Executive Summary
Firestarter is a highly sophisticated backdoor malware that targets Cisco network security appliances, specifically those running Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. This malware, attributed to advanced persistent threat (APT) actors, is engineered to persist through standard remediation efforts, including firmware updates, security patches, and device reboots. The only effective eradication method is a complete power cycle—physically disconnecting the device from all power sources. The campaign has been observed in the wild, with at least one confirmed compromise of a U.S. federal agency. The resilience and stealth of Firestarter represent a significant escalation in the threat landscape for organizations relying on Cisco perimeter defenses.
Threat Actor Profile
The Firestarter campaign is attributed to a China-based APT group, tracked as UAT-4356 and associated with the ArcaneDoor operation. This group is known for targeting government entities, critical infrastructure, and high-value organizations in the United States and United Kingdom. The threat actors demonstrate advanced capabilities in exploiting zero-day vulnerabilities, developing custom malware, and maintaining long-term persistence within targeted environments. Their operational sophistication is evident in their ability to bypass traditional detection mechanisms and survive standard incident response procedures.
Technical Analysis of Malware/TTPs
Firestarter is deployed as a custom Linux ELF binary, typically named lina_cs, which integrates deeply with the Cisco LINA process—the core engine of ASA and FTD devices. The initial access vector leverages two critical vulnerabilities: CVE-2025-20333 (Missing Authorization, CWE-862) and CVE-2025-20362 (Classic Buffer Overflow, CWE-120). These vulnerabilities allow the attackers to execute arbitrary code on vulnerable devices.
Upon successful exploitation, the attackers deploy LINE VIPER, a user-mode shellcode loader that facilitates unauthorized VPN session hijacking. Firestarter then establishes persistence by copying itself to /usr/bin/lina_cs and /opt/cisco/platform/logs/var/log/svc_samcore.log, and modifying boot and mount scripts to ensure execution upon device restart. The malware hooks into the LINA process, injects shellcode into libstdc++.so, and detours XML handlers to enable command-and-control (C2) operations.
Firestarter employs several advanced MITRE ATT&CK techniques, including T1190 (Exploit Public-Facing Application), T1133 (External Remote Services), T1078 (Valid Accounts), T1543 (Create or Modify System Process), T1546.004 (Event Triggered Execution), T1547 (Boot or Logon Autostart Execution), T1055 (Process Injection), T1070.004 (Indicator Removal on Host), T1070.006 (Timestomp), T1564 (Hide Artifacts), T1036.005 (Masquerading), T1057 (Process Discovery), T1082 (System Information Discovery), and T1219 (Remote Access Tools).
The malware is designed to survive firmware upgrades and reboots by residing in memory and leveraging modified system scripts. Only a full power cycle—disconnecting all power sources for at least one minute—can guarantee removal.
Detection is challenging due to the malware's stealth. Memory analysis (core dumps) is required to identify the presence of lina_cs or injected shellcode. CISA has released YARA rules for scanning disk images and core dumps. Notable file paths include /usr/bin/lina_cs, /opt/cisco/platform/logs/var/log/svc_samcore.log, and /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST.
Exploitation in the Wild
The Firestarter campaign has been observed in the wild since at least September 2025. The most notable victim is a U.S. federal agency, as confirmed by CISA and reported by SecurityWeek. The attackers exploited the aforementioned vulnerabilities to gain initial access, deployed LINE VIPER and Firestarter for persistence, and maintained access through March 2026. The campaign demonstrates the attackers' ability to re-deploy tools and adapt to remediation efforts, highlighting the need for comprehensive incident response beyond standard patching and rebooting.
Victimology and Targeting
The primary targets of the Firestarter campaign are government agencies, critical infrastructure providers, and organizations operating high-value networks in the United States and United Kingdom. The attackers focus on Cisco Firepower and Secure Firewall devices running ASA or FTD software, particularly those with VPN web services enabled. The campaign's targeting suggests a focus on entities with significant operational impact and sensitive data, aligning with the strategic objectives of state-sponsored threat actors.
Mitigation and Countermeasures
Standard remediation procedures, such as applying security patches and rebooting devices, are ineffective against Firestarter. The only reliable eradication method is a full power cycle: physically disconnect the device from all power sources, including redundant supplies, while it is running (a software reload is not sufficient), and leave it unpowered for at least one minute. After reconnecting and rebooting, organizations should immediately change all administrative and service account passwords, audit for unauthorized or dormant accounts, and monitor for signs of lateral movement within the network.
Detection requires collecting core dumps or disk images and scanning them with the CISA-provided YARA rules. Organizations should also review system logs for evidence of unauthorized VPN sessions and check for the suspicious files (lina_cs, svc_samcore.log) at the paths listed in the technical analysis above.
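The two detection paragraphs above (the memory-analysis note in the technical analysis and the core-dump and disk-image guidance here) can be turned into a small triage script. The following is an added example written for this article; it is not CISA's YARA rule set and not Rescana's or Cisco's tooling. It checks a mounted disk image for the file paths the advisory names, sweeps a byte buffer (a core dump) for the indicator strings, and tests whether the mount list references the lina_cs binary. The sample image layout and the contents of the sample files are constructed for the demonstration; only the paths and strings come from the article.

```python
"""Added example: triage a mounted ASA/FTD disk image or a core dump for the
Firestarter artifacts named in the advisory. Not CISA's YARA rules; a plain
substring sweep that a responder can run before the rules are available."""
import tempfile
from pathlib import Path

# File-system artifacts from the advisory (relative to the image root).
PERSISTENCE_PATHS = [
    "usr/bin/lina_cs",
    "opt/cisco/platform/logs/var/log/svc_samcore.log",
    "opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST",
]

# Strings worth flagging inside a core dump or a modified boot/mount script.
MEMORY_INDICATORS = [b"lina_cs", b"svc_samcore.log"]


def check_persistence_paths(image_root):
    """Return the advisory-listed paths that exist under a mounted image root."""
    root = Path(image_root)
    return [p for p in PERSISTENCE_PATHS if (root / p).exists()]


def scan_dump_for_indicators(data, context=16):
    """Return (indicator, offset, surrounding bytes) for every hit in a buffer.
    Overlapping hits are reported individually so nothing is silently skipped."""
    hits = []
    for needle in MEMORY_INDICATORS:
        start = 0
        while True:
            idx = data.find(needle, start)
            if idx == -1:
                break
            lo, hi = max(0, idx - context), idx + len(needle) + context
            hits.append((needle.decode(), idx, data[lo:hi]))
            start = idx + 1
    return hits


def mount_list_references_backdoor(image_root):
    """True if CSP_MOUNT_LIST mentions lina_cs, i.e. the mount script appears to
    have been edited to relaunch the backdoor after a restart."""
    path = Path(image_root) / PERSISTENCE_PATHS[2]
    if not path.exists():
        return False
    return b"lina_cs" in path.read_bytes()


def build_sample_image():
    """Construct a throwaway directory mimicking a compromised image layout.
    File contents are made up for the demo; only the paths are from the advisory."""
    root = tempfile.mkdtemp(prefix="asa_image_")
    for rel in PERSISTENCE_PATHS:
        full = Path(root) / rel
        full.parent.mkdir(parents=True, exist_ok=True)
        full.write_bytes(b"placeholder")
    # Constructed mount list: one legitimate-looking line plus a reference to lina_cs.
    (Path(root) / PERSISTENCE_PATHS[2]).write_bytes(
        b"/dev/sda1 /mnt/disk0\n/usr/bin/lina_cs\n")
    return root


# Constructed stand-in for a core dump fragment: padding, the binary path, an ELF magic.
SAMPLE_DUMP = b"\x00" * 40 + b"/usr/bin/lina_cs\x00" + b"\x7fELF" + b"\x00" * 40

if __name__ == "__main__":
    root = build_sample_image()
    print("persistence paths present:", check_persistence_paths(root))
    print("mount list references lina_cs:", mount_list_references_backdoor(root))
    for name, off, ctx in scan_dump_for_indicators(SAMPLE_DUMP):
        print(f"hit {name} at offset {off}: {ctx!r}")
```

Point `check_persistence_paths` at the mount point of an image taken from the device, and feed `scan_dump_for_indicators` the bytes of a core dump; a hit is a reason to collect the artifacts and run the CISA YARA rules, not a verdict on its own, since the strings can also appear in benign logging of an earlier investigation.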
For organizations subject to U.S. federal regulations, compromised devices and forensic artifacts should be reported to CISA. UK organizations should coordinate with the NCSC. All organizations are advised to implement robust credential hygiene, network segmentation, and continuous monitoring to detect and respond to future threats.
References
CISA AR26-113A: FIRESTARTER Backdoor
BleepingComputer: Firestarter malware survives Cisco firewall updates, security patches
TheHackerNews: FIRESTARTER Backdoor Hit Federal Cisco Firepower Device
SecurityWeek: US Federal Agency's Cisco Firewall Infected With 'Firestarter'
MITRE ATT&CK Techniques
Cisco Security Advisory
About Rescana
Rescana delivers advanced third-party risk management (TPRM) solutions, empowering organizations to proactively identify, assess, and mitigate cyber risks across their extended supply chain. Our platform leverages real-time intelligence, automated workflows, and deep analytics to provide actionable insights and enhance your organization's security posture. For more information or to discuss how Rescana can support your cybersecurity strategy, please contact us at ops@rescana.com.