Advisories

ZeroFox Daily Intelligence Brief - November 20, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Global Agencies Sanction Russia-Based Bulletproof Hosting Service Provider
  • Threat Actors Share Samples of In-Development “ShinySp1d3r” RaaS Platform
  • Cyber Intrusions Becoming Tools in Physical Warfare

Global Agencies Sanction Russia-Based Bulletproof Hosting Service Provider

Source: https://home.treasury.gov/news/press-releases/sb0319

What we know: The United States, Australia, and the United Kingdom have announced coordinated sanctions targeting Media Land, a Russia-based bulletproof hosting (BPH) service provider, for its role in supporting ransomware operations and other forms of cybercrime.

Context: Three members of Media Land’s leadership team and three of its sister companies have also been sanctioned. Prolific ransomware operations such as LockBit, BlackSuit, and Play have used Media Land’s BPH infrastructure. CISA also released guidance on countering BPH providers and the cybercrime they enable.

Analyst note: The sanctions are very likely to deter Western businesses from engaging with Media Land or its subsidiaries and give authorities in the three countries a legal basis to block or freeze assets belonging to the sanctioned entities and individuals.

Threat Actors Share Samples of In-Development “ShinySp1d3r” RaaS Platform

Source: https://www.bleepingcomputer.com/news/security/meet-shinysp1d3r-new-ransomware-as-a-service-created-by-shinyhunters/

What we know: A new, in-development build of a ransomware-as-a-service (RaaS) platform named “ShinySp1d3r” has surfaced online and is linked to a notorious threat collective.

Context: The RaaS build was reportedly spotted on the Telegram channel belonging to the threat collective “Scattered Lapsus$ Hunters.” For the past few months the collective has used Telegram to claim data thefts from multiple major organizations, including Jaguar Land Rover and Salesforce.

Analyst note: The threat actors behind Scattered Lapsus$ Hunters are likely leveraging their recent claims and notoriety to launch the RaaS platform for further financial gain. The claim is likely credible given that the affected organizations have confirmed the recent breaches, even though attribution of those breaches to this specific group has not yet been verified.

Cyber Intrusions Becoming Tools in Physical Warfare

Source: https://www.securityweek.com/amazon-details-irans-cyber-enabled-kinetic-attacks-linking-digital-spying-to-physical-strikes/

What we know: Researchers warn of an emerging hybrid-warfare technique where cyber intrusions give attackers the intelligence needed to plan, time, and precisely conduct physical attacks, including missile strikes.

Context: Researchers observed the Iran-associated advanced persistent threat (APT) group Imperial Kitten compromising real-time ship-tracking data systems and surveillance cameras to monitor a vessel for years; that vessel was later targeted in a Houthi missile strike. Similarly, the Iran-associated APT MuddyWater compromised live camera feeds in Jerusalem in 2025 ahead of Iran’s missile attacks on the city.

Analyst note: Threat actors are likely to increasingly prioritize access to real-time sensor networks, such as automatic identification system (AIS) feeds, traffic cameras, and security camera systems, for actionable intelligence that can be used directly to plan and time precise physical attacks.

DEEP AND DARK WEB INTELLIGENCE

DarkForums user 888: Threat actor 888 is advertising internal data allegedly from Samsung Medison, obtained via a breach of a third-party contractor. The data reportedly includes source code, private keys, SMTP credentials, database records, and personal user information from healthcare backups. Buyers are likely to use the contractor access to target other companies connected to the same contractor, expanding the scope of compromise beyond the initial victim.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-58034: Fortinet has disclosed a second exploited zero-day vulnerability in its FortiWeb web application firewall (WAF) line, shortly after disclosing another exploited flaw (CVE-2025-64446). CVE-2025-58034 is an OS command injection flaw that allows an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands. Because valid credentials are required, the flaw is less exposed than an unauthenticated bug, but a successful exploit still gives the attacker arbitrary command execution on the appliance, control of the WAF, and a pivot point into internal networks.

Affected products: The affected FortiWeb versions and the fixed releases are listed in Fortinet’s PSIRT advisory for CVE-2025-58034.

Tags: DIB, TLP:GREEN