high_confidence

ArcaneDoor

[ArcaneDoor](https://attack.mitre.org/campaigns/C0046) is a campaign targeting networking devices from Cisco and other vendors between July 2023 and April 2024, primarily focused on government and critical infrastructure networks. [ArcaneDoor](https://attack.mitre.org/campaigns/C0046) is associated with the deployment of the custom backdoors [Line Runner](https://attack.mitre.org/software/S1188) and [Line Dancer](https://attack.mitre.org/software/S1186). [ArcaneDoor](https://attack.mitre.org/campaigns/C0046) is attributed to a group referred to as UAT4356 or STORM-1849, and is assessed to be a state-sponsored campaign.(Citation: Cisco ArcaneDoor 2024)(Citation: CCCS ArcaneDoor 2024)

Start date: 1 July 2023
End date: 1 April 2024
Techniques: 25

Indicators of compromise: 1 (1 url)

Attributed actors

Techniques (25)

collection (2)
T1119 Automated Collection
T1557 Adversary-in-the-Middle

command-and-control (2)
T1102.003 One-Way Communication
T1071.001 Web Protocols

credential-access (3)
T1556 Modify Authentication Process
T1557 Adversary-in-the-Middle
T1040 Network Sniffing

defense-impairment (3)
T1556 Modify Authentication Process
T1685 Disable or Modify Tools
T1690 Prevent Command History Logging

discovery (2)
T1082 System Information Discovery
T1040 Network Sniffing

execution (1)
T1059 Command and Scripting Interpreter

exfiltration (2)
T1041 Exfiltration Over C2 Channel
T1020 Automated Exfiltration

initial-access (2)
T1133 External Remote Services
T1190 Exploit Public-Facing Application

persistence (4)
T1556 Modify Authentication Process
T1037 Boot or Logon Initialization Scripts
T1133 External Remote Services
T1653 Power Settings

privilege-escalation (2)
T1037 Boot or Logon Initialization Scripts
T1055 Process Injection

resource-development (4)
T1587.001 Malware
T1583.006 Web Services
T1587.003 Digital Certificates
T1583.003 Virtual Private Server

stealth (5)
T1014 Rootkit
T1140 Deobfuscate/Decode Files or Information
T1070.004 File Deletion
T1055 Process Injection
T1036 Masquerading

Indicators of compromise (1)

URL (1)
http://142.250.151.94:80 (medium)