{
	"id": "c7f17715-1ae7-4db0-aa0f-ee5f332e5b7c",
	"created_at": "2026-04-06T00:17:47.163525Z",
	"updated_at": "2026-04-10T03:28:05.508842Z",
	"deleted_at": null,
	"sha1_hash": "5a8e976a62bcc8159b3b0389b38ab06c2f9dccf5",
	"title": "ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 938193,
	"plain_text": "ArcaneDoor - New espionage-focused campaign found targeting\r\nperimeter network devices\r\nBy Cisco Talos\r\nPublished: 2024-04-24 · Archived: 2026-04-05 15:43:23 UTC\r\nWednesday, April 24, 2024 11:54\r\n*Update 2025-09-25: Cisco is aware of new activity targeting certain Cisco Adaptive Security Appliances (ASA)\r\n5500-X Series and has released three CVE’s related to the event: CVE-2025-20333, CVE-2025-20362 and CVE-2025-20363. The following Snort Rules cover these vulnerabilities: 65340, 46897.\r\nWe assess with high confidence this activity is related to same threat actor as ArcaneDoor in 2024.\r\nWe strongly recommend that Cisco customers upgrade their devices to the available fixed software and follow\r\nguidance in the security advisories.\r\n*Updated 2024-04-25 16:57 GMT with minor wording corrections regarding the targeting of other vendors.\r\nArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices\r\nfrom multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for\r\nespionage-focused campaigns. As a critical path for data into and out of the network, these devices need to be\r\nroutinely and promptly patched; using up-to-date hardware and software versions and configurations; and be\r\nclosely monitored from a security perspective. Gaining a foothold on these devices allows an actor to directly\r\npivot into an organization, reroute or modify traffic and monitor network communications. In the past two years,\r\nwe have seen a dramatic and sustained increase in the targeting of these devices in areas such as\r\ntelecommunications providers and energy sector organizations — critical infrastructure entities that are likely\r\nstrategic targets of interest for many foreign governments.  
\r\nhttps://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/\r\nPage 1 of 14\n\nCisco’s position as a leading global network infrastructure vendor gives Talos’ Intelligence and Interdiction team\r\nimmense visibility into the general state of network hygiene. This also gives us uniquely positioned investigative\r\ncapability into attacks of this nature. Early in 2024, a vigilant customer reached out to both Cisco’s Product\r\nSecurity Incident Response Team (PSIRT) and Cisco Talos to discuss security concerns with their Cisco Adaptive\r\nSecurity Appliances (ASA). PSIRT and Talos came together to launch an investigation to assist the customer.\r\nDuring that investigation, which eventually included several external intelligence partners and spanned several\r\nmonths, we identified a previously unknown actor now tracked as UAT4356 by Talos and STORM-1849 by the\r\nMicrosoft Threat Intelligence Center. This actor utilized bespoke tooling that demonstrated a clear focus on\r\nespionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor. \r\nUAT4356 deployed two backdoors as components of this campaign, “Line Runner” and “Line Dancer,” which\r\nwere used collectively to conduct malicious actions on-target, including configuration modification,\r\nreconnaissance, network traffic capture/exfiltration and potentially lateral movement.  \r\nCritical Fixes Available \r\nWorking with victims and intelligence partners, Cisco uncovered a sophisticated attack chain that was used to\r\nimplant custom malware and execute commands across a small set of customers. While we have been unable to\r\nidentify the initial attack vector, we have identified two vulnerabilities (CVE-2024-20353 and CVE-2024-20359),\r\nwhich we detail below. Customers are strongly advised to follow the guidance published in the security advisories\r\ndiscussed below.  
