What if the malware on your network perimeter wasn't just hiding from your EDR — it was hiding from your entire incident response playbook? What if patching the vulnerability, rebooting the device, and declaring the threat neutralized was exactly what the attackers wanted you to do?

That's the story of **Firestarter** — a custom-built backdoor found on Cisco firewalls at a **U.S. federal agency**, discovered in April 2026, and it's unlike anything most security teams have dealt with before.

## The Backdoor That Doesn't Die

On **April 23, 2026**, CISA and the UK's National Cyber Security Centre (NCSC) jointly published a malware analysis report on Firestarter. Cisco Talos attributed it to **UAT-4356**, a China-linked threat actor behind the 2024 **ArcaneDoor** espionage campaign that targeted network perimeter devices.

Here's what makes Firestarter terrifying:

- It **survives firmware updates**
- It **survives standard reboots**
- It **reinstalls itself automatically** after a graceful reboot
- The **only way to clear it** is a hard power cycle — literally unplugging the device

> "A standard software reboot does not remove the implant. Only a hard reboot — physically disconnecting the device from its power supply — is sufficient to clear the persistence mechanism." — CISA/NCSC joint report

## How It Works: Persistence by Design

Firestarter targets Cisco Firepower and Secure Firewall devices running ASA or FTD software. The initial entry point was two n-day vulnerabilities: **CVE-2025-20333** (remote code execution in the VPN web server) and **CVE-2025-20362** (unauthorized access). These were patched by Cisco in September 2025.

But here's the kicker: **devices that were patched after being compromised remained infected.**

The persistence mechanism is elegantly devious. Firestarter manipulates the **Cisco Service Platform (CSP) mount list** — a configuration file that controls which programs execute during the device's boot sequence.
When the device receives a termination signal or enters a graceful reboot:

1. Firestarter copies itself to a backup location at `/opt/cisco/platform/logs/var/log/svc_samcore.log`
2. It updates the CSP_MOUNT_LIST to restore itself to `/usr/bin/lina_cs` after reboot
3. When the device comes back online, it re-executes and removes the traces of its persistence mechanism
4. It then injects itself into **LINA**, the core network processing engine of Cisco ASA/FTD appliances

This hook gives attackers arbitrary shell code execution inside the firewall's core process — complete remote control of the device that sits at the edge of your network.

And because the runlevel check (value 6 = reboot) triggers the transient persistence, a simple `reboot` command just re-infects the device. Only cutting power completely clears the memory-resident implant.

## CISA's Emergency Directive: The Timeline

This isn't theoretical. CISA issued **Emergency Directive 25-03** in September 2025, ordering federal agencies to patch vulnerable Cisco devices. In November, they updated guidance with additional mitigations.

On **April 23, 2026**, CISA updated the directive again with a stunning revelation: at least **one federal agency was confirmed infected**, and the backdoor had persisted since before September 2025 — through patching, through remediation, and into March 2026.

The updated directive requires:

- All federal agencies must submit **device core dumps** to CISA's Malware Next Generation portal by April 24, 2026
- **Hard-reset all affected devices** by April 30, 2026
- Immediately report any confirmed compromises to CISA's 24/7 Operations Center

Affected devices include:

- Firepower 1000, 2100, 4100, 9300 series
- Secure Firewall 200, 1200, 3100, 4200, 6100 series

## The Wider Campaign: Not Just One Agency

This isn't an isolated incident. The ArcaneDoor campaign — linked to the same threat actor — has been targeting network perimeter devices since at least 2024.
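Before moving on, it is worth turning the persistence chain described under "How It Works" into something a responder can actually run against a device artifact. The script below is an added example written for this article, not tooling from CISA, NCSC or Cisco. The two paths (`/opt/cisco/platform/logs/var/log/svc_samcore.log` and `/usr/bin/lina_cs`) come from the reporting quoted above; the `source -> destination` line format for the mount list, the sample mount list and the sample file inventory are assumptions constructed for the demo, since the real CSP format is not documented on this page. Beyond the two known paths, it also applies the general heuristic the mechanism suggests: an ELF binary stored under a log directory, or a mount entry that maps a log-directory file over an executable path, deserves a look regardless of the exact names.

```python
"""Triage helper for Firestarter-style boot persistence on Cisco ASA/FTD.

Added example for this article, not CISA/NCSC/Cisco code. Inputs are a
CSP mount list (one `source -> destination` entry per line; format assumed)
and a file inventory mapping path -> first bytes, as you might extract from
a core dump or filesystem image. All sample data below is constructed.
"""
import re
from dataclasses import dataclass

# Paths named in the CISA/NCSC reporting quoted by the article.
BACKUP_COPY = "/opt/cisco/platform/logs/var/log/svc_samcore.log"
RESTORE_TARGET = "/usr/bin/lina_cs"

# Generic heuristic: log directories should not hold, or feed, executables.
LOG_DIRS = ("/var/log/", "/logs/")
EXEC_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/")
ELF_MAGIC = b"\x7fELF"

# Assumed mount-list entry format for this example.
MOUNT_LINE = re.compile(r"^(?P<src>\S+)\s*->\s*(?P<dst>\S+)$")


@dataclass(frozen=True)
class Finding:
    source: str   # which artifact produced the finding
    locator: str  # mount-list line number or file path
    reason: str
    detail: str


def scan_mount_list(lines):
    """Flag boot-time mount entries that match known paths or the heuristic."""
    findings = []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if BACKUP_COPY in line or RESTORE_TARGET in line:
            findings.append(Finding("mount_list", f"line {n}",
                                    "known Firestarter path", line))
            continue
        m = MOUNT_LINE.match(line)
        if m and any(d in m["src"] for d in LOG_DIRS) \
                and m["dst"].startswith(EXEC_DIRS):
            findings.append(Finding("mount_list", f"line {n}",
                                    "log-directory source mounted over an executable path", line))
    return findings


def scan_inventory(inventory):
    """Flag files that are the known backup copy or executables hiding as logs."""
    findings = []
    for path, head in inventory.items():
        if path == BACKUP_COPY:
            findings.append(Finding("inventory", path,
                                    "known Firestarter backup copy present", path))
        elif any(d in path for d in LOG_DIRS) and head.startswith(ELF_MAGIC):
            findings.append(Finding("inventory", path,
                                    "ELF executable stored under a log directory", path))
    return findings


def triage(mount_lines, inventory):
    """Combine both scans and state the remediation the article's sources require."""
    findings = scan_mount_list(mount_lines) + scan_inventory(inventory)
    if findings:
        action = "hard power cycle required; a software reboot re-infects the device"
    else:
        action = "no Firestarter indicators found in the supplied artifacts"
    return findings, action


# Constructed sample artifacts (not captured from a real device).
SAMPLE_MOUNT_LIST = [
    "# constructed sample, not a real CSP mount list",
    "/opt/cisco/platform/bin/lina -> /usr/bin/lina",
    "/opt/cisco/platform/logs/var/log/svc_samcore.log -> /usr/bin/lina_cs",
    "/opt/cisco/platform/logs/var/log/cache.bin -> /usr/sbin/helper",
    "/opt/cisco/platform/etc/motd -> /etc/motd",
]
SAMPLE_INVENTORY = {
    "/opt/cisco/platform/logs/var/log/svc_samcore.log": b"\x7fELF\x02\x01\x01",
    "/opt/cisco/platform/logs/var/log/messages": b"Apr 23 ",
    "/usr/bin/lina": b"\x7fELF\x02\x01\x01",
}

if __name__ == "__main__":
    found, verdict = triage(SAMPLE_MOUNT_LIST, SAMPLE_INVENTORY)
    for f in found:
        print(f"[{f.source}] {f.locator}: {f.reason}")
    print(verdict)
```

The point of the `triage` verdict is the one the article keeps returning to: once any indicator is present, the playbook step is a physical power cycle plus the core-dump submission CISA asks for, not `reboot`, because the mount-list entry would simply reinstall the implant on the way back up.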
In May 2024, Cisco patched zero-days in ASA firewalls exploited by UAT-4356. A year later, two more zero-days (CVE-2025-20333 and CVE-2025-20362) were patched. Cisco Talos notes that Firesta