
LINE VIPER

LINE VIPER is a modular user-mode shellcode loader and post-exploitation implant used against Cisco ASA and Firepower/Secure Firewall devices, especially Cisco ASA 5500-X series devices without secure boot. It has been observed in campaigns exploiting Cisco ASA/FTD WebVPN vulnerabilities CVE-2025-20333 and CVE-2025-20362, and is also loaded into memory by the RayInitiator GRUB bootkit. In observed intrusions, attackers deployed LINE VIPER first for post-exploitation access and later used FIRESTARTER as a persistence mechanism. CISA observed this sequence on a Cisco Firepower device at a U.S. federal civilian executive branch agency.

LINE VIPER receives command-and-control instructions over WebVPN client authentication sessions over HTTPS or via ICMP, with responses over raw TCP. It can establish illegitimate VPN sessions that bypass VPN authentication policies and AAA controls for actor devices. Reported capabilities include executing CLI commands with high privilege, performing hidden packet captures, suppressing syslog messages, harvesting user CLI commands, forcing delayed reboot, and accessing device configuration data including administrative credentials, certificates, and private keys. Reporting also states it facilitated broad file access on compromised devices.

The malware is associated with the broader Cisco-focused activity linked by Cisco to the ArcaneDoor threat actor cluster; some reporting ties the later related activity to UAT-4356 / Storm-1849, though public attribution for LINE VIPER-specific operations is not definitive in the provided content. High-confidence indicators and artifacts mentioned include use on Cisco ASA/FTD platforms, in-memory loading by RayInitiator, command delivery through crafted WebVPN authentication traffic, and use in conjunction with FIRESTARTER for longer-term persistence.


EXPLOITED CVES (4)

Vulnerabilities exploited: 4 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
CVE-2025-20362: Unauthenticated restricted URL access in Cisco Secure ASA/FTD VPN web server (exploited in the wild)

According to their analysis, RayInitiator is a multi-stage Grand Unified Bootloader (GRUB) bootkit that services reboots and firmware upgrades. It also deploys the LINE VIPER shellcode loader to Cisco ASA 5500-X series devices that do not have secure boot. LINE VIPER is loaded into memory by RayInitiator and it receives command and control instructions over WebVPN client authentication sessions over HTTPS or via ICMP with responses over raw TCP.

via Palo Alto Networks Unit 42 blog (unit42.paloaltonetworks.com)
CVE-2025-20333: Authenticated RCE in Cisco ASA/FTD VPN Web Server (exploited in the wild)

CVE-2025-30333: RCE in Cisco Adaptive Security Appliance (ASA) with VPN credentials

CISA added that the hackers deployed another strain of malware called Line Viper that established illegitimate virtual private network (VPN) sessions that bypassed all VPN authentication policies.

via The Record Media (therecord.media)
CVE-2025-20334: Command Injection in Cisco IOS XE HTTP API Subsystem

Cisco ASA Firewall Zero-Day Exploits Deploy RayInitiator and LINE VIPER Malware

via CloudATG Insights (cloudatg.com)
THREAT ACTORS (2)

Groups observed using it: 2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

ArcaneDoor

The attack chain begins with exploitation of known vulnerabilities (CVE-2025-20333, CVE-2025-20362) to gain initial access, followed by the deployment of LINE VIPER and FIRESTARTER to take control of the network device itself.

via OSINT Team blog (osintteam.blog)
UAT-4356

MITRE ATT&CK

Techniques & procedures

24 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

3 techniques
T1078 Valid Accounts (evidence: 2)

This activity was associated with user accounts that existed but were no longer active within the agency [T1078].

T1133 External Remote Services (evidence: 3)

CISA identified that APT actors first deployed LINE VIPER to establish illegitimate virtual private network (VPN) sessions [T1133] that bypassed all VPN authentication policies.

T1190 Exploit Public-Facing Application (evidence: 12)

Cisco has reported that a sophisticated state-sponsored threat actor is actively exploiting multiple zero-day vulnerabilities in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software.

Execution

3 techniques
T1059 Command and Scripting Interpreter (evidence: 2)

These vulnerabilities allow attackers to execute arbitrary code, exfiltrate data and implant persistent malware to maintain access even after a device is rebooted.

T1059.004 Unix Shell (evidence: 2)

The hackers ... initially deployed a shellcode loader tracked by the U.K. National Cyber Security Center as Line Viper

T1574 Hijack Execution Flow (evidence: 1)

FIRESTARTER attempts to install a hook – a way to intercept and modify normal operations – within LINA, the device’s core engine for network processing and security functions. This hook enables the execution of arbitrary shell code provided by the APT actors, including the deployment of LINE VIPER.

Persistence

4 techniques
T1078 Valid Accounts (evidence: 2)

T1133 External Remote Services (evidence: 3)

T1136 Create Account (evidence: 1)

Line Viper malware ... created illegitimate VPN sessions

T1547 Boot or Logon Autostart Execution (evidence: 1)

Privilege Escalation

3 techniques
T1068 Exploitation for Privilege Escalation (evidence: 2)

CVE-2025-20333 (CVSS 9.9) affects the same WebVPN component and allows an authenticated remote attacker with valid VPN credentials to execute arbitrary code with root privileges.