\r\nFurther, network telemetry and information from intelligence partners indicate the actor is interested in — and\r\npotentially attacking — Microsoft Exchange servers and network devices from other vendors. Regardless of your\r\nnetwork equipment provider, now is the time to ensure that the devices are properly patched, logging to a central,\r\nsecure location, and are configured to have strong, multi-factor authentication (MFA). Additional\r\nrecommendations specific to Cisco are available here.  \r\nTimeline \r\nCisco was initially alerted to suspicious activity on an ASA device in early 2024. The investigation that followed\r\nidentified additional victims, all of which involved government networks globally. During the investigation, we\r\nidentified actor-controlled infrastructure dating back to early November 2023, with most activity taking place\r\nbetween December 2023 and early January 2024. Further, we have identified evidence that suggests this capability\r\nwas being tested and developed as early as July 2023.\r\nCisco has identified two vulnerabilities that were abused in this campaign (CVE-2024-20353 and CVE-2024-20359).\r\nPatches for these vulnerabilities are detailed in the Cisco Security Advisories released today.\r\nInitial Access \r\nWe have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date. Our investigation is ongoing, and we will provide updates, if necessary, in the\r\nsecurity advisories or on this blog.\r\nLine Dancer: In-Memory Implant Technical Details \r\nThe malware implant has a couple of key components. The first is a memory-only implant, called “Line Dancer.”\r\nThis implant is a memory-resident shellcode interpreter that enables adversaries to upload and execute arbitrary\r\nshellcode payloads.  
\r\nOn a compromised ASA, the attackers submit shellcode via the host-scan-reply field, which is then parsed by the\r\nLine Dancer implant. Note that the use of this field does not indicate the exploitation of CVE-2018-0101, which\r\nwas NOT used as a component of this campaign. The host-scan-reply field, typically used in later parts of the SSL\r\nVPN session establishment process, is processed by ASA devices configured for SSL VPN, IPsec IKEv2 VPN\r\nwith “client-services” or HTTPS management access. The actor overrides the pointer to the default host-scan-reply code to instead point to the Line Dancer shellcode interpreter. This allows the actor to use POST requests to\r\ninteract with the device without having to authenticate and interact directly through any traditional management\r\ninterfaces. \r\nLine Dancer is used to execute commands on the compromised device. During our investigation, Talos was able to\r\nobserve the threat actors using the Line Dancer malware implant to: \r\n• Disable syslog. \r\n• Run and exfiltrate the command show configuration. \r\n• Create and exfiltrate packet captures. \r\n• Execute CLI commands present in shellcode; this includes configuration mode commands and the ability\r\nto save them to memory (write mem). \r\n• Hook the crash dump process, which forces the device to skip the crash dump generation and jump directly\r\nto a device reboot. This is designed to evade forensic analysis, as the crash dump would contain evidence\r\nof compromise and provide additional forensic details to investigators. \r\n• Hook the AAA (Authentication, Authorization and Accounting) function to allow for a magic number\r\nauthentication capability. When the attacker attempts to connect to the device using this magic number,\r\nthey are able to establish a remote access VPN tunnel bypassing the configured AAA mechanisms. 
As an\r\nalternate form of access, a P12 blob is generated along with an associated certificate and exfiltrated to the\r\nactor along with a certificate-based tunnel configuration.  \r\nHost-Scan-Reply hook overview \r\nIn the Line Dancer implant’s process memory, we found a function (detailed below) that checks if a 32-byte token\r\nmatches a pattern. If so, it base64-decodes the payload, copies it into the attacker's writable and executable\r\nmemory region, and then calls the newly decoded function. Either way, it ends by calling\r\nprocessHostScanReply(). \r\nThe function processHostScanReply() is normally accessed through a function pointer in the elementArray\r\ntable, associated with the string host-scan-reply. In the captured memory, the entry that should point to\r\nprocessHostScanReply() now instead points to the attacker's function that decodes and runs its payload. Since\r\nthis change is in the data section of memory, it doesn't show up in hashes/dumps of text. \r\nThe attacker function that decodes and runs its payload has the following decompilation: \r\nLine Runner: Persistence Mechanism \r\nThe threat actor maintains persistence using a second, persistent backdoor called “Line Runner” on the\r\ncompromised ASA device using functionality related to a legacy capability that allowed for the pre-loading of\r\nVPN clients and plugins on the device. At boot, the ASA is designed to look for the presence of a file on disk0:\r\nmatching the Lua regular expression:\r\n^client_bundle[%w_-]*%.zip$\r\nIf the file exists, it will unzip it and execute the script csco_config.lua. Once processed, the ZIP file is deleted.\r\nThis is assigned CVE-2024-20359 and more details are available in this Cisco Security Advisory.  
