841
2023-06-15GoogleAlyssa Glickman, Austin Larsen, Fernando Tomlinson, Jakub Jozwiak, John Palmisano, John Wolfram, Josh Villanueva, Mathew Potaczek, Matthew McWhirt
Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China
SALTWATER SEASPY WHIRLPOOL UNC4841

There is no Yara-Signature yet.