UAT-4356
UAT-4356 is an espionage-focused, likely government-backed threat actor tracked by Cisco Talos and linked to the 2024 ArcaneDoor campaign, which Cisco described as a state-sponsored espionage operation focused on compromising network perimeter and edge devices. Microsoft tracks this actor as Storm-1849 and classifies it as a China-nexus threat. Cisco has publicly said the group appears government-backed, while some reporting notes that Cisco has not publicly attributed it to a specific nation-state.
UAT-4356 has targeted Cisco ASA, Firepower, and Secure Firewall devices, including FXOS environments, by exploiting Cisco ASA/FTD vulnerabilities: the 2024 ArcaneDoor zero-days CVE-2024-20353 and CVE-2024-20359, and later the n-day vulnerabilities CVE-2025-20333 and CVE-2025-20362. In post-compromise activity, the actor has deployed malware and tooling including Line Dancer, Line Runner, LINE VIPER, and the custom FIRESTARTER backdoor. FIRESTARTER operates inside the LINA process on Cisco devices, hooks WebVPN request handling, and executes attacker-supplied shellcode in memory when it receives specially crafted WebVPN authentication requests. For persistence, the actor has manipulated the Cisco Service Platform mount list (CSP_MOUNT_LIST) so the implant survives normal reboots, firmware updates, and patching, while reducing forensic traces by restoring the original configuration after restart.
Reported targeting includes government and critical national infrastructure networks, with one confirmed intrusion affecting a U.S. Federal Civilian Executive Branch agency. Known aliases include Storm-1849.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Government & Administration
- Technology Hardware & Equipment
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
Where they're from
Attributed origin per open-source reporting.
- CN
Tradecraft
27 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
5 malware families attributed to this actor across reporting.
Associated vulnerabilities
4 CVEs this actor has used in observed campaigns; all 4 of them have been exploited in the wild.
The attack chain begins with exploitation of known vulnerabilities (CVE-2025-20333, CVE-2025-20362) to gain initial access... CVE-2025-20333 (CVSS 9.9) affects the same WebVPN component and allows an authenticated remote attacker with valid VPN credentials to execute arbitrary code with root privileges. When combined, these vulnerabilities effectively enable unauthenticated remote code execution.
The attack chain begins with exploitation of known vulnerabilities (CVE-2025-20333, CVE-2025-20362) to gain initial access... CVE-2025-20362 (CVSS 6.5) is an unauthenticated URL access vulnerability in the VPN web server component of Cisco ASA/FTD. Attackers can access restricted URL paths without authentication, enabling session validation bypass, credential harvesting, or reconnaissance.
Cisco Talos previously attributed this group to the ArcaneDoor campaign in 2024, where they exploited two Cisco ASA zero-day vulnerabilities (CVE-2024-20353, CVE-2024-20359) to deploy malware such as Line Dancer and Line Runner.
Recent activity
11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
State-linked espionage-oriented activity cluster targeting Cisco Firepower, Secure Firewall, ASA, and FTD edge devices using chained vulnerabilities and custom implants for persistence, re-entry, credential harvesting, packet capture, and stealthy long-term access.
Conducting a targeted cyber-espionage campaign against Cisco network edge devices, deploying the custom FIRESTARTER backdoor on Cisco ASA, Firepower, and Secure Firewall appliances running FXOS to achieve stealthy, memory-resident access and long-term espionage.
Conducting a long-term intrusion campaign against Cisco ASA/FTD perimeter devices using the FIRESTARTER backdoor and LINE VIPER loader, with persistence designed to survive patching and reboots. The activity is linked to the earlier ArcaneDoor campaign and appears focused on intelligence collection via compromised network security appliances.
Espionage-focused activity targeting Cisco Firepower/FXOS perimeter devices by chaining known vulnerabilities to deploy the FIRESTARTER backdoor. The group was previously linked to the ArcaneDoor campaign and is using compromised network appliances for unauthorized remote control and espionage.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.