Auto-CTI

FIRESTARTER Backdoor

KEV CRITICAL Cisco FIRESTARTER CVE-2025-20333 CVE-2025-20362 Cisco Firepower

Strategic Summary

FIRESTARTER backdoor provides persistent access on Cisco ASA/FTD devices, enabling long-term espionage and lateral movement.


Full Text


**Malware Name:** FIRESTARTER

**Original Publication:** April 23, 2026

**Executive Summary:** The Cybersecurity and Infrastructure Security Agency (CISA) analyzed a sample of FIRESTARTER malware obtained from a forensic investigation. CISA and the United Kingdom National Cyber Security Centre (NCSC) assess advanced persistent threat (APT) actors are using FIRESTARTER malware for persistence, specifically targeting publicly accessible Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. CISA and the NCSC are releasing this Malware Analysis Report to share analysis of one FIRESTARTER malware sample operating as a backdoor and urge organizations to take key response actions.

**Note:** The release of this Malware Analysis Report aligns with CISA’s update to V1: Emergency Directive (ED) 25-03: Identify and Mitigate Potential Compromise of Cisco Devices and Supplemental Direction ED 25-03: Core Dump and Hunt Instructions. The malware outlined in this report is relevant for both Cisco Firepower and Secure Firewall devices; however, CISA has only observed a successful implant of the malware in the wild on a Cisco Firepower device running ASA software.

**Key Actions for U.S. FCEB Agencies:**

* **Collect and submit core dumps** to CISA’s Malware Next Generation platform.
* **Immediately report the submission** via CISA’s 24/7 Operations Center; CISA will reach out with next steps.
* **Take no additional action until CISA provides further guidance.**

**Key Actions for All Other Organizations:**

* **Use the YARA rules** to detect FIRESTARTER malware against either a disk image or core dump of a device.
* **Report any findings to CISA or the NCSC.**
* **If compromise is confirmed**, conduct incident response actions.

**Intended Audience:** **Organizations:** Government and critical infrastructure organizations (**Note:** While this publication supplements CISA ED 25-03, the guidance is applicable to all organizations, including U.K.

  • Maintain all systems and software with the latest security patches, prioritizing expedited remediation of vulnerabilities


Mentioned CVEs

Risk Score

| Metric | Value |
| --- | --- |
| Risk Score | 100 |
| CVSS base | 99.00 |
| KEV bonus | 20.00 |
| EPSS bonus | 0.00 |
| PoC bonus | 15.00 |
| Raw before weight | 134.00 |
| Industry weight | 1.56 |
| Freshness factor | 1.00 |
| Days old | 0.00 |

Path: operational

MITRE ATT&CK Mapping

5 TTPs

Procedure Details

| Technique | Name | Tactic | Procedure | Conf. | Source |
| --- | --- | --- | --- | --- | --- |
| T1190 | Exploit Public-Facing Application | Initial Access | APT actors exploit CVE-2025-20333 and CVE-2025-20362 in publicly accessible Cisco Firepower and Secure Firewall devices running ASA or FTD software to gain initial access and deploy FIRESTARTER malware | high | llm |
| T1542.004 | ROMMONkit | Defense Evasion | FIRESTARTER operates as a backdoor on Cisco Firepower and Secure Firewall network devices, implanting itself to persist within the device firmware/software stack outside of traditional OS-level visibility | medium | llm |
| T1505.001 | SQL Stored Procedures | Persistence | FIRESTARTER malware is specifically used for persistence on compromised Cisco Firepower and Secure Firewall devices running ASA or FTD software, maintaining access as a backdoor across reboots | high | llm |
| T1133 | External Remote Services | Persistence | FIRESTARTER backdoor targets publicly accessible Cisco Firepower and Secure Firewall devices, which serve as external remote access infrastructure, allowing APT actors to maintain persistent remote access to victim networks | high | llm |
| T1059 | Command and Scripting Interpreter | Execution | FIRESTARTER operates as a backdoor on Cisco network devices, enabling APT actors to execute commands on compromised Cisco Firepower and Secure Firewall appliances running ASA or FTD software | medium | llm |