
ArcaneDoor
2024 UAT-4356 espionage campaign on Cisco network devices; predecessor operation that evolved into FIRESTARTER.
Last refreshed: 30 April 2026
- What was the ArcaneDoor Cisco attack and who was responsible?
- ArcaneDoor was a 2024 espionage campaign by the government-backed threat actor UAT-4356 targeting Cisco ASA and Firepower network edge devices. The campaign used volatile-memory-resident implants that a standard device reboot could remove. It was identified and disclosed by Cisco Talos. Source: Cisco Talos / CISA
- How is ArcaneDoor different from the FIRESTARTER Cisco backdoor?
- ArcaneDoor (2024) used volatile-memory implants cleared by rebooting the device. FIRESTARTER (2025-2026) embeds in the boot sequence and survives all reboots and patches; only a hard power cycle evicts it. Both campaigns were conducted by UAT-4356, with FIRESTARTER representing a direct capability escalation from ArcaneDoor. Source: CISA/NCSC advisory AA26-113A
- Is ArcaneDoor linked to the same actors behind FIRESTARTER?
- Yes. Both ArcaneDoor (2024) and FIRESTARTER (2026) are attributed to UAT-4356, the same government-backed threat actor tracked by Cisco Talos. The two campaigns are understood as successive generations of the same long-running persistent-access operation against Cisco network edge devices. Source: CISA/NCSC advisory AA26-113A
Background
ArcaneDoor was a nation-state espionage campaign targeting Cisco network edge devices, publicly disclosed in 2024 and attributed to the government-backed threat actor UAT-4356 by Cisco Talos. The campaign used volatile-memory-resident implants on Cisco ASA and Firepower appliances — malicious code loaded into RAM that a standard device reboot could clear. ArcaneDoor demonstrated that Cisco perimeter devices were being actively targeted by a sophisticated state-linked adversary, prompting Cisco and US-UK agencies to issue remediation guidance.
ArcaneDoor is the confirmed predecessor to FIRESTARTER. UAT-4356's escalation from ArcaneDoor's volatile-memory approach to FIRESTARTER's boot-sequence persistence shows a deliberate capability investment: having seen that reboots would evict its ArcaneDoor implants, the actor developed a boot-sequence hook that survives all conventional remediation. The September 2025 patches Cisco issued for FIRESTARTER's initial-access CVEs (CVE-2025-20333 and CVE-2025-20362) were adopted precisely in response to lessons from ArcaneDoor-era intrusion patterns.
For defenders, ArcaneDoor established the pattern that UAT-4356 targets Cisco edge devices in sustained multi-year campaigns, escalating persistence capability between generations. The 2024-to-2026 progression suggests a research-and-development cycle timed to pre-empt the defensive adjustments each advisory provokes.
ArcaneDoor is the name assigned by Cisco Talos to a 2024 espionage campaign targeting Cisco ASA and Firepower network edge devices, attributed to the government-backed threat actor UAT-4356. The campaign used volatile-memory-resident implants evictable by standard reboot. It was disclosed publicly in 2024 and is now understood as the predecessor operation to the boot-sequence-persistent FIRESTARTER implant disclosed in 2026.