
Brian Sims
Editor
THE NATIONAL Cyber Security Centre (NCSC) – which is part of GCHQ – has issued further advice in order to help network defenders mitigate the malicious targeting of certain Cisco devices.
In a significant update on a previous malicious campaign exposed last year, Cisco has said the same threat actor has exploited new vulnerabilities in Cisco Adaptive Security Appliance (ASA) 5500-X Series devices to implant malware, execute commands and potentially exfiltrate data from compromised devices.
The NCSC is calling on network defenders using affected products to urgently investigate this activity and has published new analysis of the malware components – dubbed RayInitiator and LINE VIPER – to assist with detection and mitigation.
Organisations are urged to follow Cisco’s recommended remediation advice, including the application of security updates, and to report any evidence of compromise to the NCSC.
Given that some Cisco ASA 5500-X models will be out of support from this month and in August 2026, the NCSC strongly recommends that, where practicable, such devices should be replaced or upgraded. Obsolete and end-of-life devices present a significant security risk to organisations.
Detection and remediation
The NCSC’s chief technology officer Ollie Whitehouse said: “It’s critical for organisations to take note of the recommended actions highlighted by Cisco, and particularly so in terms of detection and remediation. We strongly encourage network defenders to follow vendor Best Practice and engage with the NCSC’s malware analysis report to assist with their investigations.”
Whitehouse added: “End-of-life technology presents a significant risk for organisations. Systems and devices should be promptly migrated to modern versions to address vulnerabilities and strengthen resilience.”
The alert follows on from a joint advisory published last year with international partners, which included detailed analysis of malware, dubbed LINE DANCER and LINE RUNNER.
The RayInitiator and LINE VIPER malware represents a significant evolution on that used in the previous campaign, both in terms of sophistication and its ability to evade detection. More information on managing obsolete and end-of-life devices can be found in the device security guidance.
Migration to Windows 11
The NCSC recently published a blog highlighting that organisations should prepare for Windows 10 coming to end of life in October and prioritise migration to Windows 11.
Cisco has provided further information and detection advice on its website at https://sec.cloudapps.cisco.com/security/center/resources/detection_guide_for_continued_attacks