BADCANDY
BADCANDY is a Lua-based web shell implant targeting Cisco IOS XE devices, including routers, switches, and wireless controllers. The reported infection vector is exploitation of Cisco IOS XE web UI vulnerabilities, primarily CVE-2023-20198, with some reporting also referencing CVE-2023-20273. After exploitation, attackers can create unauthorized privileged or local administrator accounts and deploy BADCANDY to obtain root-level access on the device. Reported capabilities include arbitrary command execution, reconnaissance, data exfiltration, and creation of unauthorized accounts on compromised devices.

Multiple cited sources describe the implant as stealthy and non-persistent: a reboot removes it, but attackers can detect its removal and re-exploit unpatched systems to reinstall it. Reporting also states that attackers often apply a non-persistent patch after compromise to mask the device's vulnerability status.

The Australian Signals Directorate / ACSC warned of ongoing activity since October 2023, with renewed activity in 2024-2025 and widespread infections in Australia; reporting cites more than 400 affected Cisco IOS XE devices, and other reports cite at least 150 infected devices at specific points in time.

Reported indicators and signs of compromise include suspicious local accounts such as cisco_tac_admin, cisco_support, cisco_sys_manager, or cisco, as well as unknown tunnel interfaces and suspicious configuration changes. Cisco Talos incident response reporting also noted activity consistent with BADCANDY on Cisco IOS XE, including use of the implant to create an unauthorized account, and assessed that one observed case appeared automated with no follow-on interactive activity.

Some reporting links BADCANDY activity to Salt Typhoon, but attribution should be treated cautiously because it is not uniformly established across the cited material.

Reported targeting includes enterprise, government, telecommunications, and critical infrastructure environments operating exposed or unpatched Cisco IOS XE infrastructure.
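The account names and unknown tunnel interfaces listed above can be checked against a saved running-config. The script below is an added example, not Mallory's or Cisco's code; the config excerpt is constructed, and the expected-users and expected-tunnels allowlists are assumed to come from each device's known-good baseline.

```python
"""Scan a saved Cisco IOS XE running-config for the compromise signs named in
BADCANDY reporting: suspicious local accounts and unknown tunnel interfaces.
Added example, not Mallory's or Cisco's code; the sample config is constructed."""
import re

# Account names that public reporting associates with post-exploitation activity.
SUSPICIOUS_USERS = {"cisco_tac_admin", "cisco_support", "cisco_sys_manager", "cisco"}

USER_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?", re.M)
TUNNEL_RE = re.compile(r"^interface\s+(Tunnel\d+)\b", re.M)


def find_indicators(config, expected_users, expected_tunnels):
    """Return (kind, name) findings for accounts and tunnels outside the baseline.

    expected_users / expected_tunnels: sets taken from a known-good config
    baseline (hypothetical inputs the device owner maintains per device)."""
    findings = []
    for name, priv in USER_RE.findall(config):
        if name in SUSPICIOUS_USERS:
            findings.append(("known_suspicious_account", name))
        elif name not in expected_users:
            # Any unexplained account deserves review; privilege 15 most of all.
            kind = "unexpected_priv15_account" if priv == "15" else "unexpected_account"
            findings.append((kind, name))
    for tun in TUNNEL_RE.findall(config):
        if tun not in expected_tunnels:
            findings.append(("unknown_tunnel_interface", tun))
    return findings


# Constructed running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
username backup-svc privilege 15 secret 9 $9$placeholder
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
interface Tunnel100
 ip address 10.99.0.1 255.255.255.252
interface GigabitEthernet1
 ip address 192.0.2.1 255.255.255.0
"""

if __name__ == "__main__":
    for kind, what in find_indicators(SAMPLE_CONFIG, {"netops"}, {"Tunnel0"}):
        print(f"{kind}: {what}")
```

A clean result here does not clear the device: the implant itself is non-persistent and lives outside the config, so this check only catches the account and interface side effects the reporting describes.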
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
BADCANDY is a stealthy Lua-based web shell implant deployed by threat actors after exploiting the CVE-2023-20198 web UI privilege escalation vulnerability. This implant grants attackers root-level access to compromised Cisco IOS XE networking devices such as routers, switches, and wireless controllers.

The Australian Signals Directorate (ASD) recently issued a high-severity alert about an ongoing cyber attack campaign exploiting a critical vulnerability in Cisco IOS XE devices, tracked as CVE-2023-20198. This vulnerability has a perfect CVSS score of 10.0, reflecting its extreme risk, and has been actively exploited since 2023.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Recent activity
10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Implant used to create an unauthorized account on Cisco IOS XE; activity appeared automated with no observed interactive follow-on actions.
Lua-based web shell/implant on Cisco IOS XE; post-compromise actors may apply a non-persistent patch to mask the device’s vulnerable status; presence indicates compromise via CVE-2023-20198.
A stealthy Lua-based web shell implant used on compromised Cisco IOS XE devices to provide root-level access, execute arbitrary commands, conduct network reconnaissance, and exfiltrate data. It is described as non-persistent and disappears after reboot, but attackers can reinstall it by re-exploiting unpatched devices.
Malware infecting Cisco IOS XE routers at scale in Australia; infections attributed to exploitation of unpatched 2023 issues and linked in reporting to activity by a China-nexus espionage group.