The UK’s National Cyber Security Centre (NCSC) has released a detailed malware analysis report exposing RayInitiator and LINE VIPER, two highly sophisticated tools targeting Cisco ASA devices. These represent a significant evolution over previously documented threats LINE DANCER and LINE RUNNER.
The NCSC describes RayInitiator as “a persistent multi-stage bootkit which facilitates the deployment of LINE VIPER to Cisco ASA 5500-X series devices without secure boot.” By patching the GRUB bootloader, RayInitiator gains early execution during the device’s startup process, allowing it to survive reboots and firmware upgrades.
The report emphasizes the danger: “All observed targeted models have either passed their last day of support, or the last date is September 30, 2025.” This reliance on end-of-life hardware without secure boot makes exploitation far more feasible.
Once RayInitiator is in place, it loads LINE VIPER, a modular x64 shellcode loader. According to NCSC, “LINE VIPER is a user-mode shellcode loader with associated modules” that can be delivered either via WebVPN client authentication sessions over HTTPS or through ICMP with responses over raw TCP.
Its capabilities are extensive:
- Execute privileged CLI commands (e.g., “show vpn-sessiondb anyconnect”).
- Perform stealth packet captures of sensitive protocols such as RADIUS, LDAP, and TACACS.
- Bypass AAA authentication for attacker-controlled devices.
- Harvest administrator commands from the Cisco CLI.
- Force delayed reboots or trigger immediate reboots to thwart forensics.
The malware also features defense evasion enhancements, including “suppression of specific syslog messages” rather than the crude disabling methods seen in earlier campaigns.
One of the most alarming findings is the use of victim-specific tokens and encryption. NCSC highlights that “LINE VIPER uses per-victim RSA keys for securing tasking and exfiltration via the WebVPN client authentication method.”
This means that even if defenders intercept the malicious traffic, the communications are protected by asymmetric key exchanges and AES-encrypted channels, making analysis and decryption nearly impossible without the attacker’s private keys.
The NCSC notes that this malware campaign shows clear lessons learned from the 2024 ArcaneDoor incident. “The deployment of LINE VIPER via a persistent bootkit, combined with a greater emphasis on defence evasion techniques, demonstrates an increase in actor sophistication and improvement in operational security compared to the ArcaneDoor campaign publicly documented in 2024.”
Cisco has issued guidance and patches, but detection remains challenging due to the malware’s anti-forensics design. The NCSC warns:
- “Whilst a device might be compromised with RayInitiator, LINE VIPER might not necessarily be deployed.”
- Devices that reboot instead of producing a core dump may already be infected.
- Specialized YARA signatures for both RayInitiator and LINE VIPER have been published for defenders.
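The "suppression of specific syslog messages" described above, together with the NCSC's hunting advice, suggests one cheap check a defender can run on an existing log feed: a message ID that was emitted steadily and then vanishes while the device keeps logging everything else deserves a closer look. The script below is an added example written for this article, not code from the NCSC report or from Cisco. It assumes the standard Cisco ASA syslog tag format (`%ASA-<severity>-<id>:`) and uses a constructed sample feed; the message IDs in the sample are merely representative, since the report does not name which messages LINE VIPER suppresses.

```python
"""Flag Cisco ASA syslog message IDs that disappear after a steady baseline.

Added example (not from the NCSC report or Cisco). The heuristic: an ID seen
at least `min_baseline` times in every earlier window but absent from the
latest window, while the device still logs other IDs, is a candidate for
deliberate suppression and should be investigated.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# ASA syslog lines carry a "%ASA-<severity>-<id>:" tag; capture timestamp and ID.
ASA_RE = re.compile(r"^(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) .*?%ASA-\d-(\d{6}):")


def parse(lines):
    """Yield (timestamp, message_id) for every parseable ASA syslog line."""
    for line in lines:
        m = ASA_RE.match(line)
        if not m:
            continue
        yield datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S"), m.group(2)


def bucket_counts(events, window):
    """Count message IDs per fixed-size time window, keyed by window index."""
    if not events:
        return {}
    start = events[0][0]
    buckets = defaultdict(Counter)
    for ts, mid in events:
        buckets[int((ts - start) // window)][mid] += 1
    return buckets


def find_suppressed_ids(lines, window=timedelta(minutes=10), min_baseline=3):
    """Return IDs steady in every baseline window but missing from the last one."""
    buckets = bucket_counts(list(parse(lines)), window)
    if len(buckets) < 2:
        return []
    last = max(buckets)
    if not buckets[last]:          # device went silent entirely: different problem
        return []
    baseline = [buckets[i] for i in sorted(buckets) if i != last]
    steady = set(baseline[0])
    for b in baseline[1:]:
        steady &= set(b)
    steady = {m for m in steady if all(b[m] >= min_baseline for b in baseline)}
    return sorted(m for m in steady if m not in buckets[last])


def _constructed_log():
    """Constructed sample feed (synthetic, not captured from a real device):
    three 10-minute windows; in the last one the admin-command audit message
    (111008) stops while connection and login logging continue."""
    base = datetime(2025, 9, 30, 10, 0, 0)
    templates = {
        "302013": "%ASA-6-302013: Built inbound TCP connection 7 for outside:203.0.113.5/4432 "
                  "(203.0.113.5/4432) to inside:10.0.0.9/443 (10.0.0.9/443)",
        "111008": "%ASA-5-111008: User 'admin' executed the 'show vpn-sessiondb anyconnect' command.",
        "605005": "%ASA-6-605005: Login permitted from 10.0.0.20/50411 to inside:10.0.0.1/ssh "
                  "for user \"admin\"",
    }
    lines = []
    for win in range(3):
        for k in range(3):
            ts = base + timedelta(minutes=10 * win + 3 * k)
            for mid, text in templates.items():
                if win == 2 and mid == "111008":
                    continue
                lines.append(f"{ts:%b %d %Y %H:%M:%S} asa1 : {text}")
    return lines


if __name__ == "__main__":
    print("candidate suppressed message IDs:", find_suppressed_ids(_constructed_log()))
```

Run against a real feed, the window size and `min_baseline` should be tuned to the device's normal chattiness; the point is not the exact threshold but that a gap in a previously steady audit stream (command execution, logins) is evidence worth correlating with the other indicators the NCSC lists, such as unexpected reboots without a core dump.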
Organizations are strongly advised to replace obsolete Cisco ASA hardware, implement Cisco’s patches, and use NCSC’s detection guidance to hunt for indicators of compromise.