Malware

CISA Warns 'Firestarter' Backdoor Survived Patches on Cisco Firewalls at US Federal Agency

April 27, 2026 00:00 · 5 min read
China-Linked Espionage Campaign Leaves Persistent Implant on US Government Network

At least one US federal agency has been confirmed infected with a sophisticated backdoor called Firestarter, part of a broader China-linked espionage operation targeting Cisco firewall platforms. The revelation came in an updated version of Emergency Directive 25-03 (ED 25-03), issued by the Cybersecurity and Infrastructure Security Agency (CISA), which carries a stark warning: applying available patches does not eliminate malware already deployed on compromised devices.

Background: The ArcaneDoor Campaign

The roots of this intrusion stretch back to May 2024, when Cisco patched two zero-day vulnerabilities in its Adaptive Security Appliance (ASA) firewall platform. Those flaws had been actively exploited in a state-sponsored espionage campaign that researchers track as ArcaneDoor. A year later, Cisco disclosed and patched two additional zero-days connected to the same campaign: CVE-2025-20333 and CVE-2025-20362. Both vulnerabilities affect the VPN web server component of ASA and Secure Firewall Threat Defense (FTD) software.

In September 2025, CISA issued ED 25-03, urgently directing federal agencies to patch vulnerable Cisco devices without delay. The agency updated that guidance in November 2025 with additional mitigation recommendations, and has now issued a further update with even more serious implications for affected organizations.

Patching Alone Is Not Enough

The latest version of ED 25-03 makes clear that remediation efforts confined to applying patches are insufficient. According to CISA, malware deployed on Cisco firewall devices prior to patching remains on those systems even after updates are applied. The directive now requires federal agencies to take additional concrete steps:

The requirement covers a wide range of hardware, including Firepower 1000, 2100, 4100, and 9300 series devices, as well as Secure Firewall 200, 1200, 3100, 4200, and 6100 series appliances. Under the directive's mandate, agencies must complete all checks and updates by 11:59 PM EST on April 24, 2026, and must perform hard resets of affected devices by April 30, 2026.

Inside the Firestarter Backdoor

Alongside the updated directive, CISA published a detailed technical analysis of the Firestarter backdoor, identified as the malware deployed in these attacks. According to CISA, at least one federal agency was infected through exploitation of a Firepower device vulnerable to CVE-2025-20333 and CVE-2025-20362.

The implant was deployed before September 25 and persisted through the agency's remediation efforts, granting the threat actors sustained remote access and control over the compromised firewall. CISA describes its core mechanism in technical detail:

"Firestarter attempts to install a hook—a way to intercept and modify normal operations—within Lina, the device's core engine for network processing and security functions. This hook enables the execution of arbitrary shell code provided by the APT actors, including the deployment of Line Viper."

Cisco's own analysis notes that Firestarter bears a strong resemblance to RayInitiator, a bootkit component previously documented in the ArcaneDoor campaign. The backdoor achieves persistence by modifying the mount list for Cisco Service Platform (CSP), enabling it to execute code during the device's boot process. After a reboot occurs, Firestarter restores the original mount list and deletes the trojanized copy — a technique that helps the implant evade routine inspection.

Removal Requires a Hard Reset

Despite its persistence through standard firmware updates, Firestarter can be eliminated through a hard reboot — specifically, one that involves physically unplugging the device from power. This distinction is critical: a standard software-initiated reboot is not sufficient to remove the implant, whereas cutting power entirely appears to clear it. CISA's directive sets April 30, 2026 as the deadline for federal agencies to carry out these hard resets on all affected hardware.
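The two-step requirement described above (patch, then physically power-cycle) is easy to get wrong in a large fleet: a device that was patched and then soft-rebooted looks remediated in most inventories but, per the directive, still carries any implant it had. The following Python script is an added illustration for this article, not CISA or Cisco tooling; it tracks each device's state against the affected families and deadlines quoted in the directive. The hostnames, models, dates and the rule that maps a model number to its series (rounding down to the nearest hundred, e.g. "Firepower 2130" to the 2100 series) are constructed assumptions for the example.

```python
"""Track ED 25-03 remediation state across a Cisco firewall inventory.

Added example, not CISA or Cisco tooling. It encodes the point made in the
directive as reported above: a patch alone does not remove Firestarter, a
software-initiated reboot does not either, and only a power cycle (hard
reset) performed after patching clears the implant. Device families and
deadlines are those quoted in the article; the inventory records and the
model-to-series rule are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Affected hardware families and series as listed in the updated directive.
AFFECTED_SERIES = {
    "Firepower": {"1000", "2100", "4100", "9300"},
    "Secure Firewall": {"200", "1200", "3100", "4200", "6100"},
}
PATCH_DEADLINE = date(2026, 4, 24)       # checks and updates due 11:59 PM EST
HARD_RESET_DEADLINE = date(2026, 4, 30)  # physical power cycle due


@dataclass
class Device:
    hostname: str
    model: str                        # e.g. "Firepower 2130" (constructed)
    patched_on: Optional[date]        # None if fixed software is not installed
    last_reboot_on: Optional[date]
    last_reboot_kind: Optional[str]   # "soft" (software-initiated) or "power_cycle"


def model_series(model: str) -> Optional[str]:
    """Map a model name to an affected series, or None if out of scope.

    Assumption: the series is the model number rounded down to the nearest
    hundred ("Firepower 2130" -> "2100"); the family must match exactly."""
    family, _, number = model.rpartition(" ")
    if family not in AFFECTED_SERIES or not number.isdigit():
        return None
    series = str(int(number) // 100 * 100)
    return series if series in AFFECTED_SERIES[family] else None


def remediation_status(d: Device) -> str:
    """Classify one device against the directive's two-step requirement."""
    if model_series(d.model) is None:
        return "out_of_scope"
    if d.patched_on is None:
        return "unpatched"
    # A power cycle only counts if it happened on or after the patch date:
    # cycling first would clear an implant but leave the device re-exploitable.
    if (d.last_reboot_kind == "power_cycle"
            and d.last_reboot_on is not None
            and d.last_reboot_on >= d.patched_on):
        return "remediated"
    # A software reboot is not enough; the implant survives it.
    return "patched_needs_power_cycle"


def overdue_actions(d: Device, today: date) -> List[str]:
    """List which of the directive's deadlines this device has missed."""
    status = remediation_status(d)
    actions: List[str] = []
    if status == "unpatched" and today > PATCH_DEADLINE:
        actions.append("patch overdue")
    if status in ("unpatched", "patched_needs_power_cycle") and today > HARD_RESET_DEADLINE:
        actions.append("hard reset overdue")
    return actions


def summarize(inventory: List[Device]) -> Dict[str, str]:
    """Hostname -> remediation status for a whole inventory."""
    return {d.hostname: remediation_status(d) for d in inventory}


# Constructed sample inventory: hostnames, models and dates are made up.
SAMPLE_INVENTORY = [
    Device("fw-edge-01", "Firepower 2130", date(2026, 4, 10), date(2026, 4, 11), "soft"),
    Device("fw-edge-02", "Firepower 2130", date(2026, 4, 10), date(2026, 4, 12), "power_cycle"),
    Device("fw-dc-01", "Secure Firewall 3105", None, date(2026, 3, 1), "power_cycle"),
    Device("fw-lab-01", "Firepower 4115", date(2026, 4, 10), date(2026, 4, 1), "power_cycle"),
    Device("sw-core-01", "Catalyst 9300", None, None, None),
]

if __name__ == "__main__":
    for host, status in summarize(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

The ordering check matters: `fw-lab-01` was power-cycled before it was patched, so it is reported as still needing a hard reset, while `fw-edge-01` was patched and only soft-rebooted and is reported the same way. `sw-core-01` is excluded because the family, not just the model number, has to match the directive's list.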

Attribution: UAT-4356

Cisco has formally attributed the attacks supporting the ArcaneDoor campaign and the Firestarter deployments to a threat actor it designates as UAT-4356, described as a state-sponsored group with a clear focus on espionage. The company has also published a fresh advisory addressing the continuing exploitation of CVE-2025-20333 and CVE-2025-20362, underscoring that adversary activity linked to these vulnerabilities has not ceased.

Implications for Federal Agencies and Critical Infrastructure

The infection of at least one US federal agency with a backdoor that survived patching illustrates the acute danger posed by nation-state actors targeting network perimeter devices. Cisco ASA and FTD firewalls are widely deployed across government and critical infrastructure environments, making them high-value targets for persistent access operations.

The combination of zero-day exploitation, firmware-resistant persistence, and covert boot-time execution represents a sophisticated capability consistent with long-running, well-resourced adversaries. Organizations using the affected device families that have not yet complied with CISA's directive should treat remediation as an urgent priority, following both the core dump analysis process and the hard-reset procedure outlined by CISA and Cisco.

Federal civilian agencies operating under CISA's authority are bound by the emergency directive's deadlines, but private-sector organizations running the same hardware are strongly encouraged to follow the same mitigation steps to determine whether they too have been compromised.


Source: SecurityWeek
