Daily Brief

Articles are listed below; the summary under each title is automatically generated.

Total articles found: 11758

Checks for new stories every ~15 minutes

2025-10-28 16:40:30 thehackernews MALWARE Herodotus Trojan Evades Detection by Mimicking Human Behavior in Attacks
Cybersecurity researchers have identified a new Android banking trojan, Herodotus, targeting users in Italy and Brazil through device takeover attacks. Herodotus is distributed as part of a malware-as-a-service model, functioning on Android versions 9 to 16, and advertised in underground forums. The malware employs obfuscation techniques similar to the Brokewell trojan, utilizing accessibility services to execute its malicious activities. It uses dropper apps disguised as Google Chrome, distributed via SMS phishing, to conduct credential theft and intercept two-factor authentication codes. Herodotus introduces random delays in remote actions to mimic human typing, aiming to bypass behavior-based anti-fraud systems. Overlay pages targeting financial institutions in the U.S., Turkey, the U.K., and Poland suggest the trojan's operators are expanding their targets. The trojan is under active development, focusing on persisting within live sessions rather than merely stealing static credentials.
2025-10-28 16:17:10 thehackernews NATION STATE ACTIVITY BlueNoroff's GhostCall and GhostHire Target Global Blockchain Sector
Kaspersky reports North Korea-linked BlueNoroff's new campaigns, GhostCall and GhostHire, targeting Web3 and blockchain sectors, part of the long-running SnatchCrypto operation. GhostCall targets macOS devices of tech executives globally, using fake Zoom calls to deploy malware, affecting countries like Japan, Italy, and Singapore. GhostHire lures Web3 developers via Telegram, using booby-trapped GitHub repositories, primarily impacting Japan and Australia. Both campaigns employ sophisticated social engineering tactics, leveraging platforms like LinkedIn and Telegram to gain victims' trust. The malware, including DownTroy, bypasses macOS security controls to harvest sensitive data from various applications and cloud services. Attackers have adapted tactics to use Microsoft Teams alongside Zoom, indicating a flexible approach to infection vectors. The campaigns reflect an advanced threat actor's ability to target both Windows and macOS systems, using generative AI to enhance malware development. Organizations in the blockchain and tech sectors should enhance security measures, focusing on phishing awareness and robust endpoint protection.
2025-10-28 14:27:04 theregister DATA BREACH Clearview AI Faces Criminal Complaint Over GDPR Violations
Privacy advocacy group Noyb filed a criminal complaint against Clearview AI for unauthorized data scraping, targeting the company's executives for potential criminal penalties. Clearview AI allegedly ignored GDPR fines from multiple EU countries, amassing over $100 million in unpaid penalties, with only the UK fine being contested and lost. The complaint, lodged with Austrian prosecutors, leverages Article 84 of the GDPR, allowing member states to pursue criminal proceedings for data protection breaches. Clearview AI claims to have collected over 60 billion images to enhance law enforcement facial recognition, raising significant privacy concerns across Europe. Austria deemed Clearview's practices illegal in 2023, though no fines were imposed; Noyb seeks criminal accountability for the company's management. The case underscores challenges in enforcing EU data protection laws against non-EU companies, highlighting potential gaps in cross-border regulatory frameworks. This development may prompt EU authorities to strengthen enforcement mechanisms to ensure compliance with data protection regulations globally.
2025-10-28 14:10:15 bleepingcomputer VULNERABILITIES BiDi Swap Vulnerability Enables Deceptive URL Phishing Attacks
Varonis Threat Labs has spotlighted the BiDi Swap vulnerability, which manipulates URL text direction to create deceptive links, posing a significant risk for phishing attacks. This vulnerability exploits the handling of Right-to-Left (RTL) and Left-to-Right (LTR) scripts, allowing attackers to craft URLs that appear legitimate but redirect users to malicious sites. BiDi Swap builds on past Unicode-based spoofing tactics, demonstrating the ongoing challenge of securing text directionality in web browsers. The vulnerability affects major browsers like Chrome and Firefox, with varying degrees of mitigation; Chrome's navigation suggestions only partially address the issue. Firefox attempts to mitigate risks by highlighting key domain parts in the address bar, aiding users in identifying suspicious links. Microsoft marked the issue as resolved in Edge, although URL representation concerns remain. Varonis recommends integrating advanced threat detection tools, such as Varonis Interceptor, to enhance email and browser security against phishing threats.
