A newly identified malware known as FIRESTARTER has been found on a Cisco Firepower device operating within a U.S. federal civilian agency, according to disclosures from CISA and the U.K. National Cyber Security Centre (NCSC). The compromise, which dates back to September 2025, involved Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) systems and is linked to an advanced persistent threat campaign targeting networking infrastructure. Officials describe FIRESTARTER as a backdoor designed for remote access and control, capable of remaining active on systems even after standard security patches and firmware updates are applied, raising concerns about long-term persistence inside critical government networks.
The intrusion is associated with exploitation of multiple vulnerabilities in Cisco ASA software, including CVE-2025-20333 and CVE-2025-20362, which allowed attackers to execute arbitrary code and bypass authentication mechanisms. According to security findings, the attackers used a post-exploitation toolkit known as LINE VIPER to extend control over compromised devices. This toolkit enabled capabilities such as executing command-line instructions, capturing network traffic, bypassing VPN authentication controls, suppressing system logs, and harvesting user commands. It also allowed attackers to maintain stealthy operational access while preparing the environment for deployment of FIRESTARTER. Cisco has been tracking the activity cluster under the designation UAT4356, which is also linked to the broader ArcaneDoor campaign involving earlier zero-day exploitation of networking equipment.
FIRESTARTER itself is described as a Linux-based binary that integrates deeply into Cisco device operations. It establishes persistence by modifying startup mount configurations and embedding itself within the boot process, allowing it to reactivate after normal reboots. The malware interacts with LINA, the core processing engine responsible for network and security functions on affected devices, inserting hooks that enable execution of arbitrary shellcode delivered through specially crafted WebVPN authentication requests. Researchers also noted overlap in behavior with a previously documented bootkit called RayInitiator, suggesting an evolution in persistent firmware-level attack techniques. In tested environments, Cisco reported less than four percent degradation in quantum-related network fidelity measurements, although this figure relates to experimental infrastructure performance rather than remediation effectiveness.
Cisco stated that even when the vulnerabilities are patched, previously compromised devices may remain infected because FIRESTARTER is not removed by standard firmware updates. In guidance shared with operators, Cisco recommended that fully compromised devices be reimaged using fixed software releases and treated as untrusted until fully rebuilt. In urgent cases, security teams are advised to perform a cold restart by physically disconnecting power from the device, as conventional reboot and reload commands do not eliminate the persistent implant. This behavior highlights the malware's ability to survive typical recovery procedures, reinforcing the need for hardware-level intervention in some scenarios.
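The remediation logic described above (a patch alone does not remove the implant, reload and reboot do not clear it, and an exposed device stays untrusted until rebuilt from a fixed image) is easy to get wrong when triaging a fleet from an inventory. The following is an added example, not code or guidance text from Cisco, CISA or the NCSC: it encodes those rules as a triage function over a constructed device inventory. The inventory fields, hostnames, the `CAMPAIGN_START` cutoff (taken from the article's "September 2025") and the `today` default are all assumptions for illustration; only the CVE identifiers come from the article.

```python
"""Remediation-state triage for Cisco ASA / FTD devices after the FIRESTARTER
disclosure. Added example, not from Cisco, CISA or NCSC guidance; inventory
fields and sample records are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Vulnerabilities the article associates with the intrusion.
ASSOCIATED_CVES = ("CVE-2025-20333", "CVE-2025-20362")

# Assumption: the article dates the compromise to September 2025, so any
# exposure on or after this date is treated as a possible compromise.
CAMPAIGN_START = date(2025, 9, 1)


@dataclass
class DeviceRecord:
    hostname: str
    exposed_since: date          # first day running a vulnerable, reachable release
    patched_on: Optional[date]   # in-place upgrade to a fixed release; None if not done
    reimaged: bool               # rebuilt from a fixed image (not an in-place patch)
    recovery_method: str         # "none", "reload" or "cold_restart"


@dataclass
class Triage:
    hostname: str
    possibly_compromised: bool
    trusted: bool
    actions: List[str] = field(default_factory=list)


def exposure_overlaps_campaign(dev: DeviceRecord, today: date) -> bool:
    """True if the device ran a vulnerable release at any point on or after CAMPAIGN_START."""
    exposure_end = dev.patched_on if dev.patched_on is not None else today
    return exposure_end >= CAMPAIGN_START


def triage(dev: DeviceRecord, today: date = date(2026, 1, 15)) -> Triage:
    """Decide what a defender still has to do for one device.

    Rules taken from the article: a patch does not remove FIRESTARTER,
    reload/reboot does not clear it, and a device exposed during the campaign
    stays untrusted until rebuilt from a fixed image.
    """
    compromised = exposure_overlaps_campaign(dev, today)
    result = Triage(dev.hostname, possibly_compromised=compromised, trusted=False)

    if not compromised:
        # Patched before the campaign window: no exposure to act on.
        result.trusted = True
        return result

    if dev.reimaged:
        # Rebuilt from a fixed release: the full fix the article describes.
        result.trusted = True
        return result

    # Exposed and not rebuilt: untrusted regardless of any in-place patch.
    if dev.patched_on is None:
        result.actions.append(
            f"move to a fixed release for {', '.join(ASSOCIATED_CVES)} by reimaging, not in place")
    else:
        result.actions.append("in-place patch applied but the implant may persist; treat as untrusted")
    if dev.recovery_method != "cold_restart":
        result.actions.append(
            "perform a cold restart by physically disconnecting power; reload/reboot does not clear the implant")
    result.actions.append("reimage from a fixed release and verify before returning to service")
    return result


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    DeviceRecord("fw-edge-01", date(2025, 6, 1), date(2025, 10, 2), reimaged=False, recovery_method="reload"),
    DeviceRecord("fw-edge-02", date(2025, 6, 1), date(2025, 10, 5), reimaged=True, recovery_method="cold_restart"),
    DeviceRecord("fw-lab-03", date(2025, 3, 1), date(2025, 8, 20), reimaged=False, recovery_method="none"),
    DeviceRecord("fw-dc-04", date(2025, 7, 10), None, reimaged=False, recovery_method="none"),
]


def triage_all(inventory=SAMPLE_INVENTORY) -> List[Triage]:
    return [triage(d) for d in inventory]


if __name__ == "__main__":
    for t in triage_all():
        print(f"{t.hostname}: {'trusted' if t.trusted else 'UNTRUSTED'}")
        for action in t.actions:
            print(f"  - {action}")
```

The design point is that `patched_on` never changes the trust decision for a device exposed in the campaign window; only `reimaged` does. A fleet report built on "patched: yes/no" alone would mark `fw-edge-01` as done, which is exactly the mistake the advisory warns against.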
The activity is believed to be part of a wider ecosystem of state-aligned cyber operations. Analysis from multiple security organizations, including Censys and Check Point Software, has linked similar infrastructure abuse to China-nexus threat actors who have been leveraging compromised SOHO routers and IoT devices for espionage operations. Groups such as Volt Typhoon and Flax Typhoon have reportedly built large covert networks composed of routers, cameras, and embedded systems to route malicious traffic through multiple relay points, making attribution and blocking more difficult. Security researchers note that these distributed networks often operate in parallel across multiple actors, with shared infrastructure being reused for different campaigns. The approach relies on exploiting poorly secured perimeter devices that are rarely patched, allowing long-term access into government and enterprise environments while avoiding traditional endpoint defenses.