{
	"id": "3bbe03e5-6fbb-4793-a431-5a20239f6ce9",
	"created_at": "2026-04-06T01:32:16.443695Z",
	"updated_at": "2026-04-10T03:21:15.091323Z",
	"deleted_at": null,
	"sha1_hash": "09ccd0af4b62e4ed4aa667cb22ecf1c901d62d07",
	"title": "ERMAC V3.0 Banking Trojan: Full Source Code Leak and Infrastructure Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4023137,
	"plain_text": "ERMAC V3.0 Banking Trojan: Full Source Code Leak and Infrastructure Analysis\r\nPublished: 2025-08-14 · Archived: 2026-04-06 00:40:59 UTC\r\nIn March 2024, Hunt.io discovered and obtained the complete ERMAC V3.0 source code, giving us a rare opportunity to study a live and actively maintained Malware-as-a-Service platform from the inside. Full source code leaks of active and operational threats are uncommon, and this one offers a unique chance for attribution, infrastructure mapping, and identifying exploitable weaknesses.\r\nIts earliest versions were built using the leaked Cerberus source code, and by late 2023, version 2.0 had incorporated large portions of the Hook botnet's codebase. The newly uncovered version 3.0 reveals a significant evolution of the malware, expanding its form injection and data theft capabilities to target more than 700 banking, shopping, and cryptocurrency applications.\r\nThis post examines the backend, frontend panel, exfiltration server, and builder included in the leak, detailing ERMAC's infrastructure, operational techniques, and multiple vulnerabilities that could be leveraged to disrupt its activity.\r\nKey Takeaways\r\nOur analysis of the ERMAC V3.0 leak uncovered technical details, operational weaknesses, and active infrastructure that defenders can use to disrupt ongoing campaigns.\r\nHunt.io obtained the full ERMAC V3.0 source code, including its PHP and Laravel backend, React-based frontend, Golang exfiltration server, and Android builder panel.\r\nThe leak revealed critical weaknesses, such as a hardcoded JWT secret and a static admin bearer token, default root credentials, and open account registration on the admin panel.\r\nVersion 3.0 expands targeting to more than 700 financial, shopping, and cryptocurrency apps, adds new form injection methods, an overhauled C2 panel, a new Android backdoor, and AES-CBC encrypted communications.\r\nAnalysis with HuntSQL linked the leaked files to active ERMAC C2 panels, exfiltration servers, and builder deployments still operating online.\r\nFindings confirm ERMAC's role as a maintained Malware-as-a-Service platform, giving operators flexible control over targeting, encryption keys, and campaign creation.\r\nInitial Discovery\r\nThe investigation began on March 6th, 2024, when our research team, using the AttackCapture™ tool, identified an open directory on 141[.]164[.]62[.]236:443 containing an archive titled Ermac 3.0.zip. This archive held the complete ERMAC V3.0 source code.\r\nhttps://hunt.io/blog/ermac-v3-banking-trojan-source-code-leak\r\nPage 1 of 26\r\nFig 01: Open directory containing ERMAC's source code, discovered by Hunt.io\r\nUpon further analysis, the Ermac 3.0.zip archive was found to contain 5 different directories:\r\nbackend: The ERMAC C2 backend, written in PHP.\r\nfrontend: The ERMAC C2 frontend, written in React.\r\ngolang: A Go binary that configures an HTTP server used in the exfiltration of data.\r\ndocker: Docker configuration files.\r\nbuilder: Source code to the ERMAC 3.0 banking trojan and a panel allowing for compilation and obfuscation of the APK.\r\nBackend C2 Server\r\nLooking into ERMAC's backend source code, we can see it's developed in PHP and uses Laravel as its backend framework. The codebase shares no overlap with the leaked Cerberus source code, implementing different routing, infrastructure logic, and features.