{
	"id": "03ec0037-329f-4e34-92e7-60b406e6f842",
	"created_at": "2026-04-06T00:21:59.265239Z",
	"updated_at": "2026-04-10T13:12:52.602932Z",
	"deleted_at": null,
	"sha1_hash": "6477d96baa2dfe8c9160f6df1d0e86b058ccef75",
	"title": "Cerberus banking Trojan source code released for free to cyberattackers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42946,
	"plain_text": "Cerberus banking Trojan source code released for free to\r\ncyberattackers\r\nArchived: 2026-04-05 17:04:06 UTC\r\nThe source code of the Cerberus banking Trojan has been released as free malware on underground hacking\r\nforums following a failed auction. \r\nSpeaking at Kaspersky NEXT 2020 on Wednesday, Kaspersky cybersecurity researcher Dmitry Galov said that\r\nthe leaked code, distributed under the name Cerberus v2, presents an increased threat for smartphone users and the\r\nbanking sector at large.  \r\nCerberus is a mobile banking Trojan designed for the Google Android operating system. In circulation since at\r\nleast July 2019, the Remote Access Trojan (RAT) is able to conduct covert surveillance, intercept communication,\r\ntamper with device functionality, and steal data including banking credentials by creating overlays on existing\r\nbanking, retail, and social networking apps. \r\nThe malware is able to read text messages that may contain one-time passcodes (OTP) and two-factor\r\nauthentication (2FA) codes, thereby bypassing typical 2FA account protections. OTPs generated through Google\r\nAuthenticator may also be stolen. \r\nIn early July, Avast researchers discovered Cerberus in Google Play, wrapped up and disguised as a legitimate\r\ncurrency converter. It is thought that when the application was submitted to Google for approval, the functions\r\nwere innocent and legitimate -- but once a large user base was established, an update package deployed the Trojan\r\non victim devices. \r\nLater in the same month, Hudson Rock spotted Cerberus going to auction. An advert was posted by the maintainer\r\nof the malware, revealing that the development team was breaking up, and so a new owner was being sought. 
\r\nThe operator set a starting price of $50,000 -- with the aim of generating up to $100,000 -- for the malware's .APK\r\nsource code, client list, servers, and code for administrator panels. The auctioneer claimed that Cerberus generated\r\n$10,000 in revenue per month. \r\nHowever, it seems there were no takers. \r\n\"Despite Cerberus' Russian speaking developers earmarking a new vision for the project in April this year,\r\nauctions for the source code began in late July due to the breakup of the development team,\" Kaspersky says.\r\n\"Due to an unclear culmination of factors, the author later decided to publish the project source code for premium\r\nusers on a popular Russian-speaking underground forum.\"\r\nThe cybersecurity firm says that following the free release of Cerberus source code in the underground, there was\r\nan \"immediate rise\" in mobile app infections across Europe and Russia. Of particular note, Galov says, is that\r\nprevious clients were not encouraged to strike Russian mobile device users -- but the moment the code was\r\nreleased, the attack landscape changed.\r\nWhen Cerberus was offered as Malware-as-a-Service (MaaS), the scope of the threat was contained to attack\r\ngroups able to pay for the code, on subscription from $4,000 for one month to $12,000 for a year. Now the\r\ndeveloper has washed their hands of the project and released the source code for free, we may not only see rising\r\nadoption of Cerberus, but also potentially new variants based on the leaked code in the future. \r\n\"We continue to investigate all found artifacts associated with the code, and will track related activity,\" Galov\r\ncommented. 
\"But, in the meantime, the best form of defense that users can adopt involves aspects of security\r\nhygiene that they should be practicing already across their mobile devices and banking security.\"\r\nSource: https://www.zdnet.com/article/cerberus-banking-trojan-source-code-released-for-free-to-cyberattackers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zdnet.com/article/cerberus-banking-trojan-source-code-released-for-free-to-cyberattackers/"
	],
	"report_names": [
		"cerberus-banking-trojan-source-code-released-for-free-to-cyberattackers"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434919,
	"ts_updated_at": 1775826772,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6477d96baa2dfe8c9160f6df1d0e86b058ccef75.pdf",
		"text": "https://archive.orkl.eu/6477d96baa2dfe8c9160f6df1d0e86b058ccef75.txt",
		"img": "https://archive.orkl.eu/6477d96baa2dfe8c9160f6df1d0e86b058ccef75.jpg"
	}
}