ERMAC V3.0 Banking Trojan Source Code Leak Exposes Full Malware Infrastructure
Summary
The source code and infrastructure of the ERMAC V3.0 Android banking trojan have been leaked, revealing extensive capabilities and vulnerabilities. ERMAC V3.0 targets over 700 financial and cryptocurrency applications, with advanced features including SMS interception, call forwarding, and data theft. The leak exposes significant security flaws in the malware's infrastructure, providing defenders with new insights to disrupt active operations. ERMAC V3.0 is an evolution of earlier malware families, including Cerberus and BlackRock, and is attributed to the threat actor DukeEugene. The leak includes the full source code of the malware-as-a-service (MaaS) offering, detailing its backend, frontend, exfiltration server, and Android builder panel. The source code was discovered in an open directory by Hunt.io researchers in March 2024, revealing critical weaknesses and operational details.
Timeline
- 16.08.2025 13:41 · 2 articles · 1mo ago
  ERMAC V3.0 Source Code and Infrastructure Leaked
  The source code and infrastructure of the ERMAC V3.0 banking trojan have been leaked, revealing extensive capabilities and vulnerabilities. The leak includes the complete source code of the malware-as-a-service (MaaS) offering, detailing its backend, frontend, exfiltration server, and Android builder panel. The malware targets over 700 financial and cryptocurrency applications, with advanced features for data theft and device control. The leak exposes significant security flaws, providing defenders with new insights to disrupt active operations. The source code was discovered in an open directory by Hunt.io researchers in March 2024, revealing critical weaknesses and operational details. The article also traces the evolution of ERMAC from earlier malware families and highlights the advanced capabilities of ERMAC V3.0, including its targeting of over 700 applications and its use of a PHP command-and-control backend, React front-end panel, and Go-based exfiltration server.
  Sources:
  - ERMAC V3.0 Banking Trojan Source Code Leak Exposes Full Malware Infrastructure (thehackernews.com, 16.08.2025 13:41)
  - ERMAC Android malware source code leak exposes banking trojan infrastructure (www.bleepingcomputer.com, 18.08.2025 21:12)
Information Snippets
Sources cited below:
[1] ERMAC V3.0 Banking Trojan Source Code Leak Exposes Full Malware Infrastructure (thehackernews.com, 16.08.2025 13:41)
[2] ERMAC Android malware source code leak exposes banking trojan infrastructure (www.bleepingcomputer.com, 18.08.2025 21:12)
- ERMAC V3.0 targets over 700 banking, shopping, and cryptocurrency applications. First reported: 16.08.2025 13:41; 2 sources, 2 articles [1][2].
- The malware can send SMS, initiate phone calls, and set up call forwarding. First reported: 16.08.2025 13:41; 2 sources, 2 articles [1][2].
- ERMAC V3.0 can capture contact lists, SMS messages, installed apps, and take pictures using the front camera. First reported: 16.08.2025 13:41; 2 sources, 2 articles [1][2].
- The source code leak includes the complete backend, frontend, exfiltration server, and Android builder panel. First reported: 16.08.2025 13:41; 2 sources, 2 articles [1][2].
- The malware's infrastructure includes a PHP and Laravel backend, React-based frontend, Golang exfiltration server, and Android builder panel. First reported: 16.08.2025 13:41; 2 sources, 2 articles [1][2].
- The leak reveals critical weaknesses, such as hardcoded JWT secrets, default root credentials, and open account registration on the admin panel. First reported: 16.08.2025 13:41; 2 sources, 2 articles [1][2].
- ERMAC V3.0 uses AES-CBC encrypted communications and avoids infecting devices in the Commonwealth of Independent States (CIS). First reported: 16.08.2025 13:41; 2 sources, 2 articles [1][2].
- The ERMAC V3.0 source code was discovered in an open directory by Hunt.io researchers in March 2024. First reported: 18.08.2025 21:12; 1 source, 1 article [2].
- ERMAC V3.0 was first documented in September 2021 by ThreatFabric as an evolution of the Cerberus banking trojan. First reported: 18.08.2025 21:12; 1 source, 1 article [2].
- ERMAC V2.0 was spotted by ESET in May 2022, targeting 467 apps and rented to cybercriminals for $5,000 per month. First reported: 18.08.2025 21:12; 1 source, 1 article [2].
- In January 2023, ThreatFabric observed BlackRock promoting a new Android malware tool named Hook, an evolution of ERMAC. First reported: 18.08.2025 21:12; 1 source, 1 article [2].
- ERMAC V3.0 uses a PHP command-and-control (C2) backend, React front-end panel, Go-based exfiltration server, and Kotlin backdoor. First reported: 18.08.2025 21:12; 1 source, 1 article [2].
- ERMAC V3.0 can extract Gmail subjects and messages. First reported: 18.08.2025 21:12; 1 source, 1 article [2].
- ERMAC V3.0 can access files via 'list' and 'download' commands. First reported: 18.08.2025 21:12; 1 source, 1 article [2].
- ERMAC V3.0 can display fake push notifications for deception. First reported: 18.08.2025 21:12; 1 source, 1 article [2].
- ERMAC V3.0 can uninstall itself remotely for evasion. First reported: 18.08.2025 21:12; 1 source, 1 article [2].
- The ERMAC operators had several opsec failures, including hardcoded JWT tokens and default root credentials. First reported: 18.08.2025 21:12; 1 source, 1 article [2].
- The source code leak weakens the malware operation by eroding customer trust and improving threat detection solutions. First reported: 18.08.2025 21:12; 1 source, 1 article [2].
