Line Dancer is a memory-only Lua-based shellcode loader associated with the ArcaneDoor campaign. Line Dancer allows an adversary to upload and execute arbitrary shellcode on victim devices.[1][2]
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Line Dancer uses HTTP POST requests to interact with compromised devices.[1][2]
Enterprise | T1059.008 | Command and Scripting Interpreter: Network Device CLI | Line Dancer can execute native commands in networking device command line interfaces.[1][2]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | Line Dancer shellcode payloads are base64 encoded when transmitted to compromised devices.[2]
Enterprise | T1041 | Exfiltration Over C2 Channel | Line Dancer exfiltrates collected data via command and control channels.[1]
Enterprise | T1562.003 | Impair Defenses: Impair Command History Logging | Line Dancer can disable syslog on compromised devices.[1]
Enterprise | T1040 | Network Sniffing | Line Dancer can create and exfiltrate packet captures from compromised environments.[1]
Enterprise | T1653 | Power Settings | Line Dancer can modify the crash dump process on infected machines to skip crash dump generation and proceed directly to device reboot, for both persistence and forensic evasion purposes.[1]
Enterprise | T1014 | Rootkit | Line Dancer can hook both the crash dump process and the Authentication, Authorization, and Accounting (AAA) functions on compromised machines to evade forensic analysis and authentication mechanisms.[1]
Enterprise | T1082 | System Information Discovery | Line Dancer can gather system configuration information by running the native

ID | Name | Description
---|---|---
C0046 | ArcaneDoor | Line Dancer is uniquely associated with the ArcaneDoor campaign.[2][1]