
Intel Wrap – October 2025

November 10, 2025
Musa Nadir Sani

This month covers the continued rise in AI-driven phishing attacks, Herodotus, a new Android banking trojan built to make its input look human, and the now-patched Chrome zero-day used to deliver commercial spyware.

AI-driven Cyberattacks Continue To Be On The Rise

Cybercriminals in Africa are increasingly leveraging AI to enhance phishing, impersonation, and deepfake attacks, leading to a sharp rise in AI-fueled cybercrime across the continent.

Summary

  • Deepfake-related fraud has nearly tripled in the past year, driven largely by voice cloning scams and generative AI-powered deception tactics, according to several reports.
  • Phishing remains the most common attack on African organizations, with AI-generated, culturally tailored messages achieving a 54% click-through rate — 4.5 times higher than traditional phishing methods.
  • Attackers now use regional languages and localized cultural cues to make phishing and impersonation campaigns appear more authentic and convincing.
  • AI has drastically reduced reconnaissance time, enabling attackers to create synthetic identities, deepfakes, and cloned voices at scale, overwhelming traditional detection systems.
  • Both Microsoft and Group-IB report a surge in AI-integrated attacks, including the tripling of synthetic identity use to bypass verification checks.
  • Egypt, Morocco, Algeria, and South Africa are the top four countries most targeted by these attacks, with total attack detections in Africa doubling over the past year.
  • Business Email Compromise (BEC) is now the most successful cyberattack type in Africa, with South Africa and Nigeria emerging as major hubs for BEC infrastructure and money-mule recruitment.
  • While BEC makes up only 2% of global threats, it accounts for 21% of successful attacks in Africa, followed by ransomware at 16%, underscoring the continent’s growing exposure to AI-augmented cybercrime.
  • Read more about it here

Herodotus

Security researchers recently disclosed Herodotus, a new Android banking trojan used in device takeover (DTO) campaigns and now offered under a malware-as-a-service (MaaS) model.

Summary

  • First advertised on underground forums on September 7, 2025, Herodotus is sold as part of a MaaS operation and supports Android versions 9 through 16.
  • Although not a direct evolution, Herodotus borrows several techniques and code references (e.g., “BRKWL_JAVA”) from the Brokewell banking trojan.
  • The malware spreads through dropper apps disguised as Google Chrome (com.cd3.app) and delivered via SMS phishing or other social engineering methods.
  • It abuses the Android Accessibility Services permission (a legitimate feature, not a software vulnerability) to take control of the device, draw fake overlay screens on top of targeted apps, and steal login credentials for financial apps.
  • Herodotus can intercept SMS 2FA codes, capture screen content, grant itself permissions, steal PINs or patterns, and install remote APK files for deeper control.
  • The trojan introduces random typing delays (300–3000 ms) during remote actions to imitate human input, helping it evade behavior-based anti-fraud detection systems.
  • Unlike traditional malware that only steals credentials, Herodotus is designed to persist during live sessions to execute real-time account takeovers.
  • The discovery aligns with broader Android malware campaigns like GhostGrab, which combine data theft, credential harvesting, and cryptocurrency mining, highlighting escalating mobile security risks.
  • Read more about it here.
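The point about randomised typing delays deserves a closer look from the defender's side. The following Python script is an added illustration, not code from the Herodotus write-up or from any anti-fraud product: it shows one reason a uniform random delay between injected keystrokes does not fully reproduce human typing. Real users produce many very short inter-key gaps (well under 300 ms) with the occasional long pause, whereas injected input with a configured minimum delay has a hard floor. The thresholds, the three sample sessions, and the classification labels are assumptions constructed for the example, not figures from the report.

```python
"""Heuristic check for scripted keystrokes that use randomised delays.

Added illustration for the Herodotus write-up; not the malware's code and
not a vendor detection. Thresholds and sample sessions are constructed.
"""
from statistics import median

FLOOR_MS = 300          # assumed: the reported minimum injected delay
MIN_EVENTS = 10         # assumed: do not judge very short sessions
FAST_FRACTION = 0.05    # assumed: humans produce far more sub-300 ms gaps
JITTER_MS = 1000        # assumed: random 300-3000 ms delays span over 1 s
FIXED_TOLERANCE_MS = 50 # assumed: below this spread the delay is constant


def intervals(timestamps_ms):
    """Inter-event gaps (ms) from a list of key-event timestamps."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]


def typing_features(gaps):
    """Summary features of one session's inter-key gaps."""
    n = len(gaps)
    fast = sum(1 for g in gaps if g < FLOOR_MS)
    return {
        "events": n,
        "min_ms": min(gaps),
        "median_ms": median(gaps),
        "fast_fraction": fast / n,
        "spread_ms": max(gaps) - min(gaps),
    }


def classify(gaps):
    """Label a session as human-like, fixed-delay script or random-delay script.

    Humans fail the floor test (plenty of sub-300 ms gaps). A constant-delay
    bot has a floor but almost no spread. Injected input with a random
    300-3000 ms pause has both a floor and wide jitter.
    """
    if len(gaps) < MIN_EVENTS:
        return "insufficient"
    f = typing_features(gaps)
    if f["fast_fraction"] >= FAST_FRACTION:
        return "human-like"
    if f["spread_ms"] < FIXED_TOLERANCE_MS:
        return "scripted-fixed-delay"
    if f["spread_ms"] >= JITTER_MS:
        return "scripted-random-delay"
    return "unclear"


# Constructed sample sessions (inter-key gaps in ms), not captured data.
HUMAN_GAPS = [88, 132, 61, 240, 97, 175, 54, 410, 120, 73,
              95, 310, 66, 142, 58, 880, 104, 77, 125, 90]
RANDOM_DELAY_GAPS = [642, 2714, 1307, 455, 2980, 1891, 723, 2205, 1044, 2611,
                     386, 1528, 2833, 917, 1199, 2347, 604, 2760, 1462, 335]
FIXED_DELAY_GAPS = [500] * 12


if __name__ == "__main__":
    for name, gaps in [("human", HUMAN_GAPS),
                       ("random-delay bot", RANDOM_DELAY_GAPS),
                       ("fixed-delay bot", FIXED_DELAY_GAPS)]:
        print(f"{name:17s} -> {classify(gaps):23s} {typing_features(gaps)}")
```

The check is deliberately coarse: it looks only at the floor and the spread of the gaps, which is enough to separate the three constructed sessions but would need tuning against real keystroke telemetry before use in an anti-fraud pipeline.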

The Zero-Day Chrome Vulnerability Exploited to Deliver Italian Memento Labs’ LeetAgent Spyware

A since-patched zero-day vulnerability in Google Chrome, CVE-2025-2783 (CVSS 8.3), was exploited in a targeted espionage campaign that Kaspersky tracks as Operation ForumTroll.

Summary

  • The attacks primarily targeted organizations in Russia and Belarus, including media, universities, research centers, government bodies, and financial institutions, through spear-phishing emails with malicious forum links.
  • The exploit led to the delivery of spyware tools from Memento Labs, an Italian surveillance technology vendor previously known as HackingTeam, which has a history of selling intrusive software to governments.
  • The main payload was a new spyware dubbed LeetAgent, capable of command execution, file operations, shellcode injection, keylogging, and data theft via a command-and-control (C2) infrastructure.
  • The attack chain began with a validator script that checked the visitor was running a real browser before the Chrome vulnerability was used to escape the sandbox, execute code on the host, and drop the LeetAgent loader.
  • The LeetAgent spyware shares overlaps with Dante spyware, including similar persistence methods, file paths, and code, suggesting both are part of the same toolset and operator group.
  • Dante, considered a successor to the Remote Control System (RCS), features anti-debugging, encrypted strings, and self-deletion mechanisms to evade detection and forensic analysis.
  • Memento Labs' CEO Paolo Lezzi confirmed the spyware was the company's, but said an outdated version had been exposed by a government customer and that the company has since discontinued its Windows malware.
  • The incident echoes past controversies, including HackingTeam’s 2015 data breach and Italy’s export ban, highlighting ongoing risks of commercial spyware misuse.
  • The findings underscore how commercial surveillance tools, initially marketed for legitimate law enforcement, are being repurposed for espionage, reinforcing global concerns about the abuse of spyware and digital intrusion technology.
  • Read more about it here