T1078 Valid Accounts (evidence: 2)

T1547 Boot or Logon Autostart Execution (evidence: 1)

Stealth

4 techniques
T1070 Indicator Removal (evidence: 1)

LINE VIPER can execute CLI commands, perform packet captures, bypass VPN AAA for actor devices, suppress syslog messages, harvest user CLI commands, and force a delayed reboot.

T1078 Valid Accounts (evidence: 2)

T1480.001 Environmental Keying (evidence: 1)

LINE VIPER and RayInitiator utilise victim specific tokens... To check for a LINE VIPER request, the <group-select> element is verified to ensure it starts with a hard-coded, victim specific, 8-byte ASCII string... LINE VIPER tasking payloads sent to victim devices are checked for multiple victim-specific tokens before they are run.

T1574 Hijack Execution Flow (evidence: 1)

Credential Access

3 techniques
T1040 Network Sniffing (evidence: 3)

the LINE VIPER toolkit enables packet capture, VPN authentication bypass, syslog suppression, and credential harvesting

T1555 Credentials from Password Stores (evidence: 2)

CVE-2025-20362... enabling session validation bypass, credential harvesting, or reconnaissance... LINE VIPER toolkit enables packet capture, VPN authentication bypass, syslog suppression, and credential harvesting

T1649 Steal or Forge Authentication Certificates (evidence: 3)

Line Viper is used to establish VPN sessions and access all configuration details, including administrative credentials, certificates, and private keys on compromised Firepower devices.

Discovery

3 techniques
T1040 Network Sniffing (evidence: 3)

T1082 System Information Discovery (evidence: 1)

LINE VIPER enabled APT actors access to all configuration elements of the victim Firepower device, including administrative credentials, certificates, and private keys [T1082].

T1083 File and Directory Discovery (evidence: 1)

Line Viper malware ... facilitated universal access to the device's files

Collection

1 technique
T1602.001 SNMP (MIB Dump) (evidence: 1)

In the federal agency incident analyzed by CISA, the attackers first deployed a separate implant, called Line Viper, to gain access to device configurations, credentials, and encryption keys.

Command and Control

5 techniques
T1071 Application Layer Protocol (evidence: 1)

LINE VIPER is loaded into memory by RayInitiator and it receives command and control instructions over WebVPN client authentication sessions over HTTPS or via ICMP with responses over raw TCP.

T1071.001 Web Protocols (evidence: 2)

LINE VIPER is loaded into memory by RayInitiator and it receives command and control instructions over WebVPN client authentication sessions over HTTPS

T1105 Ingress Tool Transfer (evidence: 1)

Upon successful verification, the next stage of the malware is loaded by copying it into LINA’s memory and invoking mprotect to enable execution of the newly injected code.

T1571 Non-Standard Port (evidence: 1)

LINE VIPER responds to ICMP tasking via raw TCP using high-ephemeral ports... Observed destination ports used are random high ports, >60000.

T1573.002 Asymmetric Cryptography (evidence: 1)

LINE VIPER uses per-victim RSA keys for securing tasking and exfiltration via the WebVPN client authentication method... LINE VIPER uses an RSA public key to perform a symmetric key exchange.

Impact

1 technique
T1529 System Shutdown/Reboot (evidence: 1)

LINE VIPER has an anti-forensic capability to immediately reboot the device when certain CLI commands are run. Additionally, LINE VIPER has a module to force a device reboot after a delay.

Other

1 technique
T1562 Impair Defenses (evidence: 4)

ACTIVITY FEED

Recent activity

31 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

OSINT Team blog (News)
May 8, 2026
Uncovering FIRESTARTER: Ongoing Cisco ASA Compromise Despite Patch Deployment | by Criminal IP | May, 2026 | OSINT Team

Post-exploitation toolkit used after initial access on Cisco ASA/FTD devices; described as enabling packet capture, VPN authentication bypass, syslog suppression, and credential harvesting, and as facilitating deployment of FIRESTARTER.

TheCyberThrone (News)
Apr 28, 2026
FIRESTARTER: Cisco ASA Backdoor - TheCyberThrone

A user-mode shellcode loader used post-exploitation on Cisco devices to provide elevated access and facilitate deployment of FIRESTARTER. It can execute CLI commands, perform packet captures, bypass VPN AAA for actor devices, suppress syslog messages, harvest user CLI commands, and force a delayed reboot.

Security Affairs (News)
Apr 25, 2026
CISA reports persistent FIRESTARTER backdoor on Cisco ASA device in federal network

A post-exploitation implant used by APT actors on compromised Cisco ASA devices. In the described incident, it was deployed before FIRESTARTER and could be delivered/executed via FIRESTARTER’s hook and shellcode mechanism.

The Hacker News (News)
Apr 24, 2026
FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches

A post-exploitation toolkit used on compromised Cisco devices to execute CLI commands, capture packets, bypass VPN AAA for actor devices, suppress syslog messages, harvest user CLI commands, and force delayed reboots. It was deployed via FIRESTARTER-enabled access.