\r\nMethod | Route | Auth Required\r\nPOST | /api/v1/sign-in | No\r\nPOST | /api/v1/smartInjections/{sessionId} | No\r\nPOST | /api/v1/smartInjections/session/list | No\r\nPUT | /api/v1/smartInjections/session/{session} | No\r\nGET | /api/v1/getUserInfo | Yes\r\nPOST | /api/v1/injects/getInjectionsList | Yes\r\nPOST | /api/v1/injects/createInjection | Yes\r\nDELETE | /api/v1/injects/deleteInjection | Yes\r\nPOST | /api/v1/injects/{injection}/editInjection | Yes\r\nPOST | /api/v1/sendBotsCommand | Yes\r\nDELETE | /api/v1/deleteBot | Yes\r\nDELETE | /api/v1/deleteAllRemovedApp | Yes\r\nPUT | /api/v1/{bot}/setBotType | Yes\r\nGET | /api/v1/{bot}/commands/getCommandsList | Yes\r\nPUT | /api/v1/{bot}/settings/updateBotSettings | Yes\r\nPUT | /api/v1/{bot}/injects/updateBotInjections | Yes\r\nDELETE | /api/v1/deleteLog | Yes\r\nPUT | /api/v1/editLogComment | Yes\r\nPOST | /api/v1/accounts/getAccountsList | Yes\r\nPOST | /api/v1/accounts/createAccount | Yes\r\nPUT | /api/v1/accounts/{user}/editAccount | Yes\r\nDELETE | /api/v1/accounts/{user}/deleteAccount | Yes\r\nPOST | /api/v1/permissions/getPermissionsList | Yes\r\nPUT | /api/v1/permissions/updatePermission | Yes\r\nPOST | /api/v1/counts/getCounts | Yes\r\nPOST | /api/v1/counts/getStats | Yes\r\nPOST | /api/v1/autoCommands/getAutoCommandsList | Yes\r\nPUT | /api/v1/autoCommands/updateAutoCommand | Yes\r\nPOST | /api/v1/search | Yes\r\nReviewing these routes reveals the scope of control ERMAC operators have over infected devices and stolen data. The ERMAC backend provides operators the ability to manage victim devices and access compromised data, such as SMS logs, stolen accounts, and device data.\r\nERMAC primarily leverages form injects for capturing sensitive data, which is done by serving custom form injects through the public/injects directory.\r\nFig 02: ERMAC's backend directory containing form injects for popular financial apps.\r\nERMAC primarily targets financial applications, with a large focus on mobile banking and cryptocurrency applications, capturing sensitive data such as login credentials or credit card data.\r\nFig 03: Form Inject mimicking a banking app, and its callback function for exfiltrating form data.\r\nERMAC will fetch and inject its own custom HTML page into 700+ different applications, which uses the callback function Android.send_log_injects to exfiltrate form data.\r\nERMAC's backend uses the ermac_session cookie to handle authentication, which allows us to pivot and find other active backends. Using Hunt's SQL search, we are able to find 4 more unique ERMAC C2 servers in the wild:\r\nSELECT * FROM httpv2\r\nWHERE http.headers.bytes.content\r\nLIKE '%ermac_session%'\r\nOutput:\r\nFig 04: ERMAC C2 Servers observed having the ermac_session cookie.\r\nUpon further analysis, ERMAC has three vulnerabilities: a hardcoded JWT token \"h3299xK7gdARLk85rsMyawT7K4yGbxYbkKoJo8gO3lMdl9XwJCKh2tMkdCmeeSeK\", the hardcoded credentials for root with the password changemeplease, and the ability to register an account directly through the API, allowing for full access to the ERMAC admin panel.\r\nFig 05: Hardcoded default credentials for ERMAC\r\nFrontend Panel\r\nTo complement the Backend C2, ERMAC provides a panel for interacting with the backend. ERMAC is observed to have three public versions, with the latest known version being 3.0.\r\nFig 06: ERMAC V3.0 Panel Login\r\nAll ERMAC panels notably have the page title \"ERMAC 3.0 PANEL\", allowing us to find 43[.]160[.]253[.]145 and 91[.]92[.]46[.]12. Upon simplifying this query, we can find an additional IP belonging to an older ERMAC panel: 206[.]123[.]128[.]81.\r\nSELECT * from httpv2\r\nWHERE html.head.title = 'ERMAC 3.0 PANEL'\r\nOutput:\r\nFig 07: Results from searching for hosts with the ermac_session cookie, observed via HuntSQL by Hunt.io\r\nFrom within the panel, operators are able to interact with connected devices by issuing commands or accessing stolen data.