A federal civilian agency's Cisco Firepower device carried a hidden backdoor for roughly six months before anyone noticed. The malware, dubbed FIRESTARTER, was planted by the state-sponsored threat actor UAT-4356 (also tracked as Storm-1849) before September 25, 2025 (exact date unknown) [1]. The attackers returned as recently as March 2026 to deploy a secondary implant called LINE VIPER [2]. CISA and the UK's NCSC published a joint analysis report on April 23, 2026, and federal agencies now face a hard deadline: submit malware check confirmations by midnight tonight, April 25, and provide a full Cisco Firepower device inventory by May 1 [3].
The core problem is persistence. FIRESTARTER hooks into the LINA process, the heart of Cisco's ASA and FTD software, and survives firmware updates, security patches, and standard reboots [1]. Standard patching doesn't remove it. Cisco's own recommendation is to reimage and upgrade the device entirely [6]. CISA has indicated it may instruct agencies to physically unplug compromised devices [3].
UAT-4356 and the ArcaneDoor Lineage
UAT-4356 is not a new actor. Cisco Talos attributed this group to the ArcaneDoor campaign, which targeted networking devices between July 2023 and April 2024 using the Line Runner and Line Dancer backdoors [9]. That earlier campaign established the group's preference for living inside network infrastructure rather than endpoints. FIRESTARTER represents a direct evolution of that tradecraft.
Talos noted that FIRESTARTER "considerably overlaps" with RayInitiator's Stage 3 shellcode capabilities [5], and other reporting likewise describes some overlap with the previously documented RayInitiator malware [7]. The progression from Line Runner/Line Dancer to RayInitiator to FIRESTARTER shows a sustained, multi-year investment in Cisco-specific implant development.
The group continues to actively target Cisco Firepower FXOS, according to Talos, which updated its blog with additional IOCs as recently as March 10, 2026 [5].
Initial Access: Two Zero-Days
FIRESTARTER's deployment exploited two previously unknown vulnerabilities: CVE-2025-20333 and CVE-2025-20362 [1][10]. Both affect Cisco ASA and FTD software. The specifics of each flaw haven't been fully detailed in public advisories, but Tenable's FAQ confirms UAT-4356 chained them for initial access [10].
Once the attackers had code execution on the device, they didn't need to re-exploit those vulnerabilities again. FIRESTARTER's persistence mechanism meant patching the CVEs did nothing to evict the actor [2][3]. This is the detail that makes the campaign particularly dangerous: organizations that followed responsible patch management practices still had an active threat on their perimeter.
Persistence Mechanism: Hooking LINA
FIRESTARTER achieves persistence through several interlocking techniques:
Boot sequence manipulation. The malware modifies the CSP_MOUNT_LIST configuration file to embed itself into the device's startup sequence [1][4]. It maintains a temporary copy (CSP_MOUNTLIST.tmp) to restore the original mount list and cover its tracks [1].
LINA process hooking. FIRESTARTER hooks directly into the LINA process, which is the core datapath engine in ASA/FTD [1][6]. It uses signal handlers to monitor its own state. The backdoor relaunches automatically if terminated [6].
Self-backup on shutdown. During graceful shutdowns and reboots, FIRESTARTER backs itself up and rewrites its components, ensuring it's ready when the device comes back online [4]. The backup is stored at /opt/cisco/platform/logs/var/log/svc_samcore.log [1].
Shared library injection. FIRESTARTER injects shellcode into libstdc++.so, a standard shared library, to blend with legitimate system components [5].
The only way to fully remove the persistence mechanism is a complete reimage and upgrade [6]. A cold restart (physically disconnecting power) will clear the malware from memory, but Cisco warns this risks database corruption [6].
Activation and Command-and-Control
FIRESTARTER doesn't beacon out to a C2 server on its own. It waits. The backdoor is triggered by a "magic packet" delivered via a specially crafted WebVPN authentication request [4]. When the malware recognizes the secret sequence, it executes shellcode directly in memory [4].
Once activated, the operators deployed LINE VIPER, a user-mode shellcode loader with modular payloads [10]. LINE VIPER communicates with C2 infrastructure through two channels: WebVPN client authentication sessions over HTTPS, or via ICMP with responses sent over raw TCP [7][10]. This dual-channel approach gives the operators flexibility to maintain communications even when one protocol is blocked or monitored.
LINE VIPER was used to establish VPN sessions and access device configuration details [6]. The ArcaneDoor campaign historically relied on dedicated, adversary-controlled VPS infrastructure for C2 [9].
IOC Table
| Type | Value | Context | Source |
|---|---|---|---|
| Filename | lina_cs | Malicious process name indicating FIRESTARTER presence | [1][4] |
| Filename | /usr/bin/lina_cs | FIRESTARTER binary location on disk | [1] |
| Filename | /opt/cisco/platform/logs/var/log/svc_samcore.log | FIRESTARTER backup storage location | [1] |
| Filename | CSP_MOUNT_LIST | Configuration file modified for boot persistence | [1] |
| Filename | CSP_MOUNTLIST.tmp | Temporary copy used to restore original mount list | [1] |
| Filename | libstdc++.so | Shared library injected with shellcode | [5] |
| Filename | lina | Legitimate ASA binary modified to avoid forensic detection | [7] |
| Malware | FIRESTARTER | Primary backdoor implant | [1][2] |
| Malware | LINE VIPER | Post-exploitation implant for VPN access and C2 | [1][6][7] |
| Malware | RayInitiator | Related malware with overlapping shellcode capabilities | [5][7] |
| Malware | Line Runner | Backdoor from earlier ArcaneDoor campaign | [9] |
| Malware | Line Dancer | Backdoor from earlier ArcaneDoor campaign | [9] |
MITRE ATT&CK Mapping
| Technique ID | Name | Relevance |
|---|---|---|
| T1055 | Process Injection | FIRESTARTER hooks into LINA process and injects shellcode into libstdc++.so [1][5] |
| T1543 | Create or Modify System Process | Modifies CSP_MOUNT_LIST to persist across boots [1][4] |
| T1036.005 | Match Legitimate Name or Location | Binary placed at /usr/bin/lina_cs, mimicking the legitimate lina process naming convention [1][7] |
| T1133 | External Remote Services | Exploitation of Cisco ASA/FTD VPN components for initial access [10] |
| T1078 | Valid Accounts | LINE VIPER establishes VPN sessions using authentication bypass [6] |
| T1082 | System Information Discovery | Enumeration of device configuration and network details [6] |
| T1057 | Process Discovery | Malware monitors its own process state via signal handlers [6] |
Detection and Hunting
Detection is difficult by design. The only confirmed indicator of compromise on the device itself is the presence of the lina_cs process [4]. Here's what defenders can do:
On-device checks. SSH into Cisco Firepower/ASA devices and look for /usr/bin/lina_cs. Check for modifications to CSP_MOUNT_LIST that weren't part of authorized changes. Examine /opt/cisco/platform/logs/var/log/svc_samcore.log for unexpected content [1].
YARA rules. CISA published two YARA rules for FIRESTARTER detection [6]. Apply these against any forensic images or file extractions from Cisco devices.
Network monitoring. Watch for anomalous WebVPN authentication patterns, particularly requests that don't correspond to legitimate user sessions. LINE VIPER's ICMP-based C2 channel is another detection opportunity: look for ICMP traffic from firewall management interfaces followed by outbound raw TCP connections to external IPs [7].
VPN session anomalies. LINE VIPER establishes VPN sessions using authentication bypass [6]. Correlate VPN session logs with expected user activity. Sessions originating from the firewall itself (rather than through it) are a strong indicator.
Process monitoring. On devices that support it, monitor for unexpected child processes spawned by the lina binary. The automatic relaunch behavior means killing lina_cs once will result in it reappearing [6].
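The on-device checks above (the lina_cs process, unauthorized CSP_MOUNT_LIST changes, the svc_samcore.log backup and the temporary mount-list copy) can be automated against artifacts already pulled off a device. The script below is an added example, not code from CISA, Cisco or the report's author: it takes a process listing, the current CSP_MOUNT_LIST next to a known-good copy, and a list of collected paths, and returns findings for the indicators named on this page. The sample inputs are constructed (Linux ps -ef style output and an assumed mount-list layout), not captured Cisco output.

```python
"""Offline triage of artifacts collected from a Cisco ASA/FTD device (added example)."""
import re
from dataclasses import dataclass

# Paths the report names as FIRESTARTER artifacts (see the IOC table).
IOC_PATHS = {
    "/usr/bin/lina_cs": "FIRESTARTER binary on disk",
    "/opt/cisco/platform/logs/var/log/svc_samcore.log": "FIRESTARTER self-backup written at shutdown",
    "CSP_MOUNTLIST.tmp": "temporary copy used to restore the original mount list",
}

# Matches lina_cs as a whole token, so the legitimate 'lina' binary and other
# names that merely contain 'lina' are not flagged.
LINA_CS_RE = re.compile(r"(?:^|[\s/])lina_cs(?=\s|$)")


@dataclass(frozen=True)
class Finding:
    check: str
    detail: str


def find_lina_cs_processes(ps_output: str) -> list[Finding]:
    """One finding per process-listing line that runs lina_cs."""
    return [Finding("process", line.strip())
            for line in ps_output.splitlines() if LINA_CS_RE.search(line)]


def mount_list_drift(baseline: str, current: str) -> list[Finding]:
    """Diff the current CSP_MOUNT_LIST against a known-good copy (order-insensitive)."""
    base = {l.strip() for l in baseline.splitlines() if l.strip()}
    cur = {l.strip() for l in current.splitlines() if l.strip()}
    return ([Finding("mount_list_added", l) for l in sorted(cur - base)]
            + [Finding("mount_list_removed", l) for l in sorted(base - cur)])


def scan_collected_paths(paths: list[str]) -> list[Finding]:
    """Flag collected paths that equal a known artifact path or, for relative IOCs, its basename."""
    findings = []
    for p in paths:
        for ioc, why in IOC_PATHS.items():
            if p == ioc or (not ioc.startswith("/") and p.rsplit("/", 1)[-1] == ioc):
                findings.append(Finding("artifact_path", f"{p}: {why}"))
    return findings


def triage(ps_output, baseline_mount_list, current_mount_list, paths):
    """Run all three checks and return the combined findings."""
    return (find_lina_cs_processes(ps_output)
            + mount_list_drift(baseline_mount_list, current_mount_list)
            + scan_collected_paths(paths))


# Constructed inputs: shaped like ps -ef output and an assumed mount-list
# format; they are not real device output.
SAMPLE_PS = """\
UID   PID  PPID C STIME TTY TIME     CMD
root  1201 1    0 Sep25 ?   00:05:10 /usr/bin/lina
root  4211 1    0 Sep25 ?   00:00:12 /usr/bin/lina_cs
root  4300 1201 0 Sep25 ?   00:00:00 /bin/sh
"""
BASELINE_MOUNT_LIST = "/dev/sda1 /opt/cisco ext3\n/dev/sda2 /var ext3\n"
CURRENT_MOUNT_LIST = BASELINE_MOUNT_LIST + "/opt/cisco/csp/extra.img /mnt/cs ext3\n"
SAMPLE_PATHS = [
    "/usr/bin/lina",
    "/usr/bin/lina_cs",
    "/opt/cisco/platform/logs/var/log/svc_samcore.log",
    "/opt/cisco/platform/CSP_MOUNTLIST.tmp",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_PS, BASELINE_MOUNT_LIST, CURRENT_MOUNT_LIST, SAMPLE_PATHS):
        print(f"[{f.check}] {f.detail}")
```

The mount-list diff is deliberately set-based: an implant that appends an entry shows up as mount_list_added regardless of where it lands, and a known-good copy taken from a freshly reimaged device of the same version is the baseline to compare against.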
Analysis
UAT-4356 has spent at least three years building capabilities specifically for Cisco network infrastructure. The ArcaneDoor campaign in 2023-2024 [9] was the opening act. FIRESTARTER is the refined product: a persistence mechanism so deeply embedded that the standard incident response playbook (patch, reboot, monitor) is useless.
Based on the timeline - with FIRESTARTER deployed before September 25, 2025 and LINE VIPER deployed in March 2026 - the attackers maintained access for at least six months [1][2]. During that window, the compromised Firepower device was processing all traffic that passed through it. The March 2026 deployment of LINE VIPER suggests the operators were actively extracting value from the access, not just maintaining it for future use [2][6].
The CISA directive requiring all agencies to inventory their Cisco Firepower devices by May 1 signals the government believes this compromised agency is likely not the only victim [3]. The reporting deadline to the National Cyber Director and White House by August 1, 2026 further suggests this is being treated as a significant national security incident [3].
Red Sheep Assessment
Confidence: Moderate-High
The public reporting carefully avoids naming a nation-state sponsor, but the operational pattern leaves a short list of suspects. UAT-4356/Storm-1849's sustained, multi-year focus on network perimeter devices used by Western governments, combined with the espionage-oriented tooling (credential theft, configuration extraction, no destructive payloads), points toward a signals intelligence mission rather than pre-positioning for disruption.
What the sources collectively suggest but don't state outright: FIRESTARTER is probably deployed more broadly than one federal agency. CISA's emergency directive requiring government-wide inventory and check-in [3] is not the response to an isolated incident. The Talos blog noting "continued active targeting" of Firepower FXOS as of March 2026 [5] reinforces this.
The magic packet activation model [4] is particularly concerning because it means compromised devices produce zero network anomalies until the operator decides to wake the implant. Organizations that rely purely on network-based detection (IDS/IPS, NDR) won't see anything until it's too late. The only reliable detection method is direct inspection of the device's filesystem, and most organizations don't do that regularly for network appliances.
One possible interpretation is that the public disclosure may have been timed to force UAT-4356 to abandon implanted devices simultaneously, though this remains speculative. The tight agency deadlines support this interpretation. The intelligence community may have decided the cost of continued compromise outweighed the value of quiet monitoring.
Private sector organizations running Cisco ASA or FTD should not assume this is a government-only problem. UAT-4356 targeted networking devices broadly during ArcaneDoor [9], and the same vulnerabilities exist in commercial deployments.
Defender's Checklist
- [ ] Check for the lina_cs process on all Cisco ASA and Firepower devices immediately, using `show processes | include lina_cs` from the CLI. Presence of this process is the primary known IOC [1][4].
- [ ] Apply CISA's YARA rules against forensic images of Cisco device filesystems. CISA published two rules specifically for FIRESTARTER detection [6].
- [ ] Inventory all Cisco Firepower and ASA devices across your environment, including those managed by third parties. Cross-reference firmware versions against CVE-2025-20333 and CVE-2025-20362 patch status [10]. Note: patching alone does not remove existing compromise [3].
- [ ] Hunt for anomalous VPN sessions originating from firewall management interfaces. Query the SIEM for VPN session events where the source is a firewall management IP, for example `index=vpn source_ip IN (firewall_mgmt_subnet) | stats count by user, dest_ip` [6][7].
- [ ] Plan for reimage, not just reboot. Compromised devices require full reimage and upgrade per Cisco guidance [6]. Cold restart (power disconnect) clears memory but risks database corruption. Have replacement hardware or virtual instances ready before taking devices offline.
References
1. FIRESTARTER Backdoor | CISA
2. FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches | The Hacker News
3. CISA: US agency breached through Cisco vulnerability | The Record
4. New Cisco firewall malware can only be killed by pulling the plug | Help Net Security
5. UAT-4356's Targeting of Cisco Firepower Devices | Cisco Talos
6. Firestarter malware survives Cisco firewall updates, security patches | BleepingComputer
7. Cisco ASA Firewall Zero-Day Exploits Deploy RayInitiator and LINE VIPER Malware | The Hacker News
8. [Removed: invalid source]
9. ArcaneDoor, Campaign C0046 | MITRE ATT&CK
10. CVE-2025-20333, CVE-2025-20362: Cisco Zero-Days Exploited | Tenable
---
Hunt Guide: Hunt Report: FIRESTARTER Cisco Firewall Backdoor Campaign
Hypothesis: If UAT-4356/Storm-1849 has deployed FIRESTARTER or LINE VIPER backdoors in our environment, we expect to observe anomalous processes (lina_cs), modified boot configurations (CSP_MOUNT_LIST), suspicious VPN authentication patterns, and ICMP-based C2 communications in Cisco ASA/FTD devices and network telemetry.
Intelligence Summary: UAT-4356 (Storm-1849) deployed the FIRESTARTER backdoor on federal Cisco Firepower devices via CVE-2025-20333 and CVE-2025-20362, maintaining persistence for 6+ months through LINA process hooking that survives patches and reboots. The actor returned in March 2026 to deploy LINE VIPER for VPN access and data exfiltration, requiring complete device reimaging for remediation.
Confidence: High | Priority: Critical
Scope
- Networks: All Cisco ASA and Firepower (FTD) devices, especially internet-facing and VPN concentrators
- Timeframe: September 2025 to present (focus on March 2026 for LINE VIPER deployment)
- Priority Systems: Internet-facing firewalls, VPN concentrators, devices protecting critical assets or OT networks
MITRE ATT&CK Techniques
T1055 — Process Injection (Defense Evasion) [P1]
FIRESTARTER hooks into the LINA process and injects shellcode into libstdc++.so to maintain persistence and execute commands
Splunk SPL:
index=cisco_asa sourcetype=cisco:asa ("show processes" OR "ps -ef") | rex field=_raw "(?<process_name>lina_cs)" | where isnotnull(process_name) | stats count by host, process_name, _time | eval priority="P1-Critical", detection="FIRESTARTER backdoor detected"
Elastic KQL:
event.dataset:"cisco.asa" AND (message:"lina_cs" OR process.name:"lina_cs") AND NOT process.name:"lina"
Sigma Rule:
title: FIRESTARTER Backdoor Process Detection
id: 8a7f3c4e-9b12-4d56-a892-5c8f9e3d2a17
status: stable
description: Detects FIRESTARTER backdoor process lina_cs on Cisco ASA/FTD devices
author: CISA
references:
    - https://www.cisa.gov/news-events/analysis-reports/ar26-113a
date: 2026/04/23
logsource:
    product: cisco
    service: asa
detection:
    selection:
        - ProcessName: 'lina_cs'
        - CommandLine|contains: '/usr/bin/lina_cs'
    condition: selection
falsepositives:
    - None known
level: critical
tags:
    - attack.defense_evasion
    - attack.t1055
Direct IOC match - presence of lina_cs process confirms FIRESTARTER infection. No known false positives.
T1543 — Create or Modify System Process (Persistence) [P1]
FIRESTARTER modifies CSP_MOUNT_LIST configuration file to embed itself in the device boot sequence
Splunk SPL:
index=cisco_asa sourcetype=cisco:asa ("CSP_MOUNT_LIST" OR "CSP_MOUNTLIST.tmp") | rex field=_raw "(?<config_change>CSP_MOUNT_LIST.*modified|CSP_MOUNTLIST\.tmp.*created)" | where isnotnull(config_change) | eval priority="P1-Critical", ioc_type="persistence_mechanism" | stats count by host, config_change, _time
Elastic KQL:
event.dataset:"cisco.asa" AND (file.name:"CSP_MOUNT_LIST" OR file.name:"CSP_MOUNTLIST.tmp") AND (event.action:"modification" OR event.action:"creation")
Sigma Rule:
title: FIRESTARTER Boot Persistence Configuration Change
id: f2d8a9c3-4e5a-4b7c-9d8e-3f4a5b6c7d8e
status: experimental
description: Detects modifications to CSP_MOUNT_LIST used by FIRESTARTER for boot persistence
author: RedSheep Security/Stone
date: 2026/04/25
logsource:
    product: cisco
    service: asa
detection:
    selection:
        - FileName: 'CSP_MOUNT_LIST'
          EventType: 'file_modification'
        - FileName: 'CSP_MOUNTLIST.tmp'
          EventType: 'file_creation'
    condition: selection
falsepositives:
    - Legitimate Cisco system updates
level: high
tags:
    - attack.persistence
    - attack.t1543
Monitor for unauthorized changes to boot configuration files. Correlate with authorized maintenance windows.
T1036.005 — Match Legitimate Name or Location (Defense Evasion) [P1]
FIRESTARTER masquerades as the legitimate LINA process by using a similar naming convention (lina_cs vs lina)
Splunk SPL:
index=cisco_asa sourcetype=cisco:asa | rex field=_raw "(?<process_path>/usr/bin/lina[_a-z]*)" | where process_path!="/usr/bin/lina" | eval suspicious_process=if(match(process_path,"lina_"),"FIRESTARTER variant detected","Unknown") | stats count by host, process_path, suspicious_process
Elastic KQL:
event.dataset:"cisco.asa" AND process.executable:"/usr/bin/lina*" AND NOT process.executable:"/usr/bin/lina"
Look for process names similar to 'lina' but not exactly 'lina'. The _cs suffix is a known FIRESTARTER indicator.
T1133 — External Remote Services (Initial Access) [P2]
UAT-4356 exploited Cisco ASA/FTD VPN components via CVE-2025-20333 and CVE-2025-20362 for initial access
Splunk SPL:
index=cisco_asa sourcetype=cisco:asa (eventtype=cisco_firewall OR tag=authentication) "WebVPN" | rex field=_raw "User\s+<(?<user>[^>]+)>\s+IP\s+<(?<src_ip>[^>]+)>" | eventstats dc(src_ip) as unique_ips by user | where unique_ips > 5 OR user="" OR isnull(user) | eval priority="P2-Behavioral", detection_reason="Anomalous WebVPN authentication pattern"
Elastic KQL:
event.dataset:"cisco.asa" AND event.category:"authentication" AND cisco.asa.connection_type:"WebVPN" AND (user.name:"" OR NOT _exists_:user.name)
Monitor for WebVPN authentication attempts with missing/empty usernames or from unusual geographic locations. FIRESTARTER uses a magic packet in a WebVPN authentication request for activation.
T1078 — Valid Accounts (Defense Evasion) [P2]
LINE VIPER establishes VPN sessions using authentication bypass to blend with legitimate traffic
Splunk SPL:
index=cisco_asa sourcetype=cisco:asa tag=authentication "VPN" | transaction host startswith="session started" endswith="session terminated" | where duration < 60 OR src_ip=host | eval anomaly=case(src_ip==host,"VPN from firewall itself",duration<60,"Short-lived session",1=1,"Normal") | search anomaly!="Normal" | stats count by host, src_ip, user, anomaly
Elastic KQL:
event.dataset:"cisco.asa" AND event.category:"authentication" AND event.outcome:"success" AND cisco.asa.source_interface:"management*" AND destination.port:443
VPN sessions originating FROM the firewall management interface (not through it) indicate LINE VIPER activity.
T1082 — System Information Discovery (Discovery) [P3]
LINE VIPER enumerates device configuration and network details post-compromise
Splunk SPL:
index=cisco_asa sourcetype=cisco:asa ("show running-config" OR "show version" OR "show interface" OR "show route" OR "show crypto") | bucket _time span=5m | stats count by host, _time | where count > 10 | eval priority="P3-Anomaly", detection="Excessive configuration enumeration"
Elastic KQL:
event.dataset:"cisco.asa" AND message:("show running-config" OR "show version" OR "show interface" OR "show route" OR "show crypto")
Baseline normal admin activity. Spike in configuration commands, especially outside maintenance windows, may indicate reconnaissance.
T1057 — Process Discovery (Discovery) [P1]
FIRESTARTER monitors its own process state via signal handlers and relaunches if terminated
Splunk SPL:
index=cisco_asa sourcetype=cisco:asa ("Process" AND ("terminated" OR "killed" OR "restarted")) | transaction host process_name startswith="terminated" endswith="started" maxspan=30s | where process_name="lina_cs" | eval detection="FIRESTARTER auto-relaunch behavior detected" | table _time host process_name duration detection
Elastic KQL:
event.dataset:"cisco.asa" AND event.action:("process_stopped" OR "process_started") AND process.name:"lina_cs"
Rapid restart of the lina_cs process after termination is a strong indicator of FIRESTARTER presence.
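The three behavioural hunts above (T1133: WebVPN authentications with an empty username or one user from many addresses; T1078: VPN sessions whose source is the firewall's own management address; T1057: lina_cs restarting within seconds of being terminated) are expressed in SPL and KQL. The following is an added example, not code from the hunt guide's author, that implements the same logic in plain Python so it can be run offline against a syslog export. The log lines are constructed: they follow the "User <x> IP <y>" shape that the SPL above parses, and the process-lifecycle lines assume a hypothetical "Process <name> terminated/started" message, neither of which is guaranteed to match real ASA syslog formatting.

```python
"""Offline behavioural checks over ASA-style syslog (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Line layout assumed for the export: ISO timestamp, host, free-text message.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
# Same field shape the hunt guide's SPL extracts: User <name> IP <addr>.
AUTH_RE = re.compile(r"User <(?P<user>[^>]*)> IP <(?P<ip>[^>]+)>")
# Hypothetical process-lifecycle message used for the relaunch check.
PROC_RE = re.compile(r"Process <(?P<name>[^>]+)> (?P<action>terminated|started)")


def parse(lines):
    """Turn raw lines into events; lines that do not fit the layout are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "host": m["host"], "msg": m["msg"]})
    return events


def webvpn_auth_anomalies(events, max_ips=5):
    """T1133: WebVPN auths with an empty username, or one user from > max_ips addresses."""
    ips_by_user = defaultdict(set)
    findings = []
    for e in events:
        if "WebVPN" not in e["msg"]:
            continue
        m = AUTH_RE.search(e["msg"])
        if not m:
            continue
        if m["user"] == "":
            findings.append(("empty_username", e["host"], m["ip"]))
        else:
            ips_by_user[m["user"]].add(m["ip"])
    for user, ips in ips_by_user.items():
        if len(ips) > max_ips:
            findings.append(("many_source_ips", user, len(ips)))
    return findings


def sessions_from_firewall(events, mgmt_ips):
    """T1078: VPN auth/session events whose source IP is a firewall management address."""
    return [(e["host"], m["user"], m["ip"]) for e in events
            if (m := AUTH_RE.search(e["msg"])) and m["ip"] in mgmt_ips]


def rapid_relaunches(events, window_s=30):
    """T1057: a process that starts within window_s seconds of being terminated."""
    last_term = {}
    findings = []
    for e in sorted(events, key=lambda e: e["ts"]):
        m = PROC_RE.search(e["msg"])
        if not m:
            continue
        key = (e["host"], m["name"])
        if m["action"] == "terminated":
            last_term[key] = e["ts"]
        elif key in last_term:
            gap = (e["ts"] - last_term.pop(key)).total_seconds()
            if gap <= window_s:
                findings.append((e["host"], m["name"], gap))
    return findings


# Constructed sample export; hostnames, users and addresses are made up.
SAMPLE_LOGS = [
    "2026-04-20T10:00:01 fw-edge-1 WebVPN: User <alice> IP <203.0.113.10> authentication succeeded",
    "2026-04-20T10:00:05 fw-edge-1 WebVPN: User <> IP <198.51.100.7> authentication attempt",
    "2026-04-20T10:01:00 fw-edge-1 VPN: User <svc-backup> IP <10.0.0.1> session started",
    "2026-04-20T10:02:00 fw-edge-1 Process <lina_cs> terminated",
    "2026-04-20T10:02:12 fw-edge-1 Process <lina_cs> started",
    "2026-04-20T10:05:00 fw-edge-1 Process <lina> terminated",
    "2026-04-20T10:10:00 fw-edge-1 Process <lina> started",
] + [f"2026-04-20T11:0{i}:00 fw-edge-1 WebVPN: User <bob> IP <203.0.113.{20 + i}> authentication succeeded"
     for i in range(6)]

if __name__ == "__main__":
    ev = parse(SAMPLE_LOGS)
    print("T1133:", webvpn_auth_anomalies(ev))
    print("T1078:", sessions_from_firewall(ev, {"10.0.0.1"}))
    print("T1057:", rapid_relaunches(ev))
```

The relaunch check keys on (host, process) and consumes the stored termination on the first subsequent start, so a legitimate restart during a maintenance window still shows up and has to be tuned out by correlating with the change record, exactly as the Sigma rule's false-positive note suggests.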
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| filename | lina_cs | FIRESTARTER backdoor process name |
| filename | /usr/bin/lina_cs | FIRESTARTER binary location on disk |
| filename | /opt/cisco/platform/logs/var/log/svc_samcore.log | FIRESTARTER backup storage location during reboots |
| filename | CSP_MOUNT_LIST | Configuration file modified by FIRESTARTER for boot persistence |
| filename | CSP_MOUNTLIST.tmp | Temporary file used by FIRESTARTER to restore original mount list |
| filename | libstdc++.so | Shared library injected with FIRESTARTER shellcode |
IOC Sweep Queries (Splunk):
index=* ("lina_cs" OR "lina_cs.exe" OR "/usr/bin/lina_cs") | stats count by host, sourcetype, _time | eval ioc_match="FIRESTARTER process name detected"
index=* "/usr/bin/lina_cs" | stats count by host, sourcetype | eval ioc_type="FIRESTARTER backdoor path"
index=* "/opt/cisco/platform/logs/var/log/svc_samcore.log" | stats count by host, sourcetype | eval ioc_type="FIRESTARTER persistence file"
index=* "CSP_MOUNT_LIST" NOT sourcetype=stash | stats count by host, sourcetype | eval ioc_type="FIRESTARTER boot config target"
index=* "CSP_MOUNTLIST.tmp" | stats count by host, sourcetype | eval ioc_type="FIRESTARTER temp file"
index=* "libstdc++.so" (modified OR injected OR hooked) | stats count by host, sourcetype | eval ioc_type="FIRESTARTER injection target"
YARA Rules
FIRESTARTER_Backdoor_Artifacts — Detects FIRESTARTER backdoor file artifacts and strings
rule FIRESTARTER_Backdoor_Artifacts {
    meta:
        description = "Detects FIRESTARTER backdoor artifacts on Cisco ASA/FTD devices"
        author = "RedSheep Security/Stone"
        date = "2026-04-25"
        reference = "https://www.cisa.gov/news-events/analysis-reports/ar26-113a"
        hash1 = "Unknown - not provided in source material"
    strings:
        $s1 = "lina_cs" ascii
        $s2 = "CSP_MOUNT_LIST" ascii
        $s3 = "CSP_MOUNTLIST.tmp" ascii
        $s4 = "/opt/cisco/platform/logs/var/log/svc_samcore.log" ascii
        $s5 = "/usr/bin/lina_cs" ascii
        $hook1 = "libstdc++.so" ascii
        $hook2 = "LINA" ascii
    condition:
        // 0x464c457f is the ELF magic (7f 45 4c 46) read as a little-endian uint32
        uint32(0) == 0x464c457f and (
            2 of ($s*) or
            (any of ($s*) and any of ($hook*))
        )
}
LINE_VIPER_Shellcode_Loader — Detects LINE VIPER shellcode loader patterns
rule LINE_VIPER_Shellcode_Loader {
    meta:
        description = "Detects LINE VIPER post-exploitation implant patterns"
        author = "RedSheep Security/Stone"
        date = "2026-04-25"
        reference = "UAT-4356 Campaign Analysis"
    strings:
        $webvpn1 = "WebVPN" ascii
        $webvpn2 = "authentication" ascii
        $icmp1 = { 08 00 ?? ?? ?? ?? ?? ?? } // ICMP Echo Request header
        $vpn_bypass = "VPN_SESSION_ESTABLISHED" ascii
        // Generic shellcode patterns
        $shellcode1 = { 48 31 C0 48 89 C7 48 89 C6 } // xor rax,rax; mov rdi,rax; mov rsi,rax
        $shellcode2 = { 50 48 31 D2 48 BB } // push rax; xor rdx,rdx; mov rbx
    condition:
        2 of ($webvpn*, $icmp*, $vpn_bypass) or
        (any of ($webvpn*, $icmp*, $vpn_bypass) and any of ($shellcode*))
}
Suricata Rules
SID 2026042501 — FIRESTARTER WebVPN Magic Packet Activation Attempt
alert http $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET TROJAN FIRESTARTER WebVPN Magic Packet Activation Attempt"; flow:to_server,established; content:"POST"; http_method; content:"/+CSCOE+/logon.html"; http_uri; content:"username="; http_client_body; pcre:"/username=(&|$)/"; content:!"password="; http_client_body; threshold:type limit,track by_src,count 1,seconds 3600; classtype:trojan-activity; sid:2026042501; rev:1; metadata:created_at 2026_04_25;)
SID 2026042502 — LINE VIPER ICMP C2 Beacon
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN LINE VIPER ICMP C2 Beacon from Firewall"; itype:8; dsize:>100; content:"|00 00 00 00 00 00 00 00|"; offset:8; depth:8; threshold:type threshold,track by_src,count 5,seconds 60; classtype:trojan-activity; sid:2026042502; rev:1; metadata:created_at 2026_04_25;)
SID 2026042503 — LINE VIPER Raw TCP Response After ICMP
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN LINE VIPER Raw TCP C2 Response"; flow:to_client,established; flags:PA; dsize:>500; content:!"|16 03|"; depth:2; threshold:type limit,track by_src,count 1,seconds 300; classtype:trojan-activity; sid:2026042503; rev:1; metadata:created_at 2026_04_25;)
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| Cisco ASA/FTD CLI Output | T1055, T1543, T1036.005, T1057 | Requires SSH/console access to devices for 'show processes' and filesystem checks |
| Cisco Syslog | T1133, T1078, T1082 | Must have syslog collection at logging level 6 (informational) or higher |
| VPN Authentication Logs | T1133, T1078 | WebVPN and standard VPN authentication events required |
| Network Flow Data | T1133 | NetFlow/IPFIX from firewalls to detect ICMP C2 and anomalous TCP flows |
| File Integrity Monitoring | T1543 | FIM on Cisco device filesystem if available (rare in production) |
Sources
- FIRESTARTER Backdoor | CISA
- FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches | The Hacker News
- CISA: US agency breached through Cisco vulnerability | The Record
- New Cisco firewall malware can only be killed by pulling the plug | Help Net Security
- UAT-4356's Targeting of Cisco Firepower Devices | Cisco Talos
- Firestarter malware survives Cisco firewall updates, security patches | BleepingComputer
- Cisco ASA Firewall Zero-Day Exploits Deploy RayInitiator and LINE VIPER Malware | The Hacker News
- ArcaneDoor, Campaign C0046 | MITRE ATT&CK
- CVE-2025-20333, CVE-2025-20362: Cisco Zero-Days Exploited | Tenable