The malware framework targets web applications and cloud environments, including AWS, Docker, Kubernetes, and more.
The post โPCPJackโ Worm Removes TeamPCP Infections, Steals Credentials appeared first on SecurityWeek.
The software developer has identified the impacted systems, removed potentially compromised files, and validated installation packages.
The post Vendor Says Daemon Tools Supply Chain Attack Contained appeared first on SecurityWeek.
The persistent, evasive implant provides remote access, surveillance, and credential exfiltration capabilities.
The post Sophisticated Quasar Linux RAT Targets Software Developers appeared first on SecurityWeek.
Hackers delivered malware via a customer chat channel, infected an analystโs system, and accessed the internal support portal.
The post DigiCert Revokes Certificates After Support Portal Hack appeared first on SecurityWeek.
The stealthy Python-based backdoor framework deploys a persistent Windows implant likely designed for espionage.
The post Sophisticated Deep#Door Backdoor Enables Espionage, Disruption appeared first on SecurityWeek.
Threat actors are relying on social engineering to lure users into downloading files containing malicious instructions.
The post Hugging Face, ClawHub Abused for Malware Distribution appeared first on SecurityWeek.
The threat actor infected victims with the Snow malware family โ Snowbelt, Snowglaze, and Snowbasin โ for persistent access.
The post UNC6692 Uses Email Bombing, Social Engineering to Deploy โSnowโ Malware appeared first on SecurityWeek.
It targeted high-precision calculation software to tamper with results and packed a self-propagation mechanism.
The post Pre-Stuxnet Sabotage Malware โFast16โ Linked to US-Iran Cyber Tensions appeared first on SecurityWeek.
A state-sponsored hacking group has implanted a custom backdoor on Cisco network security devices that can survive firmware updates and standard reboots, U.S. and British cybersecurity authorities disclosed Thursday, marking a significant escalation in a campaign that has targeted government and critical infrastructure networks since at least late 2025.
The Cybersecurity and Infrastructure Security Agency and the United Kingdomโs National Cyber Security Centre jointly published a malware analysis report identifying the backdoor, code-named Firestarter. Ciscoโs threat intelligence division, Talos, attributed the malware to a threat actor it tracks as UAT-4356. The company attributed the same group to a 2024 espionage campaign called ArcaneDoor, which focused on compromising network perimeter devices.
CISA confirmed it discovered Firestarter on a U.S. federal civilian agencyโs Cisco Firepower device after identifying suspicious connections through continuous network monitoring. The finding prompted an updated emergency directive issued Thursday, requiring all federal civilian agencies to audit their Cisco firewall infrastructure and submit device memory snapshots for analysis by Friday.
The central concern driving the updated directive is the attack groupโs ability to persist on compromised devices, even after enterprises applied security patches Cisco released in September 2025. Those patches addressed two vulnerabilities โ CVE-2025-20333, a remote code execution flaw in the VPN web server component, and CVE-2025-20362, an unauthorized access vulnerability โ that UAT-4356 exploited to gain initial entry. According to CISA, devices compromised before patching may still harbor the implant.
Firestarter allows attackers to achieve persistence by manipulating the Cisco Service Platform mount list, a configuration file that governs which programs execute during the deviceโs boot sequence. When the device receives a termination signal or enters a reboot, the malware copies itself to a secondary location and rewrites the mount list to restore and relaunch itself after the system comes back online.ย
Critically, a standard software reboot does not remove the implant. Only a hard reboot โ physically disconnecting the device from its power supply โ is sufficient to clear the persistence mechanism from memory, according to both CISA and Cisco.
From there, the malware injects malicious shellcode into LINA, the core networking and firewalling code of Ciscoโs Adaptive Security Appliance and Firepower Threat Defense software. Once embedded, the malware intercepts a specific type of network request normally used for VPN authentication. When a request arrives containing a hidden trigger sequence, it executes code supplied by the attackers, giving them a backdoor into the device.
Cisco Talos noted that Firestarter shares significant technical similarities with a previously documented implant called RayInitiator, suggesting the tools share a common origin or development history within UAT-4356โs arsenal.
In the federal agency incident analyzed by CISA, the attackers first deployed a separate implant, called Line Viper, to gain access to device configurations, credentials, and encryption keys. Firestarter was installed shortly after, prior to Ciscoโs September 2025 patches being applied to those specific devices. When the agency patched its systems, Firestarter stayed on the devices, and the actors used it to then redeploy Line Viper in March, nearly six months after the initial breach.
Cisco and CISA did not attribute the espionage attacks to a specific nation state, but Censys researchers previously said it found compelling evidence indicating a threat group based in China was behind the ArcaneDoor campaign. Censys noted it found evidence of multiple major Chinese networks and Chinese-developed anti-censorship software during its investigation into the early 2024 attacks.
The persistence vulnerability affects a broad range of Cisco hardware, including the Firepower 1000, 2100, 4100, and 9300 series, as well as the Secure Firewall 1200, 3100, and 4200 series.
Cisco has released updated software to address the persistence mechanism, though the company strongly recommends reimaging affected devices rather than relying solely on software updates where compromise is suspected.
The incident reflects a pattern increasingly seen among state-linked hackers: targeting the network edge devices that organizations rely on to enforce security boundaries. Because these appliances sit at the perimeter of enterprise and government networks, compromising them can expose internal traffic and give attackers a position to intercept credentials and communications.
CISA acknowledged active exploitation of the underlying vulnerabilities was ongoing at the time of publication.
A Cisco spokesperson told CyberScoop that customers needing assistance should contact Cisco Technical Assistance for support. CISA did not respond to a request for comment.ย
The post US, UK agencies warn hackers were hiding on Cisco firewalls long after patches were applied appeared first on CyberScoop.
Login