Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to threat actors
5 malware familiesExploits CVEs in the wild

ArcaneDoor

Also known asArcaneDoorStorm-1849UAT4356

ArcaneDoor is a state-sponsored espionage threat actor/campaign tracked by Cisco Talos as UAT4356 and by Microsoft as Storm-1849. The content repeatedly links it to China or describes it as China-affiliated/China-linked, and Cisco and government partners linked later 2025 exploitation activity to the same actor behind the earlier ArcaneDoor attacks. ArcaneDoor has targeted government-owned perimeter network devices globally, including Cisco ASA and Firepower Threat Defense appliances, and earlier reporting also notes compromises of government and telecom networks. Reported tradecraft includes abusing WebVPN traffic and WebVPN sessions associated with clientless SSL VPN services to achieve unauthorized remote code execution; exploiting Cisco vulnerabilities including CVE-2024-20353 and CVE-2024-20359 in the 2024 campaign and CVE-2025-20333 and CVE-2025-20362 in later related activity; deploying bespoke tooling and backdoors including Line Runner, Line Dancer, FIRESTARTER, and the LINE VIPER post-exploitation toolkit; executing CLI commands; collecting packet captures, system configuration information, and victim device configuration information; exfiltrating data over existing command-and-control channels; modifying Cisco ASA AAA functionality to bypass normal authentication, authorization, and accounting operations; intercepting harvested user CLI commands; suppressing syslog/logging; and establishing persistence, including a previously unknown mechanism preserved across upgrades and ROMmon/boot-process persistence described for FIRESTARTER. The actor is also described as using dedicated adversary-controlled VPS infrastructure for command and control.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

36 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

12 of 15 tactics53 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
3 techniques
T1078
Valid Accounts
T1133×3
External Remote Services
T1190×10
Exploit Public-Facing Application
TA0002
Execution
3 techniques
T1059×7
Command and Scripting Interpreter
T1203×3
Exploitation for Client Execution
T1574×4
Hijack Execution Flow
TA0003
Persistence
10 techniques
T1037×2
Boot or Logon Initialization Scripts
T1078
Valid Accounts
T1112
Modify Registry
T1133×3
External Remote Services
T1205×2
Traffic Signaling
T1505
Server Software Component
T1542×2
Pre-OS Boot
T1542.001
System Firmware
T1542.003
Bootkit
T1547×4
Boot or Logon Autostart Execution
T1556
Modify Authentication Process
T1653
Power Settings
TA0004
Privilege Escalation
5 techniques
T1037×2
Boot or Logon Initialization Scripts
T1055
Process Injection
T1068×3
Exploitation for Privilege Escalation
T1078
Valid Accounts
T1547×4
Boot or Logon Autostart Execution
TA0005
Stealth
7 techniques
T1055
Process Injection
T1070×4
Indicator Removal
T1070.004
File Deletion
T1078
Valid Accounts
T1140
Deobfuscate/Decode Files or Information
T1205×2
Traffic Signaling
T1542×2
Pre-OS Boot
T1542.001
System Firmware
T1542.003
Bootkit
T1574×4
Hijack Execution Flow
TA0112
Defense Impairment
3 techniques
T1112
Modify Registry
T1556
Modify Authentication Process
T1601
Modify System Image
TA0006
Credential Access
4 techniques
T1040×6
Network Sniffing
T1555
Credentials from Password Stores
T1556
Modify Authentication Process
T1557
Adversary-in-the-Middle
TA0007
Discovery
2 techniques
T1040×6
Network Sniffing
T1082
System Information Discovery
TA0009
Collection
1 technique
T1557
Adversary-in-the-Middle
TA0011
Command and Control
5 techniques
T1071
Application Layer Protocol
T1071.001
Web Protocols
T1090
Proxy
T1102
Web Service
T1102.003
One-Way Communication
T1105×2
Ingress Tool Transfer
T1205×2
Traffic Signaling
TA0010
Exfiltration
2 techniques
T1041×3
Exfiltration Over C2 Channel
T1048
Exfiltration Over Alternative Protocol
TA0040
Impact
1 technique
T1499
Endpoint Denial of Service
ARSENAL

