ERMAC 3.0 source code leak reveals expanding threat


Pierluigi Paganini
August 17, 2025

Hunt.io got ERMAC 3.0’s source code, showing its evolution from Cerberus and Hook, now targeting 700+ banking, shopping, and crypto apps.

Hunt.io cybersecurity researchers obtained the full source code of the Android banking trojan ERMAC 3.0, revealing its evolution from Cerberus and Hook (ERMAC 2.0), targeting 700+ apps.

The researchers also identified weaknesses in its infrastructure that defenders can use to disrupt campaigns.

“Its earliest versions were built using the leaked Cerberus source code, and by late 2023, version 2.0 had incorporated large portions of the Hook botnet’s codebase. The newly uncovered version 3.0 reveals a significant evolution of the malware, expanding its form injection and data theft capabilities to target more than 700 banking, shopping, and cryptocurrency applications.” reads the report published by Hunt.io.

Researchers from ThreatFabric first discovered ERMAC in July 2021; the initial version was almost fully based on the popular banking trojan Cerberus. The source code of Cerberus was released in September 2020 on underground hacking forums after its operators failed to auction it. According to the experts, ERMAC is operated by DukeEugene, the threat actor behind the BlackRock mobile malware.

The leak of the ERMAC 3.0 code exposed flaws like hardcoded secrets, static tokens, and weak credentials. Version 3.0 supports new injection methods, a C2 panel, Android backdoor, and AES-CBC comms, confirming ERMAC as an active MaaS platform.

“ERMAC primarily leverages form injects for capturing sensitive data, which is done by serving custom form injects through the public/injects directory.” continues the post. “ERMAC targets primarily financial applications with a large focus on mobile banking and cryptocurrency applications with it, capturing sensitive data such as login credentials or credit card data.”

[Image: ERMAC 3.0]

Hunt.io discovered the full ERMAC V3.0 source code on an open directory on 141[.]164[.]62[.]236. The leak includes backend (PHP/Laravel C2), frontend (React), Golang exfiltration server, Docker configs, and builder. Analysis showed extensive operator control via form injects targeting 700+ apps, mainly banking and crypto, exfiltrating credentials via Android callbacks. Researchers uncovered multiple vulnerabilities, including a hardcoded JWT, default root credentials, and open registration. Panels and exfil servers remain active, confirming ERMAC as an evolving MaaS platform.

ERMAC 3.0 relies on a Kotlin backdoor that supports 71 languages and encrypts traffic with AES-CBC. The malware does not target systems in CIS regions and avoids running in emulators. The malicious code requests elevated permissions for its execution; it can exfiltrate device data and execute an extensive command set, from stealing SMS and contacts to pushing fake overlays, call forwarding, Gmail theft, file access, and even taking photos. A web-based builder lets operators customize campaigns. Hunt.io mapped its live C2 panels, APIs, and exfil servers via HuntSQL queries, aiding defenders in tracking and disrupting ERMAC’s infrastructure.

“ERMAC targets users of banking, shopping, and other financial applications primarily through web injects. It relies on Android’s WebView API to place an overlay on top of legitimate apps, capturing credentials and payment information. Implementing secure Android permissions such as FLAG_SECURE and using code to detect or block overlays can reduce exposure to this technique.” concludes the report. “Defenders can also focus on identifying and disrupting ERMAC infrastructure. Regularly scan for active C2 and exfiltration servers, and block Android applications that reference known ERMAC IPs or domains.”
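As an added illustration of the two app-side mitigations the report names (this is not code from the Hunt.io report, from ERMAC, or from any real banking app), the Kotlin Activity below sets FLAG_SECURE so the login screen cannot be captured, and rejects touch events that Android delivers while another window is drawn over it, which is how a WebView-based overlay sits on top of a legitimate app. The activity name, layout id and view id are assumed; the helper `touchIsObscured` is a hypothetical name used here so the check can be read in isolation.

```kotlin
// Added example, not code from the report or the malware.
// Assumed: an activity called LoginActivity, a layout R.layout.activity_login
// and an EditText R.id.password in that layout.
import android.os.Bundle
import android.view.MotionEvent
import android.view.WindowManager
import android.widget.EditText
import androidx.appcompat.app.AppCompatActivity

// Pure helper (hypothetical name): true when the touch arrived while the window
// was fully or, on API 29+, partially covered by another window. The framework
// sets these flags on the MotionEvent; an overlay trojan's WebView triggers them.
fun touchIsObscured(flags: Int): Boolean {
    val fully = (flags and MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0
    val partially = (flags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0
    return fully || partially
}

class LoginActivity : AppCompatActivity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        // FLAG_SECURE: excludes this window from screenshots, screen recording
        // and non-secure displays, so captured frames cannot leak the form.
        window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )
        setContentView(R.layout.activity_login)

        // Per-view defence: the framework silently drops touches on this view
        // that were delivered while the window was obscured by another window.
        val password = findViewById<EditText>(R.id.password)
        password.filterTouchesWhenObscured = true
    }

    // Activity-wide defence: refuse every touch that arrives under an overlay,
    // including the partially-obscured case that filterTouchesWhenObscured
    // does not cover. Returning true consumes the event without acting on it.
    override fun dispatchTouchEvent(ev: MotionEvent): Boolean {
        if (touchIsObscured(ev.flags)) {
            // A real app would also log this to its telemetry as a possible
            // overlay attack so that the security team can investigate.
            return true
        }
        return super.dispatchTouchEvent(ev)
    }
}
```

FLAG_WINDOW_IS_PARTIALLY_OBSCURED only exists on Android 10 (API 29) and later; on older devices only the fully-obscured case is reported, which is why both the per-view setting and the activity-level check are kept. Neither measure stops an overlay from being drawn, but they stop the app from acting on input the user entered while something else was covering its screen.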


Pierluigi Paganini

(SecurityAffairs – hacking, ERMAC 3.0)
