Beginning in October 2022 (nearly eight months before disclosure), UNC4841 — a China-nexus espionage group assessed by Mandiant as acting in support of Chinese state interests — exploited CVE-2023-2868 in Barracuda’s Email Security Gateway hardware appliances. The vulnerability resided in the TAR file scanning module and was triggered by sending a specially crafted email to any recipient at an organisation using a Barracuda ESG — no authentication required. Barracuda discovered the zero-day on 19 May 2023 and released patches, but the attack had been ongoing for seven months. The attackers deployed multiple custom malware families — SALTWATER, SEASPY, SEASIDE — as persistent backdoors on ESG appliances. Even after Barracuda patched the vulnerability, UNC4841 deployed new malware variants (SUBMARINE, WHIRLPOOL) specifically to maintain persistence on patched devices. Barracuda took the unprecedented step in June 2023 of recommending all ESG appliance customers replace their physical hardware entirely — a highly unusual ‘replace, don’t patch’ recommendation indicating the depth of the firmware-level compromise. CISA and FBI issued a joint advisory (AA23-209A). Targeting was predominantly government-focused: approximately 55% of victims were government organisations including the US Department of Defense, EU member state foreign affairs ministries, and multiple Asian government entities. The attack affected organisations in approximately 16 countries. The operation demonstrated the strategic value of targeting internet-facing email security appliances — which process all inbound email with elevated privileges and are difficult to monitor — as persistent espionage footholds.