ReverseSSH
ReverseSSH, also referred to as AquaTunnel, is a tunneling/backdoor utility used to establish encrypted reverse SSH tunnels from compromised systems to attacker-controlled infrastructure, enabling remote access, command-and-control, and data exfiltration while bypassing network security controls and firewalls. In the provided reporting, AquaTunnel is described as a Go-based variant of the open-source ReverseSSH backdoor. It was deployed post-exploitation on Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances running AsyncOS after compromise via the Spam Quarantine remote code execution vulnerabilities CVE-2025-20393 and, in related reporting, CVE-2024-20353, when the feature was enabled and internet-exposed. Cisco attributed this activity to the China-nexus threat actor UAT-9686, and the use of AquaTunnel/ReverseSSH was also noted as previously associated with Chinese threat groups including APT41 and UNC5174. In the observed campaigns, ReverseSSH was used alongside Chisel, AquaPurge, and the Python backdoor AquaShell to maintain persistent remote access and support follow-on intrusion activity. High-confidence indicators from the content are the malware names/aliases ReverseSSH and AquaTunnel and its role as an SSH tunneling utility used on compromised Cisco AsyncOS appliances in UAT-9686 operations.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Cisco revealed that a newly identified China-linked advanced persistent threat (APT), "UAT-9686," had been exploiting a zero-day vulnerability in Cisco email security appliances that run on its AsyncOS software. The vulnerability, tracked as CVE-2025-20393, has since been assigned a "critical" 10 out of 10 severity rating in the Common Vulnerability Scoring System (CVSS), and it has not yet been patched.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
"...AquaTunnel, a Go-based variant of the OSS 'ReverseSSH' backdoor."
Recent activity
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Utility used to establish encrypted reverse SSH tunnels from the compromised device to attacker infrastructure for remote access and potential data exfiltration.
A tunneling utility deployed post-exploitation to establish remote access/traffic tunneling from compromised Cisco appliances.
Backdoor malware used for remote access, delivered via exploitation of Cisco AsyncOS vulnerabilities.
Open-source reverse SSH backdoor/tooling used to create reverse SSH access from victim to attacker for remote control.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.