Aliases
UAT4356
Tags
State-Sponsored, Data Exfil.
Attribution
🇨🇳
Last edited
Oct 14, 2024 1:57 PM
Status
Finalized
Cloud-fluent
Unique Tools
UAT4356, or STORM-1849, is a state-sponsored threat actor known for targeting government networks worldwide through a campaign called ArcaneDoor. They exploited two zero-day vulnerabilities in Cisco Adaptive Security Appliances to deploy custom malware implants named "Line Runner" and "Line Dancer." Demonstrating an in-depth understanding of Cisco systems, UAT4356 employed anti-forensic techniques and took deliberate measures to evade detection. Their sophisticated attack chain enabled them to perform malicious activities such as modifying configurations, conducting reconnaissance, capturing and exfiltrating network traffic, and potentially moving laterally across compromised devices.