All news with #malware-as-a-service tag

DanaBot Malware Returns Targeting Windows After Disruption

🔁 Zscaler ThreatLabz has observed a new DanaBot variant (v669) returning to Windows systems after a six-month disruption caused by Operation Endgame. The rebuilt command-and-control infrastructure uses Tor .onion domains and 'backconnect' nodes, and operators are collecting stolen funds via multiple cryptocurrency addresses (BTC, ETH, LTC, TRX). Organizations should add Zscaler's IoCs to blocklists, update detection tools, and harden email and web defenses against malspam, SEO poisoning, and malvertising.

Fantasy Hub: Android RAT sold on Telegram as MaaS service

🔒 Cybersecurity researchers disclosed a new Android remote access trojan, Fantasy Hub, marketed on Russian-speaking Telegram channels under a Malware-as-a-Service model. The MaaS offers turnkey builders, bot-driven subscriptions, custom trojanized APKs and a C2 panel to manage compromised devices and exfiltrate SMS, contacts, media and call logs. Sellers provide fake Google Play landing pages and instruction to abuse the default SMS handler and deploy overlays to intercept banking 2FA and harvest credentials.

Herodotus Android Trojan Mimics Humans to Evade Fraud

⚠️ Herodotus, a new Android banking trojan, has been observed conducting device takeover (DTO) attacks in Italy and Brazil and was advertised as a malware‑as‑a‑service supporting Android 9–16. According to ThreatFabric, it abuses accessibility services and overlay screens to steal credentials and SMS 2FA, intercept the screen, and install remote APKs. Uniquely, operators added randomized typing delays (300–3000 ms) to mimic human input and evade behaviour‑based anti‑fraud detections.

Herodotus Android malware mimics human typing behavior

🛡️ Herodotus is a newly observed Android malware family offered as a MaaS that deliberately mimics human input timing to evade behavior-based detection. Threat Fabric says operators likely linked to Brokewell are distributing a dropper via smishing targeting Italian and Brazilian users. The installer requests Accessibility access and uses deceptive overlays to hide permission flows while a built-in "humanizer" inserts randomized 0.3–3s delays between keystrokes to imitate human typing. Users should avoid sideloading APKs, enable Play Protect, and promptly review or revoke Accessibility permissions for unfamiliar apps.

Rhadamanthys Stealer Adds Fingerprinting, PNG Steganography

🛡️ Check Point researchers report that the Rhadamanthys information stealer (v0.9.2) has been updated to collect extensive device and browser fingerprints and to deliver payloads via steganography embedded in WAV, JPEG and PNG files. The operator—initially known as kingcrete2022 and now marketing as RHAD security/Mythical Origin Labs—offers the malware as a tiered MaaS product with subscription plans and enterprise options. The sample includes sandbox-evasion checks, an embedded Lua runner for plugins, obfuscated configurations, and a PNG-based payload decryption step that requires a shared secret.