The U.K. NCSC has issued a critical alert regarding an ongoing cyber campaign orchestrated by a state-sponsored threat actor. This group has been actively exploiting recently disclosed zero-day vulnerabilities (CVE-2025-20362 and CVE-2025-20333) in Cisco ASA firewalls to deploy two new, highly sophisticated malware families, RayInitiator and LINE VIPER. These attacks represent a significant evolution in the threat landscape, demonstrating advanced evasion techniques and a high degree of complexity. The NCSC and Cisco strongly recommend that organizations follow vendor best practices for detection and remediation, stressing the urgent need to migrate away from end-of-life devices, which are particularly vulnerable to these types of attacks.
The core of the attack chain is a new, persistent GRUB bootkit called RayInitiator. This bootkit is specifically designed to target and flash firmware on older Cisco ASA 5500-X devices that lack Secure Boot or Trust Anchor protections. RayInitiator is notable for its ability to survive reboots and even firmware upgrades, ensuring a persistent foothold on the compromised device. Once loaded, its primary function is to deploy the second stage of the attack: a user-mode loader known as LINE VIPER. The presence of this multi-stage malware highlights the attackers’ focus on stealth and long-term access, making it incredibly difficult for standard security tools to detect and remove.
LINE VIPER is a highly versatile and dangerous shellcode loader. It can receive commands through multiple channels, including WebVPN client authentication and specially crafted network packets. To secure its operations and the exfiltration of stolen data, the malware uses unique tokens and RSA keys for each victim. Once activated, its capabilities are extensive: it can execute device commands, capture network traffic, bypass authentication controls, and even manipulate system logs to hide its activity. In an effort to frustrate forensic analysis, the malware can also record command-line input and trigger delayed reboots. This level of functionality allows the threat actor to maintain control and covertly collect sensitive information.
The investigation into these attacks began in May 2025 when multiple government agencies reported suspicious activity on their Cisco ASA 5500-X firewalls. Cisco’s subsequent analysis confirmed a state-backed hacking campaign linked to the ArcaneDoor campaign that Cisco had previously reported. The attackers exploited a memory corruption flaw in the ASA software and used multiple zero-day vulnerabilities in a chained attack. Their advanced evasion techniques included disabling logging, intercepting CLI commands, and intentionally crashing devices to prevent diagnostic analysis. This level of sophistication, according to Cisco, required an extensive, multidisciplinary response across its engineering and security teams.
The attackers specifically targeted Cisco ASA 5500-X models (running software versions 9.12/9.14) with VPN web services enabled but without Secure Boot or Trust Anchor protections. The compromised devices include several models that are either already end-of-support or are scheduled to be by September 30, 2025. This underscores the critical risk associated with running outdated hardware. In response to these findings, Cisco has also patched an additional critical vulnerability (CVE-2025-20363) with a CVSS score of 8.5/9.0, which could enable remote code execution across multiple Cisco platforms, further highlighting the urgency for organizations to apply all available security updates.