
Reviewed threat activity

ArcaneDoor Network Device Compromise

ArcaneDoor activity focused attention on network perimeter devices, showing how exploitation and tooling on appliances can support stealthy access to sensitive environments.

MITRE ATT&CK
Confidence: high

How The Activity Unfolds In ATT&CK

ArcaneDoor unfolds at the perimeter: public-facing network devices are compromised, tooling is introduced, traffic is proxied, and cleanup behavior reduces visibility.

  1. T1190 Exploit Public-Facing Application. The actor reaches exposed perimeter systems.
  2. T1105 Ingress Tool Transfer. Tools are moved into the compromised environment.
  3. T1090 Proxy. Compromised infrastructure can become a traffic relay.
  4. T1070.004 File Deletion. Artifact deletion complicates investigation.

Defender Readout

This is a top activity because it reminds defenders that network devices are production systems with attack paths, persistence risk, and investigation requirements.

Evidence And Mapping Rationale

T1190 Exploit Public-Facing Application

MITRE maps ArcaneDoor to exploitation of externally reachable network-device services.

T1105 Ingress Tool Transfer

MITRE maps the activity to moving tools into compromised environments.

T1090 Proxy

MITRE maps proxy behavior used to route traffic through compromised infrastructure.

T1070.004 File Deletion

MITRE maps file deletion activity used to remove artifacts.