
UAT-4356
Government-backed threat actor that deployed FIRESTARTER and ArcaneDoor on Cisco edge devices.
Last refreshed: 30 April 2026 · Appears in 1 active topic
Did UAT-4356 already implant your Cisco firewall before the September 2025 patch landed?
Timeline for UAT-4356
Mentioned in: UAT-8616 keeps Cisco SD-WAN under fire
Cybersecurity: Threats and DefencesDeployed FIRESTARTER implant on Cisco ASA/Firepower devices using CVE-2025-20333 and CVE-2025-20362 for initial access
Cybersecurity: Threats and Defences: FIRESTARTER implant survives every Cisco firewall patchFederal agency stayed compromised six months
Cybersecurity: Threats and DefencesMentioned in: CL-STA-1132 exploited PAN-OS since 16 April, log destruction confirmed
Cybersecurity: Threats and DefencesWho is behind the FIRESTARTER Cisco firewall implant?
What is the difference between ArcaneDoor and FIRESTARTER?
How does UAT-4356 activate the FIRESTARTER implant remotely?
Background
UAT-4356 is the government-backed threat actor tracked by Cisco Talos that deployed the FIRESTARTER persistent implant on Cisco ASA and Firepower appliances, disclosed by CISA and NCSC in joint advisory AA26-113A on 24 April 2026. The actor chained CVE-2025-20333 (CVSS 9.9) and CVE-2025-20362 for initial access, both patched in September 2025. An unnamed US federal agency remained compromised for six months after applying those patches, the implant having re-embedded itself into the device boot sequence during each remediation reboot.
UAT-4356 is the same actor behind 2024's ArcaneDoor campaign, which also targeted Cisco edge devices but relied on volatile memory-resident code that a standard reboot could clear. FIRESTARTER represents a structural escalation: the implant hooks the device's pre-OS boot sequence, self-backs-up before clean shutdowns, and activates via a magic-packet primitive — a crafted WebVPN authentication request with a secret prefix byte — that produces no continuous outbound beacon for network telemetry to detect. The companion implant Line Viper rides VPN sessions and bypasses authentication policy entirely. Cisco accepts UAT-4356 is government-backed but declines to name a sponsoring state, the same hedged language used after ArcaneDoor.
UAT-4356 operates on a multi-year persistent access strategy. The escalation from ArcaneDoor's volatile-memory persistence to FIRESTARTER's boot-sequence hooks shows a deliberate capability investment timed to survive the patch cycles organisations adopted in response to 2024's disclosures.
UAT-4356 is a government-backed advanced persistent threat (APT) actor tracked by Cisco Talos. The group specialises in persistent-access operations against enterprise network edge devices, particularly Cisco ASA and Firepower appliances. First identified publicly via the 2024 ArcaneDoor campaign, UAT-4356 escalated its capability with the FIRESTARTER boot-sequence implant disclosed in April 2026. Neither CISA nor NCSC has formally attributed the actor to a named nation-state in published advisories.