3rd November 2025 Cyber Update: ASD Warns of Ongoing BADCANDY Attacks on Australian Networks

The Australian Signals Directorate (ASD) has issued a critical alert regarding the BADCANDY malware, which is actively exploiting a Cisco vulnerability to compromise hundreds of devices across Australia. The web shell is non-persistent, but attackers repeatedly reinfect systems that remain unpatched.


Cyber News Centre's cyber update for 3rd November 2025: The Australian Signals Directorate (ASD) has raised concerns about a new wave of intrusions targeting local networks through a malware strain known as BADCANDY. The implant takes advantage of a serious flaw in Cisco IOS XE software, allowing unauthorised access to affected systems.

The Update and Why It Matters

The Update: The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has issued an advisory about ongoing attacks exploiting a critical vulnerability (CVE-2023-20198) in Cisco IOS XE software. The attacks install a Lua-based web shell dubbed BADCANDY. According to the ASD, more than 400 devices in Australia have been compromised since July 2025, with over 150 still infected as of late October.

The BADCANDY implant is non-persistent, meaning it is removed upon reboot; however, threat actors are actively re-exploiting unpatched devices. The ASD has observed that attackers can detect when the implant is removed and will reinfect the vulnerable system. The vulnerability allows a remote, unauthenticated attacker to create a privileged account and take full control of the device. The ASD has attributed the activity to both criminal and state-sponsored actors, including the China-linked group Salt Typhoon.

Why It Matters: This campaign highlights the ongoing threat to critical network infrastructure. Cisco IOS XE is widely used in enterprise and service provider networks, making it a high-value target for attackers. The fact that threat actors are actively re-exploiting devices even after the implant is removed underscores the importance of timely patching.

A simple reboot is not enough to secure these devices. The involvement of state-sponsored actors like Salt Typhoon, known for targeting critical infrastructure, raises the stakes. This is not just about financial gain; it is about espionage and potentially disruptive attacks. Organisations must follow the ASD’s advice to patch immediately, harden their devices, and search for signs of compromise to protect themselves from this ongoing threat.
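The advisory summarised above says the vulnerability lets an unauthenticated attacker create a privileged account and that operators should search for signs of compromise rather than rely on a reboot. The script below is an added example written for this page; it is not ASD or Cisco tooling. It parses a constructed `show running-config` dump for Cisco IOS XE, flags any privilege-15 local user that is not on the operator's allowlist, and reports whether the HTTP/HTTPS server (the IOS XE web UI feature in which CVE-2023-20198 lies, a detail not stated on the page) is still enabled. The hostname, usernames and hashes in the sample are constructed; `cisco_support` is a hypothetical name standing in for an account the operator did not create.

```python
"""Flag unexpected privilege-15 local accounts and web UI exposure in a
Cisco IOS XE running-config dump (added example, not ASD/Cisco tooling)."""
import re
from typing import Dict, List, Set

# Constructed sample of `show running-config` output. 'netops' is assumed to
# be the legitimate admin; 'cisco_support' is a hypothetical account of the
# kind an exploit of CVE-2023-20198 could add. Hashes are placeholders.
SAMPLE_CONFIG = """\
!
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$PLACEHOLDER1
username cisco_support privilege 15 secret 9 $9$PLACEHOLDER2
username monitor privilege 1 secret 9 $9$PLACEHOLDER3
!
ip http server
ip http secure-server
!
"""

# `username <name> [privilege <n>] ...`; privilege is optional in IOS syntax.
USER_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?", re.MULTILINE)
# `ip http server` / `ip http secure-server` enable the web UI; a leading
# `no ` on the line disables it and will not match the anchored pattern.
HTTP_RE = re.compile(r"^ip http (?:secure-)?server\s*$", re.MULTILINE)


def parse_local_users(config: str) -> Dict[str, int]:
    """Return {username: privilege} for each local user line.
    Users with no explicit privilege keyword get the IOS default of 1."""
    users: Dict[str, int] = {}
    for match in USER_RE.finditer(config):
        name, priv = match.group(1), match.group(2)
        users[name] = int(priv) if priv else 1
    return users


def unexpected_privileged_users(config: str, allowlist: Set[str]) -> List[str]:
    """Privilege-15 accounts that the operator did not sanction."""
    return sorted(
        name for name, priv in parse_local_users(config).items()
        if priv == 15 and name not in allowlist
    )


def webui_enabled(config: str) -> bool:
    """True if the HTTP or HTTPS server (web UI) is enabled in the config."""
    return HTTP_RE.search(config) is not None


def assess(config: str, allowlist: Set[str]) -> Dict[str, object]:
    """Combine both checks into one finding record for a device."""
    return {
        "unexpected_priv15": unexpected_privileged_users(config, allowlist),
        "webui_enabled": webui_enabled(config),
    }


if __name__ == "__main__":
    # Constructed allowlist: only 'netops' is expected to hold privilege 15.
    findings = assess(SAMPLE_CONFIG, {"netops"})
    for acct in findings["unexpected_priv15"]:
        print(f"REVIEW: unexpected privilege-15 account '{acct}'")
    if findings["webui_enabled"]:
        print("REVIEW: HTTP/HTTPS server enabled; disable it if not required")
```

Because the implant itself is removed by a reboot while any account the attacker created persists in the saved configuration, reviewing local users is a more durable indicator than looking for the web shell; run this against configs collected from every IOS XE device, not only the ones currently showing symptoms.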