\r\nFig 08: ERMAC Panel UI\r\nThis is accompanied by the ability to manage form injects directly through the panel, with the ability to enable or disable targeting of specific applications.\r\nFig 09: Form inject management system with adversaries able to upload and modify targeted applications.\r\nExfiltration Server\r\nERMAC is observed using a second server for exfiltrating stolen data. The exfiltration server is developed in Golang and provides an encrypted HTTP API for receiving exfiltrated data and managing information related to compromised devices.\r\nFig 10: server_go exfiltration binary with the functions and libraries used.\r\nThe usage of a separate server is likely to hide the main C2 panel, with operators able to use isolated servers for exfiltration.\r\nERMAC exfiltration servers are commonly seen using HTTP basic authentication with the following header: Www-Authenticate: Basic realm=\"LOGIN | ERMAC\". By querying Hunt's SQL httpv2 dataset, we were able to identify four more unique exfiltration servers used by ERMAC.\r\nSELECT * FROM httpv2\r\nWHERE http.headers.bytes.content like '%LOGIN | ERMAC%'\r\nOutput:\r\nFig 11: Public ERMAC Exfiltration Servers found with HuntSQL™\r\nERMAC Backdoor\r\nERMAC leverages an Android backdoor developed in Kotlin, which provides control of the compromised device. The Android application supports 71 different languages, and provides operators the ability to configure encryption keys, C2 servers, and the application settings.\r\nFig 12: Sample of ERMAC's main configuration file.\r\nERMAC encrypts all traffic using AES-CBC with PKCS5 padding and the hardcoded nonce \"0123456789abcdef\". All traffic from the C2 server is decrypted using the same server key and nonce.\r\nBefore executing, ERMAC checks the phone carrier to ensure that it's not running in a country within the Commonwealth of Independent States (CIS), a common method used by malware developers within that region to avoid prosecution. This is followed by a check to determine if ERMAC is being run in an emulator. If ERMAC detects either of these to be true, it will uninstall itself and quit.\r\nFig 13: ERMAC Initialization\r\nIf the environment is safe, ERMAC will request elevated permissions so that it can run in the background, access SMS logs, and terminate programs. After ERMAC has installed itself properly, it will send all device information to the exfiltration server and listen for incoming commands.\r\nFig 14: ERMAC Device Provisioning Flow\r\nERMAC supports the following commands:\r\nCommand | Description\r\nsendsms | Sends an SMS message to a specified phone number. Can specify the SIM card.\r\nstartussd | Executes a USSD request (e.g., *100#). Can specify the SIM card.\r\nforwardcall | Sets up call forwarding to a specified number. Can specify the SIM card.\r\npush | Displays a custom push notification with a specified title, text, and icon.\r\ngetcontacts | Steals the user's contact list and sends it to the C2 server.\r\ngetaccounts / logaccounts | Steals a list of registered accounts (e.g., Google) and sends it to the C2.\r\ngetinstallapps | Gets a list of all installed applications and sends it to the C2.\r\ngetsms | Steals all SMS messages from the device and sends them to the C2.\r\nstartinject | Launches a fake overlay (injection) for a target application to steal credentials.\r\nopenurl | Opens a specified URL in the device's default web browser.\r\nsendsmsall | Sends a specified SMS message to every contact in the user's address book.\r\nstartapp | Launches a specified application.\r\nclearcache / clearcash | Attempts to clear the cache of a specified application.\r\ncalling | Initiates a phone call to a specified number.\r\ndeleteapplication | Uninstalls a specified application from the device.\r\nstartadmin | Prompts the user to grant Device Administrator privileges to the malware.