Associated malware families

5 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
FIRESTARTERIn April 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) released a joint advisory on a newly identified backdoor named “FIRESTARTER,” deployed by the state-linked APT group UAT-4356 targeting Cisco Firepower devices.4May 8, 2026
Line DancerUAT4356 deployed two backdoors as components of this campaign, ‘Line Runner’ and ‘Line Dancer,’ which were used collectively to conduct malicious actions on-target, which included configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement4May 26, 2026
Line RunnerUAT4356 deployed two backdoors as components of this campaign, ‘Line Runner’ and ‘Line Dancer,’ which were used collectively to conduct malicious actions on-target, which included configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement4May 26, 2026
LINE VIPERThe attack chain begins with exploitation of known vulnerabilities (CVE-2025–20333, CVE-2025–20362) to gain initial access, followed by the deployment of LINE VIPER and FIRESTARTER to take control of the network device itself.4May 8, 2026
RayInitiatorAfter the flaws had been fixed, the U.K. NCSC reported that threat actors exploited them in zero-day attacks to deploy novel malware families, RayInitiator and LINE VIPER. RayInitiator is a persistent, multi-stage GRUB bootkit flashed to Cisco ASA 5500-X devices (many out of support) that survives reboots and firmware upgrades.2Mar 18, 2026
WEAPONIZED

Associated vulnerabilities

5 CVEs this actor has used in observed campaigns. 5 of them exploited in the wild.

CVE-2025-20362Unauthenticated restricted URL access in Cisco Secure ASA/FTD VPN web serverIn the wildEvidence12

Two of these, CVE-2025-20333 and CVE-2025-20362, are currently under active exploitation by adversaries in the wild... A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to access restricted URL endpoints that are related to remote access VPN that should otherwise be inaccessible without authentication.

CVE-2025-20333Authenticated RCE in Cisco ASA/FTD VPN Web ServerIn the wildEvidence11

Two of these, CVE-2025-20333 and CVE-2025-20362, are currently under active exploitation by adversaries in the wild... A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote attacker to execute arbitrary code on an affected device.

CVE-2024-20353Cisco ASA and FTD Web Services Denial of Service VulnerabilityIn the wildEvidence6

CISA added two Cisco product vulnerabilities — CVE-2024-20353 and CVE-2024-20359 — to the Known Exploited Vulnerabilities catalog. Cisco warned they are being exploited as part of a campaign by state-sponsored threat actors affecting Cisco ASA and Firepower Threat Defense devices.

CVE-2024-20359Cisco ASA and FTD Persistent Local Code Execution VulnerabilityIn the wildEvidence6

CISA added two Cisco product vulnerabilities — CVE-2024-20353 and CVE-2024-20359 — to the Known Exploited Vulnerabilities catalog. Cisco warned they are being exploited as part of a campaign by state-sponsored threat actors affecting Cisco ASA and Firepower Threat Defense devices.

CVE-2025-30333RCE in Cisco Adaptive Security Appliance (ASA) with VPN credentialsIn the wildEvidence1

The hackers are, reportedly, chaining together two known vulnerabilities in the Cisco ASA devices, identified as CVE-2025-30333 (CVSS 9.9) and CVE-2025-20362 (CVSS 6.5). This combined attack allows them to gain deep, persistent control over the appliances. CVE-2025-30333 is a serious issue that lets an attacker with VPN credentials run their own code on the device...

IOCS

Observables

62 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

62 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
sdxcentral cybersecurityNews
May 12, 2026
Cisco to plug leaky legacy ware with Resilient Infrastructure service - SDxCentral

A China-affiliated campaign linked to attacks against Cisco firewall and switch infrastructure using remote code execution and privilege escalation to gain persistent unauthorized access.

Read more
the hacker newsNews
Apr 24, 2026
FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches

Associated with exploitation of Cisco ASA/FTD vulnerabilities to deploy the FIRESTARTER backdoor and LINE VIPER post-exploitation toolkit for persistent access to compromised network appliances.

Read more
scworldNews
Feb 6, 2026
CISA gives federal agencies one year to replace outdated edge devices | SC Media

Referenced as an example of a named activity cluster associated with exploiting edge devices to maintain persistent access into targeted networks.

Read more
dark readingNews
Jan 23, 2026
Exploited Zero-Day Flaw in Cisco UC Could Affect Millions

State-sponsored cyber-espionage activity leveraging Cisco zero-day vulnerabilities.

Read more
+55 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping36

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal5

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs5

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables62

Domains, IPs, and hashes tied to this actor, refreshed continuously.