ZeroFox Daily Intelligence Brief - November 12, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Cybercriminals Lose Access to Rhadamanthys Infostealer
  • Operator of Dark Web Site Threatening Political Figures Arrested in Germany
  • WhatsApp-Based Malware Campaign Targets Brazilian Banking Users

Cybercriminals Lose Access to Rhadamanthys Infostealer

Source: https://www.bleepingcomputer.com/news/security/rhadamanthys-infostealer-disrupted-as-cybercriminals-lose-server-access/

What we know: The Rhadamanthys infostealer has reportedly been disrupted, with several threat actors using the malware-as-a-service (MaaS) unable to access their servers. Cybercriminals suspect German and European Union (EU) law enforcement action.

Context: Rhadamanthys is a subscription-based malware that steals credentials and cookies. Users on dark web forums reported being locked out of its web panels and redirected to certificate-based logins. They also warned others to reinstall servers and erase traces, citing alleged German police action.

Analyst note: The disruption is likely to be part of Europol’s Operation Endgame, a law enforcement campaign targeting MaaS operations, with its website currently displaying a timer ahead of a new announcement. Server seizure is likely to enable law enforcement to analyze logs and transactions, and trace MaaS operators along with their customers.

Operator of Dark Web Site Threatening Political Figures Arrested in Germany

Source: https://www.reuters.com/world/german-citizen-arrested-dark-web-death-threats-against-politicians-2025-11-11/

What we know: German police have arrested an individual for allegedly running a dark web site that solicited cryptocurrency donations to fund contract killings of prominent politicians.

Context: The site, operating since at least June 2025, included declarations of “death sentences” against politicians, instructions for making explosives, and personal data of potential targets. While authorities did not name specific individuals, former chancellors and other former ministers were reportedly among those listed.

Analyst note: Cybercriminals could stalk or attack political targets by exploiting the leaked addresses and schedules. The published bomb-making instructions are likely to be used by malicious actors, creating physical security risks. Due to deepening polarization caused by several national and international political issues, politicians have become a key target of cyberattacks.

WhatsApp-Based Malware Campaign Targets Brazilian Banking Users

Source: https://thehackernews.com/2025/11/whatsapp-malware-maverick-hijacks.html

What we know: Researchers have observed threat actors running a WhatsApp-based propagation campaign in Brazil that involves the self-propagating malware strain SORVEPOTEL and the banking trojan Maverick.

Context: Maverick is a Brazilian banking malware strain propagated through WhatsApp Web that monitors browser tabs for financial institution URLs. When triggered, it contacts a remote server to steal credentials via phishing pages and gather system data.

Analyst note: The campaign could lead to large-scale credential theft, financial fraud, and unauthorized access to online banking accounts across Brazil. Additionally, the self-propagating nature of SORVEPOTEL is likely to enable rapid propagation through WhatsApp contacts, amplifying infection rates and social engineering attacks.

DEEP AND DARK WEB INTELLIGENCE

Telegram users NoName057(16) and Server Killers: The pro-Russian threat groups "Server Killers" and "NoName057(16)" have claimed distributed denial-of-service (DDoS) attacks against multiple Danish government websites. The groups claimed the attacks were in retaliation for Denmark's continued support for Ukraine in the war with Russia and for Operation Eastwood, which targeted NoName057(16). The DDoS attacks are unlikely to have a major impact on the targeted entities, given the threat actors' weak attack infrastructure and the targets' strong defenses.

VULNERABILITY AND EXPLOIT INTELLIGENCE

Microsoft November 2025 Patch Tuesday: Microsoft has patched more than 60 vulnerabilities in its November Patch Tuesday security updates. The update also addresses an actively exploited Windows Kernel zero-day (CVE-2025-62215) that enables attackers to gain SYSTEM privileges via a race condition. The update further patches two remote code execution vulnerabilities, one elevation-of-privilege bug, and one information disclosure flaw. Unpatched systems are likely at risk of complete system takeover, data theft, and operational disruption.

Affected products: The affected products are listed in this advisory.

Tags: DIB, tlp:green