\r\nkillme | Removes the malware itself from the device.\r\nupdateinjectandlistapps | Forces an update of the injection list and the list of installed applications.\r\ngmailtitles | Retrieves the subjects of emails from the Gmail app.\r\ngetgmailmessage | Retrieves the content of a specific email from the Gmail app.\r\nfmmanager | With extra \"ls\": Lists files/directories. With extra \"dl\": Downloads a file to the C2.\r\ntakephoto | Takes a picture using the front camera and sends it to the C2 server.\r\nERMAC Builder\r\nThe final component of the ERMAC banking trojan is its web builder, which provides adversaries the ability to configure and create builds for its malware campaigns. The Web Panel allows adversaries to configure the application name, server URL, and a number of other configuration settings for the Android backdoor.\r\nFig 15: ERMAC Builder Panel UI\r\nOn each build, ERMAC uses obfuscapk to obfuscate the Android application, giving it a unique hash and obfuscating class names, strings, manifest properties, and more.\r\nInfrastructure Linkages\r\nWith each component mapped, we pivoted to identifying how these pieces connect in live environments using HuntSQL™ queries.\r\nERMAC uses a number of identifiable signals for its infrastructure. This equips threat hunters with the ability to quickly find core infrastructure belonging to ERMAC with Hunt's SQL search functionality.\r\nERMAC Panel\r\nHuntSQL™ query for finding ERMAC 3.0 C2 Panels based on the HTML header title.\r\nSELECT * from httpv2\r\nWHERE html.head.title = 'ERMAC 3.0 PANEL'\r\nWhy it matters: Panels are the operator's main interface for issuing commands and managing stolen data. Identifying them helps track live infrastructure and block access.\r\nERMAC C2 API\r\nHuntSQL™ query for finding ERMAC 3.0 C2 APIs based on the ermac_session cookie, which is set by default.\r\nSELECT *\r\nFROM httpv2\r\nWHERE http.headers.bytes.content LIKE '%ermac_session%'\r\nWhy it matters: Hosts setting ermac_session are ERMAC backend APIs that handle bot control and data retrieval. Correlating these with panels helps map and confirm active malicious infrastructure.\r\nERMAC Exfiltration Server\r\nHuntSQL™ query for finding ERMAC exfiltration servers behind basic authentication.\r\nSELECT * FROM httpv2\r\nWHERE http.headers.bytes.content LIKE '%LOGIN | ERMAC%'\r\nWhy it matters: These servers receive and store stolen data from infected devices. Blocking egress to them can prevent data exfiltration during an active compromise.\r\nERMAC Builder\r\nHuntSQL™ query for finding ERMAC 3.0 Builder panels based on the HTML header title.\r\nSELECT * from httpv2\r\nWHERE html.head.title = 'ERMAC 3.0 BUILDER'\r\nWhy it matters: Builder panels are used to create and configure new ERMAC APKs. Discovering them provides early warning of upcoming campaigns and distribution activity.\r\nThe queries above allow defenders to locate and monitor live ERMAC infrastructure. The next step is applying this intelligence to defense and disruption efforts.\r\nMitigation Strategies\r\nERMAC targets users of banking, shopping, and other financial applications primarily through web injects. It relies on Android's WebView API to place an overlay on top of legitimate apps, capturing credentials and payment information. Implementing secure Android permissions such as FLAG_SECURE and using code to detect or block overlays can reduce exposure to this technique.\r\nDefenders can also focus on identifying and disrupting ERMAC infrastructure. Regularly scan for active C2 and exfiltration servers, and block Android applications that reference known ERMAC IPs or domains.\r\nAdditional measures include:\r\nMonitoring for unique ERMAC traits such as HTTP headers, hardcoded nonces, and panel titles.\r\nStrengthening mobile apps against overlay attacks through runtime detection and code obfuscation.