Last updated: July 5, 2026 at 9:01 AM UTC
Tag: china-apt (13 articles)

CISA and UK NCSC warn 'FIRESTARTER' backdoor survives Cisco ASA/Firepower patches - US agency compromised, hardware replacement recommended

CISA and the UK's National Cyber Security Centre jointly published a malware analysis report for FIRESTARTER, a persistent backdoor that China-linked group UAT-4356 (the same crew behind 2024's ArcaneDoor campaign) planted on Cisco ASA and Firepower firewall devices by chaining CVE-2025-20333 (VPN web server RCE) and CVE-2025-20362 (unauthorized access). The implant hooks into Cisco's Service Platform mount list, a boot-time configuration that controls which programs run when the device starts, so it survives reboots, firmware upgrades, and the September 2025 patches for those two CVEs. CISA found FIRESTARTER on an already-patched US federal civilian agency's Cisco Firepower device through continuous network monitoring - attackers silently returned in March 2026 to deploy a second-stage implant called Line Viper without needing to re-exploit the original vulnerabilities. Updated Emergency Directive ED 25-03 now orders federal agencies to audit every Cisco ASA and Firepower device they run and submit device memory snapshots for CISA analysis. The stark guidance for everyone else: if you confirm a compromise, replace the hardware. Reimaging is not enough because the bootloader itself may be implanted.

Check
Inventory every Cisco ASA and Firepower Threat Defense device in your environment - including branch offices, remote sites, and lab gear - and check patch status against CVE-2025-20333 and CVE-2025-20362 as the absolute minimum baseline.
Affected
Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices running ASA/FTD software, particularly any units that were internet-exposed and unpatched between the September 2025 patch release and the date you actually applied it. Devices patched in that window may still carry the FIRESTARTER implant because the backdoor survives patching.
Fix
Patch any ASA/FTD device still vulnerable to CVE-2025-20333 or CVE-2025-20362 immediately. Then perform a core dump on every device following CISA's supplemental direction and look for FIRESTARTER indicators described in MAR AR26-113A and the joint advisory AA26-113A. Any device showing indicators of compromise must be replaced with new hardware - do not trust reimaging or factory reset, because the persistence mechanism modifies the Cisco Service Platform mount list and the bootloader may be affected. Rotate all VPN credentials and admin passwords on affected devices. Hunt for Line Viper and review firewall logs for unexpected outbound connections from management interfaces for the period after initial patching.

China-linked spies named 'GopherWhisper' targeted Mongolian government using Slack, Discord, and Outlook drafts as their command channel

ESET disclosed GopherWhisper, a previously undocumented China-linked spy group active since at least November 2023 and targeting Mongolian government systems. The group's defining trick: instead of building its own command-and-control servers, it sends instructions through ordinary cloud services - private Slack channels, Discord servers, Outlook draft email folders, and the file.io file-sharing service. Because the malware traffic looks like normal Slack and Discord usage, network monitoring tools largely ignore it. ESET extracted thousands of operator messages from the attackers' own Slack and Discord workspaces, and even found a 'How to write RATs.txt' file in their Downloads folder.

Check
Audit which corporate endpoints have outbound access to slack.com, discord.com, graph.microsoft.com, and file.io without a clear business reason.
Affected
Organizations with operations in Mongolia or staff working on Indo-Pacific affairs. More broadly: any environment where outbound HTTPS to Slack, Discord, Microsoft Graph, or file.io is allowed by default - which is most corporate networks. Build servers, jump hosts, and developer machines are at acute risk because they need outbound HTTPS but have no business reason to talk to Slack or Discord.
Fix
Restrict outbound HTTPS to Slack, Discord, and file.io to only endpoints with a documented business reason. Alert on outbound traffic to those services from servers and developer machines that shouldn't be using them. In Microsoft 365, audit OAuth grants and alert on draft email creation in unfamiliar mailboxes. Block file.io entirely if you have no use case. ESET's GitHub repo lists the indicators.
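One way to operationalize that egress policy, as an added example and not ESET's tooling: it evaluates constructed proxy log lines against an assumed host-role inventory and an assumed register of documented exceptions, alerting only on the services the report names (Slack, Discord, Microsoft Graph, file.io).

```python
import re
from collections import namedtuple

# Cloud services the report names as command channels (added example, not ESET code).
WATCHED = ("slack.com", "discord.com", "graph.microsoft.com", "file.io")
# Assumed host inventory (hostname -> role) and register of documented exceptions.
HOST_ROLES = {"ws-alice": "workstation", "build-01": "build",
              "jump-02": "jumphost", "dev-bob": "developer"}
EXCEPTIONS = {("ws-alice", "slack.com")}
# Assumed proxy log format: "<timestamp> <host> CONNECT <dest>:443".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) CONNECT (?P<dest>[\w.-]+):443$")
Alert = namedtuple("Alert", "ts host dest reason")

def watched_service(dest):
    """Suffix match so subdomains such as hooks.slack.com are caught too."""
    for svc in WATCHED:
        if dest == svc or dest.endswith("." + svc):
            return svc
    return None

def evaluate(line):
    """Return an Alert for one log line, or None when the connection is allowed."""
    m = LOG_RE.match(line)
    svc = watched_service(m["dest"]) if m else None
    if svc is None:
        return None
    host, role = m["host"], HOST_ROLES.get(m["host"], "unknown")
    if svc == "file.io":  # no business use case: always alert
        return Alert(m["ts"], host, m["dest"], "file.io is blocked outright")
    if (host, svc) in EXCEPTIONS:
        return None
    if svc == "graph.microsoft.com" and role == "workstation":
        return None  # ordinary Microsoft 365 client traffic from a user endpoint
    return Alert(m["ts"], host, m["dest"], f"{role} host reached {svc} without a documented reason")

def find_alerts(log_text):
    return [a for a in map(evaluate, log_text.splitlines()) if a]

# Constructed sample proxy log: one permitted Slack user, a build host on Discord,
# a developer box on file.io, and a jump host touching Microsoft Graph.
SAMPLE_LOG = """\
2026-07-01T10:00:01Z ws-alice CONNECT hooks.slack.com:443
2026-07-01T10:00:05Z build-01 CONNECT discord.com:443
2026-07-01T10:01:09Z dev-bob CONNECT file.io:443
2026-07-01T10:02:00Z ws-alice CONNECT graph.microsoft.com:443
2026-07-01T10:02:30Z jump-02 CONNECT graph.microsoft.com:443
2026-07-01T10:03:00Z build-01 CONNECT pypi.org:443
"""
for a in find_alerts(SAMPLE_LOG):
    print(f"{a.ts} {a.host} -> {a.dest}: {a.reason}")
```

Feed it your proxy's CONNECT log in the assumed format and keep the exception register in version control so each entry carries its business justification.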

Chinese APT Mustang Panda's new LOTUSLITE variant hits Indian banks and South Korean policy circles via CHM lures

Acronis researchers have spotted a new variant of LOTUSLITE, a backdoor associated with the Chinese nation-state group Mustang Panda, now distributed via lures tied to India's banking sector and, in a parallel campaign, impersonating figures from South Korea's Korean-peninsula-policy community. The shift is notable: prior LOTUSLITE activity targeted U.S. government and policy entities with U.S.-Venezuela geopolitical decoys, but this wave pivots the targeting while keeping the delivery playbook intact. The infection chain starts with a Compiled HTML (CHM) file - a legacy Microsoft help-file format that can embed executables and scripts - containing a legitimate signed binary, a rogue DLL, and an HTML pop-up that asks the user to click 'Yes.' Clicking it silently fetches JavaScript malware from cosmosmusic[.]com, which extracts and runs the DLL side-loading chain (trusted EXE loads attacker-supplied DLL) using dnx.onecore.dll as the malicious payload. The backdoor talks HTTPS to editor.gleeze[.]com over dynamic DNS, with remote shell access, file operations, and session management - a classic espionage toolkit. The Indian campaign uses HDFC Bank-themed pop-ups masquerading as legitimate banking software; the South Korean campaign uses spoofed Gmail accounts and Google Drive staging to impersonate a prominent Korean peninsula policy figure. This is active, tailored, human-operated espionage, not a commodity campaign.

Check
Block CHM file delivery through email and web download gateways, hunt for any instance of dnx.onecore.dll on disk, and alert on DNS resolutions to cosmosmusic[.]com or editor.gleeze[.]com across your network.
Affected
Indian banking, financial services, and corporate employees handling HDFC Bank relationships (target set includes anyone social-engineered with banking-software lures). South Korean policy, diplomatic, think-tank, and government staff working on Korean-peninsula affairs, North Korea policy, or Indo-Pacific security dialogues. Any organisation where users can still open CHM files by default - Windows does not block them.
Fix
Add a mail-transport-agent rule blocking .chm attachments outright. Block CHM execution on endpoints via AppLocker or WDAC application-control policies. Enforce DNS filtering with sinkholes for cosmosmusic[.]com and editor.gleeze[.]com and monitor for similar dynamic-DNS patterns resolving from workstations that never used them before. Run EDR hunts for hh.exe (the CHM viewer) spawning script interpreters or unusual DLL loads, and specifically for dnx.onecore.dll. Provide targeted phishing-awareness training to India-based banking staff and any employees on Korean-peninsula policy briefs, including the specific lure patterns (HDFC Bank pop-ups, spoofed Gmail from named policy figures).
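The hunts above expressed as rules over endpoint telemetry, as an added example that is not Acronis' code: the Sysmon-like JSON event schema, host names and file paths are assumptions and the sample events are constructed; only the two C2 domains and the DLL name come from the report.

```python
import json

# Indicators from the report, written defanged as published and refanged here.
C2_DOMAINS = {d.replace("[.]", ".") for d in ("cosmosmusic[.]com", "editor.gleeze[.]com")}
MALICIOUS_DLL = "dnx.onecore.dll"
# Script hosts a CHM viewer (hh.exe) has no good reason to spawn.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "cmd.exe"}

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def hunt(event):
    """Return a finding for one telemetry event, or None. The event schema
    (Sysmon-like JSON with type/image/parent_image/image_loaded/query) is assumed."""
    kind = event.get("type")
    if kind == "process_create":
        if basename(event["parent_image"]) == "hh.exe" and basename(event["image"]) in SCRIPT_HOSTS:
            return f"hh.exe spawned {basename(event['image'])}"
    elif kind == "image_load":
        if basename(event["image_loaded"]) == MALICIOUS_DLL:
            return f"{MALICIOUS_DLL} side-loaded by {basename(event['image'])}"
    elif kind == "dns_query":
        q = event["query"].lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in C2_DOMAINS):
            return f"DNS lookup of LOTUSLITE C2 domain {q}"
    return None

def run_hunt(jsonl):
    """Apply hunt() to every JSON line; returns (host, finding) pairs."""
    findings = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        f = hunt(ev)
        if f:
            findings.append((ev["host"], f))
    return findings

# Constructed sample telemetry; "update.exe" stands in for the unnamed signed binary.
SAMPLE_EVENTS = r"""
{"type": "process_create", "host": "fin-ws-07", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\hh.exe"}
{"type": "process_create", "host": "fin-ws-07", "parent_image": "C:\\Windows\\hh.exe", "image": "C:\\Windows\\System32\\wscript.exe"}
{"type": "image_load", "host": "fin-ws-07", "image": "C:\\Users\\u\\AppData\\Local\\Temp\\update.exe", "image_loaded": "C:\\Users\\u\\AppData\\Local\\Temp\\dnx.onecore.dll"}
{"type": "image_load", "host": "fin-ws-07", "image": "C:\\Windows\\hh.exe", "image_loaded": "C:\\Windows\\System32\\kernel32.dll"}
{"type": "dns_query", "host": "fin-ws-07", "query": "editor.gleeze.com"}
{"type": "dns_query", "host": "pol-ws-03", "query": "www.example.com"}
"""
for host, finding in run_hunt(SAMPLE_EVENTS):
    print(host, finding)
```

The first event (Explorer launching hh.exe) is deliberately benign so the process rule fires on the parent-child pair, not on hh.exe alone.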