
Firestarter Backdoor Survives Patches on Cisco Firewalls, CISA and UK NCSC Warn

April 24, 2026 00:01 · 6 min read

A Persistent Implant That Outlasts Security Patches

U.S. and British cybersecurity authorities issued a joint warning Thursday about a sophisticated state-sponsored hacking operation that has been embedding a custom backdoor inside Cisco network security appliances — one capable of surviving both firmware updates and standard device reboots. The campaign has been targeting government bodies and critical infrastructure networks since at least late 2025.

The Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom's National Cyber Security Centre (NCSC) jointly released a malware analysis report identifying the backdoor, which has been code-named Firestarter. Cisco's threat intelligence arm, Talos, attributed the malware to a threat actor it tracks as UAT-4356 — the same group it previously linked to a 2024 espionage campaign known as ArcaneDoor, which focused on compromising network perimeter devices.

CISA confirmed that it discovered Firestarter on a U.S. federal civilian agency's Cisco Firepower device after flagging suspicious connections through continuous network monitoring. The discovery triggered an updated emergency directive, issued Thursday, requiring all federal civilian agencies to audit their Cisco firewall infrastructure and submit device memory snapshots for analysis by Friday.

How Firestarter Works

The core concern articulated in the directive is UAT-4356's ability to maintain a foothold on compromised devices even after affected organizations applied security patches that Cisco released in September 2025. Those patches addressed two vulnerabilities:

UAT-4356 exploited both flaws to gain initial entry into targeted devices. Critically, according to CISA, devices that were compromised before patching was applied may still harbor the Firestarter implant even after updates are installed.

Persistence Through Boot Sequence Manipulation

Firestarter achieves persistence by manipulating the Cisco Service Platform mount list, a configuration file that controls which programs are executed when a device boots. When the device receives a termination signal or enters a reboot cycle, the malware copies itself to a secondary storage location and rewrites the mount list so that it is automatically restored and relaunched after the system comes back online.

A standard software reboot does not remove the implant. Both CISA and Cisco confirmed that only a hard reboot — physically disconnecting the device from its power supply — is sufficient to clear the persistence mechanism from memory.
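The persistence mechanism described above turns a boot-time launch list into the thing a defender most wants to watch. The script below is an added example, not code from the article, CISA, NCSC or Cisco: it shows the generic technique of diffing a device's live boot-time mount/launch list against an offline known-good baseline and reporting added, removed and changed entries. The article does not give the real file's path or syntax, so the two-column line format ("mount_point source_path") and every entry are constructed placeholders.

```python
"""Baseline comparison for a boot-time launch list (added example, hypothetical format).

The article states that Firestarter rewrites the Cisco Service Platform mount
list so the implant is restored and relaunched after a reboot. The real file's
path and syntax are not given, so the "<mount_point> <source_path>" format and
all entries below are constructed for illustration. The technique is generic:
keep a known-good copy offline and diff the live list against it.
"""
from typing import Dict, List, Tuple

# Constructed known-good baseline (placeholder paths, not real device paths).
BASELINE_TEXT = """\
# mount_point source_path
/example/app     /example/store/app.img
/example/data    /example/store/data.img
"""

# Constructed "live" list: one entry changed, one unexpected entry added.
LIVE_TEXT = """\
# mount_point source_path
/example/app     /example/store/app.img
/example/data    /example/store/data2.img
/example/tmp/.h  /example/store/.h
"""

Diff = Dict[str, List[Tuple[str, ...]]]


def parse_mount_list(text: str) -> Dict[str, str]:
    """Parse the hypothetical two-column format into {mount_point: source_path}.

    Blank lines and '#' comments are ignored. Malformed or duplicate lines raise,
    so a truncated or tampered file is never silently reported as clean.
    """
    entries: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 2 fields, got {len(parts)}")
        mount_point, source = parts
        if mount_point in entries:
            raise ValueError(f"line {lineno}: duplicate mount point {mount_point}")
        entries[mount_point] = source
    return entries


def diff_mount_lists(baseline: Dict[str, str], live: Dict[str, str]) -> Diff:
    """Return entries added to, removed from, or changed relative to the baseline."""
    added = [(mp, src) for mp, src in sorted(live.items()) if mp not in baseline]
    removed = [(mp, src) for mp, src in sorted(baseline.items()) if mp not in live]
    changed = [
        (mp, baseline[mp], live[mp])
        for mp in sorted(baseline)
        if mp in live and baseline[mp] != live[mp]
    ]
    return {"added": added, "removed": removed, "changed": changed}


def audit(baseline_text: str, live_text: str) -> Diff:
    """Parse both lists and diff them; any non-empty category warrants investigation."""
    return diff_mount_lists(parse_mount_list(baseline_text), parse_mount_list(live_text))


if __name__ == "__main__":
    for category, items in audit(BASELINE_TEXT, LIVE_TEXT).items():
        for item in items:
            print(f"{category.upper():8} {' -> '.join(item)}")
```

A file-level check like this only sees what has been written to storage; the article notes the implant also lives in memory and is cleared only by a hard power cycle, so such a diff complements, rather than replaces, the memory snapshot analysis the CISA directive calls for.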

Injecting into Core Firewall Code

Once entrenched, Firestarter injects malicious shellcode into LINA, the core networking and firewalling layer within Cisco's Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The malware then monitors incoming network traffic, intercepting a specific class of requests that are normally used for VPN authentication. When a request arrives containing a hidden trigger sequence embedded by the attackers, the malware executes attacker-supplied code, effectively providing a covert, remote-access backdoor into the compromised device.

Connection to Broader Espionage Campaign

Cisco Talos noted that Firestarter shares significant technical similarities with a previously documented implant called RayInitiator, suggesting the two tools share a common origin or development lineage within UAT-4356's toolkit.

In the federal agency incident analyzed by CISA, the attackers first deployed a separate implant named Line Viper to harvest device configurations, credentials, and encryption keys. Firestarter was installed shortly afterward, prior to Cisco's September 2025 patches being applied to those specific devices.

When the agency eventually patched its systems, Firestarter remained on the devices. The threat actors then leveraged the still-active Firestarter implant to redeploy Line Viper in March — nearly six months after the initial breach — demonstrating the severe long-term risk posed by the persistence mechanism.

China-Linked Attribution

Neither Cisco nor CISA formally attributed the espionage activity to a specific nation state. However, researchers at Censys previously stated they found compelling evidence suggesting the threat group is based in China. During their investigation into the early 2024 ArcaneDoor attacks, Censys said it identified multiple major Chinese networks as well as Chinese-developed anti-censorship software, which it cited as indicators pointing toward a Chinese origin.

Affected Hardware and Recommended Mitigations

The persistence vulnerability affects a broad swath of Cisco hardware. Devices confirmed to be at risk include:

Cisco has released updated software intended to address the persistence mechanism. However, the company strongly recommends reimaging affected devices rather than relying solely on software updates in cases where compromise is suspected. A Cisco spokesperson told CyberScoop that customers requiring assistance should contact Cisco Technical Assistance for support.

CISA acknowledged that active exploitation of the underlying vulnerabilities was still ongoing at the time the advisory was published. The agency did not respond to a separate request for comment.

A Wider Pattern of Edge Device Targeting

The Firestarter campaign reflects a growing trend among state-linked threat actors: systematically targeting the network edge devices that organizations depend on to enforce security boundaries. Because these appliances sit at the perimeter of enterprise and government networks, successfully compromising them gives attackers a privileged position to intercept internal traffic, harvest credentials, and surveil communications — often without triggering conventional endpoint security controls.

The campaign underscores the limitations of patch-based remediation when adversaries have already established deep persistence within device firmware and boot processes. Security teams managing Cisco firewall infrastructure are urged to follow the CISA emergency directive, conduct thorough audits, and treat any device that was exposed before the September 2025 patches were applied as potentially compromised until a full memory analysis and reimaging can be completed.


Source: CyberScoop
