
S1186 Line Dancer

Line Dancer is a memory-only Lua-based shellcode loader associated with the ArcaneDoor campaign. Line Dancer allows an adversary to upload and execute arbitrary shellcode on victim devices.[2][1]

Item          | Value
ID            | S1186
Associated Names | (none listed)
Type          | MALWARE
Version       | 1.0
Created       | 06 January 2025
Last Modified | 15 April 2025

Techniques Used

Domain     | ID        | Name                                 | Use
enterprise | T1071     | Application Layer Protocol           | -
enterprise | T1071.001 | Web Protocols                        | Line Dancer uses HTTP POST requests to interact with compromised devices.[2][1]
enterprise | T1059     | Command and Scripting Interpreter    | -
enterprise | T1059.008 | Network Device CLI                   | Line Dancer can execute native commands in networking device command line interfaces.[2][1]
enterprise | T1140     | Deobfuscate/Decode Files or Information | Line Dancer shellcode payloads are base64 encoded when transmitted to compromised devices.[1]
enterprise | T1041     | Exfiltration Over C2 Channel         | Line Dancer exfiltrates collected data via command and control channels.[2]
enterprise | T1562     | Impair Defenses                      | -
enterprise | T1562.003 | Impair Command History Logging       | Line Dancer can disable syslog on compromised devices.[2]
enterprise | T1040     | Network Sniffing                     | Line Dancer can create and exfiltrate packet captures from compromised environments.[2]
enterprise | T1653     | Power Settings                       | Line Dancer can modify the crash dump process on infected machines to skip crash dump generation and proceed directly to device reboot, for both persistence and forensic evasion purposes.[2]
enterprise | T1014     | Rootkit                              | Line Dancer can hook both the crash dump process and the Authentication, Authorization, and Accounting (AAA) functions on compromised machines to evade forensic analysis and authentication mechanisms.[2]
enterprise | T1082     | System Information Discovery         | Line Dancer can gather system configuration information by running the native show configuration command.[2]

References