
Chinese spy posed as researcher in spear-phishing campaign targeting NASA to steal defense software

27 April 2026, 10:36

A Chinese national posed as a U.S. researcher, tricking NASA staff in a phishing campaign to steal sensitive data tied to defense software and exports.

A Chinese national ran a spear-phishing campaign by posing as a U.S. researcher and tricked NASA employees into sharing sensitive information. The NASA Office of Inspector General (OIG) and federal partners discovered the scheme that also targeted government agencies, universities, and private firms.

U.S. export controls limit sharing sensitive technology, and NASA’s OIG enforces them to protect critical data and defense-related assets. Investigators uncovered a long-running phishing scheme in which Chinese national Song Wu impersonated a trusted aerospace professor to trick targets into sharing export-controlled software and source code. Between 2017 and 2021, he targeted dozens of victims across NASA, the U.S. military, government agencies, universities, and private firms.

“According to U.S. Attorney Buchanan, the indictment, and other information presented in court: Song allegedly engaged in a multi-year ‘spear phishing’ email campaign in which he created email accounts to impersonate U.S.-based researchers and engineers and then used those imposter accounts to obtain specialized restricted or proprietary software used for aerospace engineering and computational fluid dynamics.” reads the press release published by DoJ in 2024. “This specialized software could be used for industrial and military applications, such as development of advanced tactical missiles and aerodynamic design and assessment of weapons.”

While carrying out the spear-phishing attacks, Song was employed as an engineer at Aviation Industry Corporation of China (“AVIC”), a Chinese state-owned aerospace and defense conglomerate headquartered. AVIC is one of the largest defense contractors in the world.

Song faces charges for wire fraud and aggravated identity theft, with up to 20 years per fraud count plus a 2-year sentence for identity theft. He remains at large.

“In September of 2024, following a joint investigation by NASA OIG and the Federal Bureau of Investigation, Song was indicted on 14 counts of wire fraud and 14 counts of aggravated identity theft.” reads the press release published by the OIG. “He faces a maximum sentence of 20 years in prison for each count of wire fraud, and a two-year consecutive sentence if convicted of aggravated identity theft. He remains at large and there is a federal warrant for his arrest.”


NASA OIG warns that export control compliance and vigilance in daily emails are critical to protect sensitive technology. In the Song Wu case, red flags included repeated requests for the same software, unclear justifications, unusual payments, and attempts to hide identity or bypass restrictions. By identifying and prosecuting such schemes, OIG helps safeguard research, national security, and economic interests.

“Song Wu is wanted for wire fraud and aggravated identity theft arising from his alleged efforts to fraudulently obtain computer software and source code created by the National Aeronautics and Space Administration (NASA), research universities, and private companies.” reads the statement published by the FBI on the U.S. Most Wanted List. “The specialized software could be used for industrial and military applications, such as development of advanced tactical missiles and aerodynamic design and assessment of weapons.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, spear-phishing)


CISA reports persistent FIRESTARTER backdoor on Cisco ASA device in federal network

24 April 2026, 21:00

CISA said a federal Cisco Firepower ASA device was infected with the FIRESTARTER backdoor in Sept 2025, and it survived security patches.

CISA revealed that a U.S. federal civilian agency’s Cisco Firepower device running ASA software was compromised in September 2025 by the FIRESTARTER backdoor. The malware reportedly persisted even after security patches were applied, showing strong stealth and resilience against detection and remediation efforts.

FIRESTARTER is a backdoor identified by CISA and the UK NCSC, used for remote access and control in a likely APT campaign targeting Cisco ASA devices. It exploits now-patched flaws including CVE-2025-20333, which allowed remote code execution with VPN credentials, and CVE-2025-20362, which enabled unauthenticated access to restricted endpoints via crafted HTTP requests.

