CTI Swarm

FIRESTARTER Backdoor

Strategic Summary

FIRESTARTER backdoor provides persistent access on Cisco ASA/FTD devices, enabling long-term espionage and lateral movement.

Full Text

Title: FIRESTARTER Backdoor | CISA

URL Source: https://www.cisa.gov/news-events/analysis-reports/ar26-113a


[… 35,365 characters — next zone: keyword-dense paragraphs …]

| Malware Name | FIRESTARTER |
| --- | --- |
| Original Publication | April 23, 2026 |
| Executive Summary | The Cybersecurity and Infrastructure Security Agency (CISA) analyzed a sample of FIRESTARTER malware obtained from a forensic investigation. CISA and the United Kingdom National Cyber Security Centre (NCSC) assess advanced persistent threat (APT) actors are using FIRESTARTER malware for persistence, specifically targeting publicly accessible Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. CISA and the NCSC are releasing this Malware Analysis Report to share analysis of one FIRESTARTER malware sample operating as a backdoor and urge organizations to take key response actions.<br>**Note:** The release of this Malware Analysis Report aligns with CISA’s update to [V1: Emergency Directive (ED) 25-03: Identify and Mitigate Potential Compromise of Cisco Devices](https://www.cisa.gov/news-events/directives/v1-ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices) and [Supplemental Direction ED 25-03: Core Dump and Hunt Instructions](https://www.cisa.gov/news-events/directives/supplemental-direction-ed-25-03-core-dump-and-hunt-instructions). The malware outlined in this report is relevant for both Cisco Firepower and Secure Firewall devices; however, CISA has only observed a successful implant of the malware in the wild on a Cisco Firepower device running ASA software. |
| Key Actions for U.S. FCEB Agencies | * **Collect and submit core dumps** to CISA’s Malware Next Generation platform.<br>* **Immediately report the submission** via CISA’s 24/7 Operations Center; CISA will reach out with next steps.<br>* **Take no additional action until CISA provides further guidance.** |
| Key Actions for All Other Organizations | * **Use the YARA rules** to detect FIRESTARTER malware against either a disk image or core dump of a device.<br>* **Report any findings to CISA or the NCSC.**<br>* **If compromise is confirmed**, conduct incident response actions. |
| Intended Audience | **Organizations:** Government and critical infrastructure organizations (**Note:** While this publication supplements CISA ED 25-03, the guidance is applicable to all organizations, including U.K. |

* Maintain all systems and software with the latest security patches, prioritizing expedited remediation of vulnerabilities […]

* […]

[… 34,838 characters — next zone: tail …]
