Daily Threat Briefing
Diamond Trail

Cyware Daily Threat Intelligence, November 03, 2025


Australia is facing persistent cyberattacks targeting unpatched Cisco IOS XE devices. Attackers are exploiting an older vulnerability to install the BadCandy webshell, which allows them to create admin accounts. Despite a patch being available since 2023, hundreds of devices remain infected.

A new nation-state malware named Airstalk has been discovered, likely spread through a supply chain attack. The malware cleverly uses the AirWatch API for its C2 communications. Its .NET variant is designed to steal sensitive data, including browser cookies and history, from enterprise systems.

Progress Software has issued critical security patches for a high-severity flaw in its MOVEit Transfer platform. The vulnerability could allow an unauthenticated attacker to cause a DoS condition.

Top Malware Reported in the Last 24 Hours

Bronze Butler exploits Lanscope 0-day

The China-linked Bronze Butler (Tick) threat group exploited a zero-day vulnerability (CVE-2025-61932) in Motex LANSCOPE Endpoint Manager to gain unauthorized access and steal confidential information. This vulnerability enabled attackers to execute arbitrary commands with SYSTEM privileges. The group utilized Gokcpdoor malware, which established a command and control connection, and the Havoc C2 framework for remote access. Additionally, they employed legitimate tools like goddi, remote desktop applications, and 7-Zip for lateral movement and data exfiltration, leveraging cloud storage services for their operations.

Australia warns of BadCandy infections

Australia is facing ongoing cyberattacks targeting unpatched Cisco IOS XE devices, with the BadCandy webshell being used to compromise routers. By exploiting CVE-2023-20198, attackers can create local admin users through the web interface and take control of the devices. Despite Cisco addressing this flaw in October 2023, many devices remain unpatched, leading to over 400 reported infections by July 2025, with around 150 still compromised as of late October 2025. The BadCandy webshell enables remote attackers to execute commands with root privileges, and it can be reintroduced after a device reboot if the underlying vulnerability remains unpatched. The Australian Signals Directorate has noted signs of re-exploitation, indicating a persistent threat from attackers, some of whom are believed to be state-sponsored actors.

CL-STA-1009 drops new Airstalk malware

Nation-state hackers are distributing a new malware called Airstalk, linked to a suspected supply chain attack and tracked under the threat cluster name CL-STA-1009. The malware abuses the AirWatch mobile device management API as a covert C2 channel. Airstalk exists in both PowerShell and .NET variants, with the .NET version offering enhanced capabilities, including targeting enterprise browsers like Microsoft Edge and Island. It can capture sensitive data such as browser cookies, history, and bookmarks, while employing evasion techniques to remain undetected. The malware is believed to be signed with stolen certificates and poses significant risks to organizations, particularly in the business process outsourcing sector, where it can exploit MDM-related APIs to access sensitive enterprise environments.

Top Vulnerabilities Reported in the Last 24 Hours

Progress patches MOVEit Transfer bug

Progress Software has released critical security patches for a high-severity vulnerability in its MOVEit Transfer platform. This vulnerability, identified as CVE-2025-10932, allows unauthenticated attackers to exploit inadequate resource allocation controls in the AS2 module, potentially leading to DoS conditions that disrupt business operations. The flaw affects multiple versions of MOVEit Transfer, posing significant risks to users due to its low attack complexity and the platform's extensive deployment across various sectors, including finance and healthcare.

Elastic patches high severity flaw

Elastic has addressed a high-severity privilege escalation vulnerability (CVE-2025-37736, CVSS 8.8) in Elastic Cloud Enterprise (ECE), affecting versions 3.8.0 to 3.8.2 and 4.0.0 to 4.0.2. This flaw allowed read-only users to exploit improper authorization, enabling them to perform unauthorized operations on critical API endpoints. As a result, attackers could potentially create, modify, or delete user accounts and escalate privileges within managed Elastic environments. The vulnerability stems from inadequate access control on several API endpoints related to user and service account management. Elastic has released patched versions (3.8.3 and 4.0.3) to fix this issue, which impacts all ECE users across on-premises and hybrid deployments.

Tags: Bronze Butler, CVE-2025-61932, BadCandy webshell, CL-STA-1009, Airstalk malware
