On April 24, 2026, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) issued a joint cybersecurity advisory regarding the activities of China-nexus cyber actors. The advisory, supported by international partners from the Five Eyes intelligence alliance, details the use of large-scale covert networks composed of compromised Small Office/Home Office (SOHO) routers and Internet of Things (IoT) devices. These networks are being utilized to conduct long-term espionage and maintain persistent access to global critical infrastructure.
A primary focus of the advisory is the discovery of a sophisticated backdoor named FIRESTARTER, which was identified within a Cisco Firepower device at a U.S. federal agency. Technical analysis reveals that FIRESTARTER is a persistent malware variant that resides within the device firmware, specifically targeting the Cisco Firepower Threat Defense (FTD) software. The backdoor affects FTD versions prior to 7.4.1 and exploits undocumented vulnerabilities in the Cisco Firepower Extensible Operating System (FXOS). By operating at the firmware level, FIRESTARTER can survive system reboots and standard software updates, providing attackers with a durable foothold within the network.
The advisory reports that the China-linked actors have established a global botnet consisting of more than 250,000 compromised devices. These units, which include routers from various manufacturers and unpatched IoT hardware such as IP cameras and network-attached storage (NAS) devices, function as operational relay boxes (ORBs). This infrastructure allows the actors to mask their malicious traffic by routing it through legitimate consumer and small-business IP addresses, which complicates attribution and bypasses traditional geography-based blocking filters.
CISA Director Jen Easterly stated that the scale and technical sophistication of these networks represent a significant evolution in state-sponsored cyber operations. The FBI noted that the actors are prioritizing living-off-the-land techniques, using the native administrative tools already present on compromised devices to avoid detection by endpoint security solutions. The advisory includes over 50 specific indicators of compromise (IOCs) and provides detailed guidance for network administrators on identifying and remediating infected devices.
Cisco has responded to the findings by releasing a series of security patches and a dedicated technical bulletin. The company recommends that all users of Firepower 1000, 2100, 3100, and 4100 series appliances immediately verify their firmware versions and apply the necessary updates. The agencies further advise organizations to decommission any SOHO equipment that has reached its end-of-life status, as these devices often lack the security architecture necessary to defend against modern firmware-level exploits.