ZeroFox Daily Intelligence Brief - November 11, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Initial Access Broker Pleads Guilty in Yanluowang Ransomware Attacks
- GlassWorm Malware Makes Comeback in VS Code Extensions
- Geopolitical Focus: Disruption, Violence, and Casualties
Initial Access Broker Pleads Guilty in Yanluowang Ransomware Attacks
What we know: An individual pleaded guilty to acting as an initial access broker (IAB) for the Yanluowang ransomware group, selling access to at least eight breached U.S. corporate networks used in extortion attacks between July 2021 and November 2022.
Context: The accused, known online as “chubaka.kor” and “nets,” collaborated with ransomware operators by supplying stolen credentials and negotiating ransom shares. The investigation uncovered chat logs, cryptocurrency trails, and iCloud data linking the broker to the operation and even to a suspected LockBit affiliate.
Analyst note: Further prosecutions or indictments will likely follow as investigators trace financial and communication links, potentially uncovering additional IABs or affiliates connected to Yanluowang and related ransomware operations like LockBit.
GlassWorm Malware Makes Comeback in VS Code Extensions
Source: https://thehackernews.com/2025/11/glassworm-malware-discovered-in-three.html
What we know: The GlassWorm malware has reportedly resurfaced in the Open VSX registry, hidden in three infected Visual Studio (VS) Code extensions with around 10,000 downloads. The malware was first spotted in mid-October 2025 before being contained and removed.
Context: The malware steals developer credentials from Open VSX, GitHub, and Git, along with cryptocurrency funds, and deploys remote access tools. It evades detection using invisible Unicode characters and spreads by infecting more extensions using stolen credentials. Researchers link it to a Russian-speaking actor targeting victims across the United States, South America, Europe, and Asia.
Analyst note: The reemergence of GlassWorm indicates the continued supply chain risk posed to software developer infrastructure. Threat actors are likely to use the malware to infect trusted repositories, which can later compromise downstream users and organizations.
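The detail above about invisible Unicode characters is the one a defender can act on directly. The following is an added example, not code from ZeroFox or from the GlassWorm research: a Python scanner that flags source lines in an unpacked extension that contain code points rendering as nothing in an editor. The set of code points checked (Unicode "Cf" format characters, variation selectors, and a few blank-rendering letters and marks) is an assumption for this example, not the exact set GlassWorm used.

```python
import unicodedata
from pathlib import Path

# Code points that render as nothing (or as a blank) in an editor and can
# therefore hide logic from a reviewer. ASSUMPTION: this set is chosen for the
# example and is not the exact set used by GlassWorm.
VARIATION_SELECTORS = set(range(0xFE00, 0xFE10)) | set(range(0xE0100, 0xE01F0))
# Blank-rendering characters outside the "Cf" category: combining grapheme
# joiner, Hangul fillers.
EXTRA_INVISIBLE = {0x034F, 0x115F, 0x1160, 0x3164}
ALLOWED_WHITESPACE = {"\n", "\r", "\t", " "}

def is_invisible(ch: str) -> bool:
    """True if the character would be invisible or blank in a typical editor."""
    if ch in ALLOWED_WHITESPACE:
        return False
    cp = ord(ch)
    return (unicodedata.category(ch) == "Cf"   # zero-width, BOM, soft hyphen, ...
            or cp in VARIATION_SELECTORS
            or cp in EXTRA_INVISIBLE)

def scan_source(text: str) -> list[dict]:
    """Return one finding per line that contains invisible code points."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hidden = [ord(c) for c in line if is_invisible(c)]
        if hidden:
            findings.append({
                "line": lineno,
                "count": len(hidden),
                "code_points": sorted({f"U+{cp:04X}" for cp in hidden}),
            })
    return findings

def scan_extension_dir(root: Path) -> dict[str, list[dict]]:
    """Scan every script/manifest file under an unpacked extension directory."""
    results = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in {".js", ".mjs", ".cjs", ".ts", ".json"}:
            try:
                text = path.read_text(encoding="utf-8")
            except UnicodeDecodeError:
                continue  # binary or non-UTF-8 file; out of scope for this check
            findings = scan_source(text)
            if findings:
                results[str(path)] = findings
    return results

# Constructed sample: a benign line, then a line padded with variation selectors
# and a zero-width space where a reviewer would expect visible code.
SAMPLE_JS = (
    "const fs = require('fs');\n"
    "module.exports = function activate(ctx) {" + "\uFE0F" * 3 + "\u200B" + "};\n"
    "// plain comment\n"
)

if __name__ == "__main__":
    for f in scan_source(SAMPLE_JS):
        print(f"line {f['line']}: {f['count']} invisible code points {f['code_points']}")
```

Run `scan_extension_dir(Path("~/.vscode/extensions").expanduser())` to sweep installed extensions; a clean file yields no findings, so any hit is worth a manual look at that line with a hex viewer.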
Geopolitical Focus: Disruption, Violence, and Casualties
- Following the September 2025 drone incursions that violated Polish airspace, Russian propaganda networks flooded media channels with pro-Russia, anti-NATO, and anti-West narratives while blaming Ukraine. As a mitigating effort to help high-risk locations and facilities counter drones, CISA has released guidance outlining how to select, deploy, and integrate drone detection systems.
- An explosion in India’s capital, Delhi, on November 10, killed at least eight people and injured 20. A fire broke out afterward, and the blast reportedly came from a car that detonated while stopped at a red light outside a metro station. Ongoing investigations have identified the suspect behind this explosion.
- Thailand has suspended its recently signed “peace deal” with Cambodia after a landmine explosion injured Thai soldiers near the border in Sisaket province. Bangkok cited ongoing security threats, while Cambodia said it remains committed to the agreement to end the ongoing border disputes.
- Syrian authorities have thwarted two Islamic State (IS) plots to assassinate President Ahmed al-Sharaa over the past few months. The assassination plots surfaced just before the Syrian president's scheduled meeting with U.S. President Donald Trump at the White House, the first ever by a Syrian head of state. During the visit, Syria is reportedly expected to join the U.S.-led global anti-IS coalition.
- Typhoon Fung-wong hit the northern Philippines, causing floods, landslides, and power outages, killing at least 10 and displacing over 1.4 million people. The storm has now moved toward Taiwan after devastating multiple provinces still reeling from Typhoon Kalmaegi.
DEEP AND DARK WEB INTELLIGENCE
Telegram user HawkSec: On November 10, 2025, pro-Palestinian hacktivist group "LazurGroup" announced it was rebranding as “HawkSec” and hinted at upcoming campaigns. On the same day, a likely affiliate of the group advertised data allegedly stolen from RESANA, a French government collaborative platform, exposing personal and work information of users. The involvement of affiliates is likely part of a wider network of actors looking to sell or leak further sensitive data in the future.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-34299: A critical pre-authentication Remote Code Execution (RCE) bug in Monsta FTP enables attackers to force the application to download and write malicious payloads anywhere on the host, enabling full server takeover. Approximately 5,000 exposed instances were discovered, and Monsta FTP released a patch in v2.11.3. If left unpatched, unauthenticated code execution is likely to cause rapid escalation and lateral movement that could expose sensitive data and enable ransomware or supply-chain attacks.
Affected products: Monsta FTP versions 2.11 and earlier
Tags: DIB, tlp:green