\r\nIn at least one case, there is another vulnerability, CVE-2024-20353, that was abused by the actor to facilitate this\r\nprocess. The attackers were able to leverage this vulnerability to cause the target ASA device to reboot, triggering\r\nthe unzipping and installation of the second component of the threat actor’s malware implant, Line Runner. \r\nThe threat actor’s ZIP file contains the files described below. \r\nThe scripts in the zip file allow the threat actor to maintain a persistent HTTP-based Lua backdoor to the ASA,\r\nwhich survives across reboots and upgrades. Line Runner was observed being used by UAT4356 to retrieve\r\ninformation that was staged through the use of Line Dancer.  \r\ncsco_config.lua \r\nThe csco_config.lua file is run at boot and makes the following modifications to the system: \r\n• Create disk0:/csco_config/97/webcontent/ if it doesn't already exist \r\n• Create disk0:/csco_config/97/webcontent/1515480F4B538B669648B17C02337098 from hash.txt \r\n• Append index.txt to disk0:/csco_config/97/webcontent/index_bp.ini and put the result in\r\ndisk0:/csco_config/97/webcontent/index.ini  \r\n• Move the original client_bundle.zip file to /run/lock/subsys/krbkdc6\r\n• Prepend umtfc.txt to /etc/init.d/umountfs  \r\n• Copy stgvdr.txt to /asa/scripts/lina_cs  \r\n• Backup /asa/scripts/lina_exe_cs.sh to /asa/scripts/lina_exe_cs_bp.sh  \r\n• Replace /asa/scripts/lina_exe_cs.sh with laecsnw.txt  \r\n• Copy csco_config2.lua over csco_config.lua  \r\n• Disable the importPlugin function for the next call only  \r\ncsco_config2.lua \r\nThe csco_config2.lua file cleans up the modifications made by csco_config.lua (above) and removes itself. \r\nhash.txt \r\nUsed as content for disk0:/csco_config/97/webcontent/1515480F4B538B669648B17C02337098. \r\nIntercepts HTTP requests to the ASA. 
The threat actor’s code looks for an HTTP request with a set of 32-character\r\nparameters that are victim-dependent. If they match, then the payload contained within one of these parameters is\r\nwritten to a Lua script and executed. This is the backdoor’s command and control mechanism. \r\nindex.txt \r\nAdds webContent information so hash.txt is processed. \r\nlaecsnw.txt \r\nTemporarily replaces /asa/scripts/lina_exe_cs.sh. \r\nExecutes /asa/scripts/lina_cs as a background process (see below). Removes itself. Then restores the backup\r\n/asa/scripts/lina_exe_cs_bp.sh.  \r\nstgvdr.txt \r\nRuns as /asa/scripts/lina_cs. \r\nAfter sleeping for 30 seconds, sets expected owner and times on /etc/init.d/umountfs. Removes the hash API\r\nendpoint, the index.ini, and either restores the backup index.ini or removes the webcontent directory entirely.\r\nFinally, removes itself.  \r\numtfc.txt\r\nPrepended to /etc/init.d/umountfs. \r\nThe umountfs script is called at shutdown to unmount the filesystems. The threat actor’s modifications perform\r\nthe following functionality: \r\n• If disk0:/csco_config/97/webcontent/1515480F4B538B669648B17C02337098 exists, removes it and\r\nindex.ini. \r\n• Copies /run/lock/subsys/krbkdc6 to disk0:client_bundle_install.zip\r\nThis sets up the zipfile to be executed at the next boot, maintaining persistence. \r\nForensic Recovery and Identification of Line Runner \r\nTo identify the presence of Line Runner on an ASA, the following methods can be used. Note also that the device\r\nshould be upgraded to a fixed version as identified in the first method. \r\nMethod 1: \r\nAfter updating the device to a software release that contains the fix for CVE-2024-20359, a review of the contents\r\nof disk0: should be conducted. 
If a new file (e.g., “client_bundle_install.zip” or any other unusual .zip file)\r\nappears on disk0: following the update, this suggests that Line Runner was present on the device in question.\r\nNote that because the updated software is not vulnerable to CVE-2024-20359, Line Runner will no longer be\r\nactive on the device. \r\nMethod 2: \r\nTo detect (and remove) Line Runner, the following series of commands will create an innocuous file with a .zip\r\nextension. Note that it will not create a valid zip file, but the file will still be read by the ASA at reboot. Upon\r\nexecution of the following commands, if a new .zip file appears on disk0: following the reload, this suggests that\r\nLine Runner was present on the device in question. Deletion of the “client_bundle_install.zip” file will remove\r\nLine Runner. Note that the malicious ZIP containing the Line Runner functionality could have other names that fit\r\nthe naming pattern outlined previously.  \r\nIf you discover a newly created .zip file, copy that file off the device using the copy command and contact\r\npsirt@cisco.com referencing CVE-2024-20359. Include the outputs of the dir disk0: and show version\r\ncommands from the device and the .zip file extracted from the device. \r\nAnti-Forensics/Anti-Analysis Capabilities \r\nUAT4356 took clear and deliberate steps to attempt to prevent forensic capture of malicious artifacts. This\r\ntradecraft suggests a thorough understanding of the ASA itself and of the forensic actions commonly performed by\r\nCisco for network device integrity validation. Additional steps were taken on a case-by-case basis to hide actions\r\nbeing taken on the device. These steps included hooking the AAA (Authentication, Authorization and Accounting)\r\nfunction of the device to allow the actor to bypass normal AAA operations. 
