Line Runner
Line Runner is a persistent Lua-based webshell/backdoor used in the ArcaneDoor espionage campaign against Cisco Adaptive Security Appliance (ASA) devices, particularly via WebVPN/Clientless SSLVPN functionality. It is associated with the state-sponsored threat actor tracked by Cisco as UAT4356 and by Microsoft as STORM-1849. Cisco Talos and allied government advisories describe it as one of two custom malware components used in the campaign alongside the related Line Dancer in-memory shellcode loader.
Line Runner targets Cisco ASA WebVPN device customization and plug-in functionality and is tied to abuse of CVE-2024-20359. It enables attackers to upload and execute arbitrary Lua scripts, including via HTTP GET requests to legitimate Cisco ASA WebVPN or AnyConnect URIs such as /+CSCOE+/portal.css, using victim-specific tokens and randomized parameter names/values to hinder detection. It has been described as a persistent HTTP-based Lua backdoor/webshell that can survive reboots and upgrades. In at least one case, attackers abused CVE-2024-20353 to force a reboot and trigger installation.
High-confidence reporting states that Line Runner was used collectively with Line Dancer to conduct malicious actions on target, including configuration modification, reconnaissance, network traffic capture and exfiltration, and possible lateral movement. Advisories also state the broader activity included exfiltration of device configurations, manipulation of syslog services to obfuscate commands, and AAA configuration changes to permit actor-controlled access. Cisco observed UAT4356 using Line Runner to retrieve information staged using Line Dancer.
NCSC reporting provides additional implementation details: Line Runner can be installed via a crafted ZIP bundle matching the client bundle naming pattern, with malicious logic in csco_config.lua, leveraging Cisco ASA boot-time WebVPN plug-in auto-install behavior. It deploys modified WebVPN include content, hides artifacts in disk0:/csco_config/, patches functions to avoid showing a suspicious plug-in as installed, and modifies shutdown/startup-related scripts to restore persistence and remove traces. It also includes anti-forensic and defense-evasion behavior, including hiding files from normal administrative views, self-removing under certain WebVPN customization operations, manipulating timestamps and ownership, and using cleanup logic tied to reboot/shutdown behavior. A hard power cycle has been reported as able to prevent reinstallation in some scenarios because normal shutdown scripts do not run.
The malware has been observed in attacks from late 2023 through early 2024 against a small set of victims, including government and critical national infrastructure-related networks globally, with affected devices predominantly reported as Cisco ASA55xx systems running ASA firmware 9.12 and 9.14. Known indicators and artifacts directly mentioned in reporting include the ZIP name pattern ^client_bundle[%w_-]%.zip$, the recovered installer name client_bundle_install.zip, execution via WebVPN/AnyConnect URIs, and associated modified files such as browser_inc.lua and index.ini mappings under disk0:/csco_config/.
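The two behaviours above that a defender can actually look for are the tasking channel (HTTP GET requests to legitimate WebVPN URIs such as /+CSCOE+/portal.css carrying randomized parameter names/values) and the on-disk artifacts (client_bundle*.zip installers and files under disk0:/csco_config/). The script below is an added hunt example, not code from this page, Cisco, Talos or NCSC. It assumes a simplified access-log line format and a flat disk0: listing (both constructed inline), treats "static WebVPN assets are normally fetched without a query string" and "five or more mixed letters and digits looks random" as tunable assumptions, and uses a deliberately broad client_bundle prefix/suffix check rather than the exact Lua pattern the ASA applies at boot.

```python
"""Hunt helpers for Line Runner-style tasking and artifacts on Cisco ASA.

Added example (not code from the page, Cisco, Talos or NCSC). Inputs are
constructed samples: a simplified access-log format and a flat disk0: listing.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Simplified "<src> <method> <target> <status>" lines; this format is an
# assumption for the example, not a real Cisco ASA log format.
LOG_LINE = re.compile(r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$")

# WebVPN URI named in the reporting as a tasking channel. Assumption: in
# normal browser use this static asset is fetched without a query string, so
# a GET that carries parameters is worth a look. Extend from your own baseline.
WEBVPN_STATIC_URIS = {"/+CSCOE+/portal.css"}

# Heuristic for the "randomized parameter names" the reporting describes:
# five or more alphanumerics mixing letters and digits (assumed threshold).
RANDOM_NAME = re.compile(r"^(?=.*[A-Za-z])(?=.*\d)[A-Za-z0-9]{5,}$")

# File names quoted in the reporting, plus the directory used for staging.
# The client_bundle*.zip prefix/suffix check is a deliberately broad hunt
# heuristic, not the exact Lua pattern the ASA applies at boot.
ARTIFACT_NAMES = {"csco_config.lua", "browser_inc.lua", "index.ini", "client_bundle_install.zip"}
STAGING_DIR = "disk0:/csco_config/"


def flag_webvpn_requests(log_text):
    """Return one finding per GET to a static WebVPN URI that carries parameters."""
    findings = []
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m or m["method"] != "GET":
            continue
        parts = urlsplit(m["target"])
        if parts.path not in WEBVPN_STATIC_URIS:
            continue
        params = parse_qsl(parts.query, keep_blank_values=True)
        if not params:
            continue
        reasons = ["query string on static WebVPN asset"]
        if any(RANDOM_NAME.match(name) for name, _ in params):
            reasons.append("random-looking parameter name")
        findings.append({"src": m["src"], "path": parts.path,
                         "params": [name for name, _ in params], "reasons": reasons})
    return findings


def flag_disk0_artifacts(listing):
    """Return (path, reason) pairs for entries matching reported Line Runner artifacts."""
    hits = []
    for path in listing:
        name = path.rsplit("/", 1)[-1]
        if name in ARTIFACT_NAMES:
            hits.append((path, "file name quoted in Line Runner reporting"))
        elif name.startswith("client_bundle") and name.endswith(".zip"):
            hits.append((path, "client_bundle*.zip installer naming (broad heuristic)"))
        elif path.startswith(STAGING_DIR):
            hits.append((path, "unexpected file under disk0:/csco_config/ (review)"))
    return hits


# Constructed sample data for a stand-alone run (addresses are documentation ranges).
SAMPLE_LOG = """\
203.0.113.10 GET /+CSCOE+/portal.css 200
203.0.113.11 GET /+CSCOE+/logon.html 200
203.0.113.12 GET /+CSCOE+/portal.css?qk3Lm9=ZxPq2w8uL&aB7c=kLm3 200
203.0.113.13 POST /+CSCOE+/logon.html 200
203.0.113.14 GET /+CSCOE+/portal.css?v=2 200
"""

SAMPLE_LISTING = [
    "disk0:/asa-image-placeholder.bin",
    "disk0:/client_bundle_install.zip",
    "disk0:/client_bundle_x7.zip",
    "disk0:/csco_config/browser_inc.lua",
    "disk0:/csco_config/index.ini",
    "disk0:/csco_config/extra.lua",
    "disk0:/tools/notes.txt",
]

if __name__ == "__main__":
    for f in flag_webvpn_requests(SAMPLE_LOG):
        print(f"{f['src']} {f['path']} params={f['params']} -> {'; '.join(f['reasons'])}")
    for path, reason in flag_disk0_artifacts(SAMPLE_LISTING):
        print(f"{path} -> {reason}")
```

The request check deliberately separates "any query string on a static asset" from "random-looking names" so that a benign cache-buster like ?v=2 surfaces at lower priority than a parameter set that matches the reported pattern. The disk0: check only flags names the reporting mentions, the broad installer pattern, and other files in the staging directory; the ASA may legitimately use disk0:/csco_config/ for customizations, which is why those entries are marked for review rather than treated as confirmed.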
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories.
CISA added two Cisco product vulnerabilities — CVE-2024-20353 and CVE-2024-20359 — to the Known Exploited Vulnerabilities catalog. Cisco warned they are being exploited as part of a campaign by state-sponsored threat actors affecting Cisco ASA and Firepower Threat Defense devices.
Groups observed using it
2 distinct threat actors attributed by public researchers.
UAT4356 deployed two backdoors as components of this campaign, ‘Line Runner’ and ‘Line Dancer,’ which were used collectively to conduct malicious actions on-target, which included configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement
Cisco Talos previously attributed this group to the ArcaneDoor campaign in 2024, where they exploited two Cisco ASA zero-day vulnerabilities (CVE-2024-20353, CVE-2024-20359) to deploy malware such as Line Dancer and Line Runner.
Techniques & procedures
32 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
Execution
4 techniques
LINE RUNNER offers the ability to run arbitrary Lua code sent via HTTP GET requests to legitimate Cisco ASA WebVPN / AnyConnect URIs.
Persistence
9 techniques
MITRE TTPs ... Line Runner persistence mechanism (T1037)
‘Line Runner’ and ‘Line Dancer’... were used collectively to conduct malicious actions on-target, which included configuration modification...
These affected products have been compromised by malicious actors who successfully established unauthorized access through WebVPN sessions, commonly associated with Clientless SSLVPN services.
UAT4356 deployed two backdoors as components of this campaign, ‘Line Runner’ and ‘Line Dancer,’ which were used collectively to conduct malicious actions on-target.
“Line Runner implements a Lua webshell that is tasked via HTTP(S) GET requests… reachable by sending GET requests to multiple unauthenticated WebVPN endpoints.”
"maintain persistence... in the bootloader"; "they also infect the bootloader for persistence"
“Line Runner prepends code to several system files… /etc/init.d/umountfs… /asa/scripts/lina_exe_cs.sh…”
Privilege Escalation
2 techniques
Stealth
8 techniques
“To write to this location it uses a directory traversal technique… ifs.dump(cbizipcontent, "disk0:/csco_config/../../../../../run/lock/subsys/krbkdc6")”
“The code for this line is obfuscated with base64 encoding.”
“The file is deleted after it has been run.” / “delete the webshell… restore the original index.ini… delete… /asa/scripts/lina_cs (itself)…”
The content repeatedly describes adversaries and malware deleting files, directories, droppers, scripts, logs, archives, staged data, and other artifacts from compromised systems, e.g., 'APT29 has used SDelete to remove artifacts from victim networks' and 'Lazarus Group malware has deleted files in various ways, including "suicide scripts" to delete malware binaries from the victim.'
"maintain persistence... in the bootloader"; "they also infect the bootloader for persistence"
Defense Impairment
2 techniques
Credential Access
3 techniques
‘Line Runner’ and ‘Line Dancer’... were used collectively to conduct malicious actions on-target, which included... network traffic capture/exfiltration...
Discovery
2 techniques
Collection
3 techniques
These samples are commands that directed the devices to perform specific actions which resulted in the exfiltration of device configurations, configuration of network captures, and data exfiltration.
Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers. Dyre has the ability to send information staged on a compromised host externally to C2. Line Runner utilizes HTTP to retrieve and exfiltrate information staged using Line Dancer.
Command and Control
3 techniques
Exfiltration
3 techniques
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
IOCs tracked for this family
61 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
14 sources tracked across advisories, community write-ups, and news.
Malware previously deployed in the ArcaneDoor campaign against Cisco ASA devices.
Line Runner is a backdoor malware used by threat actors to maintain persistence on compromised Cisco ASA and FTD devices. It allows remote access and control, surviving reboots and software upgrades by modifying device ROMMON.
Persistent HTTP-based Lua backdoor for Cisco ASA devices that survives reboots and upgrades. It is installed via a malicious client bundle ZIP mechanism and used to maintain persistence and retrieve staged information.
LINE RUNNER is a persistent webshell implant for Cisco ASA devices, enabling attackers to upload and execute arbitrary Lua scripts via specially crafted HTTP GET requests. It is designed for stealth and persistence, allowing remote code execution and facilitating further compromise or espionage.