Similar Happenings
Fourth Spyware Campaign Targeting French Apple Users in 2025
Apple has notified French users of a fourth spyware campaign in 2025. The Computer Emergency Response Team of France (CERT-FR) confirmed the alerts on September 3, 2025. The campaign targets individuals based on their status or function, including journalists, lawyers, activists, politicians, and senior officials. The alerts are part of a series of notifications sent throughout the year, with previous alerts on March 5, April 29, and June 25. These alerts indicate that at least one device linked to the users' iCloud accounts may have been compromised in highly-targeted attacks. The campaign follows a previous incident involving a security flaw in WhatsApp (CVE-2025-55177) and an Apple iOS bug (CVE-2025-43300), which were used in zero-click attacks. Apple has been sending these notifications since November 2021. Apple introduced Memory Integrity Enforcement (MIE) in the latest iPhone models to combat memory corruption vulnerabilities.
New HybridPetya Ransomware Exploits UEFI Secure Boot Bypass Vulnerability
A new ransomware variant, HybridPetya, has been discovered. It resembles the Petya/NotPetya malware but includes the ability to bypass UEFI Secure Boot using the CVE-2024-7344 vulnerability. HybridPetya encrypts the Master File Table (MFT) on NTFS-formatted partitions and can compromise modern UEFI-based systems. The ransomware operates through a bootkit and an installer, with the bootkit managing encryption and decryption processes. The ransomware has been observed in samples uploaded to VirusTotal in February 2025, with no evidence of active use in the wild. The vulnerability exploited by HybridPetya was patched in January 2025. The ransomware encrypts the MFT and displays a fake CHKDSK message to deceive victims. It demands a $1,000 ransom in Bitcoin, with a total of $183.32 received between February and May 2025. The ransom note provides an option for victims to enter a decryption key after payment, which triggers the decryption process. The bootkit also recovers legitimate bootloaders from backups created during installation. The ransomware triggers a system crash during bootloader changes, ensuring the bootkit binary is executed upon reboot. HybridPetya may be a research project, proof-of-concept, or early version of a cybercrime tool under limited testing. HybridPetya combines the destructive capabilities of NotPetya, the recoverable encryption functionality of Petya ransomware, and the ability to bypass Secure Boot protections. It can deploy malicious UEFI payloads directly to the EFI System Partition and encrypt the Master File Table (MFT). HybridPetya's ability to install harmful code directly into a computer's UEFI firmware makes it hard for security teams to detect. The emergence of HybridPetya highlights the growing threat from UEFI bootkits that reside at a computer's startup sequence level.
Resurfaced ChillyHell macOS Backdoor Discovered
A new version of the ChillyHell modular backdoor malware targeting macOS has been discovered. The malware, first seen in 2022, was used in attacks against Ukrainian officials and has now resurfaced with updated capabilities. ChillyHell provides remote access, payload delivery, and password brute-forcing. The malware was notarized by Apple in 2021 and has been publicly hosted on Dropbox since then. The malware disguises itself as an executable applet and deploys as a persistent backdoor, capable of retrieving sensitive data and evading detection. It employs multiple persistence mechanisms and can communicate over different protocols. It also features timestamping to cover its tracks. Apple has revoked the notarization of the developer certificates associated with the malware after being notified. ChillyHell is written in C++ and targets Intel architectures. It is attributed to an uncategorized threat cluster dubbed UNC4487, which has been active since at least October 2022. UNC4487 is suspected to be an espionage actor targeting Ukrainian government entities.
Microsoft September 2025 Patch Tuesday fixes 81 vulnerabilities, including two zero-days
Microsoft released updates for 80 vulnerabilities on September 2025 Patch Tuesday. None of these vulnerabilities were zero-days. The updates address eight critical flaws, including five remote code execution vulnerabilities, one information disclosure, and two elevation of privilege vulnerabilities. The vulnerabilities span various categories: 38 elevation of privilege, 2 security feature bypass, 22 remote code execution, 14 information disclosure, 3 denial of service, and 1 spoofing. One zero-day vulnerability was fixed in Windows SMB Server. The updates also include hardening features for SMB Server to mitigate relay attacks, with recommendations for administrators to enable auditing. The patch includes 38 elevation of privilege vulnerabilities, the highest number among all categories. CVE-2025-54918 is an EoP vulnerability in Windows NT LAN Manager (NTLM) marked as critical. CVE-2025-54111 and CVE-2025-54913 are EoP flaws in Windows UI XAML, allowing privilege escalation via phished credentials or malicious Microsoft Store apps. CVE-2025-55232 is an RCE vulnerability in the Microsoft High Performance Compute (HPC) Pack with a CVSS score of 9.8. CVE-2025-54916 is an RCE vulnerability in Windows NTFS that can be triggered by authenticated users. Microsoft's patch update includes recommendations for preparing for the end-of-life of Windows 10 and mandatory multifactor authentication (MFA) for Azure in October 2025.
MostereRAT Malware Campaign Targets Japanese Windows Users
A new malware campaign involving MostereRAT, a banking malware-turned-remote access Trojan (RAT), has been identified. This campaign uses sophisticated evasion techniques, including the use of an obscure programming language, disabling of security tools, and mutual TLS (mTLS) for command-and-control communications to maintain long-term access to compromised systems. The malware targets Microsoft Windows users in Japan, deploying through phishing emails and weaponized Word documents. MostereRAT's capabilities include persistence, privilege escalation, AV evasion, and remote access tool deployment. The campaign highlights the importance of removing local administrator privileges and blocking unapproved remote access tools. The malware's design reflects long-term, strategic, and flexible objectives, with capabilities to extend functionality, deploy additional payloads, and apply evasion techniques. These features point to an intent to maintain persistent control over compromised systems, maximize the utility of victim resources, and retain ongoing access to valuable data.