{
	"id": "03e9e845-dd6f-41aa-ae06-0f700f8b6209",
	"created_at": "2026-04-06T00:22:30.666123Z",
	"updated_at": "2026-04-10T03:20:58.702771Z",
	"deleted_at": null,
	"sha1_hash": "2095e5f83de675bfdd195f30e58d17229bb1902a",
	"title": "ErrorFather's Cerberus: Amplifying Cyber Threats",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2984568,
	"plain_text": "ErrorFather's Cerberus: Amplifying Cyber Threats\r\nPublished: 2024-10-14 · Archived: 2026-04-05 18:02:14 UTC\r\nCyble Uncovers ErrorFather Campaign Utilizing Undetected Cerberus Android Trojan Payload to Target Android Users.\r\nKey Takeaways\r\nCyble Research and Intelligence Labs (CRIL) identified a campaign called “ErrorFather” that utilized an undetected Cerberus Android Banking Trojan payload.\r\nErrorFather employs a sophisticated infection chain involving multiple stages (session-based droppers, native libraries, and encrypted payloads), complicating detection and removal efforts.\r\nThe campaign ramped up in activity in September and October 2024, with more samples and ongoing campaigns suggesting active targeting and scaling by the Threat Actors (TAs) behind the ErrorFather campaign.\r\nThe final payload employs keylogging, overlay attacks, VNC, and a Domain Generation Algorithm (DGA) to perform malicious activities.\r\nErrorFather’s incorporation of a Domain Generation Algorithm (DGA) ensures resilience by enabling dynamic C\u0026C server updates, keeping the malware operational even if primary servers are taken down.\r\nThe campaign highlights how repurposed malware from leaks can continue to pose significant threats years after its original appearance.\r\nOverview\r\nThe Cerberus Android Banking Trojan initially emerged in 2019 and was available for rent on underground forums. It gained notoriety for its ability to target financial and social media apps by exploiting the Accessibility service, using overlay attacks, and incorporating VNC and keylogging features. Its widespread reach made it one of the most well-known banking trojans at the time.\r\nIn 2020, following the leak of Cerberus’ source code, a new variant called “Alien” appeared, leveraging Cerberus’ codebase. Then, in 2021, another banking trojan called “ERMAC” surfaced, also building on Cerberus’ code and targeting over 450 financial and social media apps.\r\nhttps://cyble.com/blog/hidden-in-plain-sight-errorfathers-deadly-deployment-of-cerberus/\r\nPage 1 of 14\r\nAt the beginning of 2024, a new threat known as the Phoenix Android Banking Trojan was discovered. Claiming to be a fresh botnet, Phoenix was found being sold on underground forums. However, it was identified as yet another fork of Cerberus, utilizing its exact source code, whereas Alien and ERMAC had introduced some modifications.\r\nCyble Research and Intelligence Labs (CRIL) recently uncovered several malicious samples posing as Chrome and Play Store apps. These samples use a multi-stage dropper to deploy a banking trojan payload, which was found to be leveraging the Cerberus Banking Trojan.\r\nThe identified sample “0c27ec44ad5333b4440fbe235428ee58f623a878baefe08f2dcdad62ad5ffce7” acts as a first-stage dropper application that drops and installs the final-signed.apk from assets, communicates with a Telegram Bot URL, and sends the device model, brand, and API version.\r\nFigure 1 – First-stage malware connecting to Telegram Bot URL\r\nThe Telegram Bot ID corresponds to the ErrorFather Bot, as shown in the figure below. Given the bot’s name and the recent updates to this variant (covered in the Technical Analysis section), we are referring to this campaign as ErrorFather.\r\nFigure 2 – ErrorFather Telegram bot\r\nWe have identified approximately 15 samples related to the ErrorFather campaign, including session-based droppers and their associated payloads. The first sample was detected in mid-September 2024, followed by a noticeable increase in samples during the first week of October 2024, with an active Command and Control (C\u0026C) server suggesting ongoing campaigns.\r\nFigure 3 – Samples related to the ErrorFather campaign\r\nThe following section provides a technical analysis of the Cerberus malware used by the ErrorFather Campaign.\r\nTechnical Details\r\nMulti-staged dropper\r\nThe primary APK is a session-based dropper that contains a second-stage APK file named “final-signed.apk” within the Assets folder. It uses the Google Play Store icon and employs a session-based installation technique to install the APK from the assets, bypassing restricted settings.