ERMAC V3.0 Banking Trojan: Full Source Code Leak and Infrastructure Analysis
Essential information
- Published: 15/08/2025 05:29
- Modified: 15/08/2025 13:07
- Tags: 2025-08-15 android malware banking trojan c2 backend cerberus encrypted communications ermac exfiltration server form injection hook infrastructure analysis malware-as-a-service source code leak
- Related entities: 1 intrusion set (APT), 10 techniques (MITRE), 3 malware, 1 other
Description
The complete source code for ERMAC V3.0, an advanced banking trojan, was discovered and analyzed, providing rare insight into this active Malware-as-a-Service platform. ERMAC has evolved to target over 700 financial and cryptocurrency apps, employing sophisticated form injection techniques and encrypted communications. The analysis revealed critical vulnerabilities, including hardcoded credentials and default tokens, which could be exploited to disrupt operations. The malware's infrastructure consists of a Laravel-based C2 backend, React control panel, Golang exfiltration service, and an obfuscated Android backdoor. This comprehensive examination exposes the operational risks of the MaaS model and equips defenders with concrete methods to track, detect, and disrupt active ERMAC campaigns.