
Everest Ransomware Gang Claims Under Armour and Petrobras Breaches


The Everest ransomware group posted breach claims against sportswear giant Under Armour and Brazilian petroleum company Petrobras on its dark web leak site in mid-November 2025, with the Petrobras claims appearing on November 14 and Under Armour on November 16. When the actual intrusions occurred remains unknown.

The Under Armour Claims

Everest claims to have exfiltrated 343 GB of data from Under Armour, including millions of customer records with transaction histories, email addresses, phone numbers, passport details, and employee data from multiple countries. The Baltimore-based company, which operates in 190 countries, has not publicly confirmed or denied the breach.

The stolen data allegedly includes customer shopping history, product identifiers, prices, purchase timestamps, store preferences, location data, marketing campaign logs, and identifiers tied to user accounts. The inclusion of passport details stands out as particularly unusual for a retail company’s systems.

Everest gave Under Armour a seven-day deadline to make contact via Tox messenger. A countdown timer on the leak site warns that failure to respond will result in the full release of stolen data.


The Petrobras Claims

Everest posted two separate entries targeting Petrobras on November 14, 2025. The first involves Petrobras and SAExploration, with the group claiming to have stolen over 176 gigabytes of seismic navigation data, with more than 90 gigabytes belonging directly to Petrobras. The second listing focuses on Petrobras’ Campos Basin seismic surveys, including 3D and 4D data sets, totaling more than 90 gigabytes.

The files allegedly contain highly detailed technical information, including ship positioning, equipment configurations, hydrophone readings, and depth measurements, along with quality control documents, metadata, and processed reports.

Petrobras issued a statement saying the intrusion involves a third-party exploration service provider and does not affect the company’s operations, clients or employees. Everest also gave Petrobras a deadline to contact them via Tox messenger before the data is publicly released or sold.

Who Is Everest?

Active since at least December 2020, Everest has evolved from data extortion and ransomware operations to increasingly acting as an Initial Access Broker, selling access to compromised networks. The Russia-linked group has been connected to the BlackByte ransomware family and uses double-extortion tactics: stealing data, then threatening to leak it if ransom demands aren’t met.

Recent victims include Coca-Cola Europacific Partners, Mediclinic, the Abu Dhabi Department of Culture and Tourism, Collins Aerospace, and AT&T. The Collins Aerospace attack in October 2025 disrupted MUSE check-in software used at major European airports, causing widespread travel delays.

According to dark web monitoring, Everest has listed more than 250 victims since 2023, with over 100 victims in the past 12 months alone. Unlike many ransomware groups that prefer Bitcoin, Everest specifically requests payment in Monero (XMR), a cryptocurrency known for enhanced privacy features that make transactions far more difficult to trace.


Attack Methods

Everest uses remote access tools like AnyDesk, Splashtop Remote Desktop, and Atera for command and control, conducting data exfiltration through the file transfer capabilities of tools like Splashtop. The group employs publicly available tools including ProcDump for credential dumping, SoftPerfect Network Scanner for network discovery, and WinRAR for data archiving.

When Everest does deploy ransomware, data is encrypted using AES and DES algorithms, with encrypted files renamed with the “.EVEREST” file extension.

Everest commonly exploits weak or stolen credentials to gain initial access. In October 2023, security researchers observed threat actors associated with Everest seeking to offer corporate insiders cash payments in return for remote access to company networks.
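As an added example (not code from the article or from Admin By Request), the following Python script triages constructed endpoint telemetry for the tooling and file extension named above, grouping hits per host so a machine that shows remote access, credential dumping, scanning, archiving and the ".EVEREST" rename together can be escalated; the executable names are assumptions about how these tools typically appear in process logs, and the log lines are constructed samples.

```python
from collections import defaultdict

# Constructed sample telemetry (not real logs): timestamp,host,event,detail
SAMPLE_LOG = """\
2025-11-10T02:14:07Z,FS01,process_start,C:\\Users\\svc\\AppData\\Local\\AnyDesk\\anydesk.exe
2025-11-10T02:21:33Z,FS01,process_start,C:\\Temp\\procdump64.exe
2025-11-10T02:30:15Z,FS01,process_start,C:\\Temp\\netscan.exe
2025-11-10T03:02:48Z,FS01,process_start,C:\\Program Files\\WinRAR\\rar.exe
2025-11-10T03:40:01Z,WS07,process_start,C:\\Windows\\System32\\notepad.exe
2025-11-10T04:11:59Z,FS01,file_rename,D:\\shares\\finance\\q3.xlsx -> D:\\shares\\finance\\q3.xlsx.EVEREST
"""

# Assumed process names for the tools the article attributes to Everest,
# mapped to the intrusion stage they indicate. Legitimate use is common, so
# a single hit is a lead, not a verdict; several stages on one host is the signal.
TOOL_INDICATORS = {
    "anydesk.exe": ("remote_access", "AnyDesk"),
    "srserver.exe": ("remote_access", "Splashtop"),
    "ateraagent.exe": ("remote_access", "Atera"),
    "procdump.exe": ("credential_access", "ProcDump"),
    "procdump64.exe": ("credential_access", "ProcDump"),
    "netscan.exe": ("discovery", "SoftPerfect Network Scanner"),
    "winrar.exe": ("collection", "WinRAR"),
    "rar.exe": ("collection", "WinRAR"),
}
RANSOM_EXTENSION = ".everest"  # extension the article reports for encrypted files


def parse_line(line):
    ts, host, event, detail = line.split(",", 3)
    return {"ts": ts, "host": host, "event": event, "detail": detail}


def classify(rec):
    """Return (stage, label) if the record matches an indicator, else None."""
    if rec["event"] == "process_start":
        image = rec["detail"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        return TOOL_INDICATORS.get(image)
    if rec["event"] == "file_rename" and rec["detail"].lower().endswith(RANSOM_EXTENSION):
        return ("impact", "Everest ransomware extension")
    return None


def triage(log_text):
    """Group indicator hits per host and list the distinct stages seen on each."""
    hits = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        match = classify(rec)
        if match:
            hits[rec["host"]].append((rec["ts"], *match))
    return {h: {"stages": sorted({m[1] for m in ms}), "hits": ms} for h, ms in hits.items()}


def escalate(summary, min_stages=2):
    """Hosts with indicators from at least min_stages distinct stages."""
    return sorted(h for h, s in summary.items() if len(s["stages"]) >= min_stages)
```

Feeding real process-creation and file-rename events through `triage()` in the same four-field shape is enough to reuse it; tune `TOOL_INDICATORS` to the remote-access tools your organization actually sanctions.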

What’s Next

Petrobras pointed to a third-party vendor breach, while Under Armour still hasn’t said anything publicly. For Under Armour customers: change your passwords, enable two-factor authentication, and watch for phishing emails disguised as breach notifications. Attackers frequently exploit public concern following data breaches to launch secondary attacks.

With over 100 victims in just the past year and a documented willingness to leak data when demands aren’t met (Cybernews), Everest poses a serious, ongoing threat to organizations worldwide.

About the Author:


Pocholo Legaspi

Pocholo Legaspi is a seasoned content marketer and SEO specialist with over nine years of experience crafting digital content that drives engagement and growth. With a background in tech and a Master’s in Business Informatics, he brings a data-driven approach to content strategy and storytelling.
