Herodotus: New Android Malware Mimics Human Typing to Evade Behavioural Detection

A newly identified Android malware family, dubbed Herodotus, employs sophisticated tactics to evade detection by behavioural security systems. Researchers at ThreatFabric report that Herodotus introduces a novel “humaniser” mechanism into its input routines: the malware injects random delays between text-input events to mimic the natural rhythm of human typing, thereby reducing the likelihood of detection by anti-fraud and behaviour-based defences that key on machine-speed input. This technique represents a refinement of timing-based evasion that leverages the subtle difference between machine-speed automation and human interaction.
Distribution of Herodotus is occurring via SMS phishing (smishing), with active campaigns observed against users in Italy and Brazil; the malicious messages deliver a link to a bespoke dropper that installs the primary payload. Threat actors behind the new malware are offering it as malware-as-a-service (MaaS), reportedly linked to operators associated with the Brokewell ecosystem, which facilitates wider adoption by lower-skill criminals. Although the codebase is described as still under development, detections indicate that multiple threat actors have already begun testing and deploying the platform.
A key vector exploited by Herodotus is Android’s Accessibility permission model. The dropper is designed to open the Accessibility settings and socially engineer the victim into granting the service, while a fraudulent overlay presents a fake loading screen to conceal the permission-granting steps. Once Accessibility access is obtained, the malware can automate interactions with the device user interface: tapping coordinates, swiping, navigating back, and entering text either by pasting from the clipboard or by simulating keyboard input.
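The kind of keystroke-cadence check that the humaniser described above is built to slip past, as an added illustration (not ThreatFabric's code or the malware's). The timestamps are constructed sample data and the two thresholds are assumptions; the point to notice is that the humanised sequence is labelled exactly like a real user, so timing alone cannot carry the detection.

```python
"""Keystroke-cadence heuristic of the sort a behavioural anti-fraud layer applies.
Added illustration, not ThreatFabric's code. Timestamps (ms) are constructed
sample data; the thresholds below are assumptions chosen for the demo."""
from statistics import mean, pstdev
from typing import Iterable

# Assumed thresholds: scripted input lands well under 50 ms per character with
# almost no variance; human typing is slower and irregular.
MACHINE_MAX_MEAN_MS = 50.0
MACHINE_MAX_CV = 0.15  # coefficient of variation = stdev / mean


def inter_key_intervals(timestamps_ms: Iterable[int]) -> list[float]:
    """Return the gaps between consecutive text-input events."""
    ts = list(timestamps_ms)
    return [float(b - a) for a, b in zip(ts, ts[1:])]


def classify_cadence(timestamps_ms: Iterable[int]) -> str:
    """Label a burst of input events as 'machine', 'human-like' or 'too-short'."""
    gaps = inter_key_intervals(timestamps_ms)
    if len(gaps) < 4:
        return "too-short"  # not enough events to judge a rhythm
    mu = mean(gaps)
    cv = pstdev(gaps) / mu if mu else 0.0
    if mu <= MACHINE_MAX_MEAN_MS and cv <= MACHINE_MAX_CV:
        return "machine"
    return "human-like"


# Constructed samples (ms since the first event):
SCRIPTED = [0, 5, 10, 15, 20, 25, 30, 35]            # Accessibility-driven typing, one event every 5 ms
HUMANISED = [0, 410, 1320, 1650, 2900, 3020, 3810, 5100]  # same text with random delays injected
HUMAN = [0, 230, 510, 640, 1100, 1290, 1700, 1880]   # a genuine user


def demo() -> dict[str, str]:
    """Classify all three constructed sequences."""
    return {name: classify_cadence(ts) for name, ts in
            [("scripted", SCRIPTED), ("humanised", HUMANISED), ("human", HUMAN)]}


if __name__ == "__main__":
    for name, label in demo().items():
        print(f"{name:10s} -> {label}")
```

Because the humanised burst passes, a defender has to pair cadence with provenance signals such as whether the input originated from a recently installed app holding the Accessibility service.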
Beyond the human-typing evasion, the Herodotus toolkit supplies operators with a comprehensive suite of fraud-oriented capabilities. These include an administrative control panel (with configurable SMS text), opaque overlay pages that mimic banking and cryptocurrency applications for credential harvesting, an SMS-stealer capable of intercepting two-factor authentication codes, and functionality to capture screen content. Such features demonstrate the malware’s explicit design to facilitate financial fraud and account takeover.
Android users are urged to avoid installing APKs from untrusted sources, ensure Google Play Protect is enabled, and scrutinise or revoke Accessibility and other sensitive permissions granted to recently installed apps. Organisations should incorporate behavioural-pattern awareness into their mobile-security controls and educate users on the risks of smishing and overlay-based social engineering.
References:
- New Android Malware Herodotus Mimics Human Behaviour to Evade Detection (threatfabric.com)
- New Herodotus Android malware fakes human typing to avoid detection (bleepingcomputer.com)

AzureHound Penetration Testing Tool Weaponised in Azure & Entra ID Attacks

Cloud discovery is increasingly becoming a focal point in adversary activity, and AzureHound is an illustrative example of how legitimate security tools can be repurposed for malicious ends. Originally developed as part of the BloodHound suite for red-teaming and penetration testing, AzureHound is a Go-language tool designed to enumerate an organisation’s Microsoft Entra ID (formerly Azure AD) and Azure resource infrastructure via the Microsoft Graph and Azure REST APIs. While its legitimate use is to map identity and resource relationships and thus help organisations strengthen their security posture, threat actors have begun to use it for post-compromise reconnaissance in cloud environments.
In the hands of adversaries, AzureHound enables rapid and extensive enumeration of identities, groups, apps, storage accounts, virtual machines and other cloud resources. Once inside a compromised environment, threat actors can execute AzureHound to gather details such as user display names, roles, last password change timestamps, job titles, service principals, and resource role assignments. This depth of visibility aids attackers in identifying high-value targets – typically accounts with privileged roles such as Global Administrator or Privileged Role Administrator – and potential privilege escalation paths.
AzureHound maps neatly to several tactics in the MITRE ATT&CK Cloud Matrix, notably the Discovery tactic. For instance, the technique T1087.004 (Account Discovery: Cloud) describes enumeration of cloud identities, which AzureHound automates via commands like list users, list service-principals and list devices. Similarly, the tool supports permissions-group enumeration (T1069.003) through commands such as list groups, list role-assignments, and list subscription-role-assignments. Beyond identities and permissions, AzureHound also supports storage object discovery (T1619), service discovery (T1526), and infrastructure discovery (T1580) through commands targeting storage accounts, web apps, function apps, virtual machines, key vaults and the subscription hierarchy.
An important aspect of AzureHound’s misuse lies in the logging and visibility gaps it exploits. While many Graph API calls are logged and available to defenders, certain Azure REST API enumeration requests – such as listing storage accounts or key vaults – do not always appear in standard activity logs. Enumeration via the Azure REST endpoint (management.azure.com) may generate no record in the subscription-level activity logs, presenting a blind spot. This omission makes it harder for defenders to detect enumeration and reconnaissance activities, particularly when attackers use tools like AzureHound in their default configuration (with the default user-agent string azurehound/<version>).
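A detection pass over Microsoft Graph activity records that uses both signals the text describes: the default azurehound/ user-agent, and a burst of distinct directory collections enumerated by one principal, which still fires when the user-agent has been changed. This is an added example, not Unit 42's or BloodHound's code; the log lines are constructed and the field names (TimeGenerated, UserId, UserAgent, RequestUri) are assumed to resemble Graph activity log columns.

```python
"""Flag AzureHound-style enumeration in Microsoft Graph activity records.
Added example, not Unit 42's or BloodHound's code. Log lines are constructed and
the field names are assumed to resemble Graph activity log columns; REST calls
to management.azure.com never appear in this source (the blind spot described)."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Collections that AzureHound "list ..." commands walk; one principal touching
# several of them in a short window is the enumeration fingerprint.
COLLECTIONS = ("/users", "/groups", "/servicePrincipals", "/devices")
WINDOW = timedelta(minutes=10)
MIN_DISTINCT = 3  # assumption: tune to the tenant's normal automation

SAMPLE_LOG = """
{"TimeGenerated": "2025-11-01T09:00:00", "UserId": "user-a", "UserAgent": "azurehound/2.3.0", "RequestUri": "https://graph.microsoft.com/v1.0/users"}
{"TimeGenerated": "2025-11-01T09:01:00", "UserId": "user-b", "UserAgent": "Mozilla/5.0", "RequestUri": "https://graph.microsoft.com/v1.0/users"}
{"TimeGenerated": "2025-11-01T09:01:30", "UserId": "user-b", "UserAgent": "Mozilla/5.0", "RequestUri": "https://graph.microsoft.com/v1.0/groups"}
{"TimeGenerated": "2025-11-01T09:02:00", "UserId": "user-b", "UserAgent": "Mozilla/5.0", "RequestUri": "https://graph.microsoft.com/v1.0/servicePrincipals"}
{"TimeGenerated": "2025-11-01T09:02:30", "UserId": "user-b", "UserAgent": "Mozilla/5.0", "RequestUri": "https://graph.microsoft.com/v1.0/devices"}
{"TimeGenerated": "2025-11-01T09:05:00", "UserId": "user-c", "UserAgent": "Mozilla/5.0", "RequestUri": "https://graph.microsoft.com/v1.0/users/abc"}
"""  # constructed sample records, one JSON object per line


def collection_of(uri: str):
    """Map a request URI to the directory collection it reads, or None."""
    path = uri.split("/v1.0", 1)[-1]
    return next((c for c in COLLECTIONS if path.startswith(c)), None)


def detect(log_text: str) -> dict:
    """Return {UserId: reason} for principals matching either signal."""
    hits, by_user = {}, defaultdict(list)
    for line in log_text.strip().splitlines():
        r = json.loads(line)
        if r.get("UserAgent", "").lower().startswith("azurehound/"):
            hits[r["UserId"]] = "default user-agent " + r["UserAgent"]
        coll = collection_of(r["RequestUri"])
        if coll:
            by_user[r["UserId"]].append((datetime.fromisoformat(r["TimeGenerated"]), coll))
    # Second signal: distinct collections inside a sliding window; this still
    # fires when the operator has replaced the default user-agent string.
    for user, events in by_user.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            seen = {c for t, c in events[i:] if t - t0 <= WINDOW}
            if len(seen) >= MIN_DISTINCT:
                hits.setdefault(user, f"{len(seen)} directory collections within {WINDOW}")
                break
    return hits
```

Storage-account and key-vault listings go to management.azure.com and would need a separate data source, which is exactly why the text treats them as a blind spot.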
In conclusion, the misuse of AzureHound by threat actors such as Curious Serpens, Void Blizzard and Storm-0501 illustrates the evolving nature of cloud-native attack chains. These actors leverage the tool to map cloud environments, identify privileged identities and attack paths, and conduct reconnaissance with a speed and scale that manual techniques cannot match.
References:
- Cloud Discovery With AzureHound (unit42.paloaltonetworks.com)
- AzureHound Penetration Testing Tool Exploited by Threat Actors to Enumerate Azure and Entra ID (cybersecuritynews.com)

European Organisations Confront Escalating Cyber-Extortion and Shorter Attack Timelines

European organisations are encountering an increasingly challenging cyber-threat environment, as ransomware and extortion attacks rise sharply across the continent. According to CrowdStrike’s 2025 European Threat Landscape Report, around 22% of global ransomware and extortion victims are located in Europe, positioning the region as second only to North America in terms of targeting. The countries most frequently cited in this trend include the United Kingdom, Germany, France, Italy and Spain. Notably, the number of entries on dedicated leak sites naming European-based organisations increased by nearly 13% year-on-year.
The sectors identified as being most at risk include manufacturing, professional services, technology, industrial & engineering, and retail. The report highlights several major ransomware and extortion-oriented groups operating in the region since January 2024, including Scattered Spider, LockBit, Akira and RansomHub. One particularly alarming finding is the acceleration of attack timelines, with some groups now able to deploy ransomware within approximately 24 hours of initial access.
The attractiveness of Europe as a target region is explained by a combination of factors. According to the report, Europe’s legal and regulatory environment – including obligations under frameworks like the General Data Protection Regulation (GDPR) – and the profitability of many European companies make the region a compelling target for threat actors. Moreover, geopolitical tensions, such as the conflict in Ukraine and broader global instability, are cited as underlying drivers that bleed into cyber-activity, contributing to denial-of-service attacks, hack-and-leak operations and website defacements.
The underground cyber-crime ecosystem supporting this surge has become ever more sophisticated. The report documents how initial-access brokers are operating at scale: for example, one count found more than 260 such brokers marketing access to more than 1,400 European organisations. The convergence of criminal and state-sponsored actors, matured malware-as-a-service models and rapid deployment tactics is stretching traditional defensive postures. As a result, organisations are under greater pressure to detect, respond to and contain threats in shorter windows than ever before.
In light of these developments, it is clear that European organisations must sharpen both their defensive strategies and their readiness posture. Key recommendations arising from the report include the need to bolster identity-centric security controls, eliminate visibility gaps across domains, accelerate detection and response capabilities, and adapt to cloud-based threat vectors. Additionally, since attackers are now moving at cloud speed and using automated and AI-driven tools, reliance on legacy processes alone is no longer sufficient.
In conclusion, Europe finds itself in a heightened state of cyber-risk, with ransomware and extortion-focused campaigns increasing in both volume and sophistication. The region’s profile as a target is rising due to regulatory, financial and geopolitical factors, while attackers reduce their timeframes and intensify pressure on victims. Organisations must therefore elevate their cyber resilience efforts, not simply in technical defences but in governance, readiness and rapid response.
References:
- CrowdStrike 2025 European Threat Landscape Report (crowdstrike.com)
- Europe Sees Increase in Ransomware, Extortion Attacks (darkreading.com)
Get Norm’s threat bulletin direct to your inbox
Norm tracks and monitors the latest security trends and cyber threats and collates these into a fortnightly threat bulletin.