Researchers from Hunt.io have revealed technical details of ERMAC 3.0, an Android banking Trojan whose source code leak exposed serious flaws in the cybercriminals’ infrastructure. ERMAC 3.0 turned out to be a significant step in the evolution of the malware: it now targets over 700 banking, trading, and cryptocurrency applications, employs new forms of injection, and uses AES-CBC encryption.

Hunt.io reported that the full set of source code was found in an open directory at IP address 141.164.62[.]236:443. It included a PHP/Laravel backend, a React frontend, a Golang exfiltration server, and a builder for producing Android backdoors.
The architecture of the Trojan includes:
- A C2 server that manages infected devices and collects stolen data (SMS, accounts, technical information).
- A front-end panel that allows criminals to interact with devices and manage overlays.
- An exfiltration server for data transfer.
- An ERMAC backdoor written in Kotlin that provides remote control of the device and steals data from it.
- A campaign builder that allows attackers to customize their own versions of the Trojan.
The researchers also found critical vulnerabilities: a hard-coded JWT secret, a static admin token, default root credentials, and open registration in the admin panel. This opens up the possibility of tracking and neutralizing active operations.
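The four infrastructure weaknesses listed above are the kind of thing a code or configuration audit should catch before deployment. The following Python script is an added example, not Hunt.io's tooling and not derived from the leaked ERMAC code: it runs heuristic checks for a hard-coded secret literal, a static admin token compared against a literal, default root credentials, and a registration route with no middleware guard over constructed Laravel-style PHP snippets, and shows that the same checks pass on a hardened variant. The rule names, regexes and sample configuration are assumptions chosen for illustration.

```python
"""Heuristic audit for the four weaknesses named in the article (added example).

Scans PHP/Laravel-style source text line by line. All sample input below is
constructed for this example; it is not the leaked ERMAC source.
"""
import re
from dataclasses import dataclass
from typing import List

# Assumed typical Laravel naming; these patterns are illustrative, not exhaustive.
HARDCODED_SECRET = re.compile(r"""['"](?:jwt_)?secret['"]\s*=>\s*['"][^'"]+['"]""", re.I)
STATIC_ADMIN_TOKEN = re.compile(r"""admin[_-]?token\b.*?===?\s*['"][^'"]+['"]""", re.I)
DEFAULT_ROOT_CREDS = re.compile(
    r"""['"](?:db_)?(?:username|user|password|pass)['"]\s*=>\s*['"](?:root|admin|password|toor)?['"]""", re.I)
REGISTER_ROUTE = re.compile(r"""Route::(?:post|get|any|match)\(\s*['"]/?register['"]""")


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    snippet: str


def audit(source: str) -> List[Finding]:
    """Return one Finding per matching line, in file order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(source.splitlines(), 1):
        text = line.strip()
        if HARDCODED_SECRET.search(line):
            # A literal secret in config means anyone with the source can mint valid tokens.
            findings.append(Finding("HARDCODED_SECRET", line_no, text))
        if STATIC_ADMIN_TOKEN.search(line):
            # Admin token compared against a string literal: unrotatable and leaked with the code.
            findings.append(Finding("STATIC_ADMIN_TOKEN", line_no, text))
        if DEFAULT_ROOT_CREDS.search(line):
            # root/admin/empty credentials left in config.
            findings.append(Finding("DEFAULT_ROOT_CREDENTIALS", line_no, text))
        if REGISTER_ROUTE.search(line) and "middleware(" not in line:
            # Registration route with no middleware on the same line (line-local heuristic:
            # guards applied via route groups elsewhere are not seen).
            findings.append(Finding("OPEN_REGISTRATION", line_no, text))
    return findings


# Constructed weak sample: each of the four weaknesses appears once or twice.
SAMPLE = """<?php
// config/jwt.php (constructed sample, not the leaked code)
return [
    'secret' => 'f00dbabe-hardcoded',
    'ttl' => 60,
];
// app/Http/Middleware/AdminAuth.php (constructed sample)
if ($request->header('X-Admin-Token') === 'static-admin-token-123') { return $next($request); }
// config/database.php (constructed sample)
'username' => 'root',
'password' => 'root',
// routes/web.php (constructed sample)
Route::post('/register', [RegisterController::class, 'store']);
"""

# Constructed hardened sample: secrets from the environment, constant-time token
# comparison against a value loaded elsewhere, and a guarded registration route.
HARDENED = """<?php
return [
    'secret' => env('JWT_SECRET'),
];
if (hash_equals($expected, (string) $request->header('X-Admin-Token'))) { return $next($request); }
'username' => env('DB_USERNAME'),
'password' => env('DB_PASSWORD'),
Route::post('/register', [RegisterController::class, 'store'])->middleware('auth:admin');
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.rule:25} line {f.line_no}: {f.snippet}")
    print("hardened findings:", audit(HARDENED))
```

Run as a script, the weak sample yields five findings (lines 4, 8, 10, 11 and 13) and the hardened sample yields none. The checks are deliberately line-local; a real audit would also resolve route groups and trace where a token value comes from rather than matching a single line.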

ERMAC was first documented in 2021 by ThreatFabric as a derivative of the Cerberus and BlackRock Trojans. Its various generations (including ERMAC 2.0, known as Hook) shared features with other samples — Pegasus and Loot. The main goal has always remained the same: stealing banking and cryptocurrency data through pop-up windows on top of legitimate applications. Attribution leads to a cybercriminal nicknamed DukeEugene, who offered ERMAC in a malware-as-a-service format, providing clients with the infrastructure for mass attacks.
The ERMAC 3.0 code leak was a double whammy: it confirmed the Trojan’s enhanced capabilities, but at the same time exposed the vulnerabilities of the infrastructure. This gives security experts new tools to monitor, detect, and block campaigns. Such leaks can be a strategic advantage in the fight against cybercriminals, who increasingly operate under the “crime-as-a-service” model.