rter "considerably overlaps" with **RayInitiator's Stage 3 shellcode** from the earlier ArcaneDoor campaign. The NCSC previously detailed RayInitiator and its companion malware **Line Viper** in a joint report. The techniques, the targets, and the tradecraft all point to a long-running, patient espionage operation aimed at persistent access to high-value networks.

## What This Means for Network Security

Firestarter exposes a fundamental assumption that many security teams operate under: **patching fixes the problem.** It doesn't. Not when the attacker has already established persistent access that lives outside the scope of the vulnerability you just patched.

### The New Rules of Perimeter Security

**1. Patch ≠ Clean**

Applying a patch closes the door, but doesn't evict the burglar already inside. For network edge devices — firewalls, VPN concentrators, load balancers — a patch without forensic validation is incomplete incident response.

**2. Reboot ≠ Remediate**

Firestarter explicitly defeats the standard "patch and reboot" remediation playbook. Security teams need to verify whether a reboot actually cleared an implant, not just assume it did.

**3. Core Dumps Are Evidence**

CISA's directive to collect and analyze device core dumps is instructive. Memory forensics on network appliances isn't a nice-to-have — for critical infrastructure, it's becoming mandatory. The implant lives in memory, not on disk. You won't find it with file integrity monitoring.

**4. Network Edge Devices Are Prime Targets**

Firewalls, VPNs, and perimeter appliances have become the new battleground. They sit at the boundary, process all traffic, and often run complex software with web interfaces. UAT-4356 isn't alone in targeting them — multiple APT groups have shifted focus to these high-value, often under-monitored devices.

## How to Detect and Respond

### Detection

CISA and NCSC released YARA rules for detecting Firestarter against disk images or core dumps.
Key indicators include:

- Modifications to `CSP_MOUNT_LIST`
- Presence of files at `/opt/c