“The Cybersecurity and Infrastructure Security Agency (CISA) analyzed a sample of FIRESTARTER malware obtained from a forensic investigation. CISA and the United Kingdom National Cyber Security Centre (NCSC) assess that FIRESTARTER—a backdoor that allows remote access and control—is part of a widespread campaign that afforded an advanced persistent threat (APT) actor initial access to Cisco Adaptive Security Appliance (ASA) firmware by exploiting CVE-2025-20333 [CWE-862: Missing Authorization] and/or CVE-2025-20362 [CWE-120: Classic Buffer Overflow].” reads the report published by CISA.

CISA and the NCSC warn that FIRESTARTER can persist on Cisco ASA or Firepower Threat Defense systems even after patching, allowing attackers to regain access without re-exploiting vulnerabilities. U.S. federal agencies must follow CISA Emergency Directive 25-03. Organizations are urged to use provided YARA rules to detect the malware in disk images or core dumps and report any findings to CISA or the NCSC.

CISA detected suspicious activity on a U.S. federal Cisco Firepower ASA device through continuous monitoring. After validation and forensic analysis, it found a malware sample named FIRESTARTER. Attackers had initially used LINE VIPER for post-exploitation, then deployed FIRESTARTER to maintain persistence.

“In this incident, APT actors initially deployed LINE VIPER as a post-exploitation implant and subsequently used FIRESTARTER as a persistence mechanism to maintain continued access to the compromised device.” continues the alert. “Although Cisco’s patches addressed CVE-2025-20333 and CVE-2025-20362, devices compromised prior to patching may remain vulnerable because FIRESTARTER is not removed by firmware updates.”

FIRESTARTER is Linux ELF malware targeting Cisco Firepower and Secure Firewall devices, acting as a command-and-control backdoor for remote access. It maintains persistence by intercepting termination signals and automatically relaunching, which allows it to survive reboots and even firmware updates unless a full power cycle is performed.

The malware embeds itself in the LINA network processing engine by installing a hook that intercepts normal XML handling functions. This enables execution of attacker-supplied shellcode and deployment of additional payloads like LINE VIPER.

“FIRESTARTER attempts to install a hook—a way to intercept and modify normal operations—within LINA, the device’s core engine for network processing and security functions.” states CISA. “This hook enables the execution of arbitrary shell code provided by the APT actors, including the deployment of LINE VIPER.”

Upon execution, FIRESTARTER loads itself from disk into memory, registers handlers for multiple termination signals, and performs cleanup and self-reinstallation routines. It manipulates system files to restore modified components, deletes traces, and re-establishes itself under a new persistent path.

For persistence, it writes itself into reboot-persistent log locations and recreates missing configuration files used for execution. It then appends scripts that move the malware binary into system directories, makes it executable, and runs it in the background while suppressing errors.

The malware also scans LINA memory to locate key structures, injects shellcode into shared libraries like libstdc++, and installs detours for XML handlers. It only activates payload execution after verifying victim-specific identifiers embedded in WebVPN traffic, ensuring targeted deployment.

CISA and the NCSC urge organizations to follow baseline cybersecurity practices aligned with CPG 2.0, including rapid patching of known vulnerabilities, though current fixes may not remove FIRESTARTER persistence. They recommend inventorying network edge devices, especially Cisco systems, and monitoring for suspicious activity. Organizations should audit privileged accounts, enforce least privilege, rotate passwords regularly, and modernize access controls using secure protocols like TACACS+ over TLS 1.3 to reduce credential exposure and improve detection.

“We recommend that Cisco customers follow the steps recommended in Cisco’s advisory, with particular attention to any applicable software upgrade recommendations. Organizations impacted can initiate a TAC request for Cisco support.” reads the report published by Cisco Talos. “A FIRESTARTER infection may be mitigated on all affected devices by reimaging the devices. On Cisco FTD software that is not in lockdown mode, there is also the option of killing the lina_cs process then reloading the device:”


Pierluigi Paganini

(SecurityAffairs – hacking, FIRESTARTER backdoor)