2025-10-28 13:17:16 bleepingcomputer MALWARE Atroposia Malware-as-a-Service Threatens Corporate Cybersecurity with New Capabilities
Atroposia, a new malware-as-a-service platform, offers a remote access trojan with features like persistent access, data theft, and local vulnerability scanning for a $200 monthly subscription. Discovered by Varonis researchers, Atroposia is designed as a "plug and play" toolkit, making it accessible to low-skilled cybercriminals alongside other platforms like SpamGPT and MatrixPDF. The malware communicates over encrypted channels, bypasses User Account Control on Windows, and maintains stealthy access, posing significant risks to corporate environments. Atroposia's local vulnerability scanner identifies outdated software and unpatched systems, potentially allowing deeper access and exploitation within targeted networks. The emergence of Atroposia lowers the technical barrier for cybercriminals, facilitating the execution of sophisticated attacks by less experienced threat actors. Organizations are advised to download software from reputable sources, avoid pirated content, and exercise caution with online commands to mitigate risks associated with this malware.
2025-10-28 12:49:37 theregister VULNERABILITIES AI Browsers Exposed to Persistent Prompt Injection Vulnerabilities
Recent research indicates that AI browsers, including OpenAI's Atlas, are vulnerable to prompt injection attacks, posing significant security risks by allowing unauthorized actions on users' behalf. Prompt injection occurs when malicious commands are embedded in content, which AI interprets as user instructions, potentially leading to unauthorized data exfiltration or manipulation. Researchers demonstrated vulnerabilities in AI browsers like Comet and Fellou, where hidden instructions in web content triggered unintended actions such as data extraction from Gmail. Indirect prompt injection can manipulate AI to perform tasks without user consent, while direct injection involves pasting crafted URLs into browsers, leading to data leaks or file deletions. Cross-site request forgery vulnerabilities further compound risks by allowing malicious sites to send commands to AI bots as authenticated users, affecting session data persistence. Security experts acknowledge that prompt injection is a persistent challenge, with no complete solution, as AI systems inherently process untrusted data that can influence outcomes. Mitigation strategies include limiting AI privileges, requiring user consent for actions, and treating all external content as potentially untrustworthy to reduce risk exposure. The growing capabilities of agentic AI, such as automated transactions and data access, necessitate robust security controls to prevent exploitation and protect sensitive information.
2025-10-28 11:57:33 theregister DATA BREACH MoD Afghan Data Breach Leads to Severe Humanitarian Consequences
A 2022 data breach of the UK's Ministry of Defence Afghan relocation scheme has resulted in severe threats and fatalities among affected individuals and their families. Of the 231 individuals impacted, 49 reported deaths of family or colleagues, and 87% experienced personal risks due to Taliban reactions. Nearly 100 individuals faced direct threats to their lives, with reports of home raids and severe intimidation by the Taliban. Mental health issues, including anxiety and depression, were widespread, affecting 89% of respondents and their families. Affected individuals have called for expedited relocation processes, with many still facing danger in Afghanistan despite offers of resettlement. The UK government is urged to review cases and provide protection to those whose data was compromised, ensuring their safety. The full report on this breach's impact is expected to be published in November, following submission to the Defence Committee.
