FIRESTARTER Backdoor
Malware Analysis Report at a Glance

Malware Name: FIRESTARTER

Original Publication: April 23, 2026

Executive Summary:
The Cybersecurity and Infrastructure Security Agency (CISA) analyzed a sample of FIRESTARTER malware obtained from a forensic investigation. CISA and the United Kingdom National Cyber Security Centre (NCSC) assess that advanced persistent threat (APT) actors are using FIRESTARTER malware for persistence, specifically targeting publicly accessible Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. CISA and the NCSC are releasing this Malware Analysis Report to share analysis of one FIRESTARTER malware sample operating as a backdoor and to urge organizations to take key response actions.

Note: The release of this Malware Analysis Report aligns with CISA’s update to V1: Emergency Directive (ED) 25-03: Identify and Mitigate Potential Compromise of Cisco Devices (https://www.cisa.gov/news-events/directives/v1-ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices) and Supplemental Direction ED 25-03: Core Dump and Hunt Instructions (https://www.cisa.gov/news-events/directives/supplemental-direction-ed-25-03-core-dump-and-hunt-instructions). The malware outlined in this report is relevant for both Cisco Firepower and Secure Firewall devices; however, CISA has only observed a successful implant of the malware in the wild on a Cisco Firepower device running ASA software.

Key Actions for U.S. FCEB Agencies:
- Collect and submit core dumps to CISA’s Malware Next Generation platform.
- Immediately report the submission via CISA’s 24/7 Operations Center; CISA will reach out with next steps.
- Take no additional action until CISA provides further guidance.

Key Actions for All Other Organizations:
- Use the YARA rules to detect FIRESTARTER malware against either a disk image or core dump of a device.
- Report any findings to CISA or the NCSC.
- If compromise is confirmed, conduct incident response actions.

Intended Audience:
Organizations: Government and critical infrastructure organizations (Note: While this publication supplements CISA ED 25-03, the guidance is applicable to all organizations, including U.K. organizations.)
Sector: Government Services and Facilities Sector
Roles: Digital forensics analysts (https://niccs.cisa.gov/tools/nice-framework/work-role/digital-forensics), incident responders (https://niccs.cisa.gov/tools/nice-framework/work-role/incident-response)
Originally published by CISA
Source: https://www.cisa.gov/news-events/analysis-reports/ar26-113a