SEASIDE
SEASIDE is a Lua-based malicious module targeting Barracuda Networks Email Security Gateway (ESG) appliances. It integrates with the Barracuda SMTP daemon (bsmtpd) and monitors incoming SMTP HELO/EHLO commands for an encoded command-and-control (C2) IP address and port. Once it decodes these C2 parameters, it passes them as arguments to an external binary, WHIRLPOOL, which establishes a reverse shell (WHIRLPOOL is also described as capable of a TLS reverse shell). SEASIDE was deployed by the China-nexus espionage actor UNC4841 following exploitation of Barracuda ESG zero-day vulnerabilities, notably CVE-2023-2868, a remote command injection in the attachment-scanning component triggered via crafted .tar archives and Perl's qx operator. Reporting indicates UNC4841 used SEASIDE alongside other custom payloads (SALTWATER and SEASPY) to establish and maintain long-term access on Barracuda ESG appliances, with observed dwell time of up to approximately eight months. UNC4841 has also been observed time-stomping the files it deploys with SEASIDE to hinder detection and timeline analysis. No specific host or network indicators (hashes, domains, IPs) for SEASIDE are provided in the source content.
Vulnerabilities exploited
2 CVEs correlated with this family across public research and vendor advisories.
...UNC4841 exploited Barracuda ESG zero-day vulnerabilities... malicious email attachments to trigger remote command injection in the ESG attachment-scanning component (CVE-2023-2868)... Crafted .tar archives abused Perl’s qx operator to execute arbitrary system commands...
"...and SEASIDE (a Lua module that turns SMTP HELO/EHLO data into reverse shells)..."
Groups observed using it
1 distinct threat actor attributed by public researchers.
Techniques & procedures
7 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 2 techniques
Execution: 2 techniques
Stealth: 1 technique
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Lua-based implant/module on Barracuda ESG that converts SMTP protocol fields (HELO/EHLO) into a command channel enabling reverse shells.
Lua-based implant/module on Barracuda ESG that abuses SMTP protocol fields (HELO/EHLO) to trigger reverse shells, enabling remote access and command execution.
Lua-based implant/module on Barracuda ESG that abuses SMTP protocol fields (HELO/EHLO) to trigger reverse shells, enabling remote command execution and persistence.
SEASIDE is a backdoor malware deployed by Chinese APT UNC4841 on Barracuda ESG appliances, enabling persistent access and data exfiltration after exploitation of a zero-day vulnerability.