2025-10-28 11:57:32 thehackernews MISCELLANEOUS Early Threat Detection as a Catalyst for Business Growth
Early threat detection is crucial for minimizing incident costs and maximizing business continuity, transforming cybersecurity from a reactive cost center to a proactive growth enabler. Organizations that invest in threat intelligence and early detection mechanisms maintain operational confidence, facilitating smoother digital transformations and customer onboarding. A mature cybersecurity posture, demonstrated through early detection capabilities, becomes essential for compliance and business expansion into new markets and sectors. Threat intelligence provides strategic insights into attacker behaviors, enabling organizations to predict and prevent attacks rather than merely reacting to them. ANY.RUN's Threat Intelligence Feeds and Lookup services offer real-time insights, reducing incident timelines and operational costs by providing instant context and prioritization for SOC teams. By leveraging continuous visibility and enriched alerts, businesses can maintain trust and reputation, ensuring long-term stability and competitive advantage. The integration of advanced threat intelligence tools empowers security operations centers to shift from overwhelmed to proactive, focusing on resolving critical threats efficiently.
2025-10-28 10:45:17 theregister DATA BREACH Google Denies Claims of Massive Gmail Security Breach
Google refuted reports of a major Gmail breach affecting 183 million accounts, attributing the claims to misinterpretation of old credential data. The confusion originated from the addition of a large dataset to Have I Been Pwned, collected from infostealer malware logs over several years. This dataset, shared by Synthient, was mistakenly perceived as a new breach, though it reflects long-term infostealer activity rather than a targeted Gmail attack. Google emphasized that Gmail's security remains robust, with proactive measures in place to scan for stolen credentials and prompt password resets. The incident highlights the rapid spread of misinformation and the importance of context in cybersecurity reporting. Users are advised to enable two-step verification, consider passkeys, and update passwords in response to breach notifications. The situation underscores the need for media literacy and careful interpretation of cybersecurity news to prevent unnecessary panic.
2025-10-28 10:36:01 thehackernews VULNERABILITIES Strengthening Google Workspace Security for Lean IT Teams
Many startups rely on Google Workspace, which prioritizes collaboration over security, posing risks for lean IT teams tasked with protection. Key security practices include enforcing multi-factor authentication (MFA) and hardening admin access to prevent unauthorized account compromises. Adjusting default sharing settings and controlling OAuth app access are crucial to mitigate data leaks and unauthorized access. Email threats remain a significant concern; implementing robust detection and response mechanisms is essential to counter phishing and impersonation attacks. Proactive monitoring and automated alerts can aid in detecting and containing account takeovers before they escalate. Understanding and classifying sensitive data within Google Workspace is vital, with data loss prevention (DLP) tools offering limited but necessary support. Solutions like Material Security can enhance Google Workspace by providing advanced threat detection and unified security management.
2025-10-28 10:08:05 theregister MISCELLANEOUS AI Chatbots Found Repeating Russian Propaganda in War-Related Queries
The Institute for Strategic Dialogue (ISD) examined responses from four major AI chatbots, revealing that Russian state-attributed content appeared in up to 25% of war-related queries. Chatbots such as OpenAI's ChatGPT and Google's Gemini were tested across five languages, highlighting concerns over AI's potential role in spreading disinformation. The study found that biased or malicious prompts significantly increased the likelihood of chatbots citing Kremlin-aligned sources, with ChatGPT showing a threefold increase in such cases. Google's Gemini demonstrated the most effective safety measures, featuring fewer Kremlin-aligned sources and recognizing the risks of biased prompts. The ISD's findings suggest that AI models can be manipulated to echo state-sponsored narratives, raising questions about the enforcement of EU regulations against Russian disinformation. The study emphasizes the need for AI firms to implement stricter content moderation and scrutiny to prevent the dissemination of manipulated information. With AI chatbots increasingly used as search engines, the potential impact on public perception and policy enforcement is significant, necessitating regulatory attention.
