A sophisticated Android banking trojan named Herodotus has emerged on the mobile threat landscape, introducing groundbreaking techniques to evade detection systems.

During routine monitoring of malicious distribution channels, the Mobile Threat Intelligence service discovered unknown malicious samples distributed alongside notorious malware variants like Hook and Octo.

Despite sharing distribution infrastructure, these samples revealed closer similarities to Brokewell, a malware family previously identified by ThreatFabric analysts.

However, Herodotus represents a distinct threat combining Brokewell elements with original code designed for advanced evasion.

Active campaigns have been observed targeting users in Italy and Brazil, with the malware offered as Malware-as-a-Service by threat actor K1R0 on underground forums.

ThreatFabric researchers identified that Herodotus follows modern banking trojan trends while introducing a capability distinguishing it from other device takeover malware—mimicking human behaviour during remote control sessions to bypass behavioural biometrics detection.

The malware operates through an infection chain beginning with side-loading, potentially involving SMiShing campaigns leading victims to malicious download links.

Once deployed, Herodotus leverages a custom dropper designed to bypass Android 13+ restrictions on Accessibility Services.

After installation, the dropper automatically launches the payload and opens Accessibility Service settings, prompting victims to enable the service while displaying a deceptive loading screen overlay that conceals granting dangerous permissions.

Following successful deployment, Herodotus collects installed application lists and transmits this data to its command-and-control server, which responds with targeted application lists and corresponding overlay links.

The trojan deploys fake credential-harvesting screens over legitimate banking applications, capturing login credentials and two-factor authentication codes through SMS interception.

Humanising Fraudulent Transactions

What sets Herodotus apart is its approach to text input automation during device takeover attacks.

Traditional remote access trojans set text directly in input fields using the ACTION_SET_TEXT function or clipboard manipulation, delivering complete text strings instantaneously.

However, this machine-like behaviour creates suspicious patterns that behavioural anti-fraud systems detect as automated attack indicators.

Herodotus implements a novel technique where operator-specified text is split into individual characters, with each character set separately at randomized intervals.

The malware introduces delays ranging from 300 to 3000 milliseconds between character input events, replicating natural human typing patterns.

This randomization attempts to evade rudimentary behavioural detection systems measuring input timing, though sophisticated systems modeling individual behaviour identify anomalies.

The malware panel includes a checkbox labeled “Delayed text” that operators toggle to enable human-like input simulation.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New Android Malware Herodotus Mimic Human Behaviour to Bypass Biometrics Detection appeared first on Cyber Security News.

Cybercriminals have developed a sophisticated phishing technique that exploits invisible characters embedded within email subject lines to evade automated security filters.

This attack method leverages MIME encoding combined with Unicode soft hyphens to disguise malicious intent while appearing legitimate to human readers.

The technique represents an evolution in social engineering tactics, targeting email filtering mechanisms that rely on keyword detection and pattern matching.

The attack surfaced when security researchers discovered phishing messages with subject lines displaying unusual behavior in email clients. When viewed in the message list, the subject appeared garbled or incomplete, but upon opening the email, the text rendered as normal, readable content.

This discrepancy indicated the presence of invisible characters strategically inserted throughout the subject line to break up recognizable keywords and patterns.

The campaign primarily targets credential theft through fake webmail login pages. Victims receive emails with subjects like “Your Password is about to Expire,” where invisible characters fragment these trigger words that would typically alert security systems.

The phishing messages direct recipients to compromised domains hosting generic credential harvesting portals designed to capture login information.

Internet Storm Center analysts identified this technique while reviewing malicious messages delivered to their handler inbox.

The discovery highlighted a relatively uncommon application of invisible character obfuscation, particularly within email subject lines rather than message bodies alone.

Technical Implementation and Evasion Mechanism

The attackers implement this technique through MIME encoded-word formatting as specified in RFC 2047.

The subject line structure follows the pattern encoded-word = “=?” charset “?” encoding “?” encoded-text, where content is UTF-8 character set data encoded in Base64 format.

Analysis of captured samples revealed subject headers formatted as:-

Subject: =?UTF-8?B?WcKtb3XCrXIgUMKtYXPCrXN3wq1vwq1yZCBpwq
=?UTF-8?B?dMKtbyBFwq14wq1wwq1pcsKtZQ==?=

When decoded, the strings contain soft hyphen characters (Unicode U+00AD, HTML entity ­) inserted between individual letters.

These characters remain invisible in most email clients, including Outlook, effectively fragmenting keywords like “password” into “p-a-s-s-w-o-r-d” at the code level while displaying normally to users.

The technique extends beyond subject lines into message bodies, where soft hyphens break up entire words to defeat content scanning engines.

Captured phishing URLs pointed to compromised legitimate domains hosting credential theft pages formatted as generic webmail login interfaces.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New Phishing Attack Using Invisible Characters Hidden in Subject Line Using MIME Encoding appeared first on Cyber Security News.

A sophisticated information-stealing malware named Anivia Stealer has emerged on underground forums, marketed by a threat actor known as ZeroTrace.

The malware represents a dangerous evolution in credential theft operations, specifically designed to compromise Windows systems from legacy XP installations through the latest Windows 11 environments.

Built using C++17, Anivia Stealer incorporates advanced evasion techniques and comprehensive data exfiltration capabilities that pose significant risks to individual users and enterprise networks alike.

The malware’s advertising campaign highlights its ability to bypass User Account Control mechanisms through automatic elevation techniques, allowing it to execute privileged operations without triggering security warnings that typically alert users to suspicious activity.

KrakenLabs researchers identified the threat actor’s promotional efforts across cybercriminal marketplaces, where Anivia Stealer is being offered on a subscription model ranging from €120 for one month to €680 for lifetime access.

Analysis reveals that the stealer targets an extensive range of sensitive information including browser credentials, authentication cookies, cryptocurrency wallets, messaging tokens, Local Security Authority credentials, and system screenshots.

The malware maintains encrypted communication channels with its command-and-control infrastructure and features automatic update capabilities to evade detection signatures.

Threat intelligence suggests that Anivia Stealer may represent a rebrand or fork of the previously identified ZeroTrace Stealer, with GitHub commit history and developer metadata linking both projects to the same malicious actor who has also distributed Raven Stealer.

UAC Bypass and Privilege Escalation Mechanisms

The core functionality enabling Anivia Stealer’s effectiveness lies in its User Account Control bypass implementation.

The malware exploits Windows privilege escalation vectors to achieve automatic elevation without user interaction, effectively neutralizing one of the operating system’s primary security boundaries.

This technique allows the stealer to access protected system areas, registry hives containing cached credentials, and memory spaces holding authentication secrets that would normally require administrative approval.

The malware’s claim of requiring no external dependencies suggests it packages all necessary exploitation code within its binary, reducing forensic artifacts and simplifying deployment across diverse target environments while complicating detection efforts by security solutions.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Threat Actors Advertising Anivia Stealer Malware on Dark Web bypassing UAC Controls appeared first on Cyber Security News.