FIRESTARTER
FIRESTARTER is a Linux ELF backdoor used for remote access and control on Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. CISA and the UK National Cyber Security Centre (NCSC) assess that it was deployed by an advanced persistent threat actor in a broader campaign that gained initial access by exploiting CVE-2025-20333 and CVE-2025-20362 in Cisco ASA software. Public reporting associates the activity with UAT-4356, also tracked as Storm-1849, and links it to the earlier ArcaneDoor campaign against Cisco devices.
In the observed intrusion, the actor first deployed LINE VIPER and then installed FIRESTARTER as a persistence mechanism. FIRESTARTER hooks LINA, the core Cisco network processing and security engine, and executes attacker-supplied shellcode delivered in specially crafted WebVPN requests after validating hard-coded and victim-specific identifiers; requests that do not match are passed to the original handler. It serves as a command-and-control channel and can load additional payloads into LINA memory.
FIRESTARTER is notable for persistence and stealth on compromised edge devices. It survives firmware updates and graceful reboots, so patching a compromised device does not by itself evict the actor. Its persistence is transient rather than a boot-level implant: it handles termination signals so that during a graceful shutdown it copies itself to /opt/cisco/platform/logs/var/log/svc_samcore.log and modifies /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST so that at the next startup the copy is restored to /usr/bin/lina_cs, made executable, and launched in the background. It then restores the original files and deletes its on-disk artifacts to reduce forensic visibility. Reported associated artifacts are /usr/bin/lina_cs and /opt/cisco/platform/logs/var/log/svc_samcore.log. The malware also redirects stderr to /dev/null, timestomps the files it touches, and removes temporary artifacts.
CISA observed a FIRESTARTER implant in the wild on a Cisco Firepower device running ASA software at a U.S. Federal Civilian Executive Branch agency; the compromise is assessed to have occurred in early September 2025, before the device was patched. The malware may be part of a wider campaign affecting government and critical national infrastructure networks. Detection guidance emphasizes memory analysis and YARA rules applied to disk images or core dumps; Sigma rules were described as ineffective, consistent with the implant running inside LINA rather than generating host log events. For removal, a hard power cycle, and in some reporting full device reimaging, may be required, because normal shutdown, reboot, reload, and firmware patching may not eliminate the persistence.
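The on-disk artifacts above are the only file-system indicators this page reports, so a triage script that checks a mounted disk image for them is the natural first step. The following is an added example for this page, not tooling published by CISA, NCSC or Cisco. It assumes the image is mounted read-only at a path you pass in, it uses only the paths named in the analysis, and, because the real grammar of CSP_MOUNT_LIST is not documented here, it substring-matches the mount list for the reported filenames rather than parsing it. The sample tree it builds for a dry run is constructed and contains placeholder bytes, not the implant.

```python
"""Hunt for FIRESTARTER on-disk artifacts in a mounted ASA/FTD root filesystem.

Added illustration for this page; not tooling from CISA, NCSC or Cisco.
Point it at the mount point of an acquired disk image, e.g.:
    python3 hunt_firestarter.py /mnt/asa_root
"""
import os
import stat
import sys
import tempfile

# Artifact paths reported in the CISA/NCSC analysis of FIRESTARTER.
KNOWN_ARTIFACTS = (
    "/usr/bin/lina_cs",
    "/opt/cisco/platform/logs/var/log/svc_samcore.log",
)
MOUNT_LIST = "/opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST"
# The mount list's real grammar is not documented on this page, so we
# substring-match for the reported filenames instead of parsing it.
SUSPECT_MOUNT_TOKENS = ("lina_cs", "svc_samcore.log")
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def scan_root(root):
    """Return a list of human-readable findings for the filesystem rooted at `root`.

    An empty list is not a clean bill of health: after boot the implant restores
    the original mount list and deletes these files, so a post-boot image may show
    nothing on an infected device. Memory analysis remains necessary.
    """
    findings = []
    for rel in KNOWN_ARTIFACTS:
        path = os.path.join(root, rel.lstrip("/"))
        if not os.path.lexists(path):
            continue
        st = os.lstat(path)
        findings.append(
            f"artifact present: {rel} ({stat.filemode(st.st_mode)}, {st.st_size} bytes)"
        )
        if rel.endswith(".log") and st.st_mode & EXEC_BITS:
            findings.append(f"executable log file: {rel}")  # the implant chmods its copy
        if rel.endswith(".log") and stat.S_ISREG(st.st_mode):
            with open(path, "rb") as fh:
                if fh.read(4) == b"\x7fELF":  # an ELF binary parked under a .log name
                    findings.append(f"ELF image stored under a log name: {rel}")
    mount_list = os.path.join(root, MOUNT_LIST.lstrip("/"))
    if os.path.isfile(mount_list):
        with open(mount_list, "r", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                for token in SUSPECT_MOUNT_TOKENS:
                    if token in line:
                        findings.append(
                            f"{MOUNT_LIST}:{lineno} references {token}: {line.strip()}"
                        )
    return findings


def build_demo_root(infected=True):
    """Constructed sample tree standing in for a mounted ASA/FTD root image."""
    root = tempfile.mkdtemp(prefix="asa_root_")
    mount_list = os.path.join(root, MOUNT_LIST.lstrip("/"))
    os.makedirs(os.path.dirname(mount_list))
    with open(mount_list, "w") as fh:
        fh.write("# constructed placeholder; not a real CSP_MOUNT_LIST\n")
        if infected:
            fh.write("/opt/cisco/platform/logs/var/log/svc_samcore.log /usr/bin/lina_cs\n")
    if infected:
        for rel in KNOWN_ARTIFACTS:
            path = os.path.join(root, rel.lstrip("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"\x7fELF" + b"\x00" * 60)  # placeholder header, not the implant
            os.chmod(path, 0o755)
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_root()
    hits = scan_root(target)
    for hit in hits:
        print(hit)
    if not hits:
        print("no known FIRESTARTER artifacts found (does not rule out infection)")
    sys.exit(1 if hits else 0)
```

Two caveats follow directly from the behaviour described above. First, do not triage by modification time: the implant sets owner and timestamps on its copies to match the originals, so mtime-based sweeps miss it. Second, a negative result on an image acquired after a reboot means little, because the restore-and-delete step runs at startup; pair this with memory analysis of the LINA process.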
Vulnerabilities exploited
CISA published a malware analysis report today on FIRESTARTER, malware that allows remote access and control by malicious threat actors targeting Cisco Firepower and Secure Firewall products running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. CISA and NCSC-UK assess that an advanced persistent threat (APT) actor exploited CVE-2025-20333 and CVE-2025-20362 in Cisco ASA firmware to gain initial access and deploy FIRESTARTER on Firepower and Secure Firewall devices.
CISA said the unnamed department was infected with malware called “FIRESTARTER” that allowed the hackers to return to the Cisco device in March without re-exploiting the original vulnerabilities.
Groups observed using it
In April 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) released a joint advisory on a newly identified backdoor named “FIRESTARTER,” deployed by the state-linked APT group UAT-4356 targeting Cisco Firepower devices.
The Cybersecurity and Infrastructure Security Agency and its British counterpart warned in a Thursday malware analysis report that the custom implant, dubbed "Firestarter," is targeting Cisco Adaptive Security Appliance and Firepower devices.
Techniques & procedures
25 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
Execution (4 techniques)
If the file is missing, FIRESTARTER creates it using a special function that can run shell commands [T1059].
Key characteristics:
- Written to operate inside the LINA process, a core Cisco firewall component
- Executes attacker-supplied shellcode directly in memory
Persistence (6 techniques)
To establish a foothold, UAT-4356 manipulates the device’s boot sequence by altering the Cisco Service Platform mount list.
When an attacker sends a specially crafted WebVPN authentication request containing a specific “magic packet” pattern, arbitrary shellcode is executed within the LINA process.
Described as a backdoor with remote access capabilities, Firestarter was named after Cisco Secure Firewall Adaptive Security Appliance (ASA) and Cisco Secure Firewall Threat Defense (FTD), the two products the malware targeted.
Upon successful verification of identification, the next stage of the malware is loaded by copying it into LINA’s memory and invoking mprotect to enable execution of the newly injected code [T1543].
Privilege Escalation (6 techniques)
To establish a foothold, UAT-4356 manipulates the device’s boot sequence by altering the Cisco Service Platform mount list.
The malware injects a block of shellcode 0x200 bytes before the end of the library’s text segment, installing the detour for the XML element handler [T1055].
CVE-2025-20333 (CVSS 9.9) affects the same WebVPN component and allows an authenticated remote attacker with valid VPN credentials to execute arbitrary code with root privileges.
Upon successful verification of identification, the next stage of the malware is loaded by copying it into LINA’s memory and invoking mprotect to enable execution of the newly injected code [T1543].
Stealth (9 techniques)
TA0005 – Defense Evasion: Operating as fileless malware, restoring modified configurations after execution, and blending malicious activity into legitimate firewall and VPN request handling.
Upon execution, FIRESTARTER accesses its own binary located at /usr/bin/lina_cs on the device [T1036.005] and copies its contents into memory.
The malware injects a block of shellcode 0x200 bytes before the end of the library’s text segment, installing the detour for the XML element handler [T1055].
After the reboot, it restores the original mount list and removes related files from disk to erase traces.
These commands delete the modified CSP_MOUNT_LIST file [T1070.004], restoring the original CSP_MOUNT_LIST.
Execute permissions are granted to any user, the owner and timestamp are set to match the original [T1070.006], and the temporary file is then deleted.
When an attacker sends a specially crafted WebVPN authentication request containing a specific “magic packet” pattern, arbitrary shellcode is executed within the LINA process.
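The injection described in this section (a shellcode block placed 0x200 bytes before the end of the library's text segment, plus a detour patched into the XML element handler) is the kind of modification a disk-versus-memory comparison of .text exposes, because the code pages of a position-independent library should be byte-identical between the clean file and its mapping in a core dump. The following is an added example for this page, not tooling from CISA, NCSC or Cisco. It assumes you have already extracted the .text bytes of the clean library (for example with objcopy -O binary --only-section=.text) and the same byte range from the core dump of the same build; the sample bytes, the handler offset 0x300 and the reading of "0x200 bytes before the end" as the start of the injected block are constructed assumptions, not LINA data.

```python
"""Diff a library's .text as mapped in a core dump against the clean on-disk copy.

Added illustration for this page; not analysis tooling from CISA, NCSC or Cisco.
Inputs are the raw bytes of the same .text section from the same build.
"""


def patched_ranges(clean, dumped):
    """Return [(offset, length), ...] for every run where `dumped` differs from `clean`."""
    if len(clean) != len(dumped):
        raise ValueError("section sizes differ; compare the same section of the same build")
    runs, start = [], None
    for i, (a, b) in enumerate(zip(clean, dumped)):
        if a != b and start is None:
            start = i  # a new run of modified bytes begins here
        elif a == b and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(clean) - start))
    return runs


def classify(runs, text_len, tail=0x200, min_detour=5):
    """Heuristic, not a signature: flag the reported shape of the patch.

    `injected_tail_runs` are modifications inside the last `tail` bytes of .text
    (the padding region the page says the shellcode block is written to);
    `detour_runs` are modifications elsewhere at least `min_detour` bytes long,
    the size of a near jmp on x86-64. Both together is the pattern described.
    """
    tail_start = text_len - tail
    injected = [r for r in runs if r[0] >= tail_start]
    detours = [r for r in runs if r[0] < tail_start and r[1] >= min_detour]
    return {
        "injected_tail_runs": injected,
        "detour_runs": detours,
        "suspicious": bool(injected) and bool(detours),
    }


def build_demo():
    """Constructed sample (not real LINA bytes): 4 KiB of filler standing in for .text."""
    clean = bytes((i * 7) & 0xFF for i in range(0x1000))
    dumped = bytearray(clean)
    # Hypothetical XML element handler at 0x300, overwritten with a 5-byte near jmp
    # whose rel32 (0xAFB) lands on the injected block at 0xE00.
    dumped[0x300:0x305] = b"\xe9\xfb\x0a\x00\x00"
    # Injected block starting 0x200 bytes before the end of .text.
    dumped[0x1000 - 0x200:0x1000 - 0x200 + 0x40] = b"\x90" * 0x40
    return clean, bytes(dumped)


if __name__ == "__main__":
    clean_text, dumped_text = build_demo()
    found = patched_ranges(clean_text, dumped_text)
    for off, length in found:
        print(f"modified .text bytes at 0x{off:x} (+0x{length:x})")
    print(classify(found, len(clean_text)))
```

Before trusting a diff, confirm the on-disk file is the same build as the mapped library (hash it against the package on a known-good device) and check that the library has no text relocations (DT_TEXTREL), since those produce legitimate differences between file and memory. Differences that survive both checks are worth disassembling.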
Defense Impairment (1 technique)
Discovery (1 technique)
Command and Control (5 techniques)
Instead of traditional beaconing, command-and-control was achieved through trusted device workflows, including:
- Legitimate WebVPN request flows
- Authenticated firewall management interfaces
- In-memory payload execution via crafted requests
FIRESTARTER then actively intercepts incoming WebVPN requests. If an incoming request matches a specific custom prefix, the malware immediately executes the attached shellcode. If the data lacks the required prefix, FIRESTARTER quietly forwards the request to the original handler to evade suspicion.
Upon successful verification, the next stage of the malware is loaded by copying it into LINA’s memory and invoking mprotect to enable execution of the newly injected code.
Recent activity
Custom backdoor for Cisco Firepower/ASA/FTD devices that hooks the LINA process to execute attacker-supplied shellcode via crafted WebVPN requests and maintains persistence across soft reboots and firmware updates.
Governments on high alert after CISA snuffs out Firestarter backdoor on fed network
Custom backdoor engineered for Cisco firewall environments. It operates inside the LINA process, executes attacker-supplied shellcode directly in memory, abuses trusted WebVPN and management workflows for command execution, and uses transient persistence via Cisco Service Platform mount-list manipulation to survive graceful reboots while minimizing forensic artifacts.