ZeroFox Daily Intelligence Brief - November 24, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • ZeroFox Intelligence Flash Report - Powerful New RaaS from Scattered Lapsu$ Hunters
  • China-Linked APT Targets Russian Government Through IT Sectors
  • Major Financial Vendor SitusAMC Faces Data Breach

ZeroFox Intelligence Flash Report - Powerful New RaaS from Scattered Lapsu$ Hunters

Source: https://www.zerofox.com/advisories/36970/

What we know: On November 19, 2025, reports surfaced of an in-development build of the new ransomware-as-a-service (RaaS) platform “ShinySp1d3r.” It is the result of a collaboration between the ransomware and digital extortion (R&DE) collectives Scattered Spider, Lapsus$, and ShinyHunters.

Context: The threat actors, known collectively as Scattered Lapsus$ Hunters (SLSH), have been responsible for at least 51 cyberattacks over the past year. The ShinySp1d3r encryptor combines both common and novel features.

Analyst note: The development of ShinySp1d3r represents a leap in capability for SLSH and suggests a successful merger. The ransomware encryptor will almost certainly give the collective a secure platform from which to conduct sophisticated attacks against organizations.

China-Linked APT Targets Russian Government Through IT Sectors

Source: https://thehackernews.com/2025/11/china-linked-apt31-launches-stealthy.html

What we know: China-associated threat group APT31 has conducted a long-term cyber-espionage campaign against Russia’s IT sector, specifically targeting companies that support Russian government agencies. Researchers observe that some intrusions date back to late 2022, pointing toward a multi-year intelligence operation.

Context: According to researchers, APT31 remained undetected for extended periods by abusing legitimate Russian cloud services, like Yandex Cloud, for command and control and exfiltration. The group used spear-phishing lures and a diverse toolkit of custom and publicly available malware to harvest credentials, move laterally, and quietly steal sensitive files.

Analyst note: APT31’s multi-year intrusion likely indicates that sensitive Russian government and contractor data has already been exfiltrated. Likely compromises include internal communications, credentials, long-term project documentation, and sensitive files from key IT systems.

Major Financial Vendor SitusAMC Faces Data Breach

Source: https://www.nytimes.com/2025/11/22/business/bank-data-hack.html

What we know: A data breach at major mortgage and real-estate loan services provider SitusAMC has exposed sensitive residential loan data, impacting major U.S. banks. SitusAMC has confirmed that corporate records and legal documents were exposed in the breach, and some customer data has possibly been affected as well.

Context: SitusAMC is associated with top U.S. banks, holding extensive sensitive customer and regulatory data. SitusAMC’s regulatory compliance work gives it access to highly sensitive, nonpublic data on banks’ internal operations, including detailed risk information on loan portfolios.

Analyst note: Threat actors could weaponize the stolen loan information in phishing and impersonation scams aimed at borrowers, especially during mortgage payments, refinancing, or loan servicing cycles.

DEEP AND DARK WEB INTELLIGENCE

Exploit user samy01: Untested threat actor “samy01” has advertised an auction on the Exploit forum for Remote Desktop Web Access (RDWeb) with domain user rights to an unnamed UK-based company providing automotive, aerospace, and defense-related services. According to samy01, the company generates USD 39 million in revenue. If the auction is legitimate, the access is likely to be used for network intrusion into the victim company and theft of data involving sensitive defense technology details.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-61757: This is an already-patched pre-authentication remote code execution (RCE) vulnerability in the Identity Manager product of Oracle Fusion Middleware. The vulnerability enables unauthenticated attackers with network access via HTTP to compromise Identity Manager. CISA has warned that the bug is being actively exploited. Successful exploitation is likely to result in a takeover of Identity Manager.

Affected products: Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0

Tags: DIB, tlp:green