UNC4841, also tracked as the Barracuda ESG Exploiter, is a state-sponsored advanced persistent threat group attributed to China (PRC nexus) and active since 2022. The group primarily targets government and telecommunications organizations, gaining access through Barracuda ESG appliances.
Overview & Attribution
Chinese-nexus APT exploiting CVE-2023-2868 in Barracuda Email Security Gateway appliances to deploy custom backdoors across government and critical infrastructure globally.
UNC4841 has been active since 2022 and is attributed to China (PRC nexus). The group is known for targeting government and telecom organizations through Barracuda ESG appliances, using a combination of custom malware, living-off-the-land techniques, and sophisticated social engineering.
- Attribution: China (PRC nexus)
- Active since: 2022
- Primary targets: government and telecom organizations, reached via Barracuda ESG appliances
- Also known as: UNC4841
Arsenal & Tools
UNC4841 employs a diverse arsenal of custom and shared tooling:
- SALTWATER: Custom/shared tooling used in operations
- SEASPY: Custom/shared tooling used in operations
- SEASIDE: Custom/shared tooling used in operations
- SUBMARINE: Custom/shared tooling used in operations
- DEPTHCHARGE: Custom/shared tooling used in operations
Targeting & Operations
The group focuses on the government and telecom sectors, reached via Barracuda ESG appliances, with operations spanning multiple geographic regions. Their campaigns typically involve carefully crafted spearphishing, strategic watering holes, and exploitation of public-facing applications.
UNC4841 is characterized by persistent, long-term access operations. Once inside a target network, the group establishes multiple redundant persistence mechanisms and moves laterally to high-value systems before beginning data exfiltration.
MITRE ATT&CK Mapping
| Tactic | Technique | Usage |
|---|---|---|
| Initial Access | T1190 Exploit Public-Facing Application | CVE-2023-2868 zero-day |
| Execution | T1059.004 Unix Shell | Linux shell commands |
| Persistence | T1505.003 Web Shell | SALTWATER/SEASPY persistence |
| Defense Evasion | T1070.004 File Deletion | Anti-forensic cleanup |
| Collection | T1114 Email Collection | Email interception |
| C2 | T1071.001 Web Protocols | HTTPS C2 |
Notable Campaigns
UNC4841 has been linked to multiple significant campaigns against government and telecom organizations running Barracuda ESG appliances. The group continuously evolves its tooling and infrastructure to evade detection while maintaining persistent access to compromised networks.
- Long-term espionage: Multi-year intrusions into government and defense networks
- Supply chain targeting: Compromise of technology providers and managed service providers
- Zero-day exploitation: Use of previously unknown vulnerabilities for initial access
Detection & Defense
- Threat intelligence integration: Monitor for known UNC4841 IOCs and TTPs in SIEM/EDR platforms
- Network monitoring: Detect C2 patterns associated with SALTWATER and related tooling
- Email security: Implement advanced phishing detection for spearphishing campaigns
- Endpoint detection: Deploy behavioral detection rules for known UNC4841 TTPs
- Patch management: Prioritize patching of vulnerabilities known to be exploited by this group
- Lateral movement detection: Monitor for suspicious authentication patterns and admin tool usage
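The "Network monitoring" item above and the HTTPS C2 row of the ATT&CK table both come down to the same hunt: a gateway appliance that should rarely open outbound HTTPS on its own, suddenly calling one external host on a steady timer. The script below is an added example, not code from this page or from Mjolnir Security, showing a simple beacon check over constructed connection logs: it groups outbound TCP/443 flows by (source, destination), measures the jitter of the gaps between connections, and flags pairs whose coefficient of variation is low enough to look machine-driven. The log format, the addresses (documentation ranges only, not indicators), the appliance IP list and the 0.1 threshold are all assumptions for the example.

```python
"""Periodic-beacon detector over constructed outbound connection logs.

Assumption (not from the page): the mail gateway is a server that should
rarely initiate outbound HTTPS by itself, so a steady, low-jitter stream of
TCP/443 connections from it to a single external host deserves a look.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records: "<ISO timestamp> <src> <dst> <dport>".
# 10.10.5.20 plays the appliance, 10.10.7.9 an ordinary workstation.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real IoCs.
SAMPLE_FLOWS = """\
2023-06-01T10:00:00 10.10.5.20 203.0.113.45 443
2023-06-01T10:00:05 10.10.7.9 198.51.100.7 443
2023-06-01T10:05:01 10.10.5.20 203.0.113.45 443
2023-06-01T10:09:59 10.10.5.20 203.0.113.45 443
2023-06-01T10:12:30 10.10.7.9 198.51.100.7 443
2023-06-01T10:15:00 10.10.5.20 203.0.113.45 443
2023-06-01T10:20:02 10.10.5.20 203.0.113.45 443
2023-06-01T10:24:58 10.10.5.20 203.0.113.45 443
2023-06-01T10:30:00 10.10.5.20 203.0.113.45 443
2023-06-01T10:41:12 10.10.7.9 198.51.100.7 443
2023-06-01T10:43:00 10.10.7.9 198.51.100.7 443
2023-06-01T11:20:00 10.10.7.9 198.51.100.7 443
"""


def parse_flows(text, port="443"):
    """Group connection timestamps by (src, dst), keeping only the given port."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        if dport != port:
            continue
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(timestamps, min_connections=5):
    """Return gap statistics for one (src, dst) pair, or None if too few events.

    cv (coefficient of variation) is stdev / mean of the inter-connection gaps:
    near 0 means a fixed timer, near or above 1 means bursty, human-like traffic.
    """
    if len(timestamps) < min_connections:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return None
    cv = statistics.pstdev(gaps) / mean
    return {"connections": len(ts), "mean_gap_s": round(mean, 1), "cv": round(cv, 3)}


def find_beacons(text, max_cv=0.1, appliance_ips=frozenset()):
    """List (src, dst) pairs whose timing looks periodic, lowest jitter first.

    appliance_ips is a hypothetical inventory of hosts that should not beacon
    out at all; hits from those hosts are tagged so an analyst can triage first.
    """
    results = []
    for (src, dst), stamps in parse_flows(text).items():
        score = beacon_score(stamps)
        if score is None or score["cv"] > max_cv:
            continue
        score.update(src=src, dst=dst, from_appliance=src in appliance_ips)
        results.append(score)
    return sorted(results, key=lambda r: r["cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS, appliance_ips={"10.10.5.20"}):
        print(hit)
```

On the constructed data the appliance pair comes back with a mean gap of 300 seconds and a cv of about 0.007, while the workstation's irregular browsing is discarded. Real beacons add random sleep jitter, so in practice the threshold should be tuned per environment and combined with the other signals on this page (unexpected processes on the appliance, new web-shell files, deleted logs) rather than used alone.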
Defend Against UNC4841
Mjolnir Security provides specialized capabilities to detect and respond to UNC4841 operations.
- APT Threat Hunting: Proactive hunting for UNC4841 TTPs, tooling artifacts, and infrastructure indicators within your environment.
- Threat Intelligence: Continuous monitoring of UNC4841 campaigns and infrastructure changes with actionable intelligence for your defense team.
- 24/7 Incident Response: Rapid containment and forensic investigation. Call +1 833 403 5875.