Line Dancer - S1186 (4c8ad4ed-3bbb-4088-bf14-f4caf2bf62a0)

Line Dancer is a memory-only Lua-based shellcode loader associated with the ArcaneDoor campaign. Line Dancer allows an adversary to upload and execute arbitrary shellcode on victim devices.(Citation: Cisco ArcaneDoor 2024)(Citation: CCCS ArcaneDoor 2024)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Line Dancer - S1186 (4c8ad4ed-3bbb-4088-bf14-f4caf2bf62a0) | Malware | Network Device CLI - T1059.008 (818302b2-d640-477b-bf88-873120ce85c4) | Attack Pattern | 1 |
| Line Dancer - S1186 (4c8ad4ed-3bbb-4088-bf14-f4caf2bf62a0) | Malware | System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) | Attack Pattern | 1 |
| Line Dancer - S1186 (4c8ad4ed-3bbb-4088-bf14-f4caf2bf62a0) | Malware | Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529) | Attack Pattern | 1 |
| Line Dancer - S1186 (4c8ad4ed-3bbb-4088-bf14-f4caf2bf62a0) | Malware | Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) | Attack Pattern | 1 |
| Line Dancer - S1186 (4c8ad4ed-3bbb-4088-bf14-f4caf2bf62a0) | Malware | Power Settings - T1653 (ea071aa0-8f17-416f-ab0d-2bab7e79003d) | Attack Pattern | 1 |
| Line Dancer - S1186 (4c8ad4ed-3bbb-4088-bf14-f4caf2bf62a0) | Malware | Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | 1 |
| Line Dancer - S1186 (4c8ad4ed-3bbb-4088-bf14-f4caf2bf62a0) | Malware | Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b) | Attack Pattern | 1 |
| Line Dancer - S1186 (4c8ad4ed-3bbb-4088-bf14-f4caf2bf62a0) | Malware | Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) | Attack Pattern | 1 |
| Line Dancer - S1186 (4c8ad4ed-3bbb-4088-bf14-f4caf2bf62a0) | Malware | Impair Command History Logging - T1562.003 (8f504411-cb96-4dac-a537-8d2bb7679c59) | Attack Pattern | 1 |
| Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | Network Device CLI - T1059.008 (818302b2-d640-477b-bf88-873120ce85c4) | Attack Pattern | 2 |
| Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) | Attack Pattern | 2 |
| Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Impair Command History Logging - T1562.003 (8f504411-cb96-4dac-a537-8d2bb7679c59) | Attack Pattern | 2 |