Firestarter Malware Persists Through Cisco Firewall Updates, Bypassing Security Patches
U.S. and U.K. cybersecurity agencies are raising alarms about a sophisticated malware strain called Firestarter that's capable of maintaining its presence on **Cisco** Firepower and Secure Firewall devices, even after firmware updates and security patches. The malware, attributed to the threat actor **UAT-4356**, is designed for persistent remote access and execution of attacker-supplied shellcode.

Cybersecurity agencies in the U.S. and U.K. are warning about a custom malware called Firestarter persisting on **Cisco** Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software.
### ArcaneDoor Connection
The backdoor has been attributed to a threat actor that **Cisco Talos** tracks internally as **UAT-4356**, known for cyberespionage campaigns, including **ArcaneDoor**.
### Exploiting Vulnerabilities for Initial Access
The U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) and the U.K. National Cyber Security Center (**NCSC**) believe that the adversary obtained initial access by exploiting a missing authorization issue (**CVE-2025-20333**) and/or a buffer overflow bug (**CVE-2025-20362**).
### Line Viper and Firestarter Deployment
In one incident at a federal civilian executive branch agency, **CISA** observed the threat actor first deploying the **Line Viper** malware, a user-mode shellcode loader, and then using **Firestarter**, which enables continued access even after patching.
"**CISA** has not confirmed the exact date of initial exploitation but assesses the compromise occurred in early September 2025, and before the agency implemented patches in accordance with ED 25-03," the agency notes in an alert.
**Line Viper** is used to establish VPN sessions and access all configuration details, including administrative credentials, certificates, and private keys on compromised Firepower devices.
Next, the ELF binary for the **Firestarter** backdoor is deployed for persistence, allowing the threat actor to regain access when needed.
### Persistence Mechanisms
Once **Firestarter** is installed on a device, it maintains persistence across reboots, firmware updates, and security patches. Furthermore, the backdoor relaunches automatically if its process is terminated.
Persistence is achieved by hooking into LINA, the core **Cisco ASA** process, and using signal handlers that trigger reinstallation routines.
A joint malware analysis report from the two cybersecurity agencies explains that **Firestarter** modifies the CSP_MOUNT_LIST boot/mount file to ensure execution on startup, stores a copy of itself in /opt/cisco/platform/logs/var/log/svc_samcore.log, and restores it to /usr/bin/lina_cs, where it runs in the background.
**Cisco Talos** also published its analysis of the malware, noting that the persistence mechanism is triggered when the process receives a termination signal, as happens during a graceful reboot.
The researchers noted in the Firestarter report that the backdoor used the commands below to set persistence for itself:

### Backdoor Functionality
The implant's core function is to act as a backdoor for remote access, while it can also execute attacker-provided shellcode.
This is done through a mechanism in which **Firestarter** hooks into LINA by modifying an XML handler and injecting shellcode into memory, creating a controlled execution path.
This shellcode is triggered by a specially crafted WebVPN request, which, after validating a hardcoded identifier, loads and executes attacker-supplied payloads directly in memory.
However, **CISA** did not provide any details on the specific payloads observed in attacks.
### Cisco's Recommendations
**Cisco** published a security advisory about **Firestarter** that contains mitigations and workarounds for removing the persistence mechanism, as well as indicators of compromise for discovering the **Firestarter** implant.
The vendor "strongly recommends reimaging and upgrading the device using the fixed releases," a recommendation that applies whether or not the device is believed to be compromised.
To check for a compromise, administrators should run the "show kernel process | include lina_cs" command. If the command returns any output, the device should be considered compromised.
If device re-imaging is not currently possible, **Cisco** says that a cold restart (disconnecting the device power) removes the malware. However, this alternative is not recommended as it carries the risk of database or disk corruption, leading to boot problems.
**CISA** has also shared two YARA rules that can detect the **Firestarter** backdoor when applied to a disk image or a core dump from a device.
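As an added, defender-side example (not from the agencies' report or Cisco's advisory), the script below triages a mounted disk image for the persistence artifacts described in the report: an ELF header in the file stored as svc_samcore.log, the restored /usr/bin/lina_cs, and a CSP_MOUNT_LIST entry referencing either. The location and line format of CSP_MOUNT_LIST, and the sample filesystem the script builds for itself, are assumptions for illustration only.

```python
"""Triage a mounted ASA/FTD image for Firestarter artifacts (CSP_MOUNT_LIST format assumed)."""
import os
import tempfile

ELF_MAGIC = b"\x7fELF"
# Paths named in the joint analysis report, relative to the image root
STAGED_COPY = "opt/cisco/platform/logs/var/log/svc_samcore.log"
RESTORED_BIN = "usr/bin/lina_cs"
MOUNT_LIST = "CSP_MOUNT_LIST"  # location within the image is an assumption

def is_elf(path):
    """A 'log' that begins with an ELF header is a binary in disguise."""
    try:
        with open(path, "rb") as f:
            return f.read(4) == ELF_MAGIC
    except OSError:
        return False

def triage_image(root):
    """Return findings for an image mounted at root; an empty list means nothing seen."""
    findings = []
    if is_elf(os.path.join(root, STAGED_COPY)):
        findings.append(f"ELF masquerading as log: /{STAGED_COPY}")
    if os.path.exists(os.path.join(root, RESTORED_BIN)):
        findings.append(f"implant restored at /{RESTORED_BIN}")
    mount_list = os.path.join(root, MOUNT_LIST)
    if os.path.exists(mount_list):
        with open(mount_list, errors="replace") as f:
            for n, line in enumerate(f, 1):
                if "lina_cs" in line or "svc_samcore.log" in line:
                    findings.append(f"/{MOUNT_LIST}:{n} references implant: {line.strip()}")
    return findings

def build_sample_image(compromised):
    """Constructed sample tree for offline use; contents are not real ASA data."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, os.path.dirname(STAGED_COPY)))
    os.makedirs(os.path.join(root, "usr/bin"))
    with open(os.path.join(root, MOUNT_LIST), "w") as f:
        f.write("/mnt/disk0 /disk0\n" + ("/usr/bin/lina_cs\n" if compromised else ""))
    with open(os.path.join(root, STAGED_COPY), "wb") as f:
        f.write((ELF_MAGIC + b"\x02\x01\x01") if compromised else b"samcore started\n")
    if compromised:
        with open(os.path.join(root, RESTORED_BIN), "wb") as f:
            f.write(ELF_MAGIC + b"\x02\x01\x01")
    return root

if __name__ == "__main__":
    for label, hit in (("clean", False), ("compromised", True)):
        print(label, triage_image(build_sample_image(hit)))
```

Point `triage_image` at the mount point of a real image; the YARA rules from CISA remain the authoritative check, this only flags the on-disk paths the report names.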