C0046: ArcaneDoor
ArcaneDoor is a campaign targeting networking devices from Cisco and other vendors between July 2023 and April 2024, primarily focused on government and critical infrastructure networks. ArcaneDoor is associated with the deployment of the custom backdoors Line Runner and Line Dancer. ArcaneDoor is attributed to a group referred to as UAT4356 or STORM-1849, and is assessed to be a state-sponsored campaign.[1][2]
Analyst context for executives and security teams
ArcaneDoor matters because it shows how compromise of perimeter networking devices can become a business continuity and incident response problem, not just a malware issue. The campaign is described by ATT&CK as targeting Cisco and other networking devices, primarily in government and critical infrastructure networks, and using custom backdoors associated with execution of Lua scripts or shellcode. For leaders, the key question is whether edge devices are inventoried, monitored, recoverable, and included in incident response evidence collection.
Executive priority
Prioritize this as an edge-device resilience and visibility issue. Network devices often sit outside normal endpoint detection coverage, yet they can affect remote access, traffic visibility, credential exposure, and continuity of critical services. Executives should ask for evidence that public-facing network appliances, VPNs, and management interfaces are known, patched or risk-accepted, logged centrally, and covered by response playbooks that include firmware/configuration validation and replacement criteria.
Technical view
ATT&CK provides no campaign-specific detection text, so defenders should validate coverage against the related behaviors: exploitation of public-facing systems and external remote services; web-protocol command and control; automated collection and exfiltration; network sniffing and adversary-in-the-middle positioning; persistence through initialization scripts or authentication-process modification; stealth through masquerading, file deletion, deobfuscation, process injection, and rootkit-like behavior. Because the associated Line Runner and Line Dancer software are described for Network Devices, SOC and IR teams should confirm they can collect and preserve appliance logs, configuration snapshots, management-plane activity, network flow, TLS/certificate observations, and outbound web traffic from perimeter devices.
Likely telemetry
- Network device system, audit, authentication, and administrative logs
- VPN and external remote service access logs
- Configuration and startup/boot script change records
- Firmware, image, and file integrity evidence where available
- Management-plane access records and command history where available
Detection direction
- Validate that network devices are treated as monitored assets, not just infrastructure, with logs forwarded and retained before an incident occurs.
- Hunt for unusual management access, unexpected configuration changes, new or altered initialization scripts, and authentication-process changes on perimeter devices.
- Review outbound web-protocol traffic from networking devices, especially where those devices normally should not initiate broad external communications.
- Correlate automated collection or exfiltration indicators with network flows rather than relying only on endpoint telemetry.
- Account for stealth behaviors such as masquerading and file deletion by comparing device state against known-good configurations and backups.
Mitigation priorities
- Maintain a current inventory of Internet-facing networking devices, VPNs, and management interfaces, including ownership and criticality.
- Restrict and monitor administrative access to network devices; separate management planes from general user networks where feasible.
- Prioritize timely remediation and risk acceptance tracking for weaknesses in public-facing network appliances and remote services.
- Centralize logs from network devices and test that SOC and IR teams can retrieve them during an incident.
- Back up known-good configurations and define recovery procedures for rebuilding or replacing compromised edge devices.
Analyst notes and limits
This Glexia take is based on the ATT&CK campaign object for ArcaneDoor, its official description, external references, and listed relationships to Line Runner, Line Dancer, and related techniques. The strongest defensive theme is perimeter network device readiness: visibility, configuration assurance, remote access governance, and IR recoverability.
