S1186: Line Dancer
Line Dancer is a memory-only Lua-based shellcode loader associated with the ArcaneDoor campaign. Line Dancer allows an adversary to upload and execute arbitrary shellcode on victim devices.[1][2]
Analyst context for executives and security teams
Line Dancer matters because it represents malware designed for perimeter network devices, not ordinary endpoints. ATT&CK describes it as a memory-only Lua-based shellcode loader that can upload and execute arbitrary shellcode on victim devices, and associates it with the ArcaneDoor campaign. For leaders, the key issue is visibility: network appliances often sit in critical traffic paths but may have weaker logging, shorter forensic retention, and less EDR-style coverage than servers or workstations.
Executive priority
Prioritize validation of security controls and incident response readiness for perimeter network devices, especially VPN concentrators and other externally exposed appliances. This software entry is material to business continuity and audit readiness because compromise of a network device can affect remote access, traffic inspection, credential exposure, and evidence collection. Executives should ask whether these devices are inventoried, patched, centrally logged, monitored for unusual management and web-protocol activity, and covered by a tested response process.
Technical view
ATT&CK provides no official detection text for Line Dancer, so defenders should build coverage from the supported platform and the mapped techniques. Focus on Network Devices and the behaviors mapped below: Network Device CLI execution, web-protocol command and control over HTTP POST, network sniffing, system information discovery via configuration dumps, exfiltration over the existing C2 channel, defense impairment by disabling syslog, manipulation of the crash dump and reboot process, base64 decoding of delivered payloads, and rootkit-style hooking of crash dump and AAA functions. SOC and IR teams should validate whether appliance logs, configuration changes, management sessions, process/script execution where available, and network egress telemetry are retained long enough to investigate memory-resident activity that will not survive a reboot.
Likely telemetry
- Network device system, admin, VPN, and management logs
- Configuration change records and command accounting logs where supported
- Authentication events for administrative and remote access interfaces
- Network egress flow records from perimeter devices
- HTTP/HTTPS or other web-protocol metadata associated with device-originated traffic
Detection direction
- Confirm that network devices, not only endpoints and servers, are included in detection engineering scope.
- Hunt for unusual administrative CLI activity, missing or disabled command history/accounting, unexpected configuration changes, and abnormal management access patterns.
- Baseline device-originated web-protocol traffic and investigate unusual destinations, timing, volume, or encoded-looking communications consistent with C2 or exfiltration over C2.
- Correlate network sniffing indicators with interface mode changes, diagnostic captures, SPAN-like behavior, or unexplained packet capture activity where device telemetry supports it.
- Account for false positives from legitimate administrator diagnostics, vendor support activity, scripted maintenance, and monitoring tools.
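The hunt items above (disabled logging, configuration dumps, packet captures, abnormal admin sources) can be expressed as a small rule set over command-accounting logs. The script below is an added example written for this page, not code from Cisco Talos, MITRE, or the ArcaneDoor reporting; the log lines are constructed and only loosely modelled on Cisco ASA `%ASA-5-111010` command-accounting messages (that format, the `10.20.0.0/24` management subnet, and the hostnames are assumptions for illustration).

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines, loosely modelled on Cisco ASA command-accounting
# syslog. The %ASA-5-111010 format is assumed for illustration and was not
# copied from a real device.
SAMPLE_LOG = """\
<166>Jan 06 2025 10:01:12 fw-edge-01 %ASA-5-111010: User 'netops', running 'CLI' from IP 10.20.0.15, executed 'show version'
<166>Jan 06 2025 10:03:40 fw-edge-01 %ASA-5-111010: User 'netops', running 'CLI' from IP 10.20.0.15, executed 'show running-config'
<166>Jan 06 2025 11:15:02 fw-edge-01 %ASA-5-111010: User 'enable_15', running 'CLI' from IP 203.0.113.77, executed 'no logging enable'
<166>Jan 06 2025 11:15:05 fw-edge-01 %ASA-5-111010: User 'enable_15', running 'CLI' from IP 203.0.113.77, executed 'show configuration'
<166>Jan 06 2025 11:15:09 fw-edge-01 %ASA-5-111010: User 'enable_15', running 'CLI' from IP 203.0.113.77, executed 'capture cap1 interface outside'
<166>Jan 06 2025 11:16:30 fw-edge-01 %ASA-5-111010: User 'netops', running 'CLI' from IP 10.20.0.15, executed 'show logging'
"""

LINE_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%ASA-\d-11101\d: User '(?P<user>[^']+)', running '[^']+' "
    r"from IP (?P<ip>[\d.]+), executed '(?P<cmd>[^']+)'$"
)

# Command patterns worth a look on a perimeter device. Each tag lines up with a
# behaviour listed for Line Dancer on this page (syslog disabled, config dump,
# packet capture). The patterns are illustrative, not a vendor rule set.
COMMAND_RULES = {
    "logging_impaired": re.compile(r"^(no\s+logging\b|clear\s+logging\b)"),
    "config_dump":      re.compile(r"^show\s+(configuration|running-config|startup-config)\b"),
    "packet_capture":   re.compile(r"^(capture\s|copy\s+/pcap\b)"),
}


def parse_line(line):
    """Return the fields of one accounting line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def hunt(log_text, admin_nets):
    """Return one finding per command that matches a rule or comes from outside
    the expected management networks."""
    nets = [ipaddress.ip_network(n) for n in admin_nets]
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        tags = [tag for tag, rx in COMMAND_RULES.items() if rx.search(rec["cmd"])]
        if not any(ipaddress.ip_address(rec["ip"]) in n for n in nets):
            tags.append("non_admin_source")
        if tags:
            findings.append({**rec, "tags": tags})
    return findings


def score_actors(findings):
    """Aggregate tags per (user, source IP). An actor that both impairs logging
    and dumps configuration or captures packets is the pattern to escalate;
    a lone config dump from the management subnet is routine admin work."""
    by_actor = defaultdict(set)
    for f in findings:
        by_actor[(f["user"], f["ip"])].update(f["tags"])
    scored = {}
    for actor, tags in by_actor.items():
        high = "logging_impaired" in tags and bool(tags & {"config_dump", "packet_capture"})
        scored[actor] = {"tags": sorted(tags), "severity": "high" if high else "review"}
    return scored


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG, ["10.20.0.0/24"])
    for f in found:
        print(f["ts"], f["user"], f["ip"], repr(f["cmd"]), f["tags"])
    for actor, s in score_actors(found).items():
        print(actor, s)
```

On the constructed input, `netops` from the management subnet produces a single `review` finding for its config dump, while `enable_15` from `203.0.113.77` is scored `high` because it disables logging and then dumps configuration and starts a capture. The per-actor aggregation is the part that matters: each command alone has a legitimate explanation (the false-positive sources listed above), and it is the sequence on one session that reflects the page's description of Line Dancer.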
Mitigation priorities
- Maintain an authoritative inventory of perimeter network devices, exposed management surfaces, software versions, and logging capabilities.
- Restrict administrative access to trusted management networks and enforce strong authentication and role-based access where supported.
- Centralize and retain device logs, command accounting, authentication records, and configuration backups for incident investigation and compliance evidence.
- Apply vendor-supported updates and hardening guidance for affected network appliances as part of vulnerability and exposure management.
- Monitor and control outbound traffic from network devices, especially unexpected web-protocol communications to external destinations.
Analyst notes and limits
This take is based on the ATT&CK S1186 software object, its external references, and relationship context. The most decision-relevant point is not a specific signature but the operational blind spot: perimeter devices may be high-value, externally reachable, and under-instrumented compared with conventional endpoints.
ATT&CK does not provide official detection guidance, aliases, labels, or tactics directly on the Line Dancer object. Local device models, firmware versions, logging features, network architecture, and vendor advisories are required to determine actual exposure, telemetry availability, and response actions.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Line Dancer shellcode payloads are base64 encoded when transmitted to compromised devices.[2] |
| Enterprise | T1690 | Prevent Command History Logging | Line Dancer can disable syslog on compromised devices.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Line Dancer exfiltrates collected data via command and control channels.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Line Dancer uses HTTP POST requests to interact with compromised devices.[1][2] |
| Enterprise | T1014 | Rootkit | Line Dancer can hook both the crash dump process and the Authentication, Authorization, and Accounting (AAA) functions on compromised machines to evade forensic analysis and authentication mechanisms.[1] |
| Enterprise | T1653 | Power Settings | Line Dancer can modify the crash dump process on infected machines to skip crash dump generation and proceed directly to device reboot, for both persistence and forensic evasion purposes.[1] |
| Enterprise | T1040 | Network Sniffing | Line Dancer can create and exfiltrate packet captures from compromised environments.[1] |
| Enterprise | T1059.008 | Command and Scripting Interpreter: Network Device CLI | Line Dancer can execute native commands in networking device command line interfaces.[1][2] |
| Enterprise | T1082 | System Information Discovery | Line Dancer can gather system configuration information by running the native `show configuration` command.[1] |
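The T1071.001 and T1140 rows (HTTP POST interaction, base64-encoded shellcode) and the earlier detection note about baselining device-originated web-protocol traffic suggest a second, traffic-side check that complements the CLI hunt. The following is an added example for this page, not code from the original page or from the ArcaneDoor reporting: it scores constructed HTTP transaction records (the kind a reverse proxy, TLS-inspecting gateway, or L7-aware flow collector might emit) by flagging POST bodies that are valid base64 decoding to high-entropy bytes, which is what a shellcode stage looks like and what readable text or form data does not, and by flagging any device-originated POST to a destination outside an egress allowlist. The device IP `192.0.2.1`, the allowlisted host `192.0.2.10`, the paths, and the 6.0-bit entropy threshold are all assumptions for illustration.

```python
import base64
import binascii
import hashlib
import math
import re

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~4-5 for text/config, ~7+ for shellcode or ciphertext."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_encoded_blob(body: str, min_len: int = 64, entropy_threshold: float = 6.0) -> bool:
    """True when the body is valid base64 whose decoded bytes are high-entropy.
    Form data fails the alphabet check; base64 of a config dump decodes to
    low-entropy text and fails the threshold."""
    if len(body) < min_len or not B64_RE.match(body):
        return False
    try:
        decoded = base64.b64decode(body, validate=True)
    except (ValueError, binascii.Error):
        return False
    return shannon_entropy(decoded) >= entropy_threshold


def assess(records, device_ips, allowed_egress):
    """Return findings for POSTs to or from the device that match either
    heuristic. Inbound POSTs are only interesting when the body looks like an
    encoded blob; VPN logins from the internet are normal traffic. Outbound
    POSTs from the appliance are interesting whenever the destination is not
    baselined, regardless of body, since exfiltration of config is plain text."""
    findings = []
    for r in records:
        if r["method"] != "POST":
            continue
        reasons = []
        if r["dst"] in device_ips and looks_like_encoded_blob(r["body"]):
            reasons.append("inbound_encoded_blob")
        if r["src"] in device_ips and r["dst"] not in allowed_egress:
            reasons.append("device_egress_unbaselined")
            if looks_like_encoded_blob(r["body"]):
                reasons.append("egress_encoded_blob")
        if reasons:
            findings.append({"src": r["src"], "dst": r["dst"], "path": r["path"], "reasons": reasons})
    return findings


# Constructed sample records. _BLOB is 512 deterministic pseudo-random bytes
# standing in for a shellcode stage; _CONFIG stands in for an exfiltrated
# configuration dump. Neither is real ArcaneDoor data.
_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
_CONFIG = b"hostname fw-edge-01\ninterface GigabitEthernet0/0\n nameif outside\n" * 8
SAMPLE_RECORDS = [
    {"ts": "2025-01-06T11:14:50Z", "src": "198.51.100.9", "dst": "192.0.2.1",
     "method": "POST", "path": "/", "body": base64.b64encode(_BLOB).decode()},
    {"ts": "2025-01-06T11:14:58Z", "src": "198.51.100.20", "dst": "192.0.2.1",
     "method": "POST", "path": "/login", "body": "username=alice&password=REDACTED"},
    {"ts": "2025-01-06T11:17:02Z", "src": "192.0.2.1", "dst": "203.0.113.50",
     "method": "POST", "path": "/upload", "body": base64.b64encode(_CONFIG).decode()},
    {"ts": "2025-01-06T11:20:00Z", "src": "192.0.2.1", "dst": "192.0.2.10",
     "method": "POST", "path": "/telemetry", "body": "status=ok"},
    {"ts": "2025-01-06T11:21:10Z", "src": "198.51.100.20", "dst": "192.0.2.1",
     "method": "GET", "path": "/", "body": ""},
]

if __name__ == "__main__":
    for f in assess(SAMPLE_RECORDS, {"192.0.2.1"}, {"192.0.2.10"}):
        print(f)
```

Two records are flagged on the constructed input: the inbound POST carrying the high-entropy blob, and the appliance's own POST of a config dump to an address that is not on the egress allowlist. The login form and the POST to the allowlisted telemetry host pass. In practice the entropy threshold needs tuning per environment, because compressed legitimate uploads also score high; the egress allowlist is the stronger signal on a device that should initiate very little web traffic of its own.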
Groups, software, and campaigns
C0046: ArcaneDoor
ArcaneDoor is a campaign targeting networking devices from Cisco and other vendors between July 2023 and April 2024, primarily focused on government and critical infrastructure networks. ArcaneDoor is associated with the deployment of the custom backdoors Line Runner and Line Dancer. ArcaneDoor is attributed to a group referred to as UAT4356 or STORM-1849, and is assessed to be a state-sponsored campaign.[1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a1fae2aae43b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Cisco ArcaneDoor 2024. Cisco Talos. (2024, April 24). ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices. Retrieved January 6, 2025.
[2] CCCS ArcaneDoor 2024. Canadian Centre for Cyber Security. (2024, April 24). Cyber Activity Impacting CISCO ASA VPNs. Retrieved January 6, 2025.
[3] mitre-attack S1186. MITRE ATT&CK source object for Line Dancer.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.