
ERMAC 3.0 MaaS source code leak

Data Leak
Happening score
H score 21
1 unique source, 1 article

Summary

A source-code leak exposed the full ERMAC 3.0 malware-as-a-service stack, including its backend, frontend, exfiltration server, and Android builder panel. That exposure matters because it reveals how the operation is built, managed, and used to move stolen data. It also gives defenders concrete infrastructure details for tracking and disrupting the malware ecosystem.

Timeline

  1. 16.08.2025 13:41 · 1 article · 9mo ago

    ERMAC 3.0 source code leak exposes malware infrastructure

    Initial Disclosure

    Researchers detailed an Android banking trojan called ERMAC 3.0 after obtaining the malware-as-a-service source code from an open directory on 141.164.62[.]236:443. The exposed stack includes a PHP and Laravel backend, a React-based frontend, a Golang exfiltration server, an Android builder panel, and an Android backdoor. The leak also reveals hardcoded JWT secret material, a static admin bearer token, default root credentials, and open account registration on the admin panel. The exposure shows ERMAC 3.0 expanding its form injection and data theft capabilities to target more than 700 banking, shopping, and cryptocurrency applications.