
ArcaneDoor Exploits Cisco ASA/FTD VPNs and Ransomware Groups Target Enterprise Email Services in 2024–2025 Campaigns

  • Rescana
  • Dec 21, 2025
  • 5 min read

Executive Summary

In the second quarter of 2024, two highly sophisticated and distinct cyber threat campaigns were observed targeting enterprise environments globally. The first campaign exploits critical vulnerabilities in Cisco VPN infrastructure, specifically affecting Cisco ASA and Cisco Secure Firewall devices, and is attributed to the advanced persistent threat group known as ArcaneDoor. The second campaign leverages a combination of social engineering, remote monitoring and management (RMM) tools, and ransomware to compromise enterprise email services, with strong links to notorious ransomware groups such as Black Basta, FIN7, LockBit, and Mallox. Both campaigns demonstrate advanced tactics, techniques, and procedures (TTPs), including zero-day exploitation, persistent access, and multi-stage attack chains. This advisory provides a comprehensive technical analysis, threat actor profiles, exploitation details, victimology, and actionable mitigation strategies, referencing the latest open-source intelligence and vendor advisories.

Threat Actor Profile

The ArcaneDoor threat actor is suspected to be a state-sponsored group with a focus on stealthy, persistent access to network edge devices. Their operations are characterized by the exploitation of zero-day vulnerabilities, advanced evasion techniques, and the ability to modify device firmware for long-term persistence. The group’s targeting of Cisco ASA and Cisco Secure Firewall devices suggests a strategic interest in gaining access to high-value enterprise and government networks.

The email services campaign is attributed to a coalition of financially motivated cybercriminal groups, including Black Basta, FIN7, LockBit, and Mallox. These actors are known for their use of commodity malware, RMM tools, and ransomware-as-a-service (RaaS) models. They employ sophisticated social engineering tactics, such as vishing and email bombing, to bypass traditional security controls and gain initial access to enterprise environments. The overlap in TTPs and infrastructure between these groups indicates a high level of collaboration and resource sharing within the cybercriminal ecosystem.

Technical Analysis of Malware/TTPs

Cisco VPN Campaign: ArcaneDoor

The ArcaneDoor campaign exploits multiple zero-day vulnerabilities in Cisco ASA and Cisco Secure Firewall devices, including CVE-2025-20333 (remote code execution, CVSS 9.9), CVE-2025-20362 (unauthorized access, CVSS 6.5), and CVE-2025-20363 (HTTP server RCE, CVSS 9.0). The attack chain begins with the exploitation of public-facing VPN web services, allowing the threat actor to gain privileged access to the device. Once inside, the attacker disables logging, intercepts CLI commands, and may crash the device to evade detection. On legacy ASA models lacking Secure Boot, the attacker modifies the ROMMON (ROM Monitor) firmware to achieve boot persistence, ensuring continued access even after device reboots or software upgrades.

Indicators of compromise include the presence of a firmware_update.log file on disk0:, unexplained device reboots, disabled logging, and configuration changes. Detection can be enhanced using Snort rules 65340 (for CVE-2025-20333) and 46897 (for CVE-2025-20362). The campaign leverages MITRE ATT&CK techniques such as T1190 (Exploit Public-Facing Application), T1078 (Valid Accounts), T1542.003 (Boot or Logon Autostart Execution: ROMMON Modification), and T1562 (Impair Defenses).

Email Services Campaign: Social Engineering, RMM, and Ransomware

The email services campaign employs a multi-stage attack chain. Initial access is achieved by overwhelming user inboxes with newsletter sign-up confirmations, a tactic designed to bypass email security filters and create confusion. The attacker then initiates a vishing call, impersonating IT support and offering to resolve the email issue. The victim is persuaded to install RMM tools such as AnyDesk, Microsoft Quick Assist, or ConnectWise ScreenConnect. Once remote access is established, batch scripts are executed to download OpenSSH for Windows, establish a reverse shell, and deploy additional payloads, including Cobalt Strike beacons (often disguised as 7z.DLL) and NetSupport RAT.

Lateral movement within the network is facilitated by the Impacket toolset, and ransomware deployment is achieved using LockBit Black (delivered via the Phorpiex botnet) or Mallox (often via brute-forced SQL servers and the PureCrypter loader). Key MITRE ATT&CK techniques include T1566 (Phishing), T1110 (Brute Force), T1204 (User Execution), T1071 (Application Layer Protocol for C2), T1219 (Remote Access Software), T1059 (Command and Scripting Interpreter), T1021 (Remote Services), and T1569.002 (Service Execution: Impacket).

Exploitation in the Wild

The ArcaneDoor campaign has been observed in multiple government and enterprise environments, with confirmed cases of malware implantation, command execution, and data exfiltration. Persistence has been achieved only on legacy ASA models without Secure Boot, highlighting the importance of hardware-based security features. Remediation requires upgrading to fixed software releases, resetting devices to factory defaults, and replacing all credentials and certificates.

The email services campaign has targeted a broad range of enterprises, resulting in successful credential harvesting, lateral movement, and attempted ransomware deployment. The use of legitimate RMM tools and social engineering has enabled attackers to bypass endpoint protection and gain deep access to victim networks. Notable tools observed in these attacks include Cobalt Strike, NetSupport RAT, ConnectWise ScreenConnect, OpenSSH, and Impacket.

Victimology and Targeting

Both campaigns exhibit a global reach, with victims spanning North America, Europe, and Asia-Pacific. The ArcaneDoor campaign primarily targets organizations with high-value network infrastructure, including government agencies, critical infrastructure providers, and large enterprises. The email services campaign is opportunistic, affecting organizations across manufacturing, retail, technology, and general enterprise sectors. The common denominator among victims is the presence of exposed VPN or email infrastructure and insufficient user awareness of social engineering threats.

Mitigation and Countermeasures

For organizations using Cisco ASA or Cisco Secure Firewall devices, immediate action is required. Upgrade to the latest fixed software releases as detailed in the official Cisco advisories. For legacy devices without Secure Boot, consider hardware replacement to eliminate the risk of persistent compromise via ROMMON modification. Reset all device credentials and certificates, and monitor for the presence of firmware_update.log and other IOCs. Implement network segmentation and restrict management access to trusted IP ranges.
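As an added, defender-side illustration (not code from Rescana or Cisco) of the IOC checks listed in the technical analysis and repeated in the mitigation step above, the script below triages a constructed `dir disk0:` listing and constructed ASA-style syslog lines for the firmware_update.log artifact, disabled logging, an unscheduled reboot and configuration changes. The sample data, the finding labels, the `verdict` thresholds and the `reboot_scheduled` flag are assumptions.

```python
import re

# Constructed `dir disk0:` listing in ASA style (not a real capture); the last
# column is the file name, which is all the check below relies on.
DIR_DISK0 = """\
Directory of disk0:/
11     -rwx  98304000   12:00:00 Jan 01 2025  asa-image.bin
12     -rwx  4096       03:14:00 Apr 10 2025  firmware_update.log
13     -rwx  2048       03:15:00 Apr 10 2025  csd_backup.bin
"""
# Constructed syslog lines in ASA style; matching is on the message text, not the ID.
SYSLOG = """\
%ASA-5-111008: User 'admin' executed the 'no logging enable' command.
%ASA-6-199002: Startup completed.  Beginning operation.
%ASA-5-111008: User 'admin' executed the 'write memory' command.
%ASA-5-111008: User 'admin' executed the 'show version' command.
"""
IOC_FILES = {"firmware_update.log"}          # on-disk artifact named in the advisory
LOGGING_OFF = re.compile(r"executed the 'no logging (?:enable|buffered|trap|host)")
REBOOT = re.compile(r"Startup completed")
CONFIG_SAVE = re.compile(r"executed the 'write memory'")

def files_on_disk(dir_output):
    """File names from a `dir disk0:` listing (rows whose 2nd column is a mode string)."""
    names = set()
    for line in dir_output.splitlines():
        parts = line.split()
        if len(parts) >= 7 and parts[1].startswith("-"):
            names.add(parts[-1])
    return names

def triage(dir_output, syslog, reboot_scheduled=False):
    """Sorted, de-duplicated findings for the ArcaneDoor IOCs in the advisory."""
    findings = {f"ioc-file:{n}" for n in files_on_disk(dir_output) & IOC_FILES}
    for line in syslog.splitlines():
        if LOGGING_OFF.search(line):
            findings.add("logging-disabled")
        elif REBOOT.search(line) and not reboot_scheduled:
            findings.add("unexplained-reboot")
        elif CONFIG_SAVE.search(line):
            findings.add("config-change")
    return sorted(findings)

def verdict(findings):
    """Escalate when the on-disk artifact is present: on a legacy ASA without Secure
    Boot it points at possible ROMMON tampering, so the device must be rebuilt."""
    if any(f.startswith("ioc-file:") for f in findings):
        return "isolate-and-rebuild"
    return "investigate" if len(findings) >= 2 else "clean"
```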

To defend against the email services campaign, conduct user awareness training focused on vishing and social engineering. Monitor for unusual patterns of newsletter sign-up emails and block unauthorized installation of RMM tools such as AnyDesk, Quick Assist, and ConnectWise ScreenConnect. Deploy endpoint detection and response (EDR) solutions capable of identifying Cobalt Strike, NetSupport RAT, and suspicious DLLs like 7z.DLL. Regularly audit Active Directory and email accounts for signs of compromise, and enforce multi-factor authentication (MFA) wherever possible.
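An added detection example (not from the original advisory) for the email-bombing and RMM-install steps of the attack chain described above: it flags mailboxes hit by a burst of sign-up confirmations from many distinct senders, then correlates that with an RMM client launched by the same user shortly afterwards. The mail records, process events, thresholds, process image names and the mailbox-to-username mapping are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ntpath import basename

# Constructed mail-gateway records (timestamp, recipient, sender, subject); not real traffic.
MAIL = [
    ("2025-04-10T09:00:05", "alice@example.com", "news@shop-a.example", "Confirm your subscription"),
    ("2025-04-10T09:00:09", "alice@example.com", "hi@blog-b.example", "Please confirm your newsletter signup"),
    ("2025-04-10T09:00:12", "alice@example.com", "list@forum-c.example", "Verify your email address"),
    ("2025-04-10T09:00:20", "alice@example.com", "noreply@store-d.example", "Confirm subscription"),
    ("2025-04-10T09:00:31", "alice@example.com", "news@mag-e.example", "Newsletter: confirm your address"),
    ("2025-04-10T09:01:02", "alice@example.com", "news@shop-a.example", "Confirm your subscription"),
    ("2025-04-10T09:30:00", "bob@example.com", "news@shop-a.example", "Confirm your subscription"),
]
# Constructed endpoint process-start events (timestamp, user, image path).
PROCS = [
    ("2025-04-10T09:41:00", "alice", r"C:\Users\alice\Downloads\AnyDesk.exe"),
    ("2025-04-10T09:50:00", "bob", r"C:\Users\bob\Downloads\ScreenConnect.ClientService.exe"),
]
RMM_IMAGES = {"anydesk.exe", "quickassist.exe", "screenconnect.clientservice.exe"}
SIGNUP_WORDS = ("confirm", "subscription", "newsletter", "verify your email")

def is_signup_confirmation(subject):
    return any(w in subject.lower() for w in SIGNUP_WORDS)

def email_bombing(mail, threshold=5, window=timedelta(minutes=10)):
    """Map recipient -> (burst start, distinct senders) when >= threshold sign-up mails land in one window."""
    per_rcpt = defaultdict(list)
    for t, rcpt, sender, subj in mail:
        if is_signup_confirmation(subj):
            per_rcpt[rcpt].append((datetime.fromisoformat(t), sender))
    bursts = {}
    for rcpt, msgs in per_rcpt.items():
        msgs.sort()
        for i, (start, _) in enumerate(msgs):      # sliding window anchored at each message
            senders = {s for t, s in msgs[i:] if t - start <= window}
            if len(senders) >= threshold:
                bursts[rcpt] = (start, len(senders))
                break
    return bursts

def rmm_after_bombing(bursts, procs, grace=timedelta(hours=2)):
    """(user, image) for RMM clients a bombed user launched within `grace` of the burst start."""
    hits = []
    for t, user, image in procs:
        rcpt = next((r for r in bursts if r.split("@")[0] == user), None)
        if rcpt and basename(image).lower() in RMM_IMAGES:
            if bursts[rcpt][0] <= datetime.fromisoformat(t) <= bursts[rcpt][0] + grace:
                hits.append((user, basename(image)))
    return hits
```

A single confirmation followed by an RMM launch (bob above) is deliberately not flagged; the signal is the burst, not the tool alone.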

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chain and digital ecosystem. Our platform leverages advanced threat intelligence, continuous monitoring, and automated workflows to help organizations stay ahead of emerging threats and regulatory requirements. For more information or to discuss how Rescana can support your cybersecurity program, we are happy to answer questions at ops@rescana.com.
