ERMAC V3.0 Banking Trojan: Full Source Code Leak and Infrastructure Analysis
Aug. 15, 2025, 1:07 p.m.
Description
The complete source code for ERMAC V3.0, an advanced banking trojan, was discovered and analyzed, providing rare insight into this active Malware-as-a-Service platform. ERMAC has evolved to target over 700 financial and cryptocurrency apps, employing sophisticated form injection techniques and encrypted communications. The analysis revealed critical vulnerabilities, including hardcoded credentials and default tokens, which could be exploited to disrupt operations. The malware's infrastructure consists of a Laravel-based C2 backend, a React control panel, a Golang exfiltration service, and an obfuscated Android backdoor. This comprehensive examination exposes the operational risks of the MaaS model and equips defenders with concrete methods to track, detect, and disrupt active ERMAC campaigns.
Tags
Date
- Created: Aug. 15, 2025, 5:29 a.m.
- Published: Aug. 15, 2025, 5:29 a.m.
- Modified: Aug. 15, 2025, 1:07 p.m.
Additional Information
- Finance