\r\nFigure 4 – Session-based dropper\r\nThe second-stage dropper, “final-signed.apk,” has a manifest file that requests dangerous permissions and services, but the code implementation is missing, indicating that the malware is packed. It includes a native file, “libmcfae.so,” which is immediately loaded after installation to decrypt and execute the final payload.\r\nFigure 5 – Second-stage dropper loading native file\r\nThe native file is responsible for handling the final payload. It uses the encrypted file “rbyypivsnw.png,” obtains the AES key and initialization vector (IV), performs decryption, and loads the “decrypted.dex” file at the location /data/data/suds.expend.affiliate.rising/code_cache/, as illustrated in the figure below.\r\nFigure 6 – Third-stage dropper loading final payload\r\nThe decrypted.dex file is the final payload, containing malicious functionalities such as keylogging, overlay attacks, VNC, PII collection, and the use of a Domain Generation Algorithm (DGA) to create a Command and Control (C\u0026C) server. Notably, when submitted to VirusTotal, the decrypted.dex file was not flagged by any antivirus engine.\r\nFigure 7 – Zero detection\r\nLeveraging Cerberus code\r\nBased on the detection count, we initially suspected it to be a fresh banking trojan, but upon deeper analysis of the final payload, we discovered significant code similarities with Cerberus. The TA behind the ErrorFather campaign had modified variable names, used more obfuscation, and reorganized the code, effectively evading detection despite Cerberus being identified in 2019.\r\nFigure 8 – ErrorFather’s shared preference settings containing common keys and following a similar structure as Cerberus\r\nComparing the Cerberus sample and the more recent Phoenix botnet, we noticed changes in this recent variant of Cerberus used in the ErrorFather campaign, particularly in its C\u0026C structure. These differences suggest that the identified sample is a distinct malware variant.\r\nUse of DGA\r\nWe observed the malware retrieving a list of C\u0026C servers using two methods. First, after installation and establishing a connection with the main C\u0026C server, referred to by the TA as “PoisonConnect,” the malware receives a list of four additional C\u0026C servers. It then stores these in the “ConnectGates” shared preferences setting, as shown in the figure below.\r\nFigure 9 – Malware receiving C\u0026C server list\r\nFigure 10 – Received list of C\u0026C servers saved to shared preferences\r\nWe observed a slight variation in the C\u0026C communication. Samples from the ErrorFather campaign solely use RC4 encryption to send a full JSON payload, including the action type. In contrast, earlier Cerberus samples utilized Base64 encoding combined with RC4, with the action type sent unencrypted via separate parameters. The figure below illustrates the C\u0026C communication for both the ErrorFather campaign and the earlier Cerberus samples.\r\nFigure 11 – C\u0026C communication of ErrorFather (left) and earlier Cerberus samples (right)\r\nSecond, the malware incorporates a DGA (Domain Generation Algorithm) that utilizes the Istanbul timezone to obtain the current date and time. It then computes an MD5 hash of that value, passes the digest through SHA-1, and appends one of four extensions: “.click”, “.com”, “.homes”, and “.net”. These generated domains are stored in the same “ConnectGates” setting. The figure below demonstrates the DGA used in the ErrorFather campaign.\r\nFigure 12 – DGA used in the ErrorFather campaign\r\nFigure 13 – DGA code\r\nThe figure below illustrates the malware connecting to domains generated by the DGA when the primary C\u0026C server is unavailable.\r\nFigure 14 – Malware connecting to the domains generated by DGA\r\nIn 2022, Alien was observed similarly implementing a DGA process. However, unlike the ErrorFather campaign, it did not maintain a list of domains, used only the “.xyz” extension, and did not rely on a specific timezone.\r\nActions used by malware\r\nThe TA has renamed the “Actions” to “Types,” as shown in Figure 11. These renamed types indicate the actions performed by the malware and the expected commands from the C\u0026C server. Upon analysis, we observed that the actions carried out by this malware closely resemble those seen in earlier Cerberus variants, with the primary difference being the renaming of action identifiers. Below is a comprehensive list of actions performed by the malware.