CISA and NCSC identified FIRESTARTER, a persistent Linux ELF backdoor deployed by APT actors on Cisco Firepower and Secure Firewall devices. The malware hooks into the LINA engine, survives firmware updates and soft reboots, and facilitates the deployment of secondary payloads like LINE VIPER to establish unauthorized VPN sessions.