Advisories

ZeroFox Daily Intelligence Brief - November 14, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Akira Threat Actors Adopt New Encryptors, Backdoors in Recent Campaigns
  • Europol Dismantles Rhadamanthys, VenomRAT, Elysium in Operation Endgame
  • AI Coding Tool Powers Chinese State-Sponsored Espionage Campaign

Akira Threat Actors Adopt New Encryptors, Backdoors in Recent Campaigns

Source: https://www.cisa.gov/news-events/news/cisa-fbi-and-partners-unveil-critical-guidance-protect-against-akira-ransomware-threat

What we know: Multiple agencies, including CISA, have released updated guidance on the Akira ransomware strain, including new tactics, indicators of compromise (IoCs), targeted sectors, and mitigating measures to detect, prevent, and respond to Akira ransomware activity.

Context: The published IoCs cover multiple encryptors, backdoors, scripts, and credential-harvesting tools observed between June 2023 and August 2025; defenders should vet them against their own environment before blocking.

Analyst note: The newly observed IoCs likely indicate an expanding malware ecosystem that could give threat actors faster intrusion and lateral movement across targeted sectors. Organizations could face increased risk of network compromise, data theft, and operational disruption as Akira threat actors continue refining their toolset.

Europol Dismantles Rhadamanthys, VenomRAT, Elysium in Operation Endgame

Source: https://www.europol.europa.eu/media-press/newsroom/news/end-of-game-for-cybercrime-infrastructure-1025-servers-taken-down

What we know: Europol announced the takedowns of the infostealer Rhadamanthys, the remote access trojan VenomRAT, and the botnet Elysium as part of Operation Endgame between November 10 and November 13, 2025.

Context: The alleged main suspect behind VenomRAT was arrested in Greece on November 3, 2025, with access to over 100,000 victim crypto wallets worth millions. Law enforcement searched 11 European locations, took down 1,025 servers worldwide, and seized 20 domains.

Analyst note: Europol's animated video, which shows infostealer admins hoarding valuable data and giving customers low-value scraps, likely aims to undermine trust in the malware-as-a-service market. The VenomRAT suspect's arrest, along with the alleged Rhadamanthys admin's November 11 alert to customers, is likely to help authorities find further leads.

AI Coding Tool Powers Chinese State-Sponsored Espionage Campaign

Source: https://www.theregister.com/2025/11/13/chinese_spies_claude_attacks/

What we know: In an automated and mostly autonomous espionage campaign, Chinese state-sponsored hackers reportedly tried to breach about thirty global organizations by leveraging an AI coding tool's agentic abilities.

Context: According to reports, the hackers were able to complete 80 to 90 percent of the attack with only minimal human oversight. Cybersecurity professionals were able to thwart the campaign, but only after four successful intrusions.

Analyst note: Leveraging an AI-driven operational framework to conduct attacks largely independent of human intervention is likely to enable threat actors to scale cyber operations, evolve strategies, and use fewer resources for more impactful attacks. However, since the campaign was stopped, it is very likely that security measures to mitigate such attacks will also evolve.

DEEP AND DARK WEB INTELLIGENCE

Telegram user Keymous: On November 13, 2025, the North African threat group "Keymous," known for its pro-Palestinian stance, claimed on Telegram distributed denial-of-service (DDoS) attacks on BlueBird Aero Systems and multiple Morocco-based government websites. BlueBird Aero Systems is an Israeli manufacturer of unmanned aerial systems. Hacktivist targeting has continued amid the conflict between Israel and Hamas, but major impact is unlikely.

VULNERABILITY AND EXPLOIT INTELLIGENCE

Fortinet FortiWeb bug under active exploitation: A Fortinet FortiWeb path traversal vulnerability is reportedly being actively exploited to create unauthorized admin accounts on exposed devices, affecting versions 8.0.1 and earlier. Administrators are urged to update to FortiWeb 8.0.2. Exploiting this vulnerability could give threat actors administrative control over affected devices, enabling them to modify configurations, create backdoors, and persist in networks.

Affected products: Fortinet FortiWeb versions 8.0.1 and earlier
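The advisory above gives no request-level detail, so the following is a generic, added example (not ZeroFox or Fortinet code) of the kind of log review a defender can run while waiting to patch a web-facing appliance: it scans HTTP access-log lines for path-traversal sequences, including percent-encoded and double-encoded forms, and reports which of those requests received a 2xx response. The log lines, IP addresses, and URL paths are constructed for illustration and are not FortiWeb endpoints or observed indicators.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in a combined-log-like format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [14/Nov/2025:08:01:02 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.11 - - [14/Nov/2025:08:01:05 +0000] "GET /static/app.css HTTP/1.1" 200 2048
198.51.100.7 - - [14/Nov/2025:08:02:10 +0000] "GET /api/../../etc/passwd HTTP/1.1" 403 0
198.51.100.7 - - [14/Nov/2025:08:02:12 +0000] "POST /api/%2e%2e%2f%2e%2e%2fadmin/users HTTP/1.1" 200 128
198.51.100.8 - - [14/Nov/2025:08:03:00 +0000] "GET /files/..%255c..%255cconfig HTTP/1.1" 200 64
"""

# Fields of one access-log line: client IP, timestamp, method, request path, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# A ".." path segment bounded by separators (or the start/end of the path).
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')


def normalize_path(path: str) -> str:
    """Percent-decode repeatedly (bounded) so %2e%2e and %252e%252e both collapse
    to '..', then treat backslashes as forward slashes."""
    prev, cur = None, path
    for _ in range(3):  # bounded: stops early once decoding is a no-op
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def is_traversal(path: str) -> bool:
    """True if the normalized request path contains a '..' segment."""
    return bool(TRAVERSAL_RE.search(normalize_path(path)))


def scan_log(text: str) -> list:
    """Return one finding per request whose path contains a traversal sequence.
    'succeeded' marks requests that got a 2xx response, which deserve first review."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse (rather than silently mis-parse)
        if is_traversal(m["path"]):
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "method": m["method"],
                "path": m["path"],
                "normalized": normalize_path(m["path"]),
                "status": int(m["status"]),
                "succeeded": m["status"].startswith("2"),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "REVIEW" if f["succeeded"] else "blocked"
        print(f"{flag:7} {f['ip']:14} {f['method']:4} {f['status']} {f['normalized']}")
```

Blocked (4xx) traversal attempts are useful for spotting a source scanning the appliance; the 2xx hits are the ones to correlate with the device's administrator list and configuration change history, since the advisory's concern is unauthorized admin accounts.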

Tags: DIB, tlp:green