\r\nType of action | Description\r\ncheckAppList | Sends the list of installed application package names\r\ngetFile | Sends the target application package name to receive the HTML injection file\r\ngetResponse | Retrieves the server’s response, and if it is “ok”, stores the application log in the shared preferences file\r\nPrimeService | Sends key logs of the targeted application\r\ngetBox | Sends SMSs from the infected device\r\nfa2prime | Not implemented\r\nprContact | Sends contacts to the server\r\nlistAppX | Similar to “checkAppList”: the malware stores the list of installed application package names based on a command from the server; otherwise, the list remains empty. It then sends the list of installed application package names using this action name\r\nslService | Sends Accessibility logs\r\nErrorWatch | Sends error logs\r\ndevice_status | Sends device status related to the WebSocket connection\r\nimage | Sends captured images as part of the VNC function\r\ntraverse | Sends accessibility node information\r\nCheckDomain | Sent to a DGA-generated domain to validate the domain\r\nRegisterUser | Registers the device and receives a registration ID, similar to a bot ID\r\nCheckUser | Sends setting information and checks whether the user is registered or not\r\nVNC implementation using MediaProjection\r\nDuring our malware analysis, we identified two keywords related to VNC: “StatusVNC” and “StatusHVNC.” While HVNC implementation is absent in this campaign, it was previously present in the Phoenix botnet, a fork of Cerberus. VNC functionality is implemented using MediaProjection, along with a WebSocket connection to continuously transmit screen images and receive VNC actions from the WebSocket response to interact with the device.\r\nFigure 15 – The VNC WebSocket connection is used to receive commands that trigger actions on the infected device\r\nOverlay Attack\r\nThe overlay technique remains unchanged from the earlier Cerberus variant. The malware first sends the installed application package names list to identify potential targets. Once a target is identified, the server responds with the package names of the target applications. The malware then uses the “getFile” action to retrieve the HTML web injection page, as shown in the figure below.\r\nFigure 16 – Malware sends installed application package names and receives target application\r\nFigure 17 – Receives HTML injection file\r\nWhen the victim interacts with the target application, the malware loads a fake phishing page over the legitimate app. This tricks the victim into entering their login credentials and credit card details on the fraudulent banking overlay page.\r\nFigure 18 – HTML injection page for BBVA bank\r\nThe Cerberus malware used in the ErrorFather campaign can carry out financial fraud through VNC, keylogging, and overlay attacks.\r\nConclusion\r\nThe Cerberus Android Banking Trojan, first identified in 2019, became a prominent tool for financial fraud using VNC, keylogging, and overlay attacks. Following the leak of its source code, various threat actors repurposed the Cerberus code to develop new banking trojans, including Alien, ERMAC, and Phoenix. The ErrorFather campaign is another example of this pattern. While the TA behind ErrorFather has slightly modified the malware, it remains primarily based on the original Cerberus code, making it inappropriate to classify it as entirely new malware.\r\nIn the ErrorFather campaign, the malware uses a multi-stage dropper to deploy its payload and leverages techniques such as VNC, keylogging, and HTML injection for fraudulent purposes. Notably, the campaign utilizes a Telegram bot named “ErrorFather” to communicate with the malware. Despite being an older malware strain, the modified Cerberus used in this campaign has successfully evaded detection by antivirus engines, further highlighting the ongoing risks posed by retooled malware from previous leaks.\r\nThe ErrorFather campaign exemplifies how cybercriminals continue to repurpose and exploit leaked malware source code, underscoring the persistent threat of Cerberus-based attacks even years after the original malware’s discovery.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:\r\nDownload and install software only from official app stores like Google Play Store or the iOS App Store.