We also identified some instances\r\nwhere UAT4356 disabled logging to perform operations on or from the ASA and not have those operations or\r\nactions logged.  \r\nLine Dancer appears to have been intentionally placed into a difficult-to-reach region of memory. In addition, it\r\nhooks functions such as the core dump function, which is commonly used to collect information for\r\ndebugging and forensic purposes; the hook was made in memory such that this function simply jumped to a reboot.\r\nThis means that on reboot, Line Dancer itself would no longer be present and none of the collections present in the\r\ncore dump function would have been executed, all resulting in a complete loss of debug information and memory-based forensic artifacts. \r\nAttribution  \r\nAs a part of our ongoing investigation, we have also conducted analysis on possible attribution of this activity. Our\r\nattribution assessment is based on the victimology, the significant level of tradecraft employed in terms of\r\ncapability development and anti-forensic measures, and the identification and subsequent chaining together of 0-day\r\nvulnerabilities. For these reasons, we assess with high confidence that these actions were performed by a\r\nstate-sponsored actor.\r\nRecommendations \r\nThere are some known indicators of compromise that customers can look for if they suspect they may have been\r\ntargeted in this campaign. First, organizations should look for any flows to/from ASA devices to any of the IP\r\naddresses present in the IOC list provided at the bottom of this blog. This is one indication that further\r\ninvestigation is necessary. \r\nAdditionally, organizations can issue the command show memory region | include lina to identify another\r\nindicator of compromise. 
If the output indicates more than one executable memory region (memory regions\r\nhaving r-xp permissions, see output examples), especially if one of these memory sections is exactly 0x1000\r\nbytes, then this is a sign of potential tampering.   \r\nOutput of the ‘show memory region’ command for a compromised device (top) vs. a clean device\r\n(bottom).\r\nNote that the steps provided earlier to identify the presence of Line Runner can still be followed even in the\r\nabsence of more than one executable memory region, as we have seen cases where Line Runner was present\r\nwithout Line Dancer being present. We still recommend following the steps to upgrade to a patched version even\r\nif customers believe that their device has not been compromised.  \r\nNext, follow the steps detailed in the Cisco ASA Forensic Investigation Procedures for First Responders. When\r\nfollowing these procedures, first responders should NOT attempt to collect a core dump (Step 5) or reboot\r\nthe device if they believe that the device has been compromised, based on the lina memory region output.\r\nThe previous steps up to and including a collection of the memory text section should be followed. In addition, we\r\nhave released some Snort signatures to detect the activity on the wire including access attempts. Signatures 63139,\r\n62949, and 45575 have been released to detect the implants or associated behaviors. Please note that the device\r\nmust be set up to decrypt TLS for these signatures to be effective. 
\r\nCVE-2024-20353 (ASA DOS/Reboot) - 3:63139 \r\n‘Line Runner’ – Persistence Mechanism Interaction – 3:62949 \r\n‘Line Dancer’ – In-Memory Only Shellcode Interpreter Interaction – 3:45575 \r\nNote that this signature was originally built to detect an unrelated CVE but it also detects Line Dancer\r\ninteraction. \r\nIf your organization does find connections to the provided actor IPs and the crash dump functionality has been\r\naltered, please open a case with Cisco TAC.  \r\nUAT4356 Infrastructure \r\nKey components of the actor-controlled infrastructure used for this operation had an interesting overlap of SSL\r\ncertificates which match the below pattern while also appearing as an ASA, during the same period, to external\r\nscanning engines such as Shodan and Censys as reported by the CPE data on the same port as the noted SSL\r\ncertificate. The SSL certificate information suggests that the infrastructure is making use of an OpenConnect VPN\r\nServer (https://ocserv.openconnect-vpn.net) through which the actor appeared to be conducting actions on target. 
