Mallory
Malware. Used by 1 actor. Exploits 2 CVEs.

SALTWATER

SALTWATER is a backdoor used by UNC4841 in the exploitation of Barracuda Email Security Gateway (ESG) appliances, both in the attacks that leveraged CVE-2023-2868 and in the later follow-on exploitation associated with CVE-2023-7102. It is implemented as a trojanized module of the Barracuda SMTP daemon (bsmtpd) and was deployed alongside other UNC4841 malware, such as SEASPY and SEASIDE, to establish persistence and keep access to compromised appliances for extended periods.

Its core capabilities are arbitrary command execution, file upload and download, proxying, and tunneling. Published technical analysis states that SALTWATER hooks the libc send, recv, and close functions using the open-source kubo/funchook library, resolving the original function addresses with dlsym and installing the hooks during initialization. Through those hooks it intercepts the daemon's socket activity, captures connection data, and spawns worker threads that connect to attacker-controlled VPS infrastructure over SSL/TLS. The malware exchanges structured 21-byte command messages with its C2 server and supports several functional channels, identified as ShellChannel, DownloadChannel, UploadChannel, ProxyChannel, and TunnelArgs: ShellChannel executes attacker-supplied commands; DownloadChannel writes C2-supplied content to files on the device; UploadChannel exfiltrates files; ProxyChannel relays traffic through attacker-specified proxy endpoints; and TunnelArgs stores or clears the remote IP and port used for tunneling.
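Because the hooks are installed by patching the entry points of recv, send and close inside the running daemon, the check a responder wants is whether those entry points still match the library on disk, and whether they begin with a trampoline. The script below is an added example written for this page; it is not SALTWATER code and not Barracuda's tooling. The trampoline encodings, the 16-byte prologue window and the watched function list are assumptions. It inspects the process it runs in (start it with the suspect module loaded, or port the same logic to /proc/<pid>/maps and /proc/<pid>/mem to inspect another process).

```python
"""Check a process's libc recv/send/close entry points for inline-hook trampolines.

Added example for this page: not SALTWATER code and not Barracuda's. The trampoline
encodings, the 16-byte prologue window and the function list are assumptions. It
checks the process it runs in; for another process read /proc/<pid>/maps and
/proc/<pid>/mem instead of using ctypes.
"""
import ctypes
import os
import platform
from typing import Dict, Optional

PROLOGUE_LEN = 16
WATCHED = ("recv", "send", "close")


def looks_hooked(code: bytes) -> Optional[str]:
    """Return the trampoline pattern found at a function entry, or None.

    Inline hookers (funchook among them) overwrite the first bytes of the target
    with a transfer to their own code. Assumed x86-64 encodings:
      E9 rel32              jmp rel32
      FF 25 rel32           jmp [rip+rel32]
      48 B8 imm64 FF E0     mov rax, imm64 ; jmp rax
      68 imm32 C3           push imm32 ; ret
    """
    if len(code) >= 5 and code[0] == 0xE9:
        return "jmp rel32"
    if len(code) >= 6 and code[:2] == b"\xff\x25":
        return "jmp [rip+rel32]"
    if len(code) >= 12 and code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        return "mov rax, imm64; jmp rax"
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return "push imm32; ret"
    return None


def _bytes_on_disk(addr: int, length: int) -> Optional[bytes]:
    """Read the file bytes backing `addr`, located through /proc/self/maps.

    Returns None when the address is not in a file-backed mapping or the file
    cannot be read (for example a deleted or replaced library).
    """
    with open("/proc/self/maps") as maps:
        for line in maps:
            fields = line.split(maxsplit=5)
            if len(fields) < 6:
                continue
            lo, hi = (int(x, 16) for x in fields[0].split("-"))
            if not lo <= addr < hi:
                continue
            path = fields[5].strip()
            if not path.startswith("/"):
                return None
            # file offset of the mapping start, plus the distance into the mapping
            file_offset = int(fields[2], 16) + (addr - lo)
            try:
                with open(path, "rb") as fh:
                    fh.seek(file_offset)
                    return fh.read(length)
            except OSError:
                return None
    return None


def live_prologue_check(names=WATCHED) -> Optional[Dict[str, dict]]:
    """Compare each function's in-memory prologue with its bytes on disk.

    Returns None where /proc is unavailable (non-Linux). Otherwise maps each
    name to {"addr", "pattern", "matches_disk"}; "matches_disk" is None when the
    on-disk bytes could not be read, and "pattern" is only evaluated on x86-64.
    A trampoline pattern, or a mismatch with the file, means the entry point was
    patched after loading.
    """
    if not os.path.exists("/proc/self/maps"):
        return None
    is_x86_64 = platform.machine() in ("x86_64", "AMD64")
    process = ctypes.CDLL(None)  # the running process's global symbol scope
    report: Dict[str, dict] = {}
    for name in names:
        addr = ctypes.cast(getattr(process, name), ctypes.c_void_p).value
        live = ctypes.string_at(addr, PROLOGUE_LEN)
        disk = _bytes_on_disk(addr, PROLOGUE_LEN)
        report[name] = {
            "addr": addr,
            "pattern": looks_hooked(live) if is_x86_64 else None,
            "matches_disk": None if disk is None else disk == live,
        }
    return report


if __name__ == "__main__":
    result = live_prologue_check()
    if result is None:
        print("no /proc/self/maps: run this on Linux")
    else:
        for fn, info in result.items():
            verdict = info["pattern"] or ("disk mismatch" if info["matches_disk"] is False else "clean")
            print(f"{fn:6s} @ {info['addr']:#x}: {verdict}")
```

The byte-pattern check alone is a heuristic, which is why the script also compares the live prologue with the mapped file: an inline hook has to change the bytes at the entry point, and the file on disk does not change with it. A mismatch with `pattern` still None usually means a hook written with a different encoding than the four assumed here.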

Public reporting attributes SALTWATER to UNC4841, which Mandiant assessed as likely China-nexus. UNC4841 was observed modifying SALTWATER-related components rapidly after Barracuda's remediation efforts and using time-stomping to conceal deployment activity. Reported victims include Barracuda ESG customers worldwide, with impacts across government and private-sector organizations, and specific reporting on the compromise of Belgium's VSSE via its Barracuda ESG. A cited analyzed SALTWATER sample has SHA256 1c6cad0ed66cf8fd438974e1eac0bc6dd9119f84892930cb71cb56a5e985f0a4.


EXPLOITED CVES

Vulnerabilities exploited

2 CVEs correlated with this family across public research and vendor advisories.

CVE-2023-2868: Remote Command Injection in Barracuda Email Security Gateway Appliance (exploited in the wild)

SALTWATER is a backdoor that has been used in the exploitation of the Barracuda 0-day vulnerability CVE-2023-2868.

Source: cybergeeks.tech

CVE-2023-7102: Parameter Injection in Barracuda ESG via Spreadsheet::ParseExcel (exploited in the wild)

Barracuda later disclosed follow-on exploitation of CVE-2023-7102 in the Spreadsheet::ParseExcel library, again via malicious Excel attachments, to reinstall updated SEASPY and SALTWATER variants...

Source: Recorded Future blog (recordedfuture.com)
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

UNC4841

"UNC4841 then deployed custom malware, including SALTWATER (a trojanized Simple Mail Transfer Protocol [SMTP] module enabling command execution and tunneling)..."

Source: Recorded Future blog (recordedfuture.com)
MITRE ATT&CK

Techniques & procedures

12 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques

T1190 Exploit Public-Facing Application (evidence: 2)

SALTWATER is a backdoor that has been used in the exploitation of the Barracuda 0-day vulnerability CVE-2023-2868

T1566.001 Spearphishing Attachment (evidence: 1)

“used malicious email attachments to trigger remote command injection… Crafted .tar archives… execute arbitrary system commands… follow-on… malicious Excel attachments”
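The initial-access vector above lends itself to a cheap mail-flow triage. CVE-2023-2868 was a command injection through the names of the files inside a .tar attachment (the names reached Perl's qx operator without sanitization), so an archive can be scored on its member names alone, without extracting anything. The script below is an added example written for this page, not Barracuda's or any vendor's code; the metacharacter set and the sample archive it builds are constructed for the example.

```python
"""Triage .tar attachments by member name for command-injection shapes.

Added example for this page, not Barracuda's or any vendor's code. CVE-2023-2868 was a
command injection through the names of files inside a .tar attachment (the names reached
Perl's qx operator unsanitized), so an archive can be triaged without extracting anything.
The metacharacter set and the sample archive below are constructed for the example.
"""
import io
import re
import tarfile
from typing import List, Tuple

# Characters that change meaning inside a shell-evaluated string. Assumption: tune
# this to the local false-positive rate; ordinary attachment names almost never
# carry backticks, $, ;, |, &, redirections or line breaks.
SHELL_META = re.compile(r"[`$;|&<>\n\r]")


def suspicious_members(archive: bytes) -> List[Tuple[str, str]]:
    """Return (member_name, reason) for each entry whose name looks like an injection.

    Only the headers are walked; no member content is extracted. An archive that
    does not parse is reported too, since a header crafted to break the gateway's
    parser is worth a look in its own right.
    """
    findings: List[Tuple[str, str]] = []
    try:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tf:
            for member in tf:
                hit = SHELL_META.search(member.name)
                if hit:
                    findings.append((member.name, f"shell metacharacter {hit.group(0)!r} in name"))
    except tarfile.TarError as exc:
        findings.append(("<archive>", f"unparseable tar: {exc}"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: one benign member and two injection-shaped names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tf:
        for name in ("invoice.pdf", "report`id`.pdf", "x'; sleep 5; echo '.txt"):
            info = tarfile.TarInfo(name)
            payload = b"placeholder"
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in suspicious_members(build_sample_archive()):
        print(f"{name!r}: {reason}")
```

Run against the attachment bytes pulled from the mail store or a capture; a hit is a reason to retrieve the message and look at the appliance, not proof of exploitation, since the same names would also be produced by a benign archiver given an odd file name.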

Execution

1 technique

T1059 Command and Scripting Interpreter (evidence: 2)

The server can specify a command that will be executed on the infected device... In any other case, the command is passed to the run_cmd function... The popen function is used to run the desired command on the device

Defense Evasion

3 techniques

T1070.006 Timestomp (evidence: 1)

“UNC4841 has repeatedly utilized time-stomping to further hide their malicious activity.”

T1574 Hijack Execution Flow (evidence: 1)

The malware hooked the recv, send, and close functions using an open-source hooking library called funchook... The malware implements hooks on the recv, send, and close functions

T1562.001 Disable or Modify Tools (evidence: 1)

“UNC4841 quickly made modifications to both SEASPY and SALTWATER related components in order to prevent effective patching.”

Command and Control

5 techniques

T1071.003 Mail Protocols (evidence: 1)

“SALTWATER (a trojanized SMTP module enabling command execution and tunneling)… SEASIDE… turns SMTP HELO/EHLO data into reverse shells”

T1090 Proxy (evidence: 2)

ProxyChannel... The first 4 bytes are used to construct the Proxy IP address... The binary creates a new SSL structure... initiates the TLS/SSL handshake with the Proxy server

T1105 Ingress Tool Transfer (evidence: 1)

DownloadChannel... The file name to be created is read using the MyReadAll function... The open64 routine is used to create the file on the device... The file is populated with content received from the C2 server

T1572 Protocol Tunneling (evidence: 1)

The following functionalities are implemented: execute arbitrary commands, download and upload files, proxy functionality, and tunneling functionality... TunnelArgs

T1573 Encrypted Channel (evidence: 1)

It creates a new SSL structure and sets the socket descriptor as the input/output for network connections... SSL_read is utilized to read data from the connections... The malware implements a function called MyWriteAll, which calls the SSL_write method

Exfiltration

1 technique

T1041 Exfiltration Over C2 Channel (evidence: 1)

UploadChannel... The file’s length is obtained... The malware opens the target file... Finally, the target file content is read using the lseek64 and read routines, and then sent to the C2 server

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups.

Hashes (1 tracked)

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type: hash.sha256
Value: withheld in the public view (the only SHA-256 cited on this page is that of the analyzed sample above)
Latest sighting: 3 years ago