
In a separate advisory, Cisco’s Talos threat intelligence service said a group it calls UAT-4356 is behind Firestarter, as part of its continued targeting of Firepower devices. Other researchers call the group Storm-1849, and identify the campaign targeting networking devices from Cisco and other vendors as ArcaneDoor, dating back to 2023.
Critical failure in ‘patch and forget’ mentality
CISA believes threat actors compromised Cisco firewalls by exploiting CVE-2025-20333 and/or CVE-2025-20362 early last September, before patches to plug these holes were released.
In the example analyzed by CISA, the attacker then deployed the LineViper shellcode loader to install a VPN that the threat actor could use to access all configuration elements of the compromised Firepower device, including administrative credentials, certificates, and private keys. The Firestarter backdoor was then added and used to link to a command and control server, which allowed the backdoor to persist even after patching. All of this happened before patches for the two vulnerabilities were issued.
Firestarter achieves persistence by detecting termination signals and relaunching itself, which is how it can survive firmware updates and device reboots unless a hard power cycle occurs.
“The Firestarter malware represents a critical failure in the ‘patch and forget’ mentality of modern network security,” said IT analyst Rob Enderle of the Enderle Group.
“What makes this attack particularly unusual is its technical resilience and anti-forensic capabilities,” he said. “The malware registers callback functions for termination signals like SIGTERM or SIGHUP, which allows it to automatically relaunch if an admin tries to kill the process. It deep-dives into the LINA engine’s virtual memory to hook the C++ standard library, intercepting WebVPN requests to trigger its payload. By using ‘time stomping’ to mask its file presence and redirecting errors to /dev/null, it remains nearly invisible to traditional discovery tools.”
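As an added example, not from the advisory or the article: a triage script that reads the SigCgt mask from /proc/<pid>/status and lists processes that have installed handlers for both SIGTERM and SIGHUP, the signal-trapping behaviour described above. It assumes Linux signal numbering and a readable /proc; the sample status text is constructed.

```python
import os
import re

# Linux signal numbers for the two signals the analysis says the malware traps.
SIGHUP = 1
SIGTERM = 15
WATCHED = {SIGHUP, SIGTERM}


def caught_signals(status_text):
    """Parse the SigCgt line of a /proc/<pid>/status file.

    SigCgt is a 64-bit hex mask; bit (n-1) is set when signal n has a
    handler installed (caught), as opposed to ignored (SigIgn) or default.
    Returns the set of caught signal numbers.
    """
    m = re.search(r"^SigCgt:\s*([0-9a-fA-F]+)", status_text, re.MULTILINE)
    if not m:
        return set()
    mask = int(m.group(1), 16)
    return {n for n in range(1, 65) if (mask >> (n - 1)) & 1}


def traps_all_watched(status_text, watched=WATCHED):
    """True when the process installs handlers for every signal in `watched`."""
    return set(watched) <= caught_signals(status_text)


def scan_proc(proc_root="/proc"):
    """Yield (pid, name) for live processes catching all watched signals.

    Many legitimate daemons also handle SIGTERM/SIGHUP, so treat hits as
    triage leads to correlate with file timestamps and network activity,
    not as a verdict on their own.
    """
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "status")) as fh:
                text = fh.read()
        except OSError:
            continue  # process exited or is not readable
        if traps_all_watched(text):
            name = re.search(r"^Name:\s*(.*)$", text, re.MULTILINE)
            yield int(entry), (name.group(1) if name else "?")


# Constructed sample of a /proc/<pid>/status excerpt (not a real capture).
# 0x4001 sets bit 0 (SIGHUP=1) and bit 14 (SIGTERM=15).
SAMPLE_STATUS = "Name:\tdemo\nPid:\t4242\nSigIgn:\t0000000000001000\nSigCgt:\t0000000000004001\n"

if __name__ == "__main__":
    for pid, name in scan_proc():
        print(f"pid {pid} ({name}) handles SIGTERM and SIGHUP")
```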
