InfoSecBulletin Cybersecurity for mankind
A Cisco customer noticed the first confirmed activity in early January 2024, but the attacks actually began in November 2023. The researchers also found evidence that indicates this capability was being tested and developed as early as July 2023.
The initial access vector in this campaign – dubbed ArcaneDoor – is still unknown. The threat actor, which Cisco Talos tracks as UAT4356 and Microsoft as STORM-1849, used custom malware:
YouTube geo-blocks at least 4 Bangladeshi TV channels in India
Microsoft Patches Four Critical Azure and Power Apps Vulns
Qilin Ransomware topped April 2025 with 45+ data leak disclosures
SonicWall Patches 3 Flaws in SMA 100 Devices
Top Ransomware Actively Attacking Financial Sector: 406 Incidents Disclosed
Critical (CVSS 10) Flaw in Cisco IOS XE WLCs Allows RRA
CVE-2025-29824
Play Ransomware Exploited Windows CVE-2025-29824 as Zero-Day
Hacker exploited Samsung MagicINFO 9 Server RCE flaw
CISA adds Langflow flaw to its KEV catalog
Google Fixes Android Flaw (CVE-2025-27363) Exploited by Attackers
Line Dancer, a shellcode interpreter that resides only in memory, to upload and execute arbitrary shellcode payloads
Line Runner, a backdoor to maintain persistence.
“On a compromised ASA, the attackers submit shellcode via the host-scan-reply field, which is then parsed by the Line Dancer implant. The host-scan-reply field, typically used in later parts of the SSL VPN session establishment process, is processed by ASA devices configured for SSL VPN, IPsec IKEv2 VPN with ‘client-services’ or HTTPS management access,” the researchers explained.
“The actor overrides the pointer to the default host-scan-reply code to instead point to the Line Dancer shellcode interpreter. This allows the actor to use POST requests to interact with the device without having to authenticate and interact directly through any traditional management interfaces.”
Line Dancer has been used to disable syslog, exfiltrate the command show configuration and packet captures, execute CLI commands, prevent the device from creating a crash dump when it crashes, and create ways to always be able to remotely connect to the device.
Line Runner uses an old ASA feature to locate a particular LUA file, unzip it, run it, and then delete it. The scripts in the file let the attacker keep an HTTP-based Lua backdoor on the device, which remains even after reboots and upgrades.
Patch, investigate, respond:
Cisco has released patches for CVE-2024-20353 and CVE-2024-20359, provided indicators of compromise, Snort signatures, and has outlined several methods for locating the Line Runner backdoor on ASA devices.
Companies with Cisco ASA should install the patches right away because there are no other solutions for the vulnerabilities.
“Customers are also strongly encouraged to monitor system logs for indicators of undocumented configuration changes, unscheduled reboots, and any anomalous credential activity,” Cisco advised.
Cisco has also released patches for a third vulnerability (CVE-2024-20358) affecting Cisco ASAs, which is not being exploited by these attackers.
