Lizzie Clark

November 5th – This Week’s Top Cybersecurity and Dark Web Stories

This week’s top cybersecurity and dark web news stories dive into the warning issued regarding unpatched Cisco devices, the data breach at Swedish power grid operator Svenska kraftnät, and the Windows zero-day exploited to spy on European diplomats.

Warning issued regarding ongoing attacks on unpatched Cisco devices

On October 31st, the Australian government issued a warning about an ongoing cyberattack targeting unpatched Cisco IOS XE devices.

Threat actors are installing the ‘BADCANDY’ implant, a Lua-based web shell, on Cisco IOS XE devices that are vulnerable to CVE-2023-20198. Variations of BADCANDY have been observed since October 2023, with renewed activity throughout 2024 and 2025.

BADCANDY does not persist across a device reboot. However, where an actor has already harvested account credentials or established another form of persistence, the actor may retain access to the device or network even after the implant is gone.

Since July 2025, the Australian Signals Directorate (ASD) assesses that over 400 devices in Australia were potentially compromised with BADCANDY. As of late October 2025, more than 150 devices in Australia remain compromised.

CVE-2023-20198
This critical vulnerability affects the web user interface (UI) feature of Cisco IOS XE Software. Exploitation allows a remote, unauthenticated attacker to create a highly privileged (privilege level 15) account on the vulnerable system, giving them full control of the device.

This vulnerability has been leveraged by actors such as Salt Typhoon and was among the top routinely exploited vulnerabilities of 2023.

While any actor with the exploit can deploy this implant, ASD assesses that both criminal and state-sponsored cyber actors may leverage BADCANDY. Cyber actors are known to re-exploit previously compromised devices where the device has not been patched and the web UI has been left exposed to the internet. This presents an ongoing risk to Australian networks.
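The two checks a defender with a fleet of IOS XE devices would want to run follow from the paragraphs above: is the web UI still reachable, and does the device answer the implant probe? The Python below is an added example, not code from the article, ASD or Cisco. It audits `show running-config` text for the web UI (Cisco's published mitigation is to disable the HTTP server feature with `no ip http server` / `no ip http secure-server`, or to restrict it with `ip http access-class`), and it interprets the response to the implant check Cisco Talos published in 2023: a POST to `/webui/logoutconfirm.html?logon_hash=1` that returns a hexadecimal string when the original implant is present. The sample configs and hostname are constructed; a missing response is reported as inconclusive because later implant variants only answer when a specific Authorization header is supplied.

```python
"""Triage helpers for CVE-2023-20198 / BADCANDY on Cisco IOS XE.

Added example, not code from the article or from ASD/Cisco. The sample
configurations below are constructed for illustration.
"""
import re
import ssl
import urllib.error
import urllib.request

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def audit_http_ui(running_config):
    """Report web UI exposure from `show running-config` text.

    IOS XE prints the feature explicitly as `ip http server` /
    `ip http secure-server` (or `no ...` when disabled), and restricts
    it with `ip http access-class ...` when an ACL is applied.
    """
    lines = [ln.strip() for ln in running_config.splitlines()]
    http = "ip http server" in lines
    https = "ip http secure-server" in lines
    access_class = any(ln.startswith("ip http access-class ") for ln in lines)
    enabled = http or https
    if not enabled:
        verdict = "web UI disabled"
    elif access_class:
        verdict = "web UI enabled but ACL-restricted; patching still required"
    else:
        verdict = "web UI enabled and unrestricted: exposed wherever the device is reachable"
    return {"http": http, "https": https, "access_class": access_class,
            "enabled": enabled, "verdict": verdict}


def remediation(audit):
    """IOS XE commands that remove the exposure found by audit_http_ui()."""
    cmds = []
    if audit["http"]:
        cmds.append("no ip http server")
    if audit["https"]:
        cmds.append("no ip http secure-server")
    return cmds


def classify_implant_response(status, body):
    """Interpret the Talos implant check. Only a hex-only body is positive;
    anything else is NOT proof of a clean device (hardened variants gate on
    an Authorization header and stay silent otherwise)."""
    text = body.decode("ascii", "replace").strip()
    if status == 200 and text and HEX_RE.match(text):
        return "implant responded"
    return "no implant response (inconclusive for hardened variants)"


def probe_implant(host, timeout=5):
    """Run the Talos check against a live device (network required)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # device web UIs normally use self-signed certs
    url = f"https://{host}/webui/logoutconfirm.html?logon_hash=1"
    req = urllib.request.Request(url, data=b"", method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return classify_implant_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify_implant_response(err.code, err.read())
    except (urllib.error.URLError, OSError) as err:
        return f"probe failed: {err}"


# Constructed sample configurations (hostnames and ACL names are placeholders)
EXPOSED_CONFIG = """\
hostname edge-rtr-01
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
"""

RESTRICTED_CONFIG = """\
hostname edge-rtr-02
!
ip access-list standard MGMT
 permit 10.0.0.0 0.255.255.255
!
no ip http server
ip http secure-server
ip http access-class ipv4 MGMT
"""

HARDENED_CONFIG = """\
hostname edge-rtr-03
!
no ip http server
no ip http secure-server
"""

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("restricted", RESTRICTED_CONFIG),
                      ("hardened", HARDENED_CONFIG)):
        result = audit_http_ui(cfg)
        print(name, "->", result["verdict"], remediation(result))
    print(classify_implant_response(200, b"deadbeef0011"))
    # print(probe_implant("192.0.2.10"))  # live check; placeholder address
```

Run the audit over exported configs first; the live probe is only meaningful against devices that the audit shows still have the web UI enabled, and a silent response from such a device should lead to patching and a configuration review rather than being read as a clean bill of health.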

Swedish Power Grid Operator Confirms Data Breach

Svenska kraftnät, Sweden’s primary electricity grid operator, has confirmed that it suffered a data breach after the Russia-linked Everest ransomware gang claimed to have siphoned hundreds of gigabytes of the company’s data.

Svenska kraftnät learned about the attack after a security expert notified the company that Everest had posted the company’s data on the gang’s dark web leak site.

“It would have been nicer if we had discovered the breach ourselves,” Cem Göcgoren, Svenska kraftnät’s Head of Information Security, told Västerbottens-Kuriren, a Swedish media outlet.

Meanwhile, Everest claims to have stolen 280GB of the grid operator’s data. The attackers have not said what type of data they obtained.

At the same time, Svenska kraftnät released a statement to dispel any misunderstandings surrounding the data breach. According to Göcgoren, the company takes the breach “very seriously” and has taken immediate action to mitigate the issue.

“We understand that this may cause concern, but the electricity supply has not been affected by this breach,” Göcgoren said.

The company says that as of now it cannot reveal specific details about what type of information was exposed, as there’s an active police investigation into the matter. According to a statement by Göcgoren, no critical systems were impacted by the attack.

“As soon as we have more information to share, we will communicate this. We are currently unable to provide any specific details about what information has been exposed, but we see no indication at this time that mission-critical systems have been affected,” the company explained.

Svenska kraftnät says the attackers compromised an external file transfer solution, and the company is investigating what information was handled by that service.

Who is the Everest Group?

The Everest ransomware gang has been on a rampage recently, including an attack on Dublin Airport. The attackers claim they will publish the data of over 1.5 million passengers if their ransom demands are not met.

The gang, believed to be Russia-linked, was first spotted in 2021. It made headlines after the October 2022 attack on the American telecommunications behemoth AT&T. At the time, Everest said it had access to AT&T’s entire corporate network.

More recently, Everest claimed responsibility for an attack on Allegis Group, a multi-billion-dollar talent management group.

The gang has also targeted Coca-Cola’s Middle East division, eventually leaking the data of nearly 1000 employees. It also claimed a data breach of Crumbl, the North American gourmet cookie shop chain.

Windows Zero-Day Exploited to Spy on European Diplomats

A China-linked hacking group is exploiting a Windows zero-day in attacks targeting European diplomats in Hungary and Belgium, among other European nations.

The attack chain begins with spearphishing emails that lead to the delivery of malicious LNK files themed around NATO defense procurement workshops, European Commission border facilitation meetings, and various other diplomatic events.

These malicious files are designed to exploit a high-severity Windows LNK vulnerability (tracked as CVE-2025-9491) to deploy the PlugX remote access trojan (RAT) malware and gain persistence on compromised systems, allowing them to monitor diplomatic communications and steal sensitive data.

The cyber-espionage campaign has been attributed to a Chinese state-backed threat group tracked as UNC6384 (Mustang Panda), known for conducting espionage operations aligned with Chinese strategic interests and targeting diplomatic entities across Southeast Asia.

While the campaign initially focused on Hungarian and Belgian diplomatic entities, it has since expanded to other European organizations, including Serbian government agencies and diplomatic entities from Italy and the Netherlands.

The zero-day vulnerability used in this campaign enables attackers to execute arbitrary code on targeted Windows systems. User interaction is required for successful exploitation, however: the victim must be tricked into visiting a malicious page or opening a malicious file.

CVE-2025-9491 lies in how Windows handles and displays .LNK shortcut files. Attackers place malicious command-line arguments in the shortcut’s COMMAND_LINE_ARGUMENTS structure and pad them with whitespace characters, so that the shortcut’s Properties dialog does not reveal the command that runs when the file is opened. The result is code execution on vulnerable devices without the user’s knowledge.
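Because the padding lives in the file’s StringData, a defender can catch it by parsing the shortcut rather than trusting what the Properties dialog shows. The Python below is an added example, not code from the article or from any of the vendors named in it. It follows the public MS-SHLLINK layout (header, optional LinkTargetIDList and LinkInfo, then the StringData sections in fixed order), extracts COMMAND_LINE_ARGUMENTS, and flags long whitespace runs or non-space whitespace (tab, line feed, vertical tab, form feed, carriage return) in the arguments. The run-length threshold is an assumption, and the two .LNK files built at the bottom are constructed fixtures, not real samples.

```python
"""Detect whitespace-padded COMMAND_LINE_ARGUMENTS in Windows .LNK files.

Added example, not from the original article. The Shell Link layout follows
the public MS-SHLLINK specification; the padding heuristic and the sample
files below are this example's own assumptions.
"""
import struct

LNK_HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 in on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData sections appear in this fixed order when their flag is set
STRING_DATA = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Whitespace characters used as padding in the reported samples
PAD_CHARS = " \t\n\x0b\x0c\r"


def parse_lnk(data):
    """Return the StringData sections of a Shell Link as a dict of str."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a Shell Link")
    size, = struct.unpack_from("<I", data, 0)
    if size != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("missing Shell Link header")
    flags, = struct.unpack_from("<I", data, 20)
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize (2 bytes) then IDList
        id_list_size, = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:             # LinkInfoSize counts itself
        link_info_size, = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    unicode = bool(flags & IS_UNICODE)
    sections = {}
    for bit, name in STRING_DATA:
        if not flags & bit:
            continue
        count, = struct.unpack_from("<H", data, pos)   # CountCharacters
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        pos += nbytes
        sections[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")
    return sections


def analyse_arguments(arguments, run_threshold=32):
    """Heuristic padding check. run_threshold is an assumption: legitimate
    shortcuts essentially never carry long runs of whitespace in arguments."""
    longest = run = 0
    for ch in arguments:
        run = run + 1 if ch in PAD_CHARS else 0
        longest = max(longest, run)
    control = sorted({ch for ch in arguments if ch in PAD_CHARS and ch != " "})
    return {
        "longest_whitespace_run": longest,
        "non_space_whitespace": control,
        "normalised_arguments": " ".join(arguments.split()),  # what actually runs
        "suspicious": longest >= run_threshold or bool(control),
    }


def scan_lnk(data):
    return analyse_arguments(parse_lnk(data).get("arguments", ""))


def build_lnk(relative_path, arguments):
    """Build a minimal Unicode Shell Link carrying only RELATIVE_PATH and
    COMMAND_LINE_ARGUMENTS. Constructed fixture for exercising the scanner."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += struct.pack("<I", 0x20)            # FileAttributes: ARCHIVE
    header += b"\x00" * 24                       # Creation/Access/Write FILETIMEs
    header += struct.pack("<IiI", 0, 0, 1)       # FileSize, IconIndex, ShowCommand=SW_SHOWNORMAL
    header += struct.pack("<HHII", 0, 0, 0, 0)   # HotKey, Reserved1..3

    def string_data(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


# Constructed samples: an ordinary shortcut and one padded in the campaign's style
BENIGN_LNK = build_lnk("..\\Windows\\System32\\cmd.exe", "/c dir")
PADDED_LNK = build_lnk("..\\Windows\\System32\\cmd.exe",
                       "\t" * 300 + "/c start hidden-loader.exe")  # placeholder payload name

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        print(label, scan_lnk(sample))
```

Point scan_lnk() at shortcuts extracted from mail attachments and archives; the normalised_arguments field shows the command the shortcut would really run, which is what the padding is designed to keep out of sight.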

In March 2025, it was disclosed that CVE-2025-9491 had already been widely exploited by 11 state-sponsored groups and cybercrime gangs, including Evil Corp, APT43 (also known as Kimsuky), Bitter, APT37, Mustang Panda, SideWinder, RedHotel, and Konni.

While Microsoft said in March that it would “consider addressing” this flaw, even though it “does not meet the bar for immediate servicing,” it has yet to release a security update for this heavily exploited Windows vulnerability.

“We appreciate the work of the research community in sharing their findings. Microsoft Defender has detections in place to identify and block this threat activity, and Smart App Control provides an additional layer of protection by blocking malicious files from the Internet,” a Microsoft spokesperson said.

“As a security best practice, we strongly encourage customers to heed security warnings and avoid opening files from unknown sources.”

If you aren’t subscribed and would like the latest dark web news and insights delivered into your inbox every Thursday at 10am, sign up to the email version of Beacon.