Analytics Story: ArcaneDoor

Description

Attackers were observed to have exploited multiple zero-day vulnerabilities targeting certain Cisco Adaptive Security Appliance (ASA) 5500-X Series devices that were running Cisco Secure Firewall ASA Software with VPN web services enabled to implant malware, execute commands, and potentially exfiltrate data from the compromised devices.

Why it matters

ArcaneDoor is a state-sponsored cyberespionage campaign targeting perimeter network devices from multiple vendors.

In May 2025, Cisco was engaged by multiple government agencies that provide incident response services to government organizations, to support the investigation of attacks targeting certain Cisco Adaptive Security Appliance (ASA) 5500-X Series devices running Cisco Secure Firewall ASA Software with VPN web services enabled. The attackers used these devices to implant malware, execute commands, and potentially exfiltrate data. Cisco assesses with high confidence that this new activity is related to the same threat actor as the ArcaneDoor attack campaign that Cisco reported in early 2024.

This analytic story is designed to help security teams detect and respond to ArcaneDoor-related activity, including the identification of suspicious behaviors on network edge devices, post-exploitation techniques, and the presence of advanced backdoors.

Detections

| Name | Technique | Type |
|---|---|---|
| Cisco ASA - Core Syslog Message Volume Drop | Impair Defenses | Hunting |
| Cisco Secure Firewall - Intrusion Events by Threat Activity | Exfiltration Over C2 Channel, Asymmetric Cryptography | Anomaly |
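The first detection in the table looks for a device that suddenly stops emitting its routine ("core") syslog messages, which is what an attacker disabling or throttling logging on an edge device looks like from the SIEM side. The following Python is an added illustration of that idea and is not the Splunk detection itself (which is written in SPL and whose exact message-ID list and thresholds are not on this page). It assumes ASA logs in the `logging timestamp` / `logging device-id hostname` layout, a constructed set of core message IDs, and a constructed sample in which one device goes quiet for an hour while a second device keeps logging normally.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

# Assumed line layout (ASA with "logging timestamp" and "logging device-id hostname"):
#   "May 14 2025 08:00:00 asa-edge-01 : %ASA-6-302013: Built inbound TCP connection ..."
ASA_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) : "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"
)

# Message IDs treated as steady "core" traffic/auth messages. This set is an
# assumption for the example; the real detection's list is not on the page.
CORE_MSG_IDS = {"302013", "302014", "302015", "302016", "106023", "113004", "113005"}


def parse_line(line):
    """Parse one ASA syslog line; return None for anything that does not match."""
    m = ASA_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
    return {"ts": ts, "host": m.group("host"), "msgid": m.group("msgid")}


def hourly_core_counts(lines):
    """Return {host: {hour_start: count}} of core messages per device per hour."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["msgid"] not in CORE_MSG_IDS:
            continue
        counts[ev["host"]][ev["ts"].replace(minute=0, second=0, microsecond=0)] += 1
    return counts


def find_volume_drops(lines, baseline_hours=3, drop_ratio=0.25):
    """Flag (host, hour, count, baseline_avg) where a device's core-message count
    fell below drop_ratio * the average of the preceding baseline_hours hours.
    Hours with no messages at all are zero-filled, since total silence is the case
    that matters most and would otherwise never appear in the counts."""
    events = [ev for ev in map(parse_line, lines) if ev]
    if not events:
        return []
    window_end = max(ev["ts"] for ev in events).replace(minute=0, second=0, microsecond=0)
    findings = []
    for host, per_hour in hourly_core_counts(lines).items():
        series, hour = [], min(per_hour)
        while hour <= window_end:
            series.append((hour, per_hour.get(hour, 0)))  # zero-fill silent hours
            hour += timedelta(hours=1)
        for i in range(baseline_hours, len(series)):
            baseline = mean([c for _, c in series[i - baseline_hours:i]])
            h, count = series[i]
            if baseline > 0 and count < drop_ratio * baseline:
                findings.append((host, h, count, baseline))
    return findings


def _line(ts, host, sev, msgid, text):
    return f"{ts:%b %d %Y %H:%M:%S} {host} : %ASA-{sev}-{msgid}: {text}"


def build_sample_lines():
    """Constructed sample data: asa-edge-01 goes silent at 11:00, asa-edge-02 stays steady."""
    lines, base = [], datetime(2025, 5, 14, 8, 0, 0)
    for h in range(3):  # 08:00-10:59: both devices emit six core messages per hour
        for i in range(6):
            ts = base + timedelta(hours=h, minutes=i * 10)
            for host in ("asa-edge-01", "asa-edge-02"):
                lines.append(_line(ts, host, 6, "302013",
                                   f"Built inbound TCP connection {1000 + i} for "
                                   f"outside:203.0.113.{i + 1}/443 to inside:10.0.0.5/443"))
    for i in range(6):  # 11:00 hour: only asa-edge-02 keeps logging traffic
        ts = base + timedelta(hours=3, minutes=i * 10)
        lines.append(_line(ts, "asa-edge-02", 6, "302013",
                           "Built inbound TCP connection 2000 for outside:203.0.113.9/443 to inside:10.0.0.5/443"))
    # asa-edge-01 emits a single admin login and nothing else in that hour
    lines.append(_line(base + timedelta(hours=3, minutes=5), "asa-edge-01", 6, "605005",
                       'Login permitted from 198.51.100.7/52144 to outside:203.0.113.10/ssh for user "admin"'))
    lines.append("garbage line that is not ASA syslog")
    return lines


if __name__ == "__main__":
    for host, hour, count, baseline in find_volume_drops(build_sample_lines()):
        print(f"{host}: {count} core messages in hour {hour:%H:%M}, baseline {baseline:.1f}")
```

In production the baseline window would be longer (days, not three hours), the comparison would be per device and per hour-of-day to absorb normal diurnal swings, and a drop on a device that simultaneously logs an administrative login, as in the sample, is the combination worth triaging first. The hunting detection on this page is deliberately broad for the same reason: a quiet device is either a logging or transport fault or a defense-impairment step, and only the surrounding context tells you which.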

Data Sources

| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Cisco ASA Logs | N/A | cisco:asa | cisco:asa |
| Cisco Secure Firewall Threat Defense Intrusion Event | N/A | cisco:sfw:estreamer | not_applicable |

Source: GitHub | Version: 2