
ArcaneDoor
2024 UAT-4356 espionage campaign on Cisco network devices; predecessor operation that evolved into FIRESTARTER.
Last refreshed: 30 April 2026 · Appears in 1 active topic
How did ArcaneDoor teach UAT-4356 to build a backdoor that survives every patch?
Timeline for ArcaneDoor
Mentioned in: UAT-8616 keeps Cisco SD-WAN under fire
Cybersecurity: Threats and DefencesMentioned in: FIRESTARTER implant survives every Cisco firewall patch
Cybersecurity: Threats and DefencesWhat was the ArcaneDoor Cisco attack and who was responsible?
How is ArcaneDoor different from the FIRESTARTER Cisco backdoor?
Is ArcaneDoor linked to the same actors behind FIRESTARTER?
Background
ArcaneDoor was a nation-state espionage campaign targeting Cisco network edge devices, publicly disclosed in 2024 and attributed to the government-backed threat actor UAT-4356 by Cisco Talos. The campaign used volatile-memory-resident implants on Cisco ASA and Firepower appliances — malicious code loaded into RAM that a standard device reboot could clear. ArcaneDoor demonstrated that Cisco perimeter devices were being actively targeted by a sophisticated state-linked adversary, prompting Cisco and US-UK agencies to issue remediation guidance.
ArcaneDoor is the confirmed predecessor to FIRESTARTER. UAT-4356's escalation from ArcaneDoor's volatile-memory approach to FIRESTARTER's boot-sequence persistence shows a deliberate capability investment: having seen that reboots would evict its ArcaneDoor implants, the actor developed a boot-sequence hook that survives all conventional remediation. The September 2025 patches Cisco issued for FIRESTARTER's initial-access CVEs (CVE-2025-20333 and CVE-2025-20362) were adopted precisely in response to lessons from ArcaneDoor-era intrusion patterns.
For defenders, ArcaneDoor established the pattern that UAT-4356 targets Cisco edge devices in sustained multi-year campaigns, escalating persistence capability between generations. The 2024-to-2026 progression suggests a research-and-development cycle timed to pre-empt the defensive adjustments each advisory provokes.
ArcaneDoor is the name assigned by Cisco Talos to a 2024 espionage campaign targeting Cisco ASA and Firepower network edge devices, attributed to the government-backed threat actor UAT-4356. The campaign used volatile-memory-resident implants evictable by standard reboot. It was disclosed publicly in 2024 and is now understood as the predecessor operation to the boot-sequence-persistent FIRESTARTER implant disclosed in 2026.