
US, UK agencies warn hackers were hiding on Cisco firewalls long after patches were applied

A state-sponsored hacking group has implanted a custom backdoor on Cisco network security devices that can survive firmware updates and standard reboots, U.S. and British cybersecurity authorities disclosed Thursday, marking a significant escalation in a campaign that has targeted government and critical infrastructure networks since at least late 2025.

The Cybersecurity and Infrastructure Security Agency and the United Kingdom’s National Cyber Security Centre jointly published a malware analysis report identifying the backdoor, code-named Firestarter. Cisco’s threat intelligence division, Talos, attributed the malware to a threat actor it tracks as UAT-4356. The company had previously attributed a 2024 espionage campaign called ArcaneDoor, which focused on compromising network perimeter devices, to the same group.

CISA confirmed it discovered Firestarter on a U.S. federal civilian agency’s Cisco Firepower device after identifying suspicious connections through continuous network monitoring. The finding prompted an updated emergency directive issued Thursday, requiring all federal civilian agencies to audit their Cisco firewall infrastructure and submit device memory snapshots for analysis by Friday.

A backdoor that outlasts patches

The central concern driving the updated directive is the attack group’s ability to persist on compromised devices, even after enterprises applied security patches Cisco released in September 2025. Those patches addressed two vulnerabilities — CVE-2025-20333, a remote code execution flaw in the VPN web server component, and CVE-2025-20362, an unauthorized access vulnerability — that UAT-4356 exploited to gain initial entry. According to CISA, devices compromised before patching may still harbor the implant.

Firestarter allows attackers to achieve persistence by manipulating the Cisco Service Platform mount list, a configuration file that governs which programs execute during the device’s boot sequence. When the device receives a termination signal or enters a reboot, the malware copies itself to a secondary location and rewrites the mount list to restore and relaunch itself after the system comes back online. 

Critically, a standard software reboot does not remove the implant. Only a hard reboot — physically disconnecting the device from its power supply — is sufficient to clear the persistence mechanism from memory, according to both CISA and Cisco.

From there, the malware injects malicious shellcode into LINA, the core networking and firewalling code of Cisco’s Adaptive Security Appliance and Firepower Threat Defense software. Once embedded, the malware intercepts a specific type of network request normally used for VPN authentication. When a request arrives containing a hidden trigger sequence, it executes code supplied by the attackers, giving them a backdoor into the device.

Ties to ongoing campaign

Cisco Talos noted that Firestarter shares significant technical similarities with a previously documented implant called RayInitiator, suggesting the tools share a common origin or development history within UAT-4356’s arsenal.

In the federal agency incident analyzed by CISA, the attackers first deployed a separate implant, called Line Viper, to gain access to device configurations, credentials, and encryption keys. Firestarter was installed shortly after, prior to Cisco’s September 2025 patches being applied to those specific devices. When the agency patched its systems, Firestarter stayed on the devices, and the actors used it to then redeploy Line Viper in March, nearly six months after the initial breach.

Cisco and CISA did not attribute the espionage attacks to a specific nation state, but Censys researchers previously said they had found compelling evidence that a threat group based in China was behind the ArcaneDoor campaign. Censys noted that its investigation into the early 2024 attacks turned up evidence of multiple major Chinese networks and Chinese-developed anti-censorship software.

The persistence mechanism affects a broad range of Cisco hardware, including the Firepower 1000, 2100, 4100, and 9300 series, as well as the Secure Firewall 1200, 3100, and 4200 series.

Cisco has released updated software to address the persistence mechanism, though the company strongly recommends reimaging affected devices rather than relying solely on software updates where compromise is suspected.

The incident reflects a pattern increasingly seen among state-linked hackers: targeting the network edge devices that organizations rely on to enforce security boundaries. Because these appliances sit at the perimeter of enterprise and government networks, compromising them can expose internal traffic and give attackers a position to intercept credentials and communications.

CISA acknowledged active exploitation of the underlying vulnerabilities was ongoing at the time of publication.

A Cisco spokesperson told CyberScoop that customers needing assistance should contact Cisco Technical Assistance for support. CISA did not respond to a request for comment. 

The post US, UK agencies warn hackers were hiding on Cisco firewalls long after patches were applied appeared first on CyberScoop.

Cybercriminals and nation-state groups are exploiting a six-month old WinRAR defect

Google Threat Intelligence Group warned that a diverse and growing collection of attackers, including nation-state groups and financially motivated cybercriminals, are exploiting a path-traversal vulnerability affecting WinRAR that was disclosed and patched six months ago.

The high-severity vulnerability — CVE-2025-8088 — was exploited in the wild almost two weeks before RARLAB, the vendor behind the file archiver tool, addressed the vulnerability in a software update in late July. 

Active exploitation of the vulnerability has consistently extended to more threat groups during the past six months and remains ongoing. Google threat hunters have attributed attacks to at least three financially motivated attackers, four Russian state-sponsored groups and one attacker based in China. 

“Government-backed threat actors linked to Russia and China as well as financially motivated threat actors continue to exploit this n-day across disparate operations,” Google said in a threat intelligence report Tuesday. Researchers did not say how many attacks are linked to the vulnerability but described the activity as widespread.

Nation-state groups are consistently exploiting the defect to target victims in the military, government and technology sectors for espionage, researchers said. Groups backed by Russia are targeting Ukrainian military and government entities, while the China-based attacker’s targets remain unknown. 

Cybercriminals are swarming to exploit the vulnerability, too. Google traced campaigns back to groups that previously targeted victims in Indonesia, Latin America and Brazil. Cybercrime groups exploited the vulnerability in December and January to deploy malware, including remote access trojans and infostealers.

Google published a timeline of observed exploitation depicting a broad set of attackers involved through October, but the majority of malicious activity since late 2025 is attributed to cybercriminals. 

Attacks share a common method of exploitation, which was rapidly adopted by a range of threat groups. 

“We are seeing both government-backed groups and financially motivated actors use the same exploitation method to achieve successful execution on target devices,” GTIG said in an email. “This mechanism of crafting a malicious RAR archive makes it more difficult for victims to determine they’ve been impacted, as they are shown a benign decoy file while in the background it silently drops a malicious payload into a critical system location such as Windows Startup folder.”

Beyond opening the archive, the attack requires no further user interaction, and because there are no obvious indicators of compromise, the malicious activity is very difficult to spot, researchers said.
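The mechanism Google describes is the generic archive path-traversal bug: the extractor trusts the file name stored inside the archive, so a crafted entry lands outside the folder the user chose. The following is an added example, not code from Google Threat Intelligence Group or RARLAB, and it does not reproduce the WinRAR defect itself. It shows the check a safe extractor (or a defender triaging a suspicious archive listing) should apply to each entry name: resolve it against the extraction root using Windows path rules and reject anything that escapes, is absolute, or uses NTFS alternate data stream syntax (a `file:stream` name whose stream component can itself carry a path, which the visible file name never shows). The entry names in `SAMPLE_ENTRIES` and the `C:\Extract` root are constructed for illustration and are not indicators from the report.

```python
"""Flag archive entry names that would escape the extraction directory.

Added example, not Google's or RARLAB's code. It models the class of bug
described above (an extractor trusting the stored file name) and the check
that prevents it. SAMPLE_ENTRIES is constructed, not taken from any report.
"""
import ntpath  # Windows path semantics, usable on any platform

# Constructed sample of entry names as an archive listing might present them.
SAMPLE_ENTRIES = [
    r"invoice\report.pdf",                                   # benign relative path
    r"..\..\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",  # parent traversal
    r"C:\Users\Public\payload.exe",                          # absolute path
    r"report.pdf:..\..\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.lnk",  # ADS carrying a path
    r"docs/../../../Startup/evil.vbs",                       # forward-slash traversal
    r"\Windows\Temp\drop.dll",                               # rooted on the current drive
]

# Lower-case marker for the per-user Startup folder (checked on normalised paths).
STARTUP_MARKER = "\\start menu\\programs\\startup\\"


def check_entry(extract_root: str, entry: str) -> tuple[bool, str, str]:
    """Return (safe, reason, resolved_path) for one archive entry name.

    Windows treats '/' and '\\' alike and compares paths case-insensitively,
    so both are normalised before the containment test.
    """
    name = entry.replace("/", "\\")
    drive, rest = ntpath.splitdrive(name)
    if drive:
        # "C:\..." or "\\server\share\..." must never be honoured from an archive.
        return False, "absolute or UNC path", name
    if ":" in rest:
        # NTFS alternate data stream syntax "file:stream". The stream name is a
        # path of its own, so checking only the visible file name is not enough.
        return False, "alternate data stream syntax", name
    if rest.startswith("\\"):
        return False, "rooted path", name

    root = ntpath.normcase(ntpath.normpath(extract_root))
    target = ntpath.normcase(ntpath.normpath(ntpath.join(root, rest)))
    # Containment test: the resolved target must be the root itself or below it.
    if target != root and not target.startswith(root + "\\"):
        reason = "escapes extraction directory"
        if STARTUP_MARKER in target:
            reason += " into a Startup folder (persistence)"
        return False, reason, target
    return True, "ok", target


def scan(extract_root: str, entries) -> list[tuple[str, bool, str]]:
    """Apply check_entry to every name and return (entry, safe, reason) rows."""
    return [(e, *check_entry(extract_root, e)[:2]) for e in entries]


if __name__ == "__main__":
    for entry, safe, reason in scan(r"C:\Extract", SAMPLE_ENTRIES):
        print(f"{'OK  ' if safe else 'DENY'} {reason:<55} {entry}")
```

Only the first sample entry survives; the others are rejected before anything is written, which is the point: the decision is made on the resolved destination, not on how the name looks in the archive listing.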

Attackers with a variety of objectives are flocking to the vulnerability, reminiscent of the widespread exploitation of a previous WinRAR defect, CVE-2023-38831, that Google’s Threat Analysis Group warned about in October 2023. 

“The barrier to entry for threat actors to abuse WinRAR vulnerabilities is low, as there are public ready-to-use tools to quickly craft and test malicious archives,” researchers said. Google urged organizations to install security updates for WinRAR and published indicators of compromise to help defenders hunt for malicious activity on their systems.

The post Cybercriminals and nation-state groups are exploiting a six-month old WinRAR defect appeared first on CyberScoop.

Technology from Tinseltown

COMMENTARY by Susan Bradley. Over the years, Hollywood has given us some excellent movies that brought the idea of cybersecurity to the masses. As Hollywood goes, some are memorable. Lots are not. But there are always some gems that you can watch over and over again. Here are some of my favorites, plus some that […]

SonicWall pins attack on customer portal to undisclosed nation-state

SonicWall said a state-sponsored threat actor was behind the brute-force attack that exposed firewall configuration files of every customer that used the company’s cloud backup service. 

The vendor pinned the responsibility for the attack on an undisclosed nation state Tuesday, after Mandiant concluded its investigation into the incident.

SonicWall did not attribute the attack to a specific country or threat group and Mandiant declined to provide additional information. The vendor’s update, which lacked a root-cause analysis, was mostly an effort to put the attack behind it as leadership made pledges to improve SonicWall’s security practices.

“The malicious activity has been contained and was isolated to our firewall cloud backup service, which stores firewall configuration files in a specific cloud bucket,” SonicWall CEO Bob VanKirk said in a pre-recorded video published alongside the update. “There was no impact to any SonicWall product, firmware, source code, production network, or to any customer data or any other SonicWall system.”

Yet, customer data was impacted because backup firewall configuration files were stolen. Ryan Dewhurst, head of proactive threat intelligence at watchTowr, previously told CyberScoop those files contain a “treasure trove of sensitive data, including firewall rules, encrypted credentials, routing configurations and more.”

The vendor’s public disclosures regarding the attack have been convoluted and, in some cases, erroneous. SonicWall played down the scope of compromise in its initial disclosure, framing it as impacting less than 5% of its firewall install base, but walked that assessment back weeks later when Mandiant confirmed the totality of exposure. 

SonicWall said Mandiant determined the state-sponsored attacker gained access to the cloud backup files using an API call, but it did not provide further detail. 

Other critical details remain unknown, including how many customers were impacted and how long the nation-state attacker maintained access to SonicWall’s customer portal. The company said it detected suspicious activity on MySonicWall.com in September. 

The attack on SonicWall’s customer-facing system was disclosed a week after researchers and authorities warned about a fresh burst of about 40 Akira ransomware attacks involving exploits of a year-old vulnerability affecting SonicWall firewalls. The company said those attacks impacting customers are unrelated to the attack on SonicWall’s cloud backup environment.

“There is no evidence that this event is related to recent increases in the Akira ransomware attacks on edge devices,” VanKirk said. 

SonicWall customers have confronted a series of actively exploited vulnerabilities in SonicWall devices, including four flaws exploited in the wild this year.

Fourteen defects affecting the vendor’s products have been added to the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog since late 2021. Nine of those defects are known to be used in ransomware campaigns, according to CISA. 

VanKirk said the company is committed to continuously improving the security of its products and systems, adding that all of Mandiant’s recommended remediations have been enacted or are actively underway.

The post SonicWall pins attack on customer portal to undisclosed nation-state appeared first on CyberScoop.
