RayInitiator
RayInitiator is a persistent multi-stage GRUB bootkit used to compromise Cisco ASA 5500-X series devices that do not implement secure boot. It was reported by the U.K. NCSC in connection with September 2025 zero-day exploitation of Cisco ASA/FTD vulnerabilities including CVE-2025-20333 and CVE-2025-20362, and is associated with the same state-sponsored activity cluster Cisco linked to the earlier ArcaneDoor campaign. The malware is flashed into GRUB on compromised ASA devices and survives reboots and firmware upgrades. Its bootstrap chain patches GRUB to invoke stage 1, patches the loader to invoke stage 2, and patches the Linux kernel syscall table entry for sched_getparam to execute stage 3.
RayInitiator’s purpose is to facilitate in-memory deployment of the LINE VIPER shellcode loader. It installs a handler inside the Cisco ASA lina process, locates the WebVPN XML parsing table using the string "client-cert-fail," and patches a form element handler to trigger execution. In the deploy phase, it verifies victim-specific values embedded in WebVPN XML elements, including an 8-byte ASCII identifier in <group-select> and a second victim-specific 8-byte hexadecimal value in another XML element, then extracts and executes a LINE VIPER shellcode stub. Observed deployments used the <client-cert-auth-signature> XML element to carry a Base64-encoded shellcode stub, and the <client-cert cert-format="pkcs7"> element contained 0x80 bytes of a legitimate VeriSign certificate followed by LINE VIPER code; the partial certificate serial number reported was 3037644167568058970164719475676101450. RayInitiator copies the shellcode stub into lina WebVPN form-element data space and uses a direct mprotect syscall to mark memory executable.
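As an added illustration (not code from the NCSC report or from this page), the following Python shows one defensive check a WebVPN request inspector could apply to the element shapes described above: a pkcs7 <client-cert> value that is 0x80 bytes of a real certificate followed by other bytes can never be one complete, internally consistent DER object. The DER walker, the <request> root element, the EXAMPLE1 value and the certificate-like sample bytes are all constructed assumptions.

```python
import base64
import xml.etree.ElementTree as ET

def der_walk(buf: bytes, pos: int = 0, end: int = -1) -> int:
    """Return the offset just past the DER TLV at pos; constructed elements are descended
    so every nested length must fit exactly. Raises ValueError on any inconsistency."""
    end = len(buf) if end < 0 else end
    if pos + 2 > end:
        raise ValueError("header runs past end")
    tag, length, i = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or i + n > end:
            raise ValueError("bad long-form length")
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    stop = i + length
    if stop > end:
        raise ValueError(f"element at {pos} declares {length} bytes, only {end - i} remain")
    if tag & 0x20:  # constructed: children must tile the content exactly
        while i < stop:
            i = der_walk(buf, i, stop)
    return stop

def is_single_der_object(buf: bytes) -> bool:
    """True only if buf is exactly one complete, internally consistent DER object."""
    try:
        return der_walk(buf) == len(buf)
    except ValueError:
        return False

def classify_client_cert(xml_text: str) -> str:
    """Classify the pkcs7 <client-cert> element of a WebVPN-style body: absent, well-formed or malformed."""
    cert = ET.fromstring(xml_text).find(".//client-cert")
    if cert is None or cert.get("cert-format") != "pkcs7":
        return "absent"
    blob = base64.b64decode("".join((cert.text or "").split()))
    return "well-formed" if is_single_der_object(blob) else "malformed"

# Constructed certificate-like stand-in (280 bytes of nested DER), NOT a real certificate:
# SEQUENCE { SEQUENCE { INTEGER 1, OCTET STRING[200] }, BIT STRING[65] }
CERT_LIKE = (b"\x30\x82\x01\x14" + b"\x30\x81\xce" + b"\x02\x01\x01"
             + b"\x04\x81\xc8" + b"A" * 200 + b"\x03\x41\x00" + b"B" * 64)
# Same shape as the reported element: the first 0x80 bytes of a certificate, then foreign bytes.
SPLICED = CERT_LIKE[:0x80] + b"X" * 64

def request_body(cert_blob: bytes) -> str:
    """Minimal WebVPN-style XML body; the <request> root and EXAMPLE1 value are constructed."""
    b64 = base64.b64encode(cert_blob).decode()
    return ('<request><group-select>EXAMPLE1</group-select>'
            f'<client-cert cert-format="pkcs7">{b64}</client-cert></request>')
```

A genuine certificate (or PKCS#7 bundle) parses to exactly its own length; the spliced payload fails on the outer SEQUENCE length, and trailing bytes after a complete object also fail, so both directions of the mismatch are caught.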
The malware was used to deploy LINE VIPER on Cisco ASA 5500-X devices, including many that were out of support. The NCSC described RayInitiator as surviving firmware upgrades and reboots and noted that it may be present even when LINE VIPER is not currently deployed. Multiple later reports state that FIRESTARTER shows significant technical overlap with RayInitiator, especially its stage 3 deployment path and XML-based payload handling, suggesting shared tooling or development lineage within the same actor arsenal.
Vulnerabilities exploited
The U.K.’s National Cyber Security Centre (NCSC) published a malware analysis report on the RayInitiator and LINE VIPER malware families used in attacks to exploit these zero-day vulnerabilities. According to their analysis, RayInitiator is a multi-stage Grand Unified Bootloader (GRUB) bootkit that survives reboots and firmware upgrades.
Cisco ASA Firewall Zero-Day Exploits Deploy RayInitiator and LINE VIPER Malware
Groups observed using it
Cisco Talos noted that Firestarter shares significant technical similarities with a previously documented implant called RayInitiator, suggesting the tools share a common origin or development history within UAT-4356’s arsenal.
After the flaws had been fixed, the U.K. NCSC reported that threat actors exploited them in zero-day attacks to deploy novel malware families, RayInitiator and LINE VIPER. RayInitiator is a persistent, multi-stage GRUB bootkit flashed to Cisco ASA 5500-X devices (many out of support) that survives reboots and firmware upgrades.
Techniques & procedures
7 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
Execution (2 techniques)
Persistence (2 techniques)
Privilege Escalation (1 technique)
Stealth (3 techniques)
LINE VIPER and RayInitiator utilise victim specific tokens... To check for a LINE VIPER request, the <group-select> element is verified to ensure it starts with a hard-coded, victim specific, 8-byte ASCII string... LINE VIPER tasking payloads sent to victim devices are checked for multiple victim-specific tokens before they are run.
Recent activity
27 sources tracked across advisories, community write-ups, and news.
Previously disclosed bootkit noted as technically similar to FIRESTARTER.
Referenced as a malware/tool whose deployment tactics substantially overlap with FIRESTARTER’s loading mechanism.
A previously documented bootkit noted only as having overlap with FIRESTARTER.
A previously documented implant that shares significant technical similarities with Firestarter, suggesting common origin or development history within UAT-4356’s toolset.