FIRESTARTER Backdoor
Published Date: April 23, 2026

Malware Analysis Report at a Glance

Malware Name: FIRESTARTER
Original Publication: April 23, 2026

Executive Summary

The Cybersecurity and Infrastructure Security Agency (CISA) analyzed a sample of FIRESTARTER malware obtained from a forensic investigation. CISA and the United Kingdom National Cyber Security Centre (NCSC) assess advanced persistent threat (APT) actors are using FIRESTARTER malware for persistence, specifically targeting publicly accessible Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. CISA and the NCSC are releasing this Malware Analysis Report to share analysis of one FIRESTARTER malware sample operating as a backdoor and urge organizations to take key response actions.

Note: The release of this Malware Analysis Report aligns with CISA’s update to V1: Emergency Directive (ED) 25-03: Identify and Mitigate Potential Compromise of Cisco Devices and Supplemental Direction ED 25-03: Core Dump and Hunt Instructions. The malware outlined in this report is relevant for both Cisco Firepower and Secure Firewall devices; however, CISA has only observed a successful implant of the malware in the wild on a Cisco Firepower device running ASA software.

Key Actions for U.S. FCEB Agencies

- Collect and submit core dumps to CISA’s Malware Next Generation platform.
- Immediately report the submission via CISA’s 24/7 Operations Center; CISA will reach out with next steps.
- Take no additional action until CISA provides further guidance.

Key Actions for All Other Organizations

- Use the YARA rules to detect FIRESTARTER malware against either a disk image or core dump of a device.
- Report any findings to CISA or the NCSC.
- If compromise is confirmed, conduct incident response actions.

Intended Audience

Organizations: Government and critical infrastructure organizations (Note: While this publication supplements CISA ED 25-03, the guidance is applicable to all organizations, including U.K. organizations.)
Sector: Government Services and Facilities Sector
Roles: Digital forensics analysts, incident responders, vulnerability analysts, system administrators

Introduction

The Cybersecurity and Infrastructure Security Agency (CISA) analyzed a sample of FIRESTARTER malware obtained from a forensic investigation. CISA and the United Kingdom National Cyber Security Centre (NCSC) assess that FIRESTARTER—a backdoor that allows remote access and control—is part of a widespread campaign that afforded an advanced persistent threat (APT) actor initial access to Cisco Adaptive Security Appliance (ASA) firmware by exploiting CVE-2025-20333 [CWE-862: Missing Authorization] and/or CVE-2025-20362 [CWE-120: Classic Buffer Overflow]. For more information on this campaign, see CISA’s original version of Emergency Directive (ED) 25-03: Identify and Mitigate Potential Compromise of Cisco Devices (released Sept. 25, 2025).

CISA and the NCSC assess that FIRESTARTER can persist as an active threat on Cisco devices running ASA or Firepower Threat Defense (FTD) software, maintaining post-patching persistence and enabling threat actors to re-access compromised devices without re-exploiting vulnerabilities. U.S. Federal Civilian Executive Branch (FCEB) agencies are required to implement the new required actions in CISA’s updated Emergency Directive (V1: ED 25-03). CISA and the NCSC urge other U.S. and U.K. organizations to use the YARA rules to detect FIRESTARTER malware against either a disk image or core dump of a device and report any findings to CISA or the NCSC. Organizations can also refer to Cisco’s Security Advisory and Talos Blog.

Download the PDF version of this report: AR26-113A_MAR_FIRESTARTER_backdoor_ (PDF, 604.62 KB)

FIRESTARTER Collection

CISA is authorized to monitor for, analyze, and notify U.S. FCEB agencies of anomalous or suspected malicious activity detected on federal networks.
Through continuous monitoring, CISA identified suspicious connections on one U.S. FCEB agency’s Cisco Firepower device running ASA software. CISA notified and validated the true positive finding with agency personnel and initiated a forensic engagement. During the engagement, CISA discovered one malware sample—named FIRESTARTER—on the Firepower device. In this incident, APT actors initially deployed LINE VIPER as a post-exploitation implant and subsequently used FIRESTARTER as a persistence mechanism to maintain continued access to the compromised device. Although Cisco’s patches addressed CVE-2025-20333 and CVE-2025-20362, devices compromised prior to patching may remain vulnerable because FIRESTARTER is not removed by firmware updates.

Threat Actor Activity

Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 18. See Appendix A: MITRE ATT&CK Techniques for tables mapping the cyber actors’ activity to MITRE ATT&CK tactics and techniques.

CISA’s analysis identified the following:

- Initial Access: CISA assesses, but has not confirmed, that APT actors obtained initial access by exploiting CVE-2025-20333 and/or CVE-2025-20362 [T1190]. CISA has not confirmed the exact date of initial exploitation but assesses the compromise occurred in early September 2025, and before the agency implemented patches in accordance with ED 25-03.
- Privilege Escalation and Defense Evasion: CISA identified that APT actors first deployed LINE VIPER to establish illegitimate virtual private network (VPN) sessions [T1133] that bypassed all VPN authentication policies. This activity was associated with user accounts that existed but were no longer active within the agency [T1078]. Although this behavior was observed in this incident, threat actors may use other (including fabricated) accounts. LINE VIPER enabled APT actors to access all configuration elements of the victim Firepower device, including administrative credentials, certificates, and private keys [T1082].
- Persistence: APT actors deployed FIRESTARTER on the Firepower device before Sept. 25, 2025 (exact date is unknown). Because it was present before patching, FIRESTARTER persisted through remediation and established command and control (C2) channels on the victim Firepower device [T1219]. APT actors leveraged FIRESTARTER to regain access without re-exploiting the original vulnerabilities and deployed LINE VIPER in March 2026.

Malware Summary

FIRESTARTER is a Linux Executable and Linkable Format (ELF) file designed to execute on Cisco Firepower and Secure Firewall devices, serving as a C2 channel for remote access and control. The malware achieves persistence by detecting termination signals and relaunching itself, and it can survive firmware updates and device reboots unless a hard power cycle occurs. FIRESTARTER attempts to install a hook—a way to intercept and modify normal operations—within LINA, the device’s core engine for network processing and security functions. This hook enables the execution of arbitrary shell code provided by the APT actors, including the deployment of LINE VIPER.

Note: The file CISA obtained for analysis was named lina_cs; filenames may vary, as threat actors can easily modify the name of the malicious file.

Malware Functionality

Initialization

Upon execution, FIRESTARTER accesses its own binary located at /usr/bin/lina_cs on the device [T1036.005] and copies its contents into memory.
It then registers a callback function that triggers when the program receives any of the following termination-related signals [T1546.004]:

- SIGTERM
- SIGINT
- SIGQUIT
- SIGABRT
- SIGHUP
- SIGTSTP

After copying itself into the heap and updating the signal handlers, the shell executor initiates the following sequential commands:

    rm /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST 2>/dev/null
    cp /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST.tmp /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST 2>/dev/null
    chmod 755 /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST 2>/dev/null
    chown --reference=/opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST.tmp /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST 2>/dev/null
    touch -r /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST.tmp /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST 2>/dev/null
    rm /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST.tmp 2>/dev/null
    rm /usr/bin/lina_cs 2>/dev/null

These commands delete the modified CSP_MOUNT_LIST file [T1070.004] and restore the original from CSP_MOUNT_LIST.tmp. Execute permissions are granted to any user, the owner and timestamp are set to match the original [T1070.006], and the temporary file is then deleted. Finally, /usr/bin/lina_cs is deleted.

Persistence and Shutdown Task

When any of these signals are received or runlevel (6) is reached, the callback function is triggered and first checks whether the /opt/cisco/platform/logs/var/log/ directory exists. If absent, it creates the directory with full read/write/execute permissions [T1222]. The callback then opens /opt/cisco/platform/logs/var/log/svc_samcore.log and writes a copy of itself to this file, which is in a reboot-persistent directory. Next, the callback verifies whether /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST is present on the device. If the file is missing, FIRESTARTER creates it using a special function that can run shell commands [T1059].
After creating the file, the malware runs a series of callback commands (in sequential order) to establish persistence and manage its files:

    cp /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST.tmp 2>/dev/null
    chown --reference=/opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST.tmp 2>/dev/null
    touch -r /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST.tmp 2>/dev/null

It then appends the following three lines to /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST:

    mv /opt/cisco/platform/logs/var/log/svc_samcore.log /usr/bin/lina_cs
    chmod 755 /usr/bin/lina_cs
    lina_cs &

These commands first create a temporary copy of CSP_MOUNT_LIST with the same ownership information and timestamps. A script is then appended to CSP_MOUNT_LIST. This script is the persistence mechanism: it moves FIRESTARTER from its staging location, svc_samcore.log, to /usr/bin/lina_cs, makes it executable, and runs it in the background [T1547]. This sequence ensures persistent execution of the file, even when termination signals are received. All commands redirect standard error (stderr) messages to /dev/null, hiding them from the console [T1564].

Memory Scanning and Hook Installation

The process enumerates LINA’s virtual memory map to locate the private read-write (rw-p) segment associated with lina [T1057], which represents the main process’s writable data region. Once identified, this memory segment is parsed using a custom algorithm to locate the XML Handler element table. The algorithm inspects each 0x260-byte region for element IDs. After identifying five element IDs in the correct offset sequence (each separated by 0x260 bytes), it calculates and stores the handler pointer address for the seventeenth element.
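The two filesystem artifacts described under Persistence and Shutdown Task (the staged copy written to svc_samcore.log and the launcher lines appended to CSP_MOUNT_LIST) can be checked offline on a mounted disk image. The script below is an added example and not CISA's code: the paths are taken from the report, while the behavioural line patterns and the sample image content are this example's own constructions.

```python
"""Offline triage of FIRESTARTER persistence artifacts on a mounted disk image.
Added example, not part of CISA's report; paths are from the report, the
sample image content is constructed here.
"""
import re
import tempfile
from pathlib import Path

# Paths from the report, relative to the image root.
STAGING_LOG = "opt/cisco/platform/logs/var/log/svc_samcore.log"
MOUNT_LIST = "opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST"
MOUNT_LIST_TMP = MOUNT_LIST + ".tmp"
ELF_MAGIC = b"\x7fELF"

# The report notes the filename lina_cs may vary, so these patterns key on
# behaviour (moving a file out of the log tree into /usr/bin, making a
# /usr/bin file executable, launching a background job) and only then on names.
SUSPICIOUS_LINE_PATTERNS = [
    re.compile(r"\bmv\s+\S*/opt/cisco/platform/logs/\S+\s+\S*/usr/bin/"),
    re.compile(r"\bchmod\s+\d{3,4}\s+\S*/usr/bin/"),
    re.compile(r"&\s*$"),
    re.compile(r"svc_samcore\.log|lina_cs"),
]


def suspicious_mount_list_lines(text: str) -> list:
    """Return CSP_MOUNT_LIST lines that resemble the appended launcher script."""
    hits = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if any(p.search(stripped) for p in SUSPICIOUS_LINE_PATTERNS):
            hits.append(stripped)
    return hits


def triage_image(root: Path) -> dict:
    """Check a mounted image root for the persistence artifacts the report names."""
    findings = {"staged_elf_in_log": False, "mount_list_tmp_present": False,
                "launcher_lines": []}
    log = root / STAGING_LOG
    if log.is_file():
        with log.open("rb") as fh:
            # A *.log file that begins with an ELF header is the staged binary copy.
            findings["staged_elf_in_log"] = fh.read(4) == ELF_MAGIC
    # The .tmp copy is deleted at startup; a surviving one means cleanup did not run.
    findings["mount_list_tmp_present"] = (root / MOUNT_LIST_TMP).is_file()
    mount_list = root / MOUNT_LIST
    if mount_list.is_file():
        findings["launcher_lines"] = suspicious_mount_list_lines(
            mount_list.read_text(errors="replace"))
    # touch -r copies the original timestamps onto the modified file, so mtime
    # comparisons against CSP_MOUNT_LIST are deliberately not used as a signal.
    findings["suspicious"] = bool(findings["staged_elf_in_log"]
                                  or findings["launcher_lines"])
    return findings


def build_constructed_image(root: Path) -> None:
    """Write a constructed sample image reproducing the artifacts in the report."""
    (root / STAGING_LOG).parent.mkdir(parents=True)
    (root / STAGING_LOG).write_bytes(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61)
    (root / MOUNT_LIST).parent.mkdir(parents=True)
    (root / MOUNT_LIST).write_text(
        "# constructed placeholder for legitimate mount-list content\n"
        "/dev/sda1 /mnt/disk0\n"
        # The three lines the report says FIRESTARTER appends:
        "mv /opt/cisco/platform/logs/var/log/svc_samcore.log /usr/bin/lina_cs\n"
        "chmod 755 /usr/bin/lina_cs\n"
        "lina_cs &\n")


def demo() -> dict:
    """Build the constructed image in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_image(root)
        return triage_image(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point triage_image at the root of a mounted image rather than a live device; the report asks that live devices be left untouched until a core dump has been collected.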
Shellcode Injection

FIRESTARTER scans LINA’s memory to locate the executable (r-xp) segment of libstdc++.so, which corresponds to the C++ standard library’s code section. The malware injects a block of shellcode 0x200 bytes before the end of the library’s text segment, installing the detour for the XML element handler [T1055]. The process then resumes its main loop and continues operating until it detects a reboot runlevel or the termination-related signals.

Victim Identification and Stage Loading

The FIRESTARTER malware closely mirrors the RayInitiator Cisco ASA bootkit stage 3 deploy path. The injected shellcode is triggered when LINA processes a WebVPN request containing the XML tag with the detoured handler. Within the element, the malware searches for a hard-coded 8-byte ASCII string unique to the installation, verifying it against a predefined value embedded in the shellcode. Additionally, a victim-specific ID—another hard-coded 8-byte sequence—is compared against WebVPN request elements until a match is found. Upon successful verification of identification, the next stage of the malware is loaded by copying it into LINA’s memory and invoking mprotect to enable execution of the newly injected code [T1543].

Detection

U.S. FCEB Agency Instructions

The primary detection method for FIRESTARTER is memory analysis. In accordance with V1: ED 25-03, all U.S. FCEB agencies are required to collect device core dumps and submit them to CISA’s Malware Next Generation (MNG) platform (see Incident Response section), which analyzes core dumps for the presence and behavior of the lina_cs binary. U.S. FCEB agencies should not take further action without first consulting CISA. To preserve evidence, avoid any hard power cycles and other changes (e.g., reboots, patching, configuration changes) before collection and coordination, as these can affect volatile artifacts.

Other U.S. and U.K. Recommendations

CISA and the NCSC recommend using the following CISA-created YARA rules to detect FIRESTARTER when applied to a disk image or a core dump from a device:

- To obtain a disk image, open a Cisco Technical Assistance Center (TAC) case.
- For instructions on obtaining a core dump, see CISA’s Supplemental Direction for ED 25-03. Note: CISA recommends following this Supplemental Direction rather than other open source resources, as APT actors commonly employ anti-forensic techniques.

YARA Rules

See Table 1 for a list of FIRESTARTER YARA rules.

Table 1. YARA Rules

FIRESTARTER Rule 1

    rule CISA_261290_01 : FIRESTARTER backdoor captures_system_state_data cleans_traces_of_infection fingerprints_host persists_after_system_reboot
    {
        meta:
            author = "CISA Code & Media Analysis"
            incident = "261290"
            date = "2026-4-3"
            last_modified = "20260406_732"
            actor = "n/a"
            family = "n/a"
            capabilities = "captures-system-state-data cleans-traces-of-infection fingerprints-host persists-after-system-reboot"
            malware_type = "backdoor"
            tool_type = "unknown"
            description = "Detects CISCO Firepower FIRESTARTER injector samples"
        strings:
            $s1 = { 57 48 C1 EF 0C 48 C1 E7 0C BA 07 00 00 00 48 C7 C6 00 20 00 00 }
            $s2 = { 2f 6f 70 74 2f 63 69 73 63 6f 2f 70 6c 61 74 66 6f 72 6d 2f 6c 6f 67 73 2f 76 61 72 2f 6c 6f 67 2f }
            $s3 = { 2f 6f 70 74 2f 63 69 73 63 6f 2f 63 6f 6e 66 69 67 2f 70 6c 61 74 66 6f 72 6d 2f 72 6d 64 62 2f }
            $s4 = { 2f 76 61 72 2f 72 75 6e 2f 72 75 6e 6c 65 76 65 6c }
            $s5 = { 2f 70 72 6f 63 2f 25 73 2f 63 6f 6d 6d }
            $s6 = { 2f 70 72 6f 63 2f 25 64 2f 6d 61 70 73 }
            $s7 = { 2f 61 73 61 2f 62 69 6e 2f 6c 69 6e 61 }
        condition:
            5 of them
    }

FIRESTARTER Rule 2

    rule CISA_261290_02 : FIRESTARTER_shellcode backdoor captures_system_state_data cleans_traces_of_infection fingerprints_host persists_after_system_reboot
    {
        meta:
            author = "CISA Code & Media Analysis"
            incident = "261290"
            date = "2026-4-3"
            last_modified = "20260406_732"
            actor = "n/a"
            family = "n/a"
            capabilities = "captures-system-state-data cleans-traces-of-infection fingerprints-host persists-after-system-reboot"
            malware_type = "backdoor"
            tool_type = "unknown"
            description = "Detects CISCO Firepower FIRESTARTER_shellcode samples"
        strings:
            $1 = { 57 4C 8B 47 18 4D 85 C0 0F 84 C7 01 00 00 49 8B 38 48 85 FF }
            $2 = { 48 83 C6 08 4C 39 C6 0F 87 7A 01 00 00 4C 8B 0E }
            $3 = { 48 89 D7 4C 89 CE B9 D0 01 00 F3 A4 48 89 D7 57 48 C1 EF 0C 48 C1 E7 0C }
            $4 = { 0F 05 58 5F FF E0 90 90 }
        condition:
            3 of them
    }

Sigma Rules

Given the nature of this malware, Sigma rules do not offer effective detection because it does not generate observable log events or behavioral anomalies in standard monitoring platforms.

Incident Response

U.S. FCEB Agencies

CISA requires U.S. FCEB agencies to:

1. Refer to the Supplemental Direction for ED 25-03 for guidance on running the “show checkheaps” and “show tech-support detail” commands. Save the full output off the device (preferably to an isolated system).
2. Generate a core dump from the affected Cisco device(s) and submit it through CISA’s Malware Next Generation platform.
3. Report the submission immediately via CISA’s 24/7 Operations Center (contact@cisa.dhs.gov, 1-844-Say-CISA [1-844-729-2472], or CISA’s Incident Reporting System). Identify that the activity is related to FIRESTARTER.
4. After incident intake, CISA will provide guidance on next steps. If compromise is confirmed, this may include instructions to physically unplug the device from power to remove FIRESTARTER’s persistence. Organizations should not unplug the device unless directed to do so by CISA.

Other U.S. Organizations

CISA recommends organizations take the following actions:

1. Although applicable to U.S. FCEB agencies, refer to the Supplemental Direction for ED 25-03 for guidance on running the “show checkheaps” and “show tech-support detail” commands. Save the full output off the device (preferably to an isolated system).
2. Generate a core dump from the affected Cisco device(s) and deploy the provided YARA rules. U.S. organizations can submit core dumps through CISA’s Malware Next Generation platform. If the core dump indicates the presence of FIRESTARTER malware, proceed with steps 3 and 4 below; additionally, activate internal incident response plans to assess potential lateral movement and impact.
3. Unplug the device from all power sources (CISA assesses this is the only method to remove FIRESTARTER’s persistence from a device), then conduct the following steps:
   - Locate the physical device.
   - Unplug the physical device from its power source while the device is still powered on. Note: It is not sufficient to power the device off or reboot it. The device must be entirely removed from all power sources, including duplicate power sources created for redundancy.
   - Leave the device fully disconnected from any power source for one minute.
   - Reconnect the device to its power source and allow it to reboot.
4. Promptly report any detection of FIRESTARTER malware to CISA. U.S. organizations can report to CISA’s 24/7 Operations Center (contact@cisa.dhs.gov, 1-844-Say-CISA [1-844-729-2472], or CISA’s Incident Reporting System). Requests for assistance can also be submitted to CISA via this reporting channel.

U.K. Organizations

The NCSC recommends U.K. organizations take the following actions:

1. Refer to the Supplemental Direction for ED 25-03 for guidance on running the “show checkheaps” and “show tech-support detail” commands. Save the full output off the device (preferably to an isolated system).
2. Generate a core dump from the affected Cisco device(s) and deploy the provided YARA rules.
3. If FIRESTARTER is detected, report an incident to the NCSC via https://report.ncsc.gov.uk. After reporting an incident, the NCSC will provide guidance on next steps. If compromise is confirmed, this may include instructions to physically unplug the device from power to remove FIRESTARTER’s persistence. Organizations should not unplug the device unless directed to do so by the NCSC.

Mitigations

CISA and the NCSC recommend all organizations implement the mitigations below to improve cybersecurity posture on the basis of the threat actors’ activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals 2.0 (CPG 2.0) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections recommended for all organizations. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPG 2.0 webpage for more information on the CPGs, including additional recommended baseline protections.

- Maintain all systems and software with the latest security patches, prioritizing expedited remediation of vulnerabilities listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog [CPG 2.B]. At the time of ED 25-03’s release (Sept. 25, 2025), available patches did not specifically remediate FIRESTARTER; although patching mitigated initial access, it did not eliminate this persistence mechanism. For additional information on software updates that prevent FIRESTARTER’s persistence and for remediation guidance, refer to Cisco’s Security Advisory.
- Inventory all network edge devices [CPG 2.A], with a specific focus on Cisco devices. Monitor these devices for any suspicious network connections that correlate with the activity described in this report.
- Monitor and audit activity for all accounts with elevated privileges, including network administrators and service accounts, to detect unauthorized use or anomalous behavior. For example, track and review commands executed by these accounts, and promptly investigate any suspicious activity identified. Apply the principle of least privilege and restrict service accounts to needed permissions only [CPG 3.H].
- Regularly rotate passwords for privileged accounts (such as network administrators) and service accounts. Routine password changes invalidate credentials that threat actors may have compromised, forcing them to reestablish access and increasing the likelihood of detection or disruption.
- While not specific to FIRESTARTER, modernize administrative access controls by implementing TACACS+ over TLS 1.3. This approach encrypts device administration Authentication, Authorization, and Accounting traffic, safeguards administrator and service account credentials, and reduces the risk of interception [CPG 3.K]. See Cisco’s blog, Modernizing TACACS+: Why Full-Session Encryption Matters More Than Ever.

Disclaimer

CISA and the NCSC do not endorse any commercial entity, product, company, or service, including any entities, products, companies, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favor by CISA or the NCSC.

Acknowledgements

Cisco contributed to this Malware Analysis Report.

Version History

April 23, 2026: Initial version.

Appendix A: MITRE ATT&CK Techniques

See Tables 2 through 7 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Table 2. Initial Access

- Exploit Public-Facing Application (T1190): The APT actors gained access to the victim’s Cisco Firepower device, likely by exploiting CVE-2025-20333 and/or CVE-2025-20362.

Table 3. Execution

- Command and Scripting Interpreter (T1059): FIRESTARTER uses a special function to run shell commands that create /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST if it is missing. FIRESTARTER runs callback commands to manage its files.

Table 4. Persistence

- Create or Modify System Process (T1543): FIRESTARTER invokes mprotect to enable execution of newly injected code.
- Event Triggered Execution: Unix Shell Configuration Modification (T1546.004): FIRESTARTER registers a callback function that is automatically triggered when the program receives any of the following termination-related signals: SIGTERM, SIGINT, SIGQUIT, SIGABRT, SIGHUP, or SIGTSTP.
- Boot or Logon Autostart Execution (T1547): Persistence is maintained by modifying a boot-time configuration/mount script so FIRESTARTER runs on startup.
- External Remote Services (T1133): The APT actors used LINE VIPER to establish illegitimate VPN sessions.
- Valid Accounts (T1078): The APT actors used valid user accounts for their illegitimate VPN sessions (the user accounts belonged to former employees).

Table 5. Defense Evasion

- File and Directory Permissions Modification (T1222): FIRESTARTER creates the /opt/cisco/platform/logs/var/log/ directory with full read/write/execute permissions. FIRESTARTER uses chown and chmod to modify file permissions.
- Hide Artifacts: Hidden Users (T1564): FIRESTARTER redirects standard error (stderr) messages to /dev/null and hides them from the console.
- Indicator Removal on Host: File Deletion (T1070.004): FIRESTARTER deletes the following files: CSP_MOUNT_LIST, CSP_MOUNT_LIST.tmp, and /usr/bin/lina_cs.
- Indicator Removal on Host: Timestomp (T1070.006): FIRESTARTER uses touch -r to copy timestamps from original files to modified and temporary ones, explicitly to match the original.
- Masquerading: Match Legitimate Resource Name or Location (T1036.005): FIRESTARTER accesses its own binary located at /usr/bin/lina_cs on the victim device.
- Process Injection (T1055): FIRESTARTER injects shellcode into a library’s code section before the start of the text segment.

Table 6. Discovery

- Process Discovery (T1057): FIRESTARTER enumerates LINA’s virtual memory map to locate the private read-write (rw-p) segment associated with lina.
- System Information Discovery (T1082): The APT actors used LINE VIPER to access Cisco Firepower device configuration elements, including administrative credentials, certificates, and private keys.

Table 7. Command and Control

- Remote Access Tools (T1219): FIRESTARTER is a Linux ELF designed to execute on Cisco Firepower and Secure Firewall devices, serving as a C2 channel for remote access and control.
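The two YARA rules in Table 1 are the published detection for disk images and core dumps. As an added example (not CISA's code, and not a replacement for running the rules with YARA itself), the script below reproduces each rule's byte patterns and "N of them" condition in pure Python, scans a large file in overlapping chunks, and reports per-string hit offsets; the sample buffer it scans is constructed here.

```python
"""Pure-Python emulation of the two CISA FIRESTARTER YARA rules in Table 1.
Added example, not CISA's code and not a substitute for YARA. It reports the
offsets of each hit so an analyst can see whether matches cluster in one
region of a dump or are scattered across it.
"""
import tempfile

# Patterns and thresholds as published; $s2..$s7 are the Table 1 hex strings
# decoded to the paths they spell (identical bytes, easier to read).
RULES = {
    "CISA_261290_01": (5, {
        "$s1": bytes.fromhex("57 48 C1 EF 0C 48 C1 E7 0C BA 07 00 00 00 48 C7 C6 00 20 00 00"),
        "$s2": b"/opt/cisco/platform/logs/var/log/",
        "$s3": b"/opt/cisco/config/platform/rmdb/",
        "$s4": b"/var/run/runlevel",
        "$s5": b"/proc/%s/comm",
        "$s6": b"/proc/%d/maps",
        "$s7": b"/asa/bin/lina",
    }),
    "CISA_261290_02": (3, {
        "$1": bytes.fromhex("57 4C 8B 47 18 4D 85 C0 0F 84 C7 01 00 00 49 8B 38 48 85 FF"),
        "$2": bytes.fromhex("48 83 C6 08 4C 39 C6 0F 87 7A 01 00 00 4C 8B 0E"),
        "$3": bytes.fromhex("48 89 D7 4C 89 CE B9 D0 01 00 F3 A4 48 89 D7 57 48 C1 EF 0C 48 C1 E7 0C"),
        "$4": bytes.fromhex("0F 05 58 5F FF E0 90 90"),
    }),
}
LONGEST = max(len(p) for _, strings in RULES.values() for p in strings.values())

def find_all(data: bytes, needle: bytes, base: int = 0) -> list:
    """Every offset of needle in data, shifted by base (the buffer's file offset)."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(base + pos)
        pos = data.find(needle, pos + 1)
    return offsets

def summarize(name: str, hits: dict) -> dict:
    """Apply the rule's 'N of them' condition to per-string hit offsets."""
    threshold = RULES[name][0]
    hits = {sid: sorted(set(offs)) for sid, offs in hits.items() if offs}
    return {"rule": name, "matched": len(hits) >= threshold,
            "distinct_strings": len(hits), "threshold": threshold, "hits": hits}

def scan_buffer(data: bytes) -> list:
    """Evaluate both rules on an in-memory buffer; return those that matched."""
    results = [summarize(name, {sid: find_all(data, pat) for sid, pat in strings.items()})
               for name, (_, strings) in RULES.items()]
    return [r for r in results if r["matched"]]

def scan_file(path: str, chunk_size: int = 64 * 1024 * 1024) -> list:
    """Scan a large core dump or disk image in chunks. Carrying LONGEST-1 bytes
    of overlap keeps a pattern that straddles a chunk boundary from being missed."""
    found = {name: {sid: [] for sid in strings} for name, (_, strings) in RULES.items()}
    base, tail = 0, b""
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            data, start = tail + chunk, base - len(tail)
            for name, (_, strings) in RULES.items():
                for sid, pat in strings.items():
                    found[name][sid] += find_all(data, pat, start)
            base += len(chunk)
            tail = data[-(LONGEST - 1):]
    return [r for r in (summarize(n, h) for n, h in found.items()) if r["matched"]]

# Constructed sample: five of Rule 1's strings separated by a little padding.
CONSTRUCTED_SAMPLE = b"\x00" * 7 + b"".join(
    RULES["CISA_261290_01"][1][sid] + b"\x00" * 3 for sid in ("$s2", "$s3", "$s4", "$s6", "$s7"))

def demo_buffer() -> list:
    return scan_buffer(CONSTRUCTED_SAMPLE)

def demo_file(chunk_size: int = 5) -> list:
    """Scan the sample from a file with tiny chunks so every pattern straddles
    a chunk boundary, exercising the overlap logic in scan_file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = tmp + "/constructed.core"
        with open(path, "wb") as fh:
            fh.write(CONSTRUCTED_SAMPLE)
        return scan_file(path, chunk_size)

if __name__ == "__main__":
    for result in demo_buffer():
        print(result["rule"], result["distinct_strings"], "of", result["threshold"], result["hits"])
```

For a real dump, call scan_file with the default chunk size; hits whose offsets fall close together point at the region worth carving out for further analysis.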


Source: CISA (cisa.gov)