Skuggaheimar/Threat Intelligence/ArcaneDoor Campaign
ARCANEDOOR CAMPAIGN
ARCANEDOOR
CAMPAIGN / BREACH
CHINA
Threat IntelligenceCampaignMay 15, 202515 min read

ArcaneDoor Campaign: Threat Intelligence Profile

Cisco ASA/FTD zero-day exploitation

Scroll

ArcaneDoor Campaign (also known as ArcaneDoor, UAT4356, Storm-1849) is a campaign / breach active since 2024. Cisco ASA/FTD zero-day exploitation. Key characteristics include: Cisco ASA zero-days (CVE-2024-20353/20359), Line Dancer/Line Runner implants, state-sponsored espionage.

Overview & Background

Cisco ASA/FTD zero-day exploitation. First identified in 2024, this threat is attributed to China (suspected).

Threat Assessment

ArcaneDoor Campaign remains an active threat. Organizations should implement detection rules and monitor for indicators associated with this campaign / breach.

Technical Analysis

ArcaneDoor Campaign employs the following capabilities and techniques:

MITRE ATT&CK Mapping

TacticTechniqueUsage
Initial AccessT1566.001 Phishing AttachmentCommon delivery vector
ExecutionT1204.002 Malicious FileUser-triggered execution
PersistenceT1547.001 Registry Run KeysAutostart persistence
Defense EvasionT1027 Obfuscated FilesPayload obfuscation
C2T1071.001 Web ProtocolsHTTP/HTTPS C2

Detection & Defense

Defend Against ArcaneDoor Campaign

Mjolnir Security provides detection and response capabilities against ArcaneDoor Campaign and similar threats.

Threat DetectionIncident ResponseThreat HuntingMDR ServicesThreat Intelligence
  • Proactive Threat Hunting Hunt for ArcaneDoor Campaign indicators and TTPs within your environment.
  • Threat Intelligence Monitor ArcaneDoor Campaign campaigns and infrastructure changes.
  • 24/7 Incident Response Rapid containment and forensic investigation. Call +1 833 403 5875.
Written by: Mjolnir Security  |  Published: May 15, 2025
Related Reports
APT

Salt Typhoon: Telecom Espionage

Read Report →
Breach

VPN Breach: SonicWall Zero-Day

Read Report →