A backdoor with a movie-villain name was found running on a US federal agency’s Cisco firewall. It had been there for seven months. The agency that was compromised? Nobody will name it.

On April 23, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) jointly published a detailed analysis of a malware sample they call FIRESTARTER — a Linux backdoor designed to burrow into Cisco Firepower devices and survive firmware updates, reboots, and standard remediation. It was found actively operating on the network of an unnamed US Federal Civilian Executive Branch (FCEB) agency.

The silence on the agency’s identity is, by this point, familiar. Government breach disclosures follow a predictable pattern: confirm the intrusion, describe the threat, decline to identify the victim. CISA’s Malware Analysis Report describes the compromise in granular technical detail but stops well short of telling the public which corner of the federal government was penetrated.

What Firestarter Does

FIRESTARTER is a Linux Executable and Linkable Format (ELF) binary that targets Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. Its job is to establish a persistent command-and-control channel — a backdoor that allows remote actors to execute arbitrary code at will.

The malware is technically sophisticated. According to CISA’s analysis, FIRESTARTER installs a hook inside LINA, the core engine responsible for network processing and security functions on Cisco devices. This hook intercepts WebVPN requests containing specific XML tags, checks them against hard-coded identifiers, and — if the magic bytes match — executes whatever shellcode the attackers appended. Requests that don’t match pass to the legitimate handler, making the backdoor nearly invisible during normal operation.

Persistence is where FIRESTARTER gets nasty. The malware manipulates the Cisco Service Platform mount list — essentially the device’s boot sequence instructions — to ensure it relaunches after every graceful reboot. It detects termination signals, writes itself to a backup location disguised as a log file (svc_samcore.log), and restores itself on startup. Then it cleans up after itself, removing the trojanized files and restoring the original configuration.

Standard firmware updates do not remove it. The shutdown, reboot, and reload commands do not remove it. The only reliable remediation, according to Cisco, is pulling the power cord — a hard power cycle — or fully reimaging the device.
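As an added illustration, not code from CISA, NCSC or Cisco: a small Python scanner that flags files named like logs but carrying the ELF magic bytes, which is the disguise the analysis describes for the svc_samcore.log backup. It assumes the backup is stored as an unobfuscated ELF and that an investigator can read the device filesystem (for instance from a collected image); the directory layout and sample files below are constructed.

```python
import os
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"  # first four bytes of every ELF binary


def is_elf(path: Path) -> bool:
    """Return True if the file begins with the ELF magic bytes."""
    try:
        with path.open("rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def find_disguised_elf(root: str, suffixes=(".log",)) -> list[str]:
    """Walk `root` and return files whose name claims to be a log but whose
    content is actually an ELF executable. Paths are returned sorted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in suffixes and is_elf(p):
                hits.append(str(p))
    return sorted(hits)


def build_sample_tree(root: str) -> None:
    """Construct a sample tree: one genuine text log and one fake 'log'
    that is really an ELF header. Constructed data, not a real sample."""
    logdir = Path(root) / "var" / "log"
    logdir.mkdir(parents=True, exist_ok=True)
    (logdir / "messages.log").write_text("Apr 23 12:00:00 lina: ok\n")
    # Stand-in named like the backup file CISA describes: ELF magic plus
    # zero padding. Hypothetical path; the real location is not public here.
    (logdir / "svc_samcore.log").write_bytes(ELF_MAGIC + b"\x00" * 60)


def demo() -> list[str]:
    """Build the constructed tree in a temp dir and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_disguised_elf(tmp)


if __name__ == "__main__":
    for hit in demo():
        print("ELF disguised as log:", hit)
```

This is a heuristic triage check only; CISA's published YARA rules and the mandated core-dump collection remain the authoritative detection path.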

Seven Months of Access

CISA assesses, but has not confirmed, that advanced persistent threat (APT) actors gained initial access to the unnamed agency’s Cisco Firepower device by exploiting CVE-2025-20333 (CVSS 9.9) and/or CVE-2025-20362, two vulnerabilities in Cisco’s ASA firewall platform. The exact date of initial exploitation is likewise unconfirmed, but CISA assesses the compromise occurred in early September 2025, before the agency applied the patches mandated by CISA’s Emergency Directive 25-03, issued September 25.

The attackers first deployed a post-exploitation toolkit called LINE VIPER — capable of executing CLI commands, bypassing VPN authentication, capturing network traffic, and suppressing syslog messages. LINE VIPER harvested administrative credentials, certificates, and private keys. Then, before the September 25 patching deadline, the actors installed FIRESTARTER as a persistence mechanism.

It worked. Even after the agency patched the vulnerabilities, FIRESTARTER remained embedded in the device. The attackers used the backdoor to redeploy LINE VIPER in March 2026 — seven months after the original compromise, and six months after the patches were supposed to close the door.

A Wider Campaign

Cisco Talos attributes the activity to a threat actor tracked as UAT-4356, the same group behind the ArcaneDoor espionage campaign first identified in early 2024. FIRESTARTER shares considerable technical overlap with RayInitiator, a previously documented bootkit from the same campaign. No government has formally attributed UAT-4356 to a specific nation, though analysis from attack surface management firm Censys in May 2024 suggested links to China, and SecurityWeek characterizes the campaign as “China-linked.”

The UK’s involvement is significant. The NCSC co-authored the advisory, and the guidance is explicitly directed at both US and UK organizations. When allied cyber agencies issue joint alerts about infrastructure compromise, it typically signals that the scope extends well beyond any single victim — and that the threat actor’s targets are likely international.

What Happens Now

CISA has ordered all federal agencies to collect core dumps from affected Cisco devices — Firepower 1000, 2100, 4100, and 9300 series, plus Secure Firewall 200, 1200, 3100, 4200, and 6100 series — and submit them for analysis by April 24, 2026. Confirmed infections must be reported immediately, and compromised devices must be hard-reset by April 30. Cisco’s guidance is blunter: in cases of confirmed compromise, “all configuration elements of the device should be considered untrusted.”

The public still doesn’t know which agency was breached, what data may have been exposed, or whether other federal networks carry the same undetected implant. CISA has published YARA rules for detecting FIRESTARTER. But the disclosure model leaves a familiar gap: the government will tell you how to check your firewall, but not which of its own firewalls failed.