    Detection Engineering

    Pull the Power Cord: FIRESTARTER, AR26-113A, and a Backdoor That Survives Your Patches

    James McMurry • April 23, 2026 • 9 min read

    Download the FIRESTARTER Detection Pack

    Argillite-format YAML pack for CISA AR26-113A. Reproduces both CISA YARA rules verbatim, plus behavioral detection for pre-implant exploitation of CVE-2025-20333 and CVE-2025-20362, identity abuse, flow-to-auth reconciliation, device integrity anomalies, and post-compromise re-access.


    CISA and the UK NCSC co-released a Malware Analysis Report today called AR26-113A. The subject is a backdoor CISA named FIRESTARTER. It runs on Cisco Firepower and Secure Firewall devices, both ASA and FTD, and the MAR is paired with an update to Emergency Directive 25-03. The directive covers federal civilian agencies. The malware does not care who you are.

    Three things in this report make it different from the usual Cisco advisory, and they are the three things that should put this on your Monday calendar.

    First, FIRESTARTER survives the patch. A device compromised before September 25, 2025 can still be compromised today, on the current software, because the implant was written before the fix went in. Cisco shipped updates for CVE-2025-20333 and CVE-2025-20362 seven months ago. Those updates close the door for new exploitation. They do not remove anyone who was already inside.

    Second, Sigma will not catch it. That is not my assessment. That is verbatim from the CISA report: "Sigma rules do not offer effective detection because FIRESTARTER does not generate observable log events or behavioral anomalies in standard monitoring platforms." The malware is specifically designed to hide from the telemetry your SOC already collects.

    Third, the only reliable eviction is a hard power pull. Reboot will not clear it. Patch will not clear it. The CISA guidance for non-federal organizations, once FIRESTARTER is confirmed on the device, is to physically unplug the device from every power source including redundant supplies, wait at least sixty seconds, and only then reconnect. That is the remediation from one of the top cyber agencies in the world. Go touch the appliance.

    What FIRESTARTER actually is

    FIRESTARTER is a Linux ELF that runs on the Firepower hardware, staged as /usr/bin/lina_cs. The filename is not fixed. Attackers can and will rename it. Once running, it copies itself into memory, registers callbacks for the common termination signals (SIGTERM, SIGINT, SIGQUIT, SIGABRT, SIGHUP, SIGTSTP), and walks LINA’s virtual memory map to find the executable segment of libstdc++.so. It injects shellcode 0x200 bytes before the end of that library’s text segment and installs a detour on the XML element handler used by WebVPN.

    When the detoured handler fires, FIRESTARTER looks for a hardcoded eight-byte ASCII string inside a group-select element in the WebVPN request. If the string matches, and a second victim-specific identifier matches, the next stage is loaded into LINA’s memory with mprotect to flip the page executable. The advisory explicitly notes the path closely mirrors the RayInitiator Cisco ASA bootkit stage three deploy sequence.

    Persistence is handled through an append to /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST. The appended script moves the implant from /opt/cisco/platform/logs/var/log/svc_samcore.log back into /usr/bin/lina_cs, chmods it 755, and launches it in the background. Timestamps and ownership are preserved with touch -r and chown --reference. All stderr is sent to /dev/null. This is not loud malware.

    How the actor got in, and how they came back

    CISA assesses with high confidence the initial access happened in early September 2025 through CVE-2025-20333 (a missing authorization bug) and CVE-2025-20362 (a classic buffer overflow), before the victim agency applied the ED 25-03 patches. Actors first deployed LINE VIPER, the user-mode shellcode loader that the NCSC wrote up in September alongside the RayInitiator bootkit. LINE VIPER gave them full access to the device configuration: administrative credentials, certificates, private keys, everything.

    The tradecraft detail that matters for identity teams: LINE VIPER was used to stand up illegitimate VPN sessions tied to former employee accounts that still existed but were no longer active. Valid account, clean credentials, no AAA alarm. If your identity hygiene program still has dormant accounts with VPN entitlement on the box, you are carrying a loaded weapon for an attacker who does not need to guess a password.

    Then the actor dropped FIRESTARTER. The agency patched the CVEs per ED 25-03. The actor came back in March 2026, using FIRESTARTER to re-deploy LINE VIPER without touching the original vulnerabilities. That is the reason this report exists. Patching closed the front door. FIRESTARTER had already built a side door and filled in the blueprints.

    Why your SIEM cannot see this

    LINE VIPER hooks syslog. It suppresses specific message IDs. It intercepts CLI commands before they reach the logging subsystem. It can intentionally crash the device to frustrate forensics. FIRESTARTER hides its own stderr. The device lies to you on purpose.

    That is why CISA directs federal agencies to collect a core dump and submit it to their Malware Next Generation platform. Not a syslog export. Not a pcap. A core dump. CISA’s own YARA rules, reproduced in the MAR as CISA_261290_01 and CISA_261290_02, run against the dump. Rule one matches on the specific byte signatures of the injector plus the hardcoded paths /opt/cisco/platform/logs/var/log/, /opt/cisco/config/platform/rmdb/, /var/run/runlevel, /proc/%s/comm, /proc/%d/maps, and /asa/bin/lina. Rule two matches the shellcode itself.

    If you are a federal agency, CISA wants the dump first, guidance second, and unplug only on their signal. Everyone else can apply the YARA rules themselves against a disk image or core dump obtained through a Cisco TAC case.

    What defenders can still see

    The device is blind to itself after implant. The network around the device is not. Four categories of telemetry are still useful.

    • Pre-implant exploitation. Requests to /+CSCOE+/, /+CSCOU+/, or WebVPN endpoints that succeed without an auth header, or POSTs with oversized bodies or anomalous group-select and host-scan-reply content. Upstream proxies, load balancers, and network IDS see this. The ASA may not log it once the implant is in.
    • Identity. Any VPN success on an AD-disabled account, an HR-termed account, or an account dormant more than ninety days. MILBERT catches this pattern independent of whether the device has been silenced.
    • Flow reconciliation. A VPN session that appears in NetFlow or downstream firewall state tables with no matching AAA accounting record in the expected window. The device may lie. RADIUS does not.
    • Integrity anomalies. Unscheduled reboots. Sudden drops in syslog volume that do not match a drop in traffic. Parsed show memory region output showing more than one executable region in lina, or any region exactly 0x1000 bytes. Cisco Talos called that last one out explicitly in the original ArcaneDoor guidance and it still holds.
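The flow reconciliation bullet above, as an added example that is not part of the original post or the detection pack: flow-side VPN sessions are matched against RADIUS accounting Start records from the AAA server, and any session without a Start in the expected window is raised. Record layouts and field names are assumptions, and every record is constructed.

```python
"""Flow-to-auth reconciliation: VPN sessions seen in NetFlow or downstream
state tables with no RADIUS accounting Start from the same client within the
expected window. Added example, not the detection pack's own logic; record
layouts and field names are assumptions and all records are constructed."""
from datetime import datetime, timedelta

# Constructed flow-side view: client IP and when the VPN session first appeared.
FLOW_SESSIONS = [
    {"client_ip": "203.0.113.10", "first_seen": "2026-03-11T02:14:05Z"},
    {"client_ip": "203.0.113.44", "first_seen": "2026-03-11T02:20:40Z"},
    {"client_ip": "198.51.100.7", "first_seen": "2026-03-11T03:02:11Z"},
]

# Constructed RADIUS accounting records taken from the AAA server, not the ASA.
AAA_RECORDS = [
    {"user": "jdoe", "calling_ip": "203.0.113.10", "status": "Start",
     "time": "2026-03-11T02:13:58Z"},
    {"user": "ops-svc", "calling_ip": "198.51.100.7", "status": "Stop",
     "time": "2026-03-11T01:55:00Z"},            # a Stop, not a Start
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def reconcile(flows, aaa, window_s=120, skew_s=30):
    """Return client IPs whose session has no Acct-Status-Type=Start from the
    same IP in [first_seen - window_s, first_seen + skew_s]; the Start should
    precede the first flow, skew_s tolerates clock drift between sources."""
    starts = [(r["calling_ip"], _ts(r["time"]))
              for r in aaa if r["status"] == "Start"]
    unmatched = []
    for f in flows:
        seen = _ts(f["first_seen"])
        lo, hi = seen - timedelta(seconds=window_s), seen + timedelta(seconds=skew_s)
        if not any(ip == f["client_ip"] and lo <= t <= hi for ip, t in starts):
            unmatched.append(f["client_ip"])
    return unmatched


if __name__ == "__main__":
    for ip in reconcile(FLOW_SESSIONS, AAA_RECORDS):
        print(f"ALERT: no AAA accounting Start for VPN session from {ip}")
```

Run against real data, the AAA side must come from the RADIUS server's own logs, since the point of the check is that the device's view is untrusted.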

    What we shipped today

    The ThreatHunter.ai Detection Pack for AR26-113A is live. It is an Argillite-format YAML pack with seven sections.

    • Section one reproduces both CISA YARA rules verbatim, tagged for application to core dumps and disk images.
    • Section two covers pre-implant exploitation signals for CVE-2025-20333 and CVE-2025-20362, including Snort coverage against Cisco rules 65340 and 46897.
    • Section three covers identity: VPN success on dormant or termed accounts, flow-to-auth reconciliation, and AAA accounting gap detection.
    • Section four covers device integrity: unexpected reboot detection, syslog-versus-flow volume ratio analysis, and scheduled parsing of show checkheaps and show memory region output.
    • Section five covers post-compromise re-access, including WebVPN group-select reappearance on patched devices and sustained ICMP tunneling to or from ASA and FTD devices.
    • Section six is posture: TACT-IO-driven CVE coverage, secure-boot-missing ASA 5500-X identification, privileged-account rotation status, legacy TACACS+ without TLS 1.3, and dormant accounts still holding VPN entitlement.
    • Section seven is response, including the exact sequence of actions required before and after any remediation: preserve show-command output, preserve core dump, run YARA, report to CISA or NCSC, and only then consider the hard power cycle under agency direction.
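Section four's memory-region check, written out as an added example (not the pack's own parser): the two conditions from the Talos guidance cited above, more than one executable region in lina or any region exactly 0x1000 bytes, applied to parsed show memory region output. It assumes the output follows the /proc/<pid>/maps column layout, which is the file the advisory's own /proc/%d/maps path refers to; both samples are constructed.

```python
"""Parse 'show memory region' output and apply the two integrity checks the
post cites from the ArcaneDoor guidance: more than one executable region in
lina, or any region exactly 0x1000 bytes. Added example, not the pack's own
parser; it assumes the output uses the /proc/<pid>/maps column layout
(start-end perms offset dev inode path), and both samples are constructed."""
import re

CLEAN = """\
Address Perms Offset Dev Inode Pathname
00400000-0ac2c000 r-xp 00000000 fd:00 1234 /asa/bin/lina
0ae2c000-0b0c0000 rw-p 0a82c000 fd:00 1234 /asa/bin/lina
7f2a1d000000-7f2a1d2a5000 r-xp 00000000 fd:00 5678 /usr/lib64/libstdc++.so.6
"""
# Same device with one extra single-page executable region attributed to lina.
SAMPLE = CLEAN + "7f2a1c3d4000-7f2a1c3d5000 r-xp 00000000 00:00 0 /asa/bin/lina\n"

# Tolerates "start-end" or "start end", with or without 0x prefixes.
LINE_RE = re.compile(
    r"^\s*(?:0x)?([0-9a-fA-F]+)[-\s]+(?:0x)?([0-9a-fA-F]+)\s+([r-][w-][x-][ps])\b(.*)$")


def parse_regions(text):
    """Return one dict per region: start, end, size, perms, path ('' if anonymous)."""
    regions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # header or unrelated CLI output
        start, end = int(m.group(1), 16), int(m.group(2), 16)
        tail = m.group(4).split()
        path = tail[-1] if tail and tail[-1][0] in "/[" else ""
        regions.append({"start": start, "end": end, "size": end - start,
                        "perms": m.group(3), "path": path})
    return regions


def integrity_findings(text):
    """Return human-readable findings; an empty list means both checks passed."""
    regions = parse_regions(text)
    findings = []
    lina_exec = [r for r in regions if "lina" in r["path"] and "x" in r["perms"]]
    if len(lina_exec) > 1:
        findings.append(f"{len(lina_exec)} executable regions mapped for lina")
    for r in regions:
        if r["size"] == 0x1000:
            findings.append(f"region at 0x{r['start']:x} is exactly 0x1000 bytes")
    return findings


if __name__ == "__main__":
    for finding in integrity_findings(SAMPLE):
        print("ALERT:", finding)
```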

    Do this before Monday

    Four actions. In order.

    1. Inventory every Cisco ASA, FTD, and Firepower device on your network. Flag everything that is internet-facing. Flag every ASA 5500-X series device that does not support secure boot and plan its replacement. TACT-IO will do the identification. The replacement is a finance conversation.
    2. Run the access hygiene sweep. Pull every account that has VPN entitlement on any of those boxes. Cross-reference against AD disabled state, HR leaver feed, and last interactive login. Anything past ninety days dormant gets its VPN entitlement revoked today, not next sprint. This is the specific identity abuse pattern named in AR26-113A.
    3. If you have any reason to suspect compromise, before you patch again, before you reboot, before you touch the config, collect a core dump and the full show checkheaps and show tech-support detail output. Save them off-device. Apply the CISA YARA rules. If you are an FCEB agency, stop there and call CISA. If you are not, you can run the rules yourself and proceed based on the result.
    4. Subscribe to the dynamic feed that tracks active ArcaneDoor infrastructure. Static IP lists will not hold. The threat actor here is the same one Talos has been tracking as UAT4356 since December 2023 and Microsoft tracks as Storm-1849. They are patient, resourced, and specifically targeting perimeter devices because those devices have no EDR.
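The access hygiene sweep in step 2, as an added example that is not the pack's own logic: every account with VPN entitlement is cross-referenced against AD disabled state, the HR leaver feed and last interactive login, and anything past the ninety-day dormancy line comes back with the reasons its entitlement should be revoked. The feed formats and all accounts are constructed assumptions.

```python
"""Access hygiene sweep from step 2: cross-reference VPN entitlement against
AD disabled state, the HR leaver feed and last interactive login, and mark
every entitlement to revoke with its reasons. Added example, not the pack's
own logic; feed layouts are assumptions and all accounts are constructed."""
from datetime import datetime, timedelta

AS_OF = datetime(2026, 4, 24)
DORMANT_DAYS = 90

# Constructed feeds: entitlement from the ASA/FTD group-policy export,
# disabled state from AD, leavers from HR, last login from the IdP.
VPN_ENTITLED = ["alice", "bob", "carol", "dave", "svc-backup"]
AD_DISABLED = {"bob"}
HR_LEAVERS = {"carol", "bob"}
LAST_LOGIN = {
    "alice": datetime(2026, 4, 20),
    "bob": datetime(2025, 9, 2),
    "dave": datetime(2025, 12, 1),     # 144 days before AS_OF
    # carol and svc-backup have no recorded interactive login at all
}


def sweep(entitled, disabled, leavers, last_login,
          as_of=AS_OF, dormant_days=DORMANT_DAYS):
    """Return {account: [reasons]} for every VPN entitlement to revoke today.
    An account with no recorded login is treated as dormant, not as unknown."""
    cutoff = as_of - timedelta(days=dormant_days)
    revoke = {}
    for acct in entitled:
        reasons = []
        if acct in disabled:
            reasons.append("ad-disabled")
        if acct in leavers:
            reasons.append("hr-leaver")
        seen = last_login.get(acct)
        if seen is None:
            reasons.append("no-recorded-login")
        elif seen < cutoff:
            reasons.append(f"dormant-{(as_of - seen).days}d")
        if reasons:
            revoke[acct] = reasons
    return revoke


if __name__ == "__main__":
    for acct, why in sweep(VPN_ENTITLED, AD_DISABLED, HR_LEAVERS, LAST_LOGIN).items():
        print(f"REVOKE {acct}: {', '.join(why)}")
```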

    Bottom line

    The full-text direction from CISA to a victim organization in this MAR reads, in plain terms: pull the plug. That is a remarkable thing to read in a federal advisory. It is also correct. When persistence lives below your operating system and inside the binary that implements the device’s core logic, the only way to be sure it is gone is to remove the power that holds it in memory.

    Firepower is not supposed to be the breach. It is supposed to be what prevents the breach. When the security boundary becomes the persistent foothold, you do not get to trust the device anymore. You replace it, or you do the work to confirm it.

    The detection pack is available to ThreatHunter.ai ARGOS, MILBERT, TACT-IO, and VIZIUM customers today, and to partners through the MSP Program portal. If you think you might be in scope for this one, call us. We will run the YARA rules against a core dump with you, and we will help you figure out whether the device needs to keep running or needs to be unplugged.

    ThreatHunter.ai • Brea, CA • Detection Pack: TH-DP-AR26-113A • Argillite v1.0.0 • Covers CISA AR26-113A, NCSC RayInitiator/LINE VIPER MAR, Cisco ASA/FTD CVE-2025-20333 and CVE-2025-20362