
China-Linked Hackers Suspected in ArcaneDoor Cyberattacks Targeting Network Devices

May 06, 2024 | Newsroom | Network Security / Malware

The recently uncovered cyber espionage campaign targeting perimeter network devices from several vendors, including Cisco, may have been the work of China-linked actors, according to new findings from attack surface management firm Censys.

Dubbed ArcaneDoor, the activity is said to have commenced around July 2023, with the first confirmed attack against an unnamed victim detected in early January 2024.

The targeted attacks, orchestrated by a previously undocumented, suspected state-sponsored actor tracked as UAT4356 (aka Storm-1849), involved the deployment of two custom malware families dubbed Line Runner and Line Dancer.

The initial access vector used to facilitate the intrusions has yet to be identified, although the adversary has been observed exploiting two now-patched flaws in Cisco Adaptive Security Appliances (CVE-2024-20353 and CVE-2024-20359) to maintain persistence for Line Runner.

Telemetry data gathered as part of the investigation has revealed the threat actor’s interest in Microsoft Exchange servers and network devices from other vendors, Talos said last month.


Censys, which further examined the actor-controlled IP addresses, said the attacks point to the potential involvement of a threat actor based in China.

This assessment rests on the fact that four of the five online hosts presenting the SSL certificate linked to the attackers' infrastructure sit within Tencent and ChinaNet autonomous systems (AS).

In addition, among the threat actor-managed IP addresses is a Paris-based host (212.193.2[.]48) with the subject and issuer set as “Gozargah,” which is likely a reference to a GitHub account that hosts an anti-censorship tool named Marzban.

The software, in turn, is “powered” by another open-source project dubbed Xray that has a website written in Chinese.

This implies that “some of these hosts were running services associated with anti-censorship software likely intended to circumvent The Great Firewall,” and that “a significant number of these hosts are based in prominent Chinese networks,” suggesting that ArcaneDoor could be the work of a Chinese actor, Censys theorized.
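The certificate pivot Censys describes above (hosts sharing one certificate, their AS distribution, and a self-signed subject that names a tool) can be reproduced over scan data. The following is an added example, not Censys's or the article's code; the host records, fingerprints and AS organisation names other than Tencent and ChinaNet are constructed, and the 0.8 "suspect share" threshold is an assumption, not a published figure.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class HostRecord:
    """One host from a constructed certificate scan (documentation-range IPs)."""
    ip: str
    asn_org: str
    country: str
    cert_sha256: str   # fingerprint of the leaf certificate the host serves
    subject_cn: str
    issuer_cn: str


# Constructed sample: five hosts share "cert-A", one unrelated host serves "cert-B".
SAMPLE_SCAN = [
    HostRecord("203.0.113.10", "Tencent", "CN", "cert-A", "Gozargah", "Gozargah"),
    HostRecord("203.0.113.11", "ChinaNet", "CN", "cert-A", "localhost", "localhost"),
    HostRecord("203.0.113.12", "Tencent", "CN", "cert-A", "localhost", "localhost"),
    HostRecord("203.0.113.13", "ChinaNet", "CN", "cert-A", "localhost", "localhost"),
    HostRecord("198.51.100.7", "ExampleHostingFR", "FR", "cert-A", "Gozargah", "Gozargah"),
    HostRecord("198.51.100.9", "ExampleCloud", "US", "cert-B", "www.example.com", "Example CA"),
]


def pivot_on_certificate(records, fingerprint, suspect_asns, subject_needle):
    """Cluster hosts by certificate fingerprint and summarise the attribution evidence.

    Returns the cluster size, the AS breakdown, the fraction of hosts in the
    suspect autonomous systems, and hosts whose self-signed certificate
    (subject == issuer) names the tool we are looking for.
    """
    cluster = [r for r in records if r.cert_sha256 == fingerprint]
    by_asn = Counter(r.asn_org for r in cluster)
    in_suspect = sum(n for org, n in by_asn.items() if org in suspect_asns)
    share = in_suspect / len(cluster) if cluster else 0.0
    flagged = sorted(
        r.ip for r in cluster
        if r.subject_cn == r.issuer_cn and subject_needle.lower() in r.subject_cn.lower()
    )
    return {
        "hosts": len(cluster),
        "by_asn": dict(by_asn),
        "suspect_share": share,
        "self_signed_matches": flagged,
    }


if __name__ == "__main__":
    summary = pivot_on_certificate(SAMPLE_SCAN, "cert-A", {"Tencent", "ChinaNet"}, "gozargah")
    print(summary)
```

On the constructed data the cluster has five hosts, four of them (0.8) in the two named autonomous systems, and two hosts whose self-signed certificate carries the "Gozargah" subject, which mirrors the pattern the article describes.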

Nation-state actors affiliated with China have increasingly targeted edge appliances in recent years, leveraging zero-day flaws in Barracuda Networks, Fortinet, Ivanti, and VMware to infiltrate targets of interest and deploy malware for persistent covert access.


The development comes as French cybersecurity firm Sekoia said it successfully sinkholed a command-and-control (C2) server linked to the PlugX trojan in September 2023 by spending $7 to acquire the IP address tied to a variant of the malware with capabilities to propagate in a worm-like fashion via compromised flash drives.

Closer monitoring of the sinkholed IP address (45.142.166[.]112) revealed the worm's presence in more than 170 countries, spanning 2.49 million unique IP addresses over a six-month period. The majority of infections were detected in Nigeria, India, China, Iran, Indonesia, the U.K., Iraq, the U.S., Pakistan, and Ethiopia.

“Many nations, excluding India, are participants in China’s Belt and Road Initiative and have, for most of them, coastlines where Chinese infrastructure investments are significant,” Sekoia said. “Numerous affected countries are located in regions of strategic importance for the security of the Belt and Road Initiative.”

“This worm was developed to collect intelligence in various countries about the strategic and security concerns associated with the Belt and Road Initiative, mostly on its maritime and economic aspects.”
