ZeroFox Daily Intelligence Brief - November 17, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- ZeroFox Intelligence Flash Report - New DanaBot Malware Variant Emerges After Takedown
- ZeroFox Intelligence Flash Report - Series of UK Cyberattacks Inspires New Cybersecurity Law
- U.S. Justice Department Counters Schemes Generating Revenue for DPRK
ZeroFox Intelligence Flash Report - New DanaBot Malware Variant Emerges After Takedown
Source: https://www.zerofox.com/advisories/36828/
What we know: ZeroFox operatives have observed a new variant of DanaBot malware—six months after a law enforcement operation removed 300 servers and 650 domains that were used as part of the DanaBot network infrastructure.
Context: Unlike previous iterations of DanaBot, the new variant reportedly harnesses standard IP-based command and control (C2) domains and dark web addresses to facilitate delivery of other modules and configuration files. This enables enhanced persistence and continuous execution.
Analyst note: The re-emergence of DanaBot reveals the “whack-a-mole” nature of disrupting cybercrime networks. These groups are very likely to reorganize under familiar branding until their administrators are fully identified and arrested.
ZeroFox Intelligence Flash Report - Series of UK Cyberattacks Inspires New Cybersecurity Law
Source: https://www.zerofox.com/advisories/36834/
What we know: The new Cyber Security and Resilience Bill in the United Kingdom proposes to enhance the country’s existing cybersecurity law and improve defenses against cyberattacks that are increasingly targeting European Union (EU) critical infrastructure.
Context: ZeroFox has projected ransomware and digital extortion (R&DE) incidents targeting European critical infrastructure in 2025 will increase at least 1.7 percent year-over-year. The reform bill follows major 2025 cyberattacks that disrupted UK infrastructure and retailers such as M&S and the Co-op.
Analyst note: Political and ideological attacks are likely to continue targeting the UK government and organizations despite stronger cybersecurity laws. However, stronger laws and ongoing European enforcement action are likely to reduce the scale of incidents and deter low-skilled actors from targeting the United Kingdom.
U.S. Justice Department Counters Schemes Generating Revenue for DPRK
What we know: On November 14, the Justice Department announced five guilty pleas and more than USD 15 million in civil forfeiture actions against the Democratic People’s Republic of Korea (DPRK) remote IT work and virtual currency heist schemes.
Context: These campaigns affected more than 136 U.S. companies, generated over USD 2.2 million for the regime, and exposed the identities of at least 18 U.S. individuals. Additionally, DPRK military hacking group APT38 carried out several multimillion-dollar virtual currency heists across four overseas platforms in 2023.
Analyst note: The revenue pipelines from these heist schemes strengthen the DPRK’s weapons programs. The U.S. sanctions and asset seizures are likely to disrupt the DPRK’s ability to convert stolen cryptocurrency into geopolitical leverage or into financial support for its nuclear programs.
DEEP AND DARK WEB INTELLIGENCE
DoorDash Data Breach: DoorDash disclosed a breach after an employee fell for a social-engineering scam, which allowed an intruder to access customer names, addresses, emails, and phone numbers across multiple countries. The incident marks the company’s third major security event since 2019, and the exposed data could enable more targeted phishing and smishing attempts.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-64446: This is a relative path traversal vulnerability that is likely to enable an unauthenticated malicious actor to execute administrative commands on a system via specially crafted HTTP or HTTPS requests. CISA added CVE-2025-64446 to its Known Exploited Vulnerabilities Catalog on November 14, 2025.
Affected products: The affected products have been listed in Fortinet’s advisory.
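For defenders who want to understand what "relative path traversal via crafted HTTP requests" looks like in their own telemetry, the following is an added, generic example that is not part of the ZeroFox brief, the Fortinet advisory, or any published detail of CVE-2025-64446 (the page names no specific paths or products, so none are assumed here). It normalizes request paths the way a web server would (percent-decoding, including double-encoded sequences, and treating backslashes as separators) and flags any request whose `..` segments would climb above the served root. The access-log lines are constructed sample data.

```python
from urllib.parse import unquote


def normalize_request_path(raw_path: str) -> str:
    """Reduce a request target to a decoded, slash-separated path.

    Decodes twice so double-encoded traversal (e.g. %252e%252e -> %2e%2e -> ..)
    is caught, drops the query string, and maps backslashes to forward slashes.
    """
    decoded = raw_path
    for _ in range(2):
        decoded = unquote(decoded)
    decoded = decoded.split("?", 1)[0]
    return decoded.replace("\\", "/")


def escapes_root(raw_path: str) -> bool:
    """Return True if the path's '..' segments would leave the web root.

    Walks the segments keeping a depth counter; '.' and empty segments are
    ignored, '..' decrements, anything else increments. Dropping below zero
    means the request points outside the directory being served.
    """
    depth = 0
    for segment in normalize_request_path(raw_path).split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def scan_access_log(lines):
    """Return the log lines whose request target escapes the web root.

    Expects common-log-format lines where the request is the first quoted
    field, e.g. "GET /path HTTP/1.1".
    """
    flagged = []
    for line in lines:
        parts = line.split('"')
        if len(parts) < 2:
            continue
        request_fields = parts[1].split()
        if len(request_fields) < 2:
            continue
        if escapes_root(request_fields[1]):
            flagged.append(line)
    return flagged


# Constructed sample log lines (not from any real system).
SAMPLE_LOG = [
    '203.0.113.10 - - [17/Nov/2025:09:00:01 +0000] "GET /api/v1/status HTTP/1.1" 200 512',
    '203.0.113.11 - - [17/Nov/2025:09:00:02 +0000] "GET /static/css/../js/app.js HTTP/1.1" 200 2048',
    '203.0.113.12 - - [17/Nov/2025:09:00:03 +0000] "GET /static/../../config HTTP/1.1" 404 0',
    '203.0.113.13 - - [17/Nov/2025:09:00:04 +0000] "GET /%2e%2e/%2e%2e/config HTTP/1.1" 404 0',
    '203.0.113.14 - - [17/Nov/2025:09:00:05 +0000] "GET /%252e%252e/config HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

The second sample line shows why a naive substring match on `..` over-alerts: a `..` that stays inside the root is ordinary relative addressing. The depth counter only fires when the path actually climbs above the served directory, and the double decode catches the encodings that a single-pass filter misses.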
Tags: DIB, tlp:green