2025-10-28 10:08:04 bleepingcomputer MALWARE New Herodotus Android Malware Evades Detection with Human-Like Typing
Herodotus is a new Android malware family that uses random delay injection to mimic human typing, helping it evade detection by security software. Offered as malware-as-a-service, Herodotus targets Italian and Brazilian users via SMS phishing, using a custom dropper to bypass Android 13's Accessibility restrictions. The malware's 'humanizer' mechanism introduces random delays in text input, making automated actions appear more human-like in order to avoid behavior-based anti-fraud systems. ThreatFabric identified Herodotus being spread by multiple threat actors, with seven distinct subdomains indicating its growing adoption in the wild. Users are advised to avoid downloading APKs from untrusted sources and to ensure Google Play Protect is active, while scrutinizing and revoking risky app permissions. Herodotus' delay tactic represents a novel challenge for current detection systems, emphasizing the need for enhanced behavioral analysis in cybersecurity strategies.
2025-10-28 08:36:14 theregister DATA BREACH Marks & Spencer Cyber Incident Sparks Major IT Overhaul
Marks & Spencer replaced Tata Consultancy Services as its IT service desk provider after a procurement process that began in January, aiming to refresh its IT support infrastructure. The decision to switch providers follows a significant cyber incident affecting M&S's operations, notably disrupting Click & Collect orders and impacting profits by an estimated £300 million. The National Crime Agency arrested four individuals in connection with the attack, which targeted M&S and other British retailers over several weeks. Despite the change in service desk providers, TCS continues to support other IT services for M&S, maintaining a strategic partnership. M&S has gradually restored services, including Click & Collect, although some functionalities like Scan and Shop and online stock checking remain affected. The cyber incident has prompted M&S to reassess its IT strategy, reflecting the ongoing challenges in securing retail operations against cyber threats. TCS clarified that vulnerabilities did not originate from their networks, as they do not provide cybersecurity services to M&S, which are managed by another partner.
2025-10-28 08:26:14 thehackernews MALWARE Chrome Zero-Day Exploited to Deploy Memento Labs' LeetAgent Spyware
Kaspersky identified a Chrome zero-day vulnerability (CVE-2025-2783) exploited to deliver LeetAgent spyware, developed by Italian firm Memento Labs, targeting Russian organizations. The flaw, a sandbox escape vulnerability, allowed attackers to execute remote code and distribute espionage tools via phishing emails with personalized links. Operation ForumTroll, active since February 2024, targeted media, universities, research centers, and government bodies in Russia and Belarus, focusing on espionage. Memento Labs, formed from a merger involving HackingTeam, has a history of providing offensive cyber tools to governments and corporations. The attack chain involved a validator script to verify genuine users, followed by exploitation of the zero-day to deploy the LeetAgent malware. LeetAgent connects to command-and-control servers to execute tasks, with links to broader malicious activities dating back to 2022, involving phishing emails. Positive Technologies and BI.ZONE also tracked the activity, noting connections between LeetAgent and the more sophisticated Dante spyware. The campaign underscores the persistent threat posed by advanced spyware and the need for robust defenses against targeted phishing and zero-day exploits.
2025-10-28 04:10:10 thehackernews NATION STATE ACTIVITY SideWinder Targets South Asian Diplomats with New ClickOnce Attack Chain
SideWinder has launched a new campaign targeting South Asian diplomats, including a European embassy in New Delhi, using a ClickOnce-based infection chain. The attack spans multiple organizations in Sri Lanka, Pakistan, and Bangladesh, employing spear-phishing emails with malicious PDF and Word documents. The campaign introduces the use of ModuleInstaller and StealerBot malware, enabling data collection, reverse shell access, and further malware deployment. Attackers employ legitimate applications like MagTek's ReaderConfiguration.exe for side-loading malicious DLLs, complicating detection and analysis. The phishing emails mimic official communications, using domains resembling the Ministry of Defense of Pakistan to enhance credibility. SideWinder's tactics reflect an advanced understanding of geopolitical dynamics, tailoring lures to specific diplomatic targets in the region. The campaign's persistence and sophistication highlight the ongoing threat posed by state-sponsored actors in geopolitical espionage activities.