Line Dancer
Line Dancer is a memory-resident shellcode loader/implant used in the ArcaneDoor espionage campaign against Cisco Adaptive Security Appliance (ASA) devices, including ASA55xx systems, during activity observed in late 2023 and early 2024. It has been associated with the state-sponsored threat actor tracked by Cisco as UAT4356 and by Microsoft as STORM-1849. Cisco Talos and partner agencies reported it being deployed alongside the persistent Line Runner backdoor on compromised ASA devices.
High-confidence reporting describes Line Dancer as an in-memory implant that enables attackers to upload and execute arbitrary shellcode payloads. NCSC analysis states it was recovered only from memory, from a non-file-backed RWX region outside the lina text section, and that it is non-persistent. Execution is achieved by overwriting a lina data-section function pointer used to parse the WebVPN XML <host-scan-reply> field. The implant checks for a victim-specific fixed 32-byte authentication token at the start of data submitted in that field of a WebVPN HTTP(S) POST request; if the token matches, it base64-decodes the remaining data as shellcode, copies it into a fixed address in the same memory region, executes it, and then returns control to the legitimate parser.
Reported capabilities include executing arbitrary commands and shellcode payloads, modifying device configuration, reconnaissance, collecting and exfiltrating device configuration data, creating and exfiltrating packet captures, disabling or suppressing syslog logging, and interfering with AAA/authentication mechanisms to bypass configured controls. Cisco reporting also states Line Dancer hooked the crash-dump process to force reboot behavior and hinder forensic collection. French CERT reporting similarly describes the implant as memory-only and capable of disabling system activity logs, retrieving configuration elements, performing and exfiltrating network captures, executing arbitrary commands, inserting into the crash-dump process to reduce traces, and inserting into AAA processing to bypass those mechanisms.
The malware was observed in targeted attacks associated with exploitation of CVE-2024-20353 and CVE-2024-20359 in Cisco ASA/WebVPN. Public advisories describe the broader campaign as focused on espionage and targeting government and critical national infrastructure networks globally. Cisco stated the initial intrusion vector remained unknown, but the malware was used post-compromise on a small set of customers. Known behavioral indicators directly mentioned in the reporting include WebVPN HTTP(S) POST activity to URIs such as /CSCOSSLC/config-auth, use of the <host-scan-reply> XML field for tasking, victim-specific 32-byte tokens, and suspicious split or multiple executable lina memory regions observable via "show memory region | include lina".
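A hunt over `show memory region | include lina` output for the split-text-section indicator described above, as an added example that is not from the original page or from Cisco/NCSC. The column layout of the constructed sample output (start-end, size, permissions, mapping name) is assumed; adjust the regex to what your ASA release actually prints.

```python
import re

# Constructed sample output in an ASSUMED column layout (start-end, size,
# permissions, mapping name); the real ASA format may order columns differently.
CLEAN_OUTPUT = """\
0x0000000000400000-0x0000000002e00000 0x2a00000 r-xp /asa/bin/lina
0x0000000002e00000-0x0000000003200000 0x400000  rw-p /asa/bin/lina
"""

# Constructed sample of the pattern the NCSC analysis calls suspicious: the
# lina text section split around a 0x1000-byte writable+executable page.
SPLIT_OUTPUT = """\
0x0000000000400000-0x0000000001800000 0x1400000 r-xp /asa/bin/lina
0x0000000001800000-0x0000000001801000 0x1000    rwxp /asa/bin/lina
0x0000000001801000-0x0000000002e00000 0x15ff000 r-xp /asa/bin/lina
0x0000000002e00000-0x0000000003200000 0x400000  rw-p /asa/bin/lina
"""

REGION_RE = re.compile(
    r"^\s*(0x[0-9a-fA-F]+)-(0x[0-9a-fA-F]+)\s+0x[0-9a-fA-F]+\s+([rwxps-]{4})\s+(\S+)"
)

def parse_regions(output):
    """Parse region lines into (start, end, size, perms, name); size is recomputed
    from the address range rather than trusted from the size column."""
    regions = []
    for line in output.splitlines():
        m = REGION_RE.match(line)
        if m:
            start, end, perms, name = m.groups()
            start, end = int(start, 16), int(end, 16)
            regions.append((start, end, end - start, perms, name))
    return regions

def suspicious_lina_regions(output):
    """Return (executable lina regions, findings). A healthy lina has one r-x text
    mapping; more than one, any writable one, or a 0x1000-byte one is suspicious."""
    exec_regions = [r for r in parse_regions(output)
                    if "lina" in r[4] and "x" in r[3]]
    findings = []
    if len(exec_regions) > 1:
        findings.append("%d executable lina regions (text section split)" % len(exec_regions))
    for start, _end, size, perms, _name in exec_regions:
        if "w" in perms:
            findings.append("writable and executable lina region at 0x%x" % start)
        if size == 0x1000:
            findings.append("executable lina region of size 0x1000 at 0x%x" % start)
    return exec_regions, findings
```

Run it against the captured CLI output of each ASA in the fleet; any non-empty findings list warrants the memory-capture procedure from the vendor forensic guidance rather than a reboot, since the implant is memory-only.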
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
CISA added two Cisco product vulnerabilities — CVE-2024-20353 and CVE-2024-20359 — to the Known Exploited Vulnerabilities catalog. Cisco warned they are being exploited as part of a campaign by state-sponsored threat actors affecting Cisco ASA and Firepower Threat Defense devices.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
UAT4356 deployed two backdoors as components of this campaign, ‘Line Runner’ and ‘Line Dancer,’ which were used collectively to conduct malicious actions on-target, which included configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement.
Cisco Talos previously attributed this group to the ArcaneDoor campaign in 2024, where they exploited two Cisco ASA zero-day vulnerabilities (CVE-2024-20353, CVE-2024-20359) to deploy malware such as Line Dancer and Line Runner.
Techniques & procedures
30 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
Execution (5 techniques)
LINE DANCER is a persistent Lua-based shellcode loader, which is a component of a larger framework. This shellcode loader would process malicious payloads that execute system commands.
Persistence (7 techniques)
‘Line Runner’ and ‘Line Dancer’... were used collectively to conduct malicious actions on-target, which included configuration modification...
These affected products have been compromised by malicious actors who successfully established unauthorized access through WebVPN sessions, commonly associated with Clientless SSLVPN services.
UAT4356 deployed two backdoors as components of this campaign, ‘Line Runner’ and ‘Line Dancer,’ which were used collectively to conduct malicious actions on-target.
“Line Dancer is not persistent, the actor achieves persistence on ASA devices via Line Runner… a persistent Lua webshell…”
Privilege Escalation (1 technique)
Stealth (8 techniques)
“This data is then base64-decoded and copied into a fixed memory address… The base64-decoded data is expected to be shellcode.”
MITRE TTPs ... Injection of code into AAA and Crash Dump processes (T1055)
The malicious actors were able to control the enabling and disabling of the device's syslog service to obfuscate additional commands.
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
“An observed Line Dancer payload changes the memory protections of a region of lina, this results in the text section being split and causing multiple executable memory regions for lina… suspicious, especially if one is of size 0x1000.”
Defense Impairment (2 techniques)
Credential Access (2 techniques)
Discovery (2 techniques)
‘Line Runner’ and ‘Line Dancer’... were used collectively to conduct malicious actions on-target, which included... network traffic capture/exfiltration...
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Collection (2 techniques)
These samples are commands that directed the devices to perform specific actions which resulted in the exfiltration of device configurations, configuration of network captures, and data exfiltration.
Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers. Dyre has the ability to send information staged on a compromised host externally to C2. Line Runner utilizes HTTP to retrieve and exfiltrate information staged using Line Dancer.
Command and Control (2 techniques)
Exfiltration (3 techniques)
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
IOCs tracked for this family
60 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
15 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Malware previously deployed in the ArcaneDoor campaign against Cisco ASA devices.
Referenced as a prior/less comprehensive related malware/tool compared to LINE VIPER; no additional functional details provided in the content.
Line Dancer is an in-memory shellcode loader deployed by threat actors to facilitate the execution of malicious payloads on compromised Cisco ASA and FTD devices. It is used to load and execute shellcode directly in memory, aiding in evasion and persistence.
Memory-resident shellcode interpreter implant on Cisco ASA devices that allows attackers to upload and execute arbitrary shellcode, disable syslog, exfiltrate configuration and packet captures, execute CLI commands, tamper with crash dumps, and bypass AAA for unauthorized VPN access.