Third Novel Backdoor Discovered in Barracuda ESG Attacks: ‘Whirlpool’ Malware Exposed

In recent months, a series of attacks targeting users of Barracuda Email Security Gateway (ESG) appliances has come to light. Security researchers have continually been uncovering new layers of sophistication in these attacks, and their latest discovery is a third novel backdoor, dubbed ‘Whirlpool’ malware. The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a detailed advisory regarding this malicious software, highlighting its capabilities and potential risks. This article provides an in-depth analysis of the Whirlpool malware and how it fits into the larger picture of the Barracuda ESG attacks.

Discovery of third novel backdoor

The cybersecurity community has been working diligently to unravel the inner workings of the attacks on Barracuda ESG users. During their investigation, security researchers stumbled upon a previously unknown backdoor, now known as the “Whirlpool” malware. This discovery adds another layer of complexity to the already sophisticated attack campaign.

CISA’s advisory on the malware

To aid organizations in their defense against such threats, the US Cybersecurity and Infrastructure Security Agency has released a comprehensive advisory on the Whirlpool malware. The advisory provides technical details on the functionality of the malware, shedding light on the methods employed by the attackers.

Using arguments to establish a TLS reverse shell

One of the key features of the Whirlpool malware is its utilization of arguments to establish a Transport Layer Security (TLS) reverse shell. By taking two arguments, namely a C2 (Command and Control) IP and a port number, the malware creates a secure channel for communication between the attacker and the compromised device. This approach allows the attackers to maintain remote access and control over the targeted systems.

Addition of ‘Submarine’ Backdoor

This latest discovery comes on the heels of another backdoor known as ‘Submarine,’ which was revealed in a previous CISA update. The existence of multiple backdoors highlights the complexity and sophistication of the attack campaign targeting Barracuda ESG users. It is believed that the Whirlpool and Submarine malware may have been developed by the same threat actor or used in coordination to exploit vulnerabilities.

Barracuda Networks’ response

Barracuda Networks, the provider of the ESG appliances, has responded proactively to the attack campaign. In June, the company made the unusual decision to offer all users of their Email Security Gateway appliance a replacement device. This approach was taken to ensure that customers could protect themselves against the ongoing attacks and potential future threats.

Exploitation of zero-day vulnerability

The Barracuda ESG attacks were made possible by the exploitation of a zero-day vulnerability, tracked as CVE-2023-2868. This vulnerability allowed the threat actor to gain unauthorized access to the appliances and execute malicious actions. The attacks, which had been ongoing since October 2022, were brought to the attention of Barracuda on May 19. The company promptly patched the zero-day vulnerability two days later.

Identification of threat actor

Following a thorough investigation, the cybersecurity firm Mandiant revealed that the likely perpetrator behind the Barracuda ESG attacks is a Chinese Advanced Persistent Threat (APT) group known as UNC4841. This attribution sheds light on the motives and potential political or economic objectives of the attackers.

Barracuda’s response and patching of zero-day vulnerabilities

Barracuda Networks took swift action upon discovering the attacks and promptly patched the zero-day vulnerability. The company’s response demonstrated its commitment to the security and protection of its customers. By addressing the vulnerability and urging customers to replace their appliances, Barracuda took proactive steps to mitigate the risks posed by the attack campaign.

Utilization of other malware variants

In addition to the Whirlpool and Submarine backdoors, the threat actor behind the Barracuda ESG attacks also deployed other malware variants. Among these were the Seaside malware, which had been previously identified, and two previously unknown variants named Saltwater and Seaspy. The utilization of multiple malware variants highlights the sophisticated nature of the attack campaign, aimed at exploiting as many vulnerabilities as possible.

Urging customers to replace their appliances

Recognizing the persistent and evolving nature of the attacks, Barracuda Networks has made the decision to urge all customers to replace their Email Security Gateway appliances. This measure is recommended to ensure that customers have the latest secure devices to protect against present and future threats.

The discovery of the Whirlpool malware as the third novel backdoor in the Barracuda ESG attacks showcases the complexity and sophistication of the threat actor behind the campaign. The involvement of multiple backdoors, the exploitation of a zero-day vulnerability, and the utilization of various malware variants highlight the group’s relentless pursuit of compromising Barracuda ESG appliances. Organizations must remain vigilant, update their security measures, and follow the recommendations provided by Barracuda Networks and security authorities to protect themselves against this and similar threats in the future.

Explore more

Can a Unified ERP System Future-Proof Levi Strauss?

Establishing a seamless digital environment for a brand that spans over a hundred nations is a monumental undertaking that requires more than just standard software updates. Currently, Levi Strauss & Co. is navigating a profound transformation of its digital infrastructure, aiming for a mid-2027 completion of a fully integrated global enterprise resource planning system. This strategic overhaul is not merely

Ethereum Faces $10 Billion Liquidation Risk Near $2,000

The current trajectory of Ethereum suggests a massive collision between aggressive retail speculation and sophisticated institutional sell-side pressure as the asset hovers near the $2,000 psychological threshold. This specific price point has historically served as a pivot for broader market sentiment, influencing the behavior of various decentralized finance protocols and secondary layer-two scaling solutions. Currently, the market exhibits a state

ClickLock Malware Coerces macOS Users to Surrender Passwords

Traditional macOS security architectures have long been celebrated for their robust sandboxing and gated execution, yet a new strain of malware is proving that the human element remains the most vulnerable entry point in any digital ecosystem. This threat, known as ClickLock, has emerged as a particularly aggressive evolution in the macOS threat landscape by prioritizing psychological pressure and social

Stalled Windows 11 Migration Poses Growing Security Risks

The global landscape of enterprise computing is currently grappling with a persistent digital divide as a significant segment of users continues to rely on Windows 10 despite the availability of more secure alternatives. The current ecosystem of digital infrastructure remains tethered to legacy architecture, with recent telemetry indicating that approximately one in six workstations worldwide continues to operate on Windows

How Is OpenAI Redefining AI With Precision Engineering?

The shift from experimental conversationalists to precise engineering tools has fundamentally altered the landscape of digital productivity and high-performance computing in 2026. This transition is marked by a move away from the early excitement surrounding generative models toward a rigorous framework centered on deep optimization and granular control. OpenAI has spearheaded this movement with the introduction of the GPT-5.6 Sol