
UAT-4356
Government-backed threat actor that deployed FIRESTARTER and ArcaneDoor on Cisco edge devices.
Last refreshed: 30 April 2026
Did UAT-4356 already implant your Cisco firewall before the September 2025 patch landed?
Timeline for UAT-4356
- Deployed FIRESTARTER implant on Cisco ASA/Firepower devices using CVE-2025-20333 and CVE-2025-20362 for initial access
- Cybersecurity: Threats and Defences: FIRESTARTER implant survives every Cisco firewall patch; federal agency stayed compromised six months
- Cybersecurity: Threats and Defences, mentioned in: CL-STA-1132 exploited PAN-OS since 16 April, log destruction confirmed

- Who is behind the FIRESTARTER Cisco firewall implant?
- CISA and NCSC attribute FIRESTARTER to UAT-4356, the same government-backed actor responsible for the 2024 ArcaneDoor Cisco edge-device campaign. Cisco tracks the group as government-backed but declines to name a sponsoring state. (Source: CISA/NCSC joint advisory AA26-113A)
- What is the difference between ArcaneDoor and FIRESTARTER?
- ArcaneDoor (2024) used volatile-memory-resident code that a standard reboot could clear. FIRESTARTER hooks the device boot sequence and self-reinstalls during every reboot, surviving all patches; only a hard power-cut evicts it. (Source: CISA/NCSC joint advisory AA26-113A)
- How does UAT-4356 activate the FIRESTARTER implant remotely?
- UAT-4356 sends a magic packet, a crafted WebVPN authentication request with a secret prefix byte, to the compromised Cisco appliance. This triggers shellcode in memory without producing a continuous outbound beacon that network telemetry would catch. (Source: CISA/NCSC advisory AA26-113A)
- Which Cisco products are affected by UAT-4356 attacks?
- Cisco ASA (Adaptive Security Appliance) and Firepower Threat Defense (FTD) appliances are the confirmed targets. CVE-2025-20333 and CVE-2025-20362, both patched in September 2025, were the initial access vectors. (Source: CISA/NCSC advisory AA26-113A)
Background
UAT-4356 is the government-backed threat actor tracked by Cisco Talos that deployed the FIRESTARTER persistent implant on Cisco ASA and Firepower appliances, disclosed by CISA and NCSC in joint advisory AA26-113A on 24 April 2026. The actor chained CVE-2025-20333 (CVSS 9.9) and CVE-2025-20362 for initial access, both patched in September 2025. An unnamed US federal agency remained compromised for six months after applying those patches, the implant having re-embedded itself into the device boot sequence during each remediation reboot.
UAT-4356 is the same actor behind 2024's ArcaneDoor campaign, which also targeted Cisco edge devices but relied on volatile memory-resident code that a standard reboot could clear. FIRESTARTER represents a structural escalation: the implant hooks the device's pre-OS boot sequence, backs itself up before clean shutdowns, and activates via a magic-packet primitive, a crafted WebVPN authentication request with a secret prefix byte, that produces no continuous outbound beacon for network telemetry to detect. The companion implant Line Viper rides VPN sessions and bypasses authentication policy entirely. Cisco accepts that UAT-4356 is government-backed but declines to name a sponsoring state, the same hedged language it used after ArcaneDoor.
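The practical consequence of the persistence described in the FAQ and in the paragraph above is that "patched and rebooted" is not the same remediation state as "patched and power-cycled". The following is an added example (not code from the advisory, CISA/NCSC or Cisco) of a fleet check that applies the page's rule to a device event history: a device that was patched but has only ever been warm-rebooted since is flagged as possibly still implanted, a device with a hard power-cut after the patch is treated as cleared, and a device with no patch event is still exposed to the initial-access CVEs. The device names, dates and event kinds are constructed sample data; the page gives no event schema, so the `Event` record and its `kind` values are assumptions.

```python
"""Fleet remediation-state check for a boot-sequence implant that survives warm reboots.

Added example, not from the advisory or the vendor. Assumptions (labelled):
- the event schema (patch / reboot / power_cut) and all sample records are constructed;
- per the page, a warm reboot does not evict the implant, only a hard power-cut does,
  so a patched device without a later power-cut is treated as possibly still implanted.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Event:
    device: str
    when: date
    kind: str  # "patch" (fix applied), "reboot" (warm reload) or "power_cut" (hard power removal)


# Constructed sample fleet history; not real devices or dates from the advisory.
SAMPLE_EVENTS = [
    Event("asa-edge-01", date(2025, 10, 2), "patch"),
    Event("asa-edge-01", date(2025, 10, 2), "reboot"),       # reload after patching
    Event("asa-edge-01", date(2026, 1, 15), "reboot"),       # another warm reboot, no power-cut
    Event("ftd-dc-02", date(2025, 10, 3), "patch"),
    Event("ftd-dc-02", date(2025, 10, 3), "reboot"),
    Event("ftd-dc-02", date(2026, 4, 26), "power_cut"),      # hard power-cut after the patch
    Event("asa-branch-03", date(2025, 8, 20), "power_cut"),  # power-cut before any patch: no patch at all
    Event("asa-lab-04", date(2025, 11, 5), "reboot"),        # rebooted but never patched
]


def assess(events, today):
    """Return {device: (status, days)}.

    status is one of:
      "unpatched"                      - no patch event; still exposed to the initial-access CVEs
      "patched_but_possibly_implanted" - patched, but no hard power-cut since; days = days in that state
      "patched_and_power_cycled"       - a power-cut occurred on/after the patch date; days = gap between them
    """
    by_device = defaultdict(list)
    for e in events:
        by_device[e.device].append(e)

    result = {}
    for dev, evs in by_device.items():
        evs.sort(key=lambda e: e.when)
        patches = [e for e in evs if e.kind == "patch"]
        if not patches:
            result[dev] = ("unpatched", None)
            continue
        patched_on = patches[0].when
        # Only a hard power-cut on or after the patch date counts; warm reboots are ignored.
        cuts = [e for e in evs if e.kind == "power_cut" and e.when >= patched_on]
        if cuts:
            result[dev] = ("patched_and_power_cycled", (cuts[0].when - patched_on).days)
        else:
            result[dev] = ("patched_but_possibly_implanted", (today - patched_on).days)
    return result


def needs_power_cut(assessment):
    """Devices that were patched but never hard power-cycled afterwards."""
    return sorted(d for d, (status, _) in assessment.items()
                  if status == "patched_but_possibly_implanted")


def still_unpatched(assessment):
    """Devices with no patch event at all."""
    return sorted(d for d, (status, _) in assessment.items() if status == "unpatched")


if __name__ == "__main__":
    report = assess(SAMPLE_EVENTS, date(2026, 4, 30))
    for dev, (status, days) in sorted(report.items()):
        print(f"{dev:15} {status:32} {days if days is not None else '-'}")
    print("needs hard power-cut:", needs_power_cut(report))
    print("still unpatched:     ", still_unpatched(report))
```

The check is deliberately conservative: a power-cut that happened before the patch is ignored, because the page's scenario is an implant that re-enters on every reboot of a still-vulnerable device, so only a power-cut after the fixed software is in place is treated as evicting it.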
UAT-4356 operates on a multi-year persistent access strategy. The escalation from ArcaneDoor's volatile-memory persistence to FIRESTARTER's boot-sequence hooks shows a deliberate capability investment timed to survive the patch cycles organisations adopted in response to 2024's disclosures.
UAT-4356 is a government-backed advanced persistent threat (APT) actor tracked by Cisco Talos. The group specialises in persistent-access operations against enterprise network edge devices, particularly Cisco ASA and Firepower appliances. First identified publicly via the 2024 ArcaneDoor campaign, UAT-4356 escalated its capability with the FIRESTARTER boot-sequence implant disclosed in April 2026. Neither CISA nor NCSC has formally attributed the actor to a named nation-state in published advisories.