Reporting from November 2025 shows a new wave of cyberattacks across several global sectors. Attackers are exploiting recently disclosed software vulnerabilities, deploying advanced persistence tactics, and hitting enterprises with both malware and phishing campaigns. This update covers the most significant, technically complex incidents reported since early November 2025 and examines how each one works and what it means for defenders.
Exploitation of Internet Information Services (IIS) COM Object Vulnerability Enables Remote Code Execution
Security researchers have warned of an unpatched vulnerability in the inbox COM objects shipped with Microsoft Internet Information Services (IIS) that allows unauthorized attackers to execute arbitrary code remotely. The flaw stems from improper permissions on the COM object registration, which exposes IIS servers that handle specially crafted requests. Attackers can use it to elevate privileges or move laterally inside corporate networks.
Attack Mechanics and Exploitation Path
The vulnerability is triggered by malicious HTTP requests that manipulate the IIS COM runtime. Once exploitation succeeds, attackers can run system-level commands or drop follow-on malware. Because that code runs inside the trusted IIS worker process, it can pass for legitimate service activity and slip past endpoint security controls.
Technical Exposure and Mitigations
Affected IIS configurations lack adequate access control on their COM interfaces, allowing attackers to inject code remotely. Until an official patch ships, organizations should restrict access to management interfaces, segment the network so a compromised web tier cannot reach internal assets directly, and monitor IIS server logs for anomalous request patterns. Because the attacker's commands run as children of the IIS worker process, alerting on w3wp.exe spawning command interpreters such as cmd.exe or powershell.exe is a cheap, high-signal check to run alongside the log review.
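The log monitoring recommended above is easier to act on with a concrete parser. The following is an added example, not code from the original article: it reads IIS W3C extended logs, using the #Fields directive so the column order does not matter, and raises two generic baseline signals that are independent of this particular flaw, a rare HTTP verb and a burst of 5xx responses from one client. The log lines, the verb allowlist and the threshold are constructed for illustration.

```python
"""Flag anomalous request patterns in IIS W3C extended logs.

Added example, not code from the original article. The log lines, the
verb allowlist and the 5xx threshold are constructed for illustration;
derive the real baseline from your own servers.
"""
from collections import defaultdict

# Constructed sample in IIS W3C Extended Log File Format. The #Fields line
# drives the parser, so any field order your servers use will work.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2025-11-05 09:00:01 10.0.0.5 GET /index.html - 443 198.51.100.7 Mozilla/5.0 200
2025-11-05 09:00:02 10.0.0.5 GET /app/login - 443 198.51.100.7 Mozilla/5.0 200
2025-11-05 09:01:10 10.0.0.5 POST /app/api/submit - 443 203.0.113.9 python-requests/2.31 500
2025-11-05 09:01:11 10.0.0.5 POST /app/api/submit - 443 203.0.113.9 python-requests/2.31 500
2025-11-05 09:01:12 10.0.0.5 PROPFIND /app/api/submit - 443 203.0.113.9 python-requests/2.31 500
2025-11-05 09:01:13 10.0.0.5 POST /app/api/submit - 443 203.0.113.9 python-requests/2.31 500
2025-11-05 09:02:00 10.0.0.5 GET /about - 443 192.0.2.44 Mozilla/5.0 200
"""

# Verbs the application is known to serve; anything else is worth a look.
COMMON_VERBS = {"GET", "HEAD", "POST", "OPTIONS"}
# Illustrative threshold: this many 5xx responses from one client in the window.
SERVER_ERROR_THRESHOLD = 3


def parse_w3c(text):
    """Yield one dict per request, keyed by the field names in #Fields."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated line: skip rather than misalign columns
        yield dict(zip(fields, values))


def find_anomalies(text):
    """Return (signal, client_ip, detail) tuples for rare verbs and 5xx bursts."""
    findings = []
    server_errors = defaultdict(int)
    for rec in parse_w3c(text):
        if rec["cs-method"] not in COMMON_VERBS:
            findings.append(("rare-verb", rec["c-ip"],
                             f"{rec['cs-method']} {rec['cs-uri-stem']}"))
        if rec["sc-status"].startswith("5"):
            server_errors[rec["c-ip"]] += 1
    for ip, count in server_errors.items():
        if count >= SERVER_ERROR_THRESHOLD:
            findings.append(("5xx-burst", ip, f"{count} server errors"))
    return findings


if __name__ == "__main__":
    for signal, ip, detail in find_anomalies(SAMPLE_LOG):
        print(f"{signal:10} {ip:15} {detail}")
```

Neither signal is a signature for the COM object flaw, which has no public detection logic as of this writing; they are the kind of baseline deviation the advice above asks you to watch for, and both are cheap enough to run over a day of logs on every internet-facing IIS host.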
A campaign targeting Android users in India is using the guise of regional government transport apps to distribute GhostBat, a new banking Trojan. The malware harvests financial credentials and personal data at scale, and there are indications of a broader regional cybercrime operation behind it.
GhostBat RAT Poses as Indian Regional Transport Office Apps
Researchers discovered fake Android applications, masquerading as official Regional Transport Office (RTO) apps, that distribute GhostBat, a Remote Access Trojan (RAT) with banking-credential theft capabilities. Campaign operators use phishing links and SMS lures that send victims to unofficial app stores hosting the trojanized apps.
Functional Analysis of GhostBat
Once installed, GhostBat requests invasive permissions: SMS access, an accessibility service, and the ability to draw overlays. It watches for banking app launches, intercepts one-time passwords (OTPs), captures keystrokes, and exfiltrates the data to attacker-controlled servers. SMS access and the accessibility service together let it capture SMS-delivered OTPs, defeating that form of second factor, while the overlay capability is what lets a banking Trojan place a fake login screen over the real app.
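That permission combination is visible in an APK's manifest before the app ever runs, which makes it a useful triage check. The following is an added example, not code from the original report: it parses a decoded AndroidManifest.xml (the form apktool produces), looks for SMS permissions, the overlay permission and a service guarded by the accessibility-service permission, and returns a verdict. Both manifests are constructed; the permission names are the real Android identifiers.

```python
"""Triage an Android manifest for the permission set a GhostBat-style
banking Trojan needs: SMS access, an accessibility service and overlays.

Added example, not from the original report. Both manifests below are
constructed; run it on the decoded AndroidManifest.xml that apktool writes.
"""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # manifest namespace

SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
A11Y_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"

FAKE_RTO_MANIFEST = """<?xml version="1.0"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.rto.fake">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="RTO Services">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

BENIGN_MANIFEST = """<?xml version="1.0"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <application android:label="Weather"/>
</manifest>
"""


def triage_manifest(xml_text):
    """Return the package name, the risky capabilities found and a verdict."""
    root = ET.fromstring(xml_text)
    caps = set()
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID + "name")
        if name in SMS_PERMS:
            caps.add("sms")
        elif name == OVERLAY_PERM:
            caps.add("overlay")
    # An accessibility service is declared on the <service>, not as a
    # uses-permission; the permission attribute is what the OS enforces.
    for svc in root.iter("service"):
        if svc.get(ANDROID + "permission") == A11Y_PERM:
            caps.add("accessibility")
    if caps >= {"sms", "overlay", "accessibility"}:
        verdict = "banking-trojan profile"
    elif len(caps) >= 2:
        verdict = "suspicious"
    else:
        verdict = "no banking-trojan indicators"
    return {"package": root.get("package"), "capabilities": sorted(caps),
            "verdict": verdict}


if __name__ == "__main__":
    for manifest in (FAKE_RTO_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

A legitimate SMS client or screen reader will trip one of these capabilities on its own, so the full triad is the signal, not any single permission; a transport-office app has no business with any of the three.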
Scale and Impact
Telemetry suggests hundreds of thousands of downloads among Indian mobile users, and the malware code is still evolving. Law enforcement agencies are working with cybersecurity vendors on takedowns of the command-and-control (C2) infrastructure.
The threat actor dubbed TigerJack has launched a coordinated campaign against developer communities worldwide, infiltrating major Visual Studio Code (VS Code) extension marketplaces to distribute malicious extensions.
Malicious Visual Studio Code Extensions Compromise Developer Supply Chains
TigerJack uploaded fraudulent packages to official VS Code extension repositories. Once installed, the extensions act as loaders for follow-on malware, including data exfiltration tools and password stealers that target developer credentials, SSH keys, and environment variables.
How Infiltration Occurred
The perpetrator exploited incomplete vetting in the extension marketplaces, using social engineering and copycat names to attract unsuspecting developers. The malicious extensions communicate with remote servers for command execution and data extraction.
Implications for the Developer Ecosystem
The incident highlights the growing risk to the software supply chain: a compromised developer machine can lead to downstream compromise of enterprise applications and continuous integration pipelines, because the SSH keys and environment variables stolen from it are often the same secrets those pipelines use. Security teams are urged to enforce strict extension allowlisting and to audit installed extensions regularly for anomalous activity.
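An allowlist audit also needs to catch the copycat naming the campaign relied on, since a lookalike ID is by definition not on the list but is easy to wave through by eye. The following is an added example, not code from VS Code or the original report: it reads installed extension IDs from the default extensions directory (or takes a list), checks them against an allowlist of publisher.name IDs, and flags entries that reuse an allowlisted name under a different publisher or sit within edit distance of one. The allowlist and the installed IDs are constructed; the on-disk reader assumes the standard layout in which each extension directory carries a package.json with publisher and name fields.

```python
"""Audit installed VS Code extensions against an allowlist and flag
copycat names.

Added example, not code from VS Code or the original report. The allowlist
and the installed IDs are constructed; the on-disk reader assumes the
default ~/.vscode/extensions layout, where each extension directory
carries a package.json with `publisher` and `name`.
"""
from difflib import SequenceMatcher
import json
import os

# Constructed allowlist of <publisher>.<name> IDs.
ALLOWLIST = {"ms-python.python", "esbenp.prettier-vscode", "dbaeumer.vscode-eslint"}

# Constructed "installed" set: two copycats and one unvetted extension.
SAMPLE_INSTALLED = [
    "ms-python.python",
    "ms-pyth0n.python",            # homoglyph publisher
    "esbenp.prettier-vscode",
    "tigerjack.prettier-vscode",   # same name, different publisher
    "someone.cool-theme",
]


def installed_extension_ids(ext_dir=os.path.expanduser("~/.vscode/extensions")):
    """Read <publisher>.<name> from each extension's package.json on disk."""
    ids = []
    if not os.path.isdir(ext_dir):
        return ids
    for entry in os.listdir(ext_dir):
        try:
            with open(os.path.join(ext_dir, entry, "package.json"), encoding="utf-8") as fh:
                meta = json.load(fh)
            ids.append(f"{meta['publisher']}.{meta['name']}".lower())
        except (OSError, KeyError, ValueError):
            continue  # not an extension directory, or a malformed manifest
    return ids


def audit(installed, allowlist=ALLOWLIST, lookalike_threshold=0.8):
    """Map each installed ID to 'allowed', 'lookalike of <id>' or 'not allowed'."""
    report = {}
    for ext in (e.lower() for e in installed):
        if ext in allowlist:
            report[ext] = "allowed"
            continue
        publisher, _, name = ext.partition(".")
        best_id, best_score = None, 0.0
        for allowed in allowlist:
            a_pub, _, a_name = allowed.partition(".")
            # Same extension name under a different publisher is the classic copycat.
            if name == a_name and publisher != a_pub:
                best_id, best_score = allowed, 1.0
                break
            score = SequenceMatcher(None, ext, allowed).ratio()
            if score > best_score:
                best_id, best_score = allowed, score
        if best_score >= lookalike_threshold:
            report[ext] = f"lookalike of {best_id}"
        else:
            report[ext] = "not allowed"
    return report


if __name__ == "__main__":
    for ext_id, verdict in audit(installed_extension_ids() or SAMPLE_INSTALLED).items():
        print(f"{ext_id:28} {verdict}")
```

The lookalike verdict is the one to route to a human, since an attacker who has cloned a popular extension's name and description will usually have cloned its icon and README as well; the plain "not allowed" verdict can be handled by policy alone.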
Security analysts have uncovered a sophisticated campaign by the China-linked APT group Flax Typhoon, which abuses geo-mapping software to retain year-long unauthorized access to enterprise networks.
Flax Typhoon Leverages Geo-Mapping Techniques for Persistent Enterprise Intrusions
Flax Typhoon deploys custom malware that integrates with legitimate geo-mapping applications widely used in logistics and transport. This lets the group blend into normal operator activity, using the trusted software as a conduit for lateral movement and information gathering.
Technical Modus Operandi
By exploiting previously unknown vulnerabilities in these applications, Flax Typhoon achieves remote code execution and typically installs persistent backdoors. The malware avoids triggering heuristic detection and stays effective in heavily monitored environments by mimicking standard user and software behaviour.
Strategies for Long-Term Stealth
The attackers run command-and-control over encrypted protocols, periodically rotate infrastructure, and tailor data exfiltration to evade anomaly-based detection. Enterprise defenders should audit the integrity of third-party mapping tools and scrutinize network connections for the hallmark of a C2 channel: the same host contacting the same external endpoint on a fixed cadence. Encryption hides the payload of those connections but not their timing, and infrastructure rotation changes the endpoint without changing the cadence.
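The cadence check is simple to implement over flow or proxy logs. The following is an added example, not from the original report: it groups connections by source, destination and port, computes the intervals between successive connections, and flags flows whose intervals have a very low coefficient of variation, which is what a timer-driven beacon produces and human-driven traffic does not. The connection records are constructed: ws-17 beacons to 203.0.113.50 roughly every 30 seconds while its traffic to 198.51.100.10 is irregular browsing.

```python
"""Flag outbound connections that recur at near-fixed intervals, the
beaconing pattern of a command-and-control channel.

Added example, not from the original report. The connection records are
constructed: ws-17 beacons to 203.0.113.50 roughly every 30 seconds while
its traffic to 198.51.100.10 is irregular user browsing.
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed log: timestamp, source host, destination IP, destination port.
SAMPLE_CONNECTIONS = """\
2025-11-03T10:00:00 ws-17 203.0.113.50 443
2025-11-03T10:00:05 ws-17 198.51.100.10 443
2025-11-03T10:00:07 ws-17 198.51.100.10 443
2025-11-03T10:00:31 ws-17 203.0.113.50 443
2025-11-03T10:01:00 ws-17 203.0.113.50 443
2025-11-03T10:01:30 ws-17 203.0.113.50 443
2025-11-03T10:01:40 ws-17 198.51.100.10 443
2025-11-03T10:01:41 ws-17 198.51.100.10 443
2025-11-03T10:02:01 ws-17 203.0.113.50 443
2025-11-03T10:02:30 ws-17 203.0.113.50 443
2025-11-03T10:03:00 ws-17 203.0.113.50 443
2025-11-03T10:03:31 ws-17 203.0.113.50 443
2025-11-03T10:05:00 ws-17 198.51.100.10 443
2025-11-03T10:09:30 ws-17 198.51.100.10 443
2025-11-03T10:10:00 ws-22 192.0.2.80 443
2025-11-03T10:10:30 ws-22 192.0.2.80 443
"""


def parse_connections(text):
    """Group connection timestamps by (source, destination, port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows[(src, dst, port)].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(text, min_events=6, max_cv=0.1):
    """Return flows whose inter-connection intervals are suspiciously regular.

    cv is the coefficient of variation (stdev / mean) of the intervals: a
    human or an irregular service produces a large cv, a timer a small one.
    """
    beacons = []
    for key, stamps in parse_connections(text).items():
        if len(stamps) < min_events:
            continue  # too few samples to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            beacons.append({"flow": key, "events": len(stamps),
                            "mean_interval_s": round(mean, 1), "cv": round(cv, 3)})
    return beacons


if __name__ == "__main__":
    for beacon in find_beacons(SAMPLE_CONNECTIONS):
        print(beacon)
```

Two caveats a practitioner will want: legitimate software such as update checkers and NTP is also periodic, so the flagged list needs an allowlist of known endpoints, and a beacon that adds heavy random jitter will raise its cv above the threshold. Widening the window to days and looking at the distribution of intervals rather than a single cv value catches most jittered beacons, because the jitter is bounded while the base interval is not.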
On November 1, 2025, the Australian Signals Directorate (ASD) warned of ongoing, widespread exploitation of a vulnerability in Cisco IOS XE routers and switches, with particular focus on the BADCANDY malware framework used to automate these intrusions.
BADCANDY Malware Campaign Automates Cisco IOS XE Vulnerability Attacks
The BADCANDY framework exploits a Cisco IOS XE flaw that many organizations have still not patched, automating reconnaissance, exploitation, and lateral movement across enterprise and government networks. The malware can install persistent implants, manipulate configuration files, and communicate securely with attacker-controlled infrastructure.
Attack Surface and Risk
Most at risk are internet-facing Cisco routers running outdated IOS XE versions. The attack typically begins with automated network scanning, followed by remote code execution through BADCANDY's modular exploit chains. Once inside, attackers pivot into more sensitive network segments.
Recommended Defensive Steps
Organizations should prioritize patching all vulnerable Cisco equipment, enforce network segmentation, and deploy network-level anomaly detection to identify unauthorized management activity. Patching does not undo an implant or a configuration change made before the patch, so upgraded devices should also be checked for unexpected local accounts and for management interfaces reachable from the internet. The campaign has raised concerns about global supply-chain risk given how widely the affected Cisco devices are deployed.
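Those post-patch checks can be run against the running-config text. The following is an added example, not from the ASD advisory or from Cisco: it audits a saved IOS XE configuration for an HTTP/HTTPS server enabled without an access-class, vty lines without an access-class, and privilege-15 local accounts outside a known baseline, which is the kind of configuration change the malware is reported to make. The weak and hardened configurations are constructed; the command forms assumed are ip http access-class ipv4 <acl> for the 17.x HTTP server ACL and access-class <acl> in on vty lines.

```python
"""Audit a Cisco IOS XE running-config for an exposed web UI, vty lines
without an access-class, and local accounts outside a known baseline.

Added example, not from the ASD advisory or Cisco. Both configs are
constructed; `ip http access-class ipv4 <acl>` is the 17.x form of the
HTTP server ACL and `access-class <acl> in` the vty form.
"""
import re

# Local accounts that are supposed to exist (constructed baseline).
EXPECTED_ACCOUNTS = {"admin"}

WEAK_CONFIG = """\
hostname edge-rtr-1
!
username admin privilege 15 secret 9 $9$examplehash1
username svc_backup privilege 15 secret 9 $9$examplehash2
!
ip http server
ip http secure-server
!
ip access-list standard MGMT
 permit 10.10.0.0 0.0.0.255
!
line vty 0 4
 transport input ssh
line vty 5 15
 access-class MGMT in
 transport input ssh
!
end
"""

HARDENED_CONFIG = """\
hostname edge-rtr-1
!
username admin privilege 15 secret 9 $9$examplehash1
!
no ip http server
ip http secure-server
ip http access-class ipv4 MGMT
!
ip access-list standard MGMT
 permit 10.10.0.0 0.0.0.255
!
line vty 0 15
 access-class MGMT in
 transport input ssh
!
end
"""


def vty_sections(config):
    """Yield (range, [sub-commands]) for each `line vty` block."""
    current, body = None, []
    for line in config.splitlines() + ["end"]:
        if line.startswith(" ") and current is not None:
            body.append(line.strip())
            continue
        if current is not None:
            yield current, body
            current, body = None, []
        m = re.match(r"line vty (\d+ \d+)$", line)
        if m:
            current = m.group(1)


def audit_config(config, expected_accounts=EXPECTED_ACCOUNTS):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    lines = config.splitlines()
    http_on = any(l in ("ip http server", "ip http secure-server") for l in lines)
    http_acl = any(l.startswith("ip http access-class") for l in lines)
    if http_on and not http_acl:
        findings.append("web UI enabled without an ip http access-class")
    for rng, body in vty_sections(config):
        if not any(cmd.startswith("access-class") for cmd in body):
            findings.append(f"line vty {rng} has no access-class")
    for l in lines:
        m = re.match(r"username (\S+) privilege 15", l)
        if m and m.group(1) not in expected_accounts:
            findings.append(f"unexpected privilege-15 account {m.group(1)}")
    return findings


if __name__ == "__main__":
    print("weak:", audit_config(WEAK_CONFIG))
    print("hardened:", audit_config(HARDENED_CONFIG))
```

Where the web UI is not needed at all, disabling it with no ip http server and no ip http secure-server is cleaner than an ACL, and the audit treats that as a pass. A diff of the running-config against the last known-good copy will surface the same unexpected account, but the explicit baseline here works even when no trustworthy previous copy exists.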