ATT&CK does not provide platform or tactic values directly on the ArcaneDoor campaign object and does not include official detection guidance. Technique and software relationships provide useful defensive context, but local device models, firmware versions, logging capabilities, network architecture, and business criticality are required to determine actual exposure or coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1102.003 | One-Way Communication | ArcaneDoor utilized HTTP command and control traffic where commands are intercepted from HTTP traffic to the device, parsed for appropriate identifiers and commands, and then executed. [1] |
| Enterprise | T1037 | Boot or Logon Initialization Scripts | ArcaneDoor used malicious boot scripts to install the Line Runner backdoor on victim devices. [1] |
| Enterprise | T1036 | Masquerading | ArcaneDoor involved the use of digital certificates on adversary-controlled network infrastructure that mimicked the formatting used by legitimate Cisco ASA appliances. [1] |
| Enterprise | T1583.003 | Virtual Private Server | ArcaneDoor included the use of dedicated, adversary-controlled virtual private servers for command and control. [1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | ArcaneDoor included use of existing command and control channels for data exfiltration. [1][2] |
| Enterprise | T1587.003 | Digital Certificates | ArcaneDoor included acquiring digital certificates mimicking patterns associated with Cisco ASA appliances for command and control infrastructure. [1] |
| Enterprise | T1653 | Power Settings | ArcaneDoor involved exploitation of CVE-2024-20353 to force a victim Cisco ASA to reboot, triggering the automated unzipping and execution of the Line Runner implant. [1] |
| Enterprise | T1583.006 | Web Services | ArcaneDoor included the use of OpenConnect VPN Server instances for conducting actions on victim devices. [1] |
| Enterprise | T1020 | Automated Exfiltration | ArcaneDoor included scripted exfiltration of collected data. [2] |
| Enterprise | T1557 | Adversary-in-the-Middle | ArcaneDoor included interception of HTTP traffic to victim devices to identify and parse command and control information sent to the device. [1] |
| Enterprise | T1587.001 | Malware | ArcaneDoor featured the development and deployment of two unique malware types, Line Dancer and Line Runner. [1][2] |
| Enterprise | T1119 | Automated Collection | ArcaneDoor included collection of packet capture and system configuration information. [2] |
| Enterprise | T1014 | Rootkit | ArcaneDoor included hooking the `processHostScanReply()` function on victim Cisco ASA devices. [1] |
| Enterprise | T1556 | Modify Authentication Process | ArcaneDoor included modification of the AAA process to bypass authentication mechanisms. [1] |
| Enterprise | T1040 | Network Sniffing | ArcaneDoor included network packet capture and sniffing for data collection in victim environments. [1][2] |
| Enterprise | T1070.004 | File Deletion | ArcaneDoor included multiple instances of file deletion or removal during execution and other adversary actions. [1][2] |
| Enterprise | T1059 | Command and Scripting Interpreter | ArcaneDoor included the adversary executing command line interface (CLI) commands. [1] |
| Enterprise | T1690 | Prevent Command History Logging | ArcaneDoor included disabling logging on targeted Cisco ASA appliances. [1][2] |
| Enterprise | T1685 | Disable or Modify Tools | ArcaneDoor modified the Authentication, Authorization, and Accounting (AAA) function of targeted Cisco ASA appliances to allow the threat actor to bypass normal AAA operations. [1][2] |
| Enterprise | T1190 | Exploit Public-Facing Application | ArcaneDoor abused WebVPN traffic to targeted devices to achieve unauthorized remote code execution. [2] |
| Enterprise | T1082 | System Information Discovery | ArcaneDoor included collection of victim device configuration information. [2] |
| Enterprise | T1071.001 | Web Protocols | ArcaneDoor command and control activity was conducted through HTTP. [1] |
| Enterprise | T1133 | External Remote Services | ArcaneDoor used WebVPN sessions commonly associated with Clientless SSLVPN services to communicate to compromised devices. [2] |
| Enterprise | T1055 | Process Injection | ArcaneDoor included injecting code into the AAA and Crash Dump processes on infected Cisco ASA devices. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | ArcaneDoor involved the use of Base64 obfuscated scripts and commands. [1] |
Groups, software, and campaigns
S1186: Line Dancer
Line Dancer is a memory-only Lua-based shellcode loader associated with the ArcaneDoor campaign. Line Dancer allows an adversary to upload and execute arbitrary shellcode on victim devices.[1][2]
S1188: Line Runner
Line Runner is a persistent backdoor and web shell allowing threat actors to upload and execute arbitrary Lua scripts. Line Runner is associated with the ArcaneDoor campaign.[1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 03554bf3f7c7… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Cisco ArcaneDoor 2024. Cisco Talos. (2024, April 24). ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices. Retrieved January 6, 2025.
[2] CCCS ArcaneDoor 2024. Canadian Centre for Cyber Security. (2024, April 24). Cyber Activity Impacting CISCO ASA VPNs. Retrieved January 6, 2025.
[3] mitre-attack C0046.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.