\r\nRunning proactive threat hunts with Hunt.io's queries to uncover related infrastructure before it is used in campaigns.\r\nWhere possible, share indicators with trusted threat intel networks and coordinate with hosting providers to take down exposed panels and exfiltration servers.\r\nERMAC Android Binary Yara Rule\r\nAs part of these mitigation efforts, the following YARA rule can be deployed to detect ERMAC Android binaries. ERMAC consistently uses the package com.amazon.zzz for its builds. The following YARA rule detects Android APKs containing this string, which serves as a unique identifier for ERMAC. It can be used in malware repositories, sandbox systems, and endpoint scanning solutions to flag potential ERMAC infections.\r\nrule Ermac_v3 {\r\n    meta:\r\n        author = \"@huntio\"\r\n        date = \"2025-08-09\"\r\n        description = \"ERMAC Android Backdoor\"\r\n        version = \"1.0\"\r\n    strings:\r\n        $str0 = \"com.amazon.zzz\" fullword\r\n    condition:\r\n        uint32be(0) == 0x504B0304\r\n        and filesize \u003c 1MB\r\n        and $str0\r\n}\r\nConclusion\r\nHunt.io discovered and obtained the full ERMAC 3.0 source code, giving our team a rare opportunity to examine an active and evolving banking trojan from the inside. The combination of a Laravel-based C2 backend, React control panel, Golang exfiltration service, and obfuscated Android backdoor shows the level of sophistication behind its development. Through this direct access, we identified its expanded targeting across more than 700 financial and cryptocurrency apps, new form injection capabilities, and encryption methods that strengthen its stealth.\r\nOur research also revealed critical weaknesses, including hardcoded credentials, default JWT tokens, and open panel registration. By correlating these flaws with live ERMAC infrastructure, we provide defenders with concrete ways to track, detect, and disrupt active operations. This analysis not only strengthens threat hunting and attribution but also exposes the operational risks of the Malware-as-a-Service model.\r\nMITRE ATT\u0026CK Tactics\r\nThe following MITRE ATT\u0026CK mapping outlines the techniques ERMAC employs across its lifecycle.\r\nTactic | Technique | Sub-Technique | Description\r\nExecution | User Execution | N/A | ERMAC is executed through user interaction.\r\nExecution | Command and Scripting Interpreter | N/A | ERMAC uses WebView components to execute remote JavaScript from its C2 server, for data collection.\r\nPersistence | Scheduled Task/Job | N/A | Uses StartReceiver to schedule callbacks to maintain persistence.\r\nPersistence | Service | N/A | ERMAC uses ActivityManager to ensure the service stays online.\r\nMobile | SMS Control | N/A | Uses Android intents to intercept and control SMS messages.\r\nPrivilege Escalation | Elevated Execution with Prompt | N/A | Requests Device Administrator privileges to lock the screen and prevent uninstallation.\r\nDefense Evasion | Encrypted Channel | N/A | All communication with the C2 server is encrypted using AES, which prevents network-level detection of commands and exfiltrated data.\r\nDefense Evasion | Masquerading | N/A | ERMAC deletes its launcher icon after the first run to hide its presence on the device.\r\nDefense Evasion | Obfuscated Files or Information | N/A | Strings and variable names are obfuscated with Russian text and Base64 encoding to hinder static analysis.\r\nDefense Evasion | Emulator/Sandbox Evasion | N/A | Checks for emulation to prevent analysis.\r\nDefense Evasion | Geofencing | N/A | Blocks [ua][ru][by][tj][uz][tm][az][am][kz][kg][md] from running the malware.\r\nDefense Evasion | Disable or Modify System Firewall | N/A | Using Accessibility Services, ERMAC disables Google Play Protect to reduce the likelihood of being detected and removed.