\r\nCertificate Pattern: \r\n:issuer = O=ocserv,CN=ocserv VPN \r\n:selfsigned = true \r\n:serial = 0000000000000000000000000000000000000002 \r\n:subject = O=ocserv,CN=ocserv VPN \r\n:version = v3 \r\nCPE identifiers:  \r\ncpe:2.3:a:cisco:http:*:*:*:*:*:*::\r\ncpe:2.3:h:cisco:adaptive_security_appliance:*:*:*:*:*:*:*:* \r\ncpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:* \r\nMITRE TTPs \r\nThis threat demonstrates several techniques of the MITRE ATT\u0026CK framework, most notably: \r\nLine Runner persistence mechanism (T1037),  \r\nThe reboot action via CVE-2024-20353 (T1653),  \r\nBase64 obfuscation (T1140),  \r\nHooking of the processHostScanReply() function (T0874),  \r\nDisabling syslog and tampering with AAA (T1562-001), \r\nInjection of code into AAA and Crash Dump processes (T1055),  \r\nExecution of CLI commands (T1059),  \r\nBypassing of the AAA mechanism (T1556),  \r\nRemoval of files after execution (T1070-004),  \r\nHTTP interception for C2 communications (T1557),  \r\nHTTP C2 (T1071-001),  \r\nHTTP C2 one-way backdoor (T1102-003),  \r\nData exfiltration over C2 (T1041),  \r\nNetwork sniffing (T1040)  \r\nCoverage \r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat. \r\nUmbrella, Cisco's secure internet gateway (SIG) blocks devices from connecting to malicious IPs. Sign up for a\r\nfree trial of Umbrella here. \r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center. \r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org. 
Snort SIDs for this threat are 45575, 62949 and 63139. \r\nIndicators of Compromise (IOCs)  \r\nThere are several known indicators of compromise that defenders can look for when assessing whether their ASA\r\ndevice has been compromised as a result of this attack, as outlined earlier in this post. For example, if any gaps in\r\nlogging or any recent unexpected reboots are observed, this should be treated as suspicious activity that warrants\r\nfurther investigation. Also, below is a list of IP addresses we identified as having been used by UAT4356. Please\r\nnote that some of these IPs are part of publicly known anonymization infrastructure and not directly controlled by\r\nthe attackers themselves. If your organization does find connections to the provided actor IPs and the crash dump\r\nfunctionality has been altered, please open a case with Cisco TAC. 
\r\nAcknowledgments  \r\nCisco would like to thank the following organizations for supporting this investigation: \r\nAustralian Signals Directorate’s Australian Cyber Security Centre \r\nBlack Lotus Labs at Lumen Technologies \r\nCanadian Centre for Cyber Security, a part of the Communications Security Establishment \r\nMicrosoft Threat Intelligence Center \r\nThe UK's National Cyber Security Centre (NCSC) \r\nU.S. 
Cybersecurity \u0026 Infrastructure Security Agency (CISA) \r\nSource: https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/"
	],
	"report_names": [
		"arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices"
	],
	"threat_actors": [
		{
			"id": "09b4b3f5-e9f4-4209-982a-51d90078ff18",
			"created_at": "2024-04-27T02:00:03.545351Z",
			"updated_at": "2026-04-10T02:00:03.635129Z",
			"deleted_at": null,
			"main_name": "ArcaneDoor",
			"aliases": [],
			"source_name": "MISPGALAXY:ArcaneDoor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "514e4a19-24fe-4f26-9f95-214584676528",
			"created_at": "2024-04-28T02:00:03.702905Z",
			"updated_at": "2026-04-10T02:00:03.636095Z",
			"deleted_at": null,
			"main_name": "Storm-1849",
			"aliases": [
				"UAT4356"
			],
			"source_name": "MISPGALAXY:Storm-1849",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434667,
	"ts_updated_at": 1775791685,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5a8e976a62bcc8159b3b0389b38ab06c2f9dccf5.pdf",
		"text": "https://archive.orkl.eu/5a8e976a62bcc8159b3b0389b38ab06c2f9dccf5.txt",
		"img": "https://archive.orkl.eu/5a8e976a62bcc8159b3b0389b38ab06c2f9dccf5.jpg"
	}
}