Herodotus¶
Herodotus is an Android banking trojan discovered by ThreatFabric in October 2025, sold as a malware-as-a-service (MaaS) platform on underground forums by a threat actor using the handle "K1R0." Its standout feature is a human behavior mimicry system that introduces natural typing delays, variable input speeds, and randomized interaction patterns during remote control sessions to evade anti-fraud behavioral biometric systems. Reverse engineering reveals code-level connections to Brokewell through shared obfuscation techniques and a dynamically loaded Brokewell module, though Herodotus is a distinct threat with its own operator and distribution model rather than a direct evolution.
Overview¶
| Attribute | Details |
|---|---|
| First Seen | October 2025 |
| Status | Active |
| Type | Banking trojan, MaaS, device-takeover |
| Aliases | None known |
| Attribution | Threat actor "K1R0" (underground forum handle) |
| Distribution | MaaS model, active campaigns in Italy and Brazil |
Origin and Lineage¶
ThreatFabric discovered Herodotus in October 2025 while tracking new threats on underground forums. The malware was being advertised as a MaaS platform by "K1R0," who offered it to affiliates for conducting banking fraud campaigns.
Reverse engineering of Herodotus samples revealed significant code-level connections to Brokewell, a banking trojan discovered by ThreatFabric in April 2024 and attributed to the developer "Baron Samedit Marais." The two families share obfuscation techniques, and Herodotus dynamically loads a Brokewell module at runtime. Despite these technical links, Herodotus operates under a different threat actor, uses a different distribution model (MaaS versus direct operation), and introduces novel capabilities not present in Brokewell. This pattern suggests that Brokewell's codebase was adopted, licensed, or forked by the K1R0 operator to build a new product rather than representing a linear evolution of the original malware.
Distribution¶
| Vector | Details |
|---|---|
| MaaS platform | Sold to affiliates on underground forums by "K1R0" |
| Affiliate-driven | Individual operators distribute through their own channels |
| Active campaigns | Observed targeting users in Italy and Brazil |
As a MaaS operation, Herodotus follows the same model as families like Octo and Hook. The developer provides the malware, C2 infrastructure, and builder tools. Affiliates purchase access and handle distribution through their own methods, which may include sideloading, phishing, or dropper apps. ThreatFabric observed active campaigns targeting Italy and Brazil at the time of discovery, indicating at least two distinct affiliate operations.
Capabilities¶
Core Features¶
| Capability | Implementation |
|---|---|
| Device-takeover | Full interactive remote control of infected devices |
| Human behavior mimicry | Simulates natural typing delays and variable input speeds during remote sessions |
| Overlay attacks | WebView-based inject screens for credential harvesting |
| Accessibility abuse | Leverages accessibility services for device interaction and data capture |
| Remote control | Real-time device control through screen streaming and command execution |
Human Behavior Mimicry¶
The defining innovation in Herodotus is its approach to evading behavioral biometric anti-fraud systems. Modern banking apps and fraud detection platforms analyze how a user interacts with the device, measuring typing speed, touch pressure patterns, swipe velocity, and input cadence. When a remote-control trojan operates a device, the interaction patterns are typically mechanical: uniform delays between inputs, constant speeds, and perfectly precise tap coordinates. Behavioral biometric systems flag these robotic patterns as anomalous.
ThreatFabric documented how Herodotus addresses this by introducing controlled randomness into its remote control actions:
- Typing is performed character by character with variable delays between keystrokes, mimicking natural human typing rhythm
- Input speed varies across different fields and sessions, avoiding the constant cadence of automated input
- Touch interactions include slight coordinate variations and timing inconsistencies consistent with human imprecision
- Pauses and hesitations are injected between actions to simulate human decision-making
This technique represents an escalation in the arms race between device-takeover malware and behavioral analytics defenses, moving beyond simply controlling a device to controlling it in a way that appears human.
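As an added illustration (not ThreatFabric's analysis code nor anything taken from the Herodotus samples), the following Python scores a constructed stream of input events for the two mechanical traits the passage describes: metronomic inter-keystroke cadence and pixel-perfect tap placement. The event format, the thresholds and both sample sessions are assumptions made for the example.

```python
# Added illustration of a baseline check of the kind behavioural anti-fraud systems
# apply; not ThreatFabric's or any vendor's code. Events are constructed samples:
# (timestamp_ms, dx, dy), with (dx, dy) the touch point's offset from its key centre.
from statistics import mean, pstdev

# Illustrative thresholds (assumptions, not values from any product).
MIN_INTERVAL_CV = 0.15     # interval coefficient of variation below this: metronomic cadence
MAX_TAP_OFFSET_PX = 1.0    # mean offset from key centre below this: pixel-perfect taps


def inter_event_intervals(events):
    """Gaps in ms between consecutive input events."""
    times = [t for t, _, _ in events]
    return [b - a for a, b in zip(times, times[1:])]


def cadence_cv(events):
    """Coefficient of variation of inter-keystroke intervals (0.0 = perfectly uniform)."""
    gaps = inter_event_intervals(events)
    if len(gaps) < 2:
        return None
    mu = mean(gaps)
    return pstdev(gaps) / mu if mu else 0.0


def mean_tap_offset(events):
    """Mean Euclidean distance of each touch from its key centre, in pixels."""
    return mean((dx * dx + dy * dy) ** 0.5 for _, dx, dy in events)


def score_session(events):
    """Return the features and the reasons that make a session look mechanical."""
    cv = cadence_cv(events)
    offset = mean_tap_offset(events)
    reasons = []
    if cv is not None and cv < MIN_INTERVAL_CV:
        reasons.append("uniform keystroke cadence")
    if offset < MAX_TAP_OFFSET_PX:
        reasons.append("pixel-perfect tap placement")
    return {"cadence_cv": cv, "tap_offset_px": offset,
            "mechanical": bool(reasons), "reasons": reasons}


# Constructed sample: automated input every 80 ms, each tap dead-centre on its key.
ROBOTIC_SESSION = [(80 * i, 0.0, 0.0) for i in range(12)]
# Constructed sample: a person typing eight characters with irregular gaps and imprecise taps.
HUMAN_SESSION = [(0, 2.1, -1.4), (140, -3.0, 0.8), (260, 1.2, 2.6), (470, -0.7, -2.2),
                 (610, 3.4, 1.1), (890, -1.9, 0.4), (1010, 0.6, -3.1), (1200, -2.3, 1.7)]
```

Because the mimicry described above is built to push exactly these features into the human range, a check like this is one weak signal for a wider risk model, not a stand-alone verdict.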
Device-Takeover¶
Herodotus provides affiliates with full device-takeover capability, allowing operators to interact with the victim's device as if physically holding it. This enables on-device fraud (ODF) where transactions are initiated from the victim's own device within authenticated banking sessions, bypassing new-device detection and device fingerprinting controls.
Technical Details¶
Brokewell Module Loading¶
The most significant technical finding from ThreatFabric's reverse engineering is the dynamic loading of a Brokewell module. At runtime, Herodotus decrypts and loads a module that shares code and obfuscation patterns with the Brokewell banking trojan. This module provides core banking trojan functionality while Herodotus layers its own innovations, particularly the behavior mimicry system, on top.
Anti-Analysis¶
| Technique | Details |
|---|---|
| Shared obfuscation | Uses obfuscation techniques also found in Brokewell samples |
| Dynamic loading | Core banking module loaded at runtime rather than bundled statically |
| Behavioral evasion | Human mimicry specifically designed to defeat behavioral analytics |
MaaS Infrastructure¶
As a MaaS platform, Herodotus provides affiliates with:
- Builder tools for generating customized APKs
- C2 infrastructure for managing infected devices
- Operator panels for conducting remote sessions
- Inject kits for targeting specific banking applications
Target Regions¶
| Period | Primary Targets |
|---|---|
| October 2025 | Italy, Brazil |
ThreatFabric observed active campaigns in Italy and Brazil at the time of discovery. As a MaaS platform, targeting is expected to expand as additional affiliates adopt the service and launch campaigns in their regions of focus.
Notable Campaigns¶
October 2025: ThreatFabric disclosed Herodotus as a new MaaS banking trojan sold by "K1R0" on underground forums. Active campaigns were identified in Italy and Brazil. The malware's human behavior mimicry during remote control sessions was highlighted as a novel evasion technique targeting behavioral biometric anti-fraud systems. Code analysis revealed connections to Brokewell through shared obfuscation and a dynamically loaded module.
Related Families¶
| Family | Relationship |
|---|---|
| Brokewell | Shares obfuscation techniques and code structures. Herodotus dynamically loads a Brokewell module at runtime, indicating code reuse or licensing from Brokewell's developer. |
| Octo | Comparable MaaS banking trojan with device-takeover capability, though Octo does not implement behavioral mimicry. |