\r\nCredential Access | Input Capture | Keylogging | Includes a keylogger functionality to capture user input across all applications.\r\nCredential Access | Input Capture | GUI Input Capture | Utilizes form injection to capture form data from Android applications.\r\nCredential Access | Access Notifications | N/A | Intercepts incoming SMS messages to steal sensitive information like two-factor authentication (2FA) codes.\r\nDiscovery | Account Discovery | N/A | Gathers a list of all user accounts on the device.\r\nDiscovery | Application Discovery | N/A | Exfiltrates a list of all installed apps.\r\nDiscovery | System Information Discovery | N/A | Collects detailed device information such as OS version, device model, phone number, and SIM details.\r\nCollection | Protected User Data | Contacts List | The malware steals the user's entire contact list.\r\nCollection | Protected User Data | SMS Messages | It reads and exfiltrates the user's existing SMS inbox.\r\nCollection | Data from Local System | N/A | A built-in file manager module allows the attacker to browse the device's file system and download files.\r\nCollection | Video Capture | N/A | It can remotely take photos using the front camera without the user's knowledge.\r\nCommand and Control | Application Layer Protocol | N/A | Communicates with its C2 server over HTTP/S.\r\nCommand and Control | Non-Standard Port | N/A | C2 communication may be obscured by using non-standard ports for exfiltration.\r\nCommand and Control | Fallback Channels | N/A | The malware is configured with a list of backup C2 domains to ensure communication persistence if the primary server fails.\r\nExfiltration | Exfiltration Over C2 Channel | N/A | All collected data, including credentials, contacts, and files, is sent to the attacker using the primary C2 channel.\r\nERMAC 3.0 Indicators of Compromise\r\nNetwork Observables\r\nIP Address | ASN | Behavior | Last Seen\r\n43[.]160[.]253[.]145:80 | AS132203 | ERMAC 3.0 Panel | 2025-08-08\r\n91[.]92[.]46[.]12:80 | AS214196 | ERMAC 3.0 Panel | 2025-07-17\r\n206[.]123[.]128[.]81:80 | AS207184 | ERMAC 1.0-2.0 Panel | N/A\r\n43[.]160[.]253[.]145:8080 | AS132203 | ERMAC Exfiltration Server | 2025-08-08\r\n121[.]127[.]231[.]163:8082 | AS152194 | ERMAC Exfiltration Server | 2025-07-11\r\n121[.]127[.]231[.]198:8082 | AS152194 | ERMAC Exfiltration Server | 2025-07-12\r\n121[.]127[.]231[.]161:8082 | AS152194 | ERMAC Exfiltration Server | 2025-07-12\r\n43[.]160[.]253[.]145:8089 | AS132203 | ERMAC C2 Server | 2025-08-08\r\n172[.]191[.]69[.]182:8089 | AS8075 | ERMAC C2 Server | 2025-07-13\r\n98[.]71[.]173[.]119:8089 | AS8075 | ERMAC C2 Server | 2025-07-25\r\n20[.]162[.]226[.]228:8089 | AS8075 | ERMAC C2 Server | 2025-07-25\r\n141[.]164[.]62[.]236:80 | AS20473 | Open directory with the ERMAC source code. | 2024-03-06\r\n5[.]188[.]33[.]192:443 | AS202422 | Mentioned in the source code, potentially an outdated panel or C2 server. | N/A\r\nHost-Based Observables\r\nFilename | SHA-256 Hash | Behavior\r\nErmac 3.0.zip | 175d4adc5fc0b0d8eb4b7d93b6f9694e4a3089e4ed4c59a2828d0667a9992aaa | ERMAC Source Code\r\nserver_go | 8c81cebbaff9c9cdad69257f50af0f5208a0d5923659b4e0c3319333f9e8d545 | ERMAC compiled exfiltration server\r\nThe full list of ERMAC Form Injects is available in CSV format.\r\nSource: https://hunt.io/blog/ermac-v3-banking-trojan-source-code-leak",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://hunt.io/blog/ermac-v3-banking-trojan-source-code-leak"
	],
	"report_names": [
		"ermac-v3-banking-trojan-source-code-leak"
	],
	"threat_actors": [],
	"ts_created_at": 1775439136,
	"ts_updated_at": 1775791275,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/09ccd0af4b62e4ed4aa667cb22ecf1c901d62d07.pdf",
		"text": "https://archive.orkl.eu/09ccd0af4b62e4ed4aa667cb22ecf1c901d62d07.txt",
		"img": "https://archive.orkl.eu/09ccd0af4b62e4ed4aa667cb22ecf1c901d62d07.jpg"
	}
}