\r\nUse a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nEnable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.\r\nBe wary of opening any links received via SMS or emails delivered to your phone.\r\nEnsure that Google Play Protect is enabled on Android devices.\r\nBe careful while enabling any permissions.\r\nKeep your devices, operating systems, and applications updated.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique ID | Procedure\r\nInitial Access (TA0027) | Phishing (T1660) | Malware distributed via a phishing site\r\nExecution (TA0041) | Native API (T1575) | Malware uses native code to drop the final payload\r\nDefense Evasion (TA0030) | Masquerading: Match Legitimate Name or Location (T1655.001) | Malware pretends to be the Google Play Update and Chrome application\r\nDefense Evasion (TA0030) | Application Discovery (T1418) | Collects the installed application package name list to identify targets\r\nDefense Evasion (TA0030) | Indicator Removal on Host: Uninstall Malicious Application (T1630.001) | Malware can uninstall itself\r\nDefense Evasion (TA0030) | Input Injection (T1516) | Malware can mimic user interaction, perform clicks and various gestures, and input data\r\nCollection (TA0035) | Input Capture: Keylogging (T1417.001) | Malware can capture keystrokes\r\nDiscovery (TA0032) | Software Discovery (T1418) | Malware collects the installed application package list\r\nDiscovery (TA0032) | System Information Discovery (T1426) | The malware collects basic device information\r\nCollection (TA0035) | Screen Capture (T1513) | Malware can record screen content\r\nCollection (TA0035) | Audio Capture (T1429) | Malware captures audio recordings\r\nCollection (TA0035) | Call Control (T1616) | Malware can make calls\r\nCollection (TA0035) | Protected User Data: Contact List (T1636.003) | Malware steals contacts\r\nCollection (TA0035) | Protected User Data: SMS Messages (T1636.004) | Steals SMSs from the infected device\r\nCommand and Control (TA0037) | Dynamic Resolution: Domain Generation Algorithms (T1637.001) | Malware has implemented a DGA\r\nCommand and Control (TA0037) | Encrypted Channel: Symmetric Cryptography (T1521.001) | Malware uses RC4 for encrypting C\u0026C communication\r\nExfiltration (TA0036) | Exfiltration Over C2 Channel (T1646) | Sends exfiltrated data over the C\u0026C server\r\nIndicators of Compromise (IOCs)\r\nIndicators | Indicator Type | Description\r\n0c27ec44ad5333b4440fbe235428ee58f623a878baefe08f2dcdad62ad5ffce7 | SHA256 | Session-based dropper\r\n9373860987c13cff160251366d2c6eb5cbb3867e | SHA1 | Session-based dropper\r\n0544cc3bcd124e6e3f5200416d073b77 | MD5 | Session-based dropper\r\n880c9f65c5e2007bfed3a2179e64e36854266023a00e1a7066cbcf8ee6c93cbc | SHA256 | Second-stage dropper\r\ncb6f9bcd4b491858583ee9f10b72c0582bf94ab1 | SHA1 | Second-stage dropper\r\nd9763c68ebbfaeef4334cfefc54b322f | MD5 | Second-stage dropper\r\n6c045a521d4d19bd52165ea992e91d338473a70962bcfded9213e592cea27359 | SHA256 | Final undetected Cerberus payload\r\nc7ebf2adfd6482e1eb2c3b05f79cdff5c733c47b | SHA1 | Final undetected Cerberus payload\r\nf9d5b402acee67675f87d33d7d52b364 | MD5 | Final undetected Cerberus payload\r\nhxxp://cmsspain[.homes, hxxp://consulting-service-andro[.ru, hxxp://cmscrocospain[.shop, hxxp://cmsspain[.lol, hxxp://cmsspain[.shop | URL | C\u0026C server\r\nhxxp://elstersecure-plus[.online, hxxps://secure-plus[.online/ElsterSecure[.apk | URL | Distribution and phishing URL\r\nhxxps://api[.telegram[.org/bot7779906180:AAE3uTyuoDX0YpV1DBJyz5zgwvvVg-up4xo/sendMessage?chat_id=5915822121\u0026text= | URL | Telegram bot URL\r\n(15 SHA256 hashes, list omitted) | SHA256 | Malicious first- and second-stage files from the ErrorFather campaign\r\nSource: https://cyble.com/blog/hidden-in-plain-sight-errorfathers-deadly-deployment-of-cerberus/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cyble.com/blog/hidden-in-plain-sight-errorfathers-deadly-deployment-of-cerberus/"
	],
	"report_names": [
		"hidden-in-plain-sight-errorfathers-deadly-deployment-of-cerberus"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434950,
	"ts_updated_at": 1775791258,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2095e5f83de675bfdd195f30e58d17229bb1902a.pdf",
		"text": "https://archive.orkl.eu/2095e5f83de675bfdd195f30e58d17229bb1902a.txt",
		"img": "https://archive.orkl.eu/2095e5f83de675bfdd195f30e58d17229bb1902a.jpg"
	}
}