A state-sponsored threat actor used two Cisco Firepower zero-days to compromise a U.S. federal agency and maintain persistent access for months — through a backdoor installed on the very devices meant to defend the perimeter. That incident anchors today’s brief, alongside an npm supply-chain compromise hitting security tooling and a joint advisory warning that Chinese APTs are routing attacks through hijacked consumer IoT at industrial scale.
In the News
CISA Confirms Federal Agency Breach via Cisco Firepower Zero-Days
CISA disclosed that UAT-4356 — the threat actor tracked by Cisco Talos as ArcaneDoor — exploited two vulnerabilities in Cisco Firepower FXOS (CVE-2025-20333 and CVE-2025-20362) to breach a U.S. federal agency’s perimeter firewalls. After gaining initial access through the chained exploits, the group deployed a custom implant designated FIRESTARTER that maintained persistent command-and-control access through at least March 2026.
The operational significance is difficult to overstate. The compromised devices were network security appliances — the infrastructure layer that organizations trust to enforce policy and inspect traffic. When the perimeter device itself is the persistence mechanism, every detection assumption positioned behind it fails. Traffic inspection, logging integrity, and policy enforcement all become unreliable because the adversary controls the enforcement point.
CISA’s advisory urges organizations running Cisco Firepower to immediately verify patch status against the two CVEs, perform firmware integrity checks, and hunt for FIRESTARTER indicators of compromise published by Cisco Talos. Beyond patching, this incident reinforces the need for network detection and response capabilities that monitor traffic flowing to and from edge devices — not just traffic transiting through them.
What defenders should do: Patch CVE-2025-20333 and CVE-2025-20362 immediately. Verify firmware integrity on all Cisco Firepower appliances. Deploy NDR sensors that can detect anomalous outbound connections from perimeter devices. Hunt for FIRESTARTER IOCs published by Talos. MITRE ATT&CK: Initial Access (T1190 — Exploit Public-Facing Application), Persistence (T1542.004 — Pre-OS Boot: ROMMONkit — functional equivalent for appliance persistence).
Bitwarden CLI npm Package Compromised in Supply-Chain Campaign
The threat actor TeamPCP compromised @bitwarden/cli version 2026.4.0 on the npm registry, injecting code that exfiltrated developer credentials from CI/CD environments. This is the same group responsible for compromising the Checkmarx KICS package 48 hours earlier, establishing a clear pattern: the campaign is systematically targeting security and DevOps tooling distributed through public package registries.
The attack vector exploits a fundamental trust assumption in modern software development. When a developer or pipeline installs a package from npm, the implicit trust is that the registry’s published version matches the maintainer’s intended code. TeamPCP subverted that trust, and the credentials harvested from developer workstations and CI/CD runners provide initial access to any downstream system those credentials can reach — source code repositories, cloud environments, production infrastructure.
Two supply-chain compromises in 48 hours targeting security tooling specifically signals an escalation. The attacker is not going after low-value consumer libraries; they are targeting the tools that security and infrastructure teams rely on, which means the compromised credentials likely have elevated privileges.
What defenders should do: Pin package versions and verify checksums in CI/CD pipelines. Audit for @bitwarden/cli version 2026.4.0 in any environment and rotate credentials exposed to that package. Deploy software composition analysis that checks package integrity against known-good hashes before build. MITRE ATT&CK: Initial Access (T1195.002 — Supply Chain Compromise: Compromise Software Supply Chain).
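The audit step above, sketched as an added example (not code from the brief or from Bitwarden): it scans a `package-lock.json` for the flagged version, lists installed packages with no integrity hash, and reports manifest ranges that a fresh install could resolve to a newer release. The sample files, the `example-lib` and `wrapper` packages, version 2026.3.0 and the placeholder integrity strings are constructed.

```python
import json
import re

# Package and version the page names as compromised.
FLAGGED = {"@bitwarden/cli": {"2026.4.0"}}
EXACT = re.compile(r"^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")

def audit_lockfile(lock_text):
    """Scan a package-lock.json (lockfileVersion 2 or 3) for flagged versions
    and for installed packages that carry no integrity hash."""
    flagged, no_integrity = [], []
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        if "node_modules/" not in path:      # root project and workspace folders
            continue
        name = path.rsplit("node_modules/", 1)[-1]   # handles nested installs
        if meta.get("version") in FLAGGED.get(name, ()):
            flagged.append((path, meta["version"]))
        # Symlinked and bundled entries legitimately have no hash of their own.
        if not (meta.get("integrity") or meta.get("link") or meta.get("inBundle")):
            no_integrity.append(path)
    return flagged, no_integrity

def floating_ranges(package_json_text):
    """Return dependencies declared with a range or tag instead of an exact version."""
    manifest = json.loads(package_json_text)
    loose = {}
    for section in ("dependencies", "devDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if not EXACT.match(spec):
                loose[name] = spec
    return loose

# Constructed sample files; the integrity value is a placeholder, not a real hash.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "ci-tools", "version": "1.0.0"},
    "node_modules/@bitwarden/cli": {"version": "2026.4.0",
                                    "integrity": "sha512-PLACEHOLDER"},
    "node_modules/example-lib": {"version": "1.2.3"},
    "node_modules/wrapper/node_modules/@bitwarden/cli": {
        "version": "2026.3.0", "integrity": "sha512-PLACEHOLDER"},
}})
SAMPLE_MANIFEST = json.dumps({"devDependencies": {
    "@bitwarden/cli": "^2026.3.0", "example-lib": "1.2.3"}})

if __name__ == "__main__":
    print(audit_lockfile(SAMPLE_LOCK))
    print(floating_ranges(SAMPLE_MANIFEST))
```

A caret range such as `^2026.3.0` accepts 2026.4.0, so a build that installs without a committed lockfile can pull the flagged release even though the manifest never names it.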
NCSC Warns Chinese APTs Are Building Proxy Botnets from Hijacked Consumer IoT
The UK’s National Cyber Security Centre (NCSC), alongside allied intelligence agencies, issued a joint advisory warning that China-nexus threat groups are compromising consumer routers, IP cameras, and NAS devices at massive scale to construct proxy networks. These botnets route attack traffic through residential and small-business IP addresses in the target country, effectively laundering the traffic’s origin.
This technique defeats two detection strategies that many organizations still rely on: IP reputation scoring and source geolocation analysis. When an APT’s command-and-control traffic or lateral movement originates from a compromised home router on the same ISP as the target organization, reputation-based blocklists will not flag it. GeoIP filters designed to block traffic from foreign ASNs will not trigger. The traffic looks domestic, residential, and benign.
The advisory specifically notes that these proxy networks are not limited to a single APT group — multiple Chinese state-sponsored actors are using this shared infrastructure, which makes attribution even harder. For defenders, the implication is that behavioral analytics and identity-based access controls must replace or supplement network-layer indicators as primary detection mechanisms.
What defenders should do: Shift detection logic away from sole reliance on IP reputation and geolocation. Deploy behavioral analytics that baseline normal traffic patterns and flag deviations regardless of source IP. Segment IoT and consumer-grade devices from production networks. Review NCSC advisory IOCs and update threat-hunting playbooks. MITRE ATT&CK: Resource Development (T1584.005 — Compromise Infrastructure: Botnet), Command and Control (T1090.002 — Proxy: External Proxy).
LMDeploy SSRF Flaw Exploited in the Wild 13 Hours After Disclosure
CVE-2026-33626, a server-side request forgery (SSRF) vulnerability in LMDeploy — a widely used open-source toolkit for serving large language models — was exploited in the wild within 13 hours of its public disclosure. The flaw (CVSS 7.5) allows unauthenticated attackers to forge requests from the LLM serving endpoint to internal services, turning the AI infrastructure into a pivot point for deeper network access.
Thirteen hours. That is the window between disclosure and exploitation — not days, not weeks. For organizations deploying LLM infrastructure with the assumption that AI/ML tooling has the same patch cadence flexibility as traditional applications, this is a concrete counterexample. AI-serving infrastructure is internet-facing by design (it serves API requests), which means SSRF vulnerabilities provide direct reach into internal networks.
What defenders should do: Update LMDeploy immediately. Restrict network access to LLM serving endpoints — they should not have unrestricted outbound access to internal services. Deploy API gateway controls with request validation. Audit all AI/ML infrastructure for SSRF-class vulnerabilities. MITRE ATT&CK: Initial Access (T1190 — Exploit Public-Facing Application).
Today’s Deep Dive — SaaS Platforms as C2 Infrastructure: GopherWhisper and the Collaboration-App Evasion Pattern
A previously unreported China-nexus APT group designated GopherWhisper compromised 12 Mongolian government systems using Go-based malware that tunnels command and control through Microsoft 365, Slack, and Discord. This is not the first time legitimate SaaS platforms have been abused for C2 — but the multi-platform approach and the targeting pattern represent a maturation of the technique.
The mechanism is straightforward. The malware uses the legitimate APIs of collaboration platforms to send and receive commands. Outbound traffic from the infected host is an HTTPS connection to api.slack.com, graph.microsoft.com, or discord.com — all domains that appear in normal enterprise traffic, all connections that pass through TLS inspection as expected SaaS usage. Traditional network detection that looks for connections to known-bad infrastructure or unusual domains will not trigger.
This is happening in parallel with two other campaigns using the same pattern. Tropic Trooper is distributing trojanized SumatraPDF installers that deploy AdaptixC2 and abuse VS Code’s remote tunnel feature for persistence (source). UNC6692 is impersonating IT help desk staff in Microsoft Teams chats to deliver custom SNOW malware (source). Three distinct threat actors, all abusing collaboration and developer platforms for either initial access or command and control.
The detection challenge is that blocking these domains is not feasible — they are business-critical services. The signal is in the behavioral anomalies: an endpoint making API calls to Slack at 3 AM when the user has no active session, a workstation establishing a VS Code remote tunnel to an unknown tenant, a Teams conversation with an external user followed immediately by a PowerShell execution. These require user and entity behavior analytics (UEBA) and SaaS security posture management (SSPM) that can baseline normal usage and flag deviations.
MITRE ATT&CK: Command and Control (T1102 — Web Service), Initial Access (T1566.003 — Phishing: Spearphishing via Service), Persistence (T1133 — External Remote Services for VS Code tunnel abuse).
Detection Spotlight — Hunting for SaaS-Based C2 via Anomalous API Timing
GopherWhisper’s use of Slack and Microsoft 365 APIs for C2 means the traffic is legitimate at the protocol level. Detection shifts to behavioral signals — specifically, API call patterns that deviate from the user’s established baseline. The following Splunk SPL query hunts for endpoints making Microsoft Graph API calls outside of the user’s normal working hours, which is a high-fidelity indicator when correlated with the absence of an active user session.
index=proxy sourcetype=web_proxy
(dest="graph.microsoft.com" OR dest="api.slack.com" OR dest="discord.com")
| eval hour=tonumber(strftime(_time, "%H"))
| where hour >= 0 AND hour < 5
| stats count AS api_calls, dc(dest) AS unique_saas_domains, values(dest) AS saas_targets, max(_time) AS last_seen BY src_ip, user
| where api_calls > 10 AND unique_saas_domains >= 2
| join type=left user [
    search index=windows sourcetype="WinEventLog:Security" EventCode=4624 Logon_Type=2
    | stats max(_time) AS last_interactive_logon BY user
]
| eval hours_since_logon=round((last_seen - last_interactive_logon) / 3600, 1)
| where hours_since_logon > 4 OR isnull(last_interactive_logon)
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table last_seen, src_ip, user, saas_targets, api_calls, hours_since_logon
This query looks for endpoints making more than 10 API calls to two or more SaaS collaboration platforms between midnight and 5 AM, where the associated user has not had an interactive logon in over 4 hours. False positive rate is low in environments where SaaS API integrations are catalogued — legitimate automation (bots, scheduled workflows) should be baselined and excluded. Any match without a known automation justification warrants immediate investigation of the endpoint for malware using SaaS APIs as C2 channels.
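The same hunt logic run over constructed proxy and logon records, as an added example (not from the original brief); it also applies the automation exclusion the paragraph above calls for. The record layout, host addresses, user names and the allowlist are assumptions made for the sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SAAS = {"graph.microsoft.com", "api.slack.com", "discord.com"}

def hunt(proxy_events, last_logon, automation=frozenset(),
         min_calls=10, min_domains=2, idle_hours=4):
    """proxy_events: (datetime, src_ip, user, dest); last_logon: user -> datetime."""
    groups = defaultdict(list)
    for ts, src_ip, user, dest in proxy_events:
        if dest in SAAS and 0 <= ts.hour < 5:      # midnight to 04:59 local time
            groups[(src_ip, user)].append((ts, dest))
    hits = []
    for key, calls in sorted(groups.items()):
        domains = sorted({d for _, d in calls})
        if key in automation:                       # catalogued bots and workflows
            continue
        if len(calls) <= min_calls or len(domains) < min_domains:
            continue
        last_seen = max(ts for ts, _ in calls)
        logon = last_logon.get(key[1])
        idle = None if logon is None else round(
            (last_seen - logon).total_seconds() / 3600, 1)
        if idle is None or idle > idle_hours:       # no session behind the traffic
            hits.append({"src_ip": key[0], "user": key[1], "api_calls": len(calls),
                         "saas_targets": domains, "hours_since_logon": idle})
    return hits

def burst(start, src_ip, user, dests, n):
    """Constructed helper: n calls one minute apart, cycling through dests."""
    return [(start + timedelta(minutes=i), src_ip, user, dests[i % len(dests)])
            for i in range(n)]

NIGHT = datetime(2026, 4, 24)                      # constructed sample date
TWO = ["api.slack.com", "graph.microsoft.com"]
EVENTS = (burst(NIGHT.replace(hour=3), "10.0.0.5", "alice", TWO, 12)
          + burst(NIGHT.replace(hour=2), "10.0.0.9", "svc-bot", TWO, 20)
          + burst(NIGHT.replace(hour=1), "10.0.0.7", "bob", TWO, 12)
          + burst(NIGHT.replace(hour=3), "10.0.0.8", "carol", ["api.slack.com"], 15))
LOGONS = {"alice": datetime(2026, 4, 23, 17, 30), "bob": NIGHT.replace(minute=30),
          "carol": datetime(2026, 4, 23, 9, 0)}
AUTOMATION = {("10.0.0.9", "svc-bot")}

if __name__ == "__main__":
    for hit in hunt(EVENTS, LOGONS, AUTOMATION):
        print(hit)
```

Only the alice workstation is reported: bob logged on interactively shortly before his traffic, carol touched a single platform, and svc-bot is on the allowlist. Without the allowlist, svc-bot is reported too because it has no interactive logon at all.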
References
- CISA advisory on federal agency breach via Cisco Firepower vulnerabilities — The Record
- Cisco Talos: UAT-4356 / ArcaneDoor — FIRESTARTER analysis and IOCs — Cisco Talos
- Bitwarden CLI npm package compromised by TeamPCP — BleepingComputer
- NCSC-UK advisory: Chinese APT IoT proxy botnets — BleepingComputer
- CVE-2026-33626: LMDeploy SSRF exploited in the wild — The Hacker News
- CVE-2026-28950: Apple patches iOS notification logging flaw — The Hacker News
- GopherWhisper APT targets Mongolian government via Slack, Discord, M365 C2 — The Record
- Tropic Trooper trojanized SumatraPDF with AdaptixC2 and VS Code tunnels — The Hacker News
- UNC6692 impersonates IT help desk via Microsoft Teams — The Hacker News
- Surveillance vendors exploiting SS7 for real-time location tracking — The Record
- Rituals Cosmetics data breach disclosure — BleepingComputer