Weekly Summary Cyberattacks October 23-29
New Android Malware Herodotus Mimics Human Behaviour to Evade Detection
Cybersecurity researchers have discovered a new Android banking Trojan called Herodotus, a sophisticated malware designed to perform device-takeover attacks while mimicking human behaviour to evade behavioural biometrics and detection systems. Herodotus was identified after analysts observed unknown malicious samples being distributed alongside well-known Android malware such as Hook and Octo. However, technical analysis revealed closer ties to Brokewell, a separate banking Trojan discovered in 2024. While Herodotus shares parts of Brokewell's code, it appears to be a new malware family developed by an actor known as K1R0, who has already promoted it as a Malware-as-a-Service (MaaS) offering on underground forums.
Herodotus is distributed via side-loading, potentially through SMiShing links, leading victims to download a dropper that installs the main payload while bypassing Android 13+ restrictions on Accessibility Services. Reverse-engineering shows that Herodotus reuses portions of Brokewell's native code, including encrypted strings such as "BRKWL_JAVA," and that it invokes limited Brokewell modules for coordinate-based clicking. However, incompatibilities between the two families' communication protocols suggest that Herodotus's developers only partially integrated Brokewell components, possibly reusing source code fragments rather than full modules. The malware remains under active development, and its operators are expected to expand its functionality and geographic reach.
GhostGrab Android Malware
Cybersecurity researchers at CYFIRMA have analyzed GhostGrab, a newly identified, highly sophisticated Android malware family that combines large-scale data theft with covert cryptocurrency mining. The campaign represents a new evolution in mobile threats, designed to generate dual revenue streams for cybercriminals by simultaneously harvesting victims' financial data and exploiting device resources to mine Monero. Distributed through a fake banking application, the infection begins when users are tricked into downloading a dropper APK. Once executed, the dropper abuses the REQUEST_INSTALL_PACKAGES permission to install hidden payloads, hides its icon, and maintains persistence using silent audio playback and foreground services that prevent system termination.
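As an added example (not from the CYFIRMA analysis), the following Python function applies a static manifest triage heuristic for the dropper traits listed above: the REQUEST_INSTALL_PACKAGES permission, a missing launcher activity (hidden icon), and a media-playback foreground service. The manifest is constructed for illustration, and the media-playback check is an assumption about how silent-audio persistence is commonly declared.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest modelled on the behaviours in the summary above;
# it is not taken from a real GhostGrab sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="Bank">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <service android:name=".KeepAlive" android:foregroundServiceType="mediaPlayback"/>
  </application>
</manifest>"""


def _attr(el, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return el.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(xml_text):
    """Return a list of findings matching the dropper traits described above."""
    root = ET.fromstring(xml_text)
    findings = []
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    if "android.permission.REQUEST_INSTALL_PACKAGES" in perms:
        findings.append("requests REQUEST_INSTALL_PACKAGES (can side-load further APKs)")
    if "android.permission.FOREGROUND_SERVICE" in perms:
        findings.append("declares foreground service permission (persistence)")
    # Hidden-icon heuristic: no activity exposes a MAIN + LAUNCHER intent filter,
    # so nothing appears in the app drawer.
    has_launcher = False
    for act in root.iter("activity"):
        for flt in act.iter("intent-filter"):
            actions = {_attr(a, "name") for a in flt.iter("action")}
            cats = {_attr(c, "name") for c in flt.iter("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
                has_launcher = True
    if not has_launcher:
        findings.append("no LAUNCHER activity (icon hidden from the app drawer)")
    # Assumption: silent-audio persistence is typically declared as a mediaPlayback service.
    for svc in root.iter("service"):
        if _attr(svc, "foregroundServiceType") == "mediaPlayback":
            findings.append(f"media-playback foreground service {_attr(svc, 'name')} (silent-audio persistence pattern)")
    return findings
```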
The Smishing Deluge: China-Based Campaign Flooding Global Text Messages
Cybersecurity researchers have uncovered a massive global smishing campaign attributed to the China-based cybercriminal group known as the Smishing Triad. The operation, which began targeting U.S. residents in April 2024, has evolved into a highly decentralized, sophisticated phishing-as-a-service (PhaaS) ecosystem affecting victims worldwide. The campaign distributes fraudulent SMS messages posing as toll violation notices, package delivery failures, and government notifications, enticing recipients to click links that lead to phishing pages designed to steal personal and financial data. Investigators identified over 194,000 malicious domains and 136,933 root domains registered since January 2024, mostly through Dominet (HK) Limited, a Hong Kong-based registrar, using Chinese nameservers but hosted mainly on U.S. cloud services.
Dissecting YouTube's Malware Distribution Network
Check Point Research revealed the existence of the YouTube Ghost Network, a sophisticated and persistent malware distribution ecosystem operating within YouTube since at least 2021. This coordinated network relies on thousands of compromised and fake accounts that systematically exploit the platform's features (videos, community posts, and comment sections) to distribute malware under the guise of legitimate software content. Researchers identified and reported more than 3,000 malicious videos linked to this activity, most of which have since been removed by Google, though the overall operation remains active and increasingly effective. In 2025 alone, the number of malicious uploads tripled compared to previous years, illustrating the scalability and continuing success of this distribution model. The YouTube Ghost Network operates by weaponizing trust. Threat actors compromise legitimate accounts or create convincing fake profiles to promote malicious content disguised as game cheats, cracked software, or pirated applications.
Jingle Thief: Inside a Cloud-Based Gift Card Fraud Campaign
Cybersecurity researchers uncovered a large-scale cloud-based fraud operation named Jingle Thief, run by financially motivated threat actors operating from Morocco. The group, tracked internally as CL-CRI-1032 and assessed to overlap with Atlas Lion and STORM-0539, specializes in exploiting Microsoft 365 environments to conduct gift-card fraud during festive and high-spending periods. Their operations primarily target global enterprises in the retail and consumer services sectors, abusing trusted cloud identity features instead of deploying traditional malware. The campaign begins with phishing and smishing messages that deliver counterfeit Microsoft 365 login pages. These are sent via self-hosted PHP mailers on compromised WordPress servers and often use deceptive URL structures such as "organization[.]com@malicious.tld" to disguise the real domain. Victims are tricked into entering their credentials, granting the attackers direct access to corporate cloud accounts.
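As an added example (not code from the Jingle Thief report), the following Python helper shows how a defender can recover the host a browser would actually connect to from links that use the "decoy-domain@real-host" structure described above, and flag them for review. The sample links are constructed, and the defanged "[.]" notation is undone before parsing.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample links for illustration; these are not indicators from the report.
SAMPLE_LINKS = [
    "https://organization[.]com@malicious.tld/login",
    "https://login.microsoftonline.com/common/oauth2",
    "http://organization.com:443@198.51.100.7/",
]


def refang(url: str) -> str:
    """Turn defanged 'example[.]com' notation back into a parseable URL."""
    return url.replace("[.]", ".")


def real_host(url: str) -> Optional[str]:
    """Return the host a browser connects to (everything before '@' is userinfo)."""
    return urlsplit(refang(url)).hostname


def decoy_host(url: str) -> Optional[str]:
    """Return the userinfo part a reader might mistake for the domain, if present."""
    netloc = urlsplit(refang(url)).netloc
    if "@" not in netloc:
        return None
    userinfo = netloc.rsplit("@", 1)[0]
    return userinfo.split(":", 1)[0]  # drop any ':password' portion


def is_deceptive(url: str) -> bool:
    """Flag links whose userinfo looks like a domain name rather than a username."""
    decoy = decoy_host(url)
    return decoy is not None and "." in decoy


def triage(urls):
    """Summarise each link as (url, real host, decoy host, flagged)."""
    return [(u, real_host(u), decoy_host(u), is_deceptive(u)) for u in urls]
```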