ZeroFox Daily Intelligence Brief - November 18, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Gaming Ecosystems Exploited for Extremist Recruitment and Violence
  • Under Armour Hit by Ransomware Group Claiming 343 GB Data Theft
  • Dutch Police Seize Thousands of Virtual and 250 Physical Servers

Gaming Ecosystems Exploited for Extremist Recruitment and Violence

Source: https://www.europol.europa.eu/media-press/newsroom/news/europol-and-partner-countries-combat-online-radicalisation-gaming-platforms

What we know: Europol and other agencies have cracked down on terrorist, extremist, and racist content circulating on gaming and gaming-related platforms. The agencies reported thousands of URLs hosting dangerous material, including over 5,400 links to religious-extremist content, over 100 links to racist and xenophobic content, and more.

Context: Perpetrators reportedly re-enacted attacks in 3D games, edited the footage with extremist overtones, and shared it across platforms. Gaming livestream services were also exploited to recruit minors and to broadcast real attacks, violent acts, and even suicides.

Analyst note: The scale and distribution of the flagged URLs likely point to a far broader and highly adaptive extremist network embedded across gaming, streaming, and community platforms. This wide-scale network could enable actors to quickly rebuild channels after this takedown and, in the near term, exploit lightly moderated ecosystems, especially free-to-play platforms and games with fewer user verification and community safeguards.

Under Armour Hit by Ransomware Group Claiming 343 GB Data Theft

Source: https://hackread.com/everest-ransomware-under-armour-users-data/

What we know: Everest, a ransomware group, claims to have breached sportswear company Under Armour, stealing 343 GB of internal company data, employee information, and personal data of millions from several countries.

Context: The group reportedly posted sample data on its dark web site, including customer information, shopping histories, product records, and marketing logs, while giving Under Armour seven days to respond via Tox messenger. The company has not confirmed the claim.

Analyst note: If the claim is true and data is released, exposed personal and employee data could be exploited for phishing and identity theft to conduct financial fraud, business email scams, credential stuffing, and other targeted social engineering attacks.

Dutch Police Seize Thousands of Virtual and 250 Physical Servers

Source: https://www.bleepingcomputer.com/news/security/dutch-police-seizes-250-servers-used-by-bulletproof-hosting-service/

What we know: Dutch law enforcement has seized roughly 250 physical servers and thousands of virtual servers from a bulletproof hosting provider that investigators say was used exclusively to support criminal activity.

Context: The service has reportedly appeared in more than 80 cybercrime investigations since 2022. It openly advertised “complete anonymity” and stated that it would not cooperate with law enforcement. It enabled ransomware operations, botnets, phishing campaigns, and the distribution of child sexual abuse material.

Analyst note: The takedown disrupted major infrastructure that allowed cybercriminals to run their illegal operations from a no-KYC and no-logs hosting platform. Additionally, it is likely to help law enforcement track the threat actors using this particular service and disrupt their operations.

DEEP AND DARK WEB INTELLIGENCE

Surveillance tech provider Protei hacked: Hackers defaced surveillance technology provider Protei’s website and stole 182 GB of internal data. Protei supplies deep-packet inspection and Securities Operations and Risk Management filtering tools to telecom operators in numerous countries. The stolen emails and technical files could reveal how its systems track and filter users’ communications, exposing both the company’s practices and the people monitored through its tools.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-24893: Threat actors are actively exploiting this critical XWiki RCE flaw, which was patched months ago but only recently publicized. After the proof-of-concept code was released, crypto-miners, botnets, and other threat actors adopted the exploit, indicating that unpatched XWiki servers are very likely to face sustained compromise and monetization attempts.

Affected products: XWiki versions before 15.10.11, 16.4.1, and 16.5.0RC1

Tags: DIB, tlp:green