{
	"id": "4135d979-778e-4fbd-8b8a-b29c1cc378b5",
	"created_at": "2026-04-06T00:13:45.237436Z",
	"updated_at": "2026-04-10T03:30:33.408253Z",
	"deleted_at": null,
	"sha1_hash": "67cbb29acab5a70f665da37b27593a32dabbe551",
	"title": "Attacks Using Cerberus Banking Trojan Surge",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 78729,
	"plain_text": "Attacks Using Cerberus Banking Trojan Surge\r\nBy Chinmay Rautmare\r\nArchived: 2026-04-05 13:27:51 UTC\r\nAccount Takeover Fraud , Cybercrime , Fraud Management \u0026 Cybercrime\r\nRelease of Code on Russian Darknet Forums Leads to Broader Use, Enhancements (@crautmare) • September 18,\r\n2020    \r\nThe code for the Cerberus banking Trojan, named after the mythical three-headed beast, was posted\r\non darknet forums.\r\nThe posting on Russian underground forums of source code for the Android mobile banking Trojan Cerberus has\r\nled to an increase in attacks as well as updates to the malware, the security firm Kaspersky reports.\r\nSee Also: OnDemand | Transform API Security with Unmatched Discovery and Defense\r\n\"We're already seeing an increase in attacks on users since the source code was published,” Kaspesky states. “It’s\r\nnot the first time we’ve seen something like this happen, but this boom of activity since the developers abandoned\r\nthe project is the biggest developing story we’ve tracked for a while.”\r\nThe researchers note that Cerberus' source code was made available for free to premium members of certain\r\nRussian darknet forums. Previously, the Trojan was available as a malware-as-a-service tool.\r\nIn July the malware's development team had a falling out and opted to auction off the source code, Kaspersky\r\nnotes. \"Due to an unclear culmination of factors, the author later decided to publish the project source code for\r\nhttps://www.bankinfosecurity.com/attacks-using-cerberus-banking-trojan-surge-a-15025\r\nPage 1 of 2\n\npremium users on a popular Russian-speaking underground forum,\" the report says.\r\nKaspersky dubbed the free version Cerberus v2.\r\nCode Analysis\r\nThe posting of the source code has led to a surge in attempts steal money from Russian and European consumers\r\nas additional threat actors have taken advantage of the free malware, Kaspersky says. 
Another result has been the\r\nenhancement of the Trojan's capabilities.\r\nThe malware has been upgraded to stealthily send and steal SMS codes as well as use a bank's website as an\r\noverlay to hide malicious domains and steal credentials. Kaspersky found the malware can read text messages that\r\nuse one-time passwords and steal two-factor authentication passcodes - even those using Google Authenticator.\r\n\"Additional capabilities include accessing customer credit card and contact details, the ability to redirect calls or\r\ntamper with mobile functionality via its [remote access Trojan] features and to automatically grant required\r\npermissions as part of its authentication attributes,\" the report says.\r\nIn June, the FBI warned that fraudsters are increasingly using Trojans to target banking customers and disguising\r\nthe malware as legitimate apps, games or other tools (see: FBI Warns Of Increasing Use of Trojans in Banking\r\nApps).\r\nThe bank website overlay is activated when a mobile banking customer launches their banking app. This triggers\r\nthe Trojan and prompts a fake login page that overlays the legitimate app to entice the user to provide their login\r\ninformation, according to the FBI.\r\nHistory of Cerberus\r\nResearchers discovered Cerberus in the summer of 2019. 
In July, Avast uncovered a fake currency converter app\r\nin the official Google Play store that hid the Trojan (see: Cerberus Banking Trojan Targeted Spanish Android\r\nUsers).\r\nThe fake app, \"Calculadora de Moneda,\" appears to have only targeted Android users in Spain, Avast says.\r\nResearchers determined this app managed to bypass security features embedded in the Google Play store that are\r\ndesigned to keep out malware.\r\nGoogle Play has security features designed to scan and block apps that contain malware such as Cerberus, but\r\nresearchers have noted that fraudsters have upped their game when it comes to creating malicious apps that can avoid\r\ndetection (see: Spyware Campaign Leverages Apps in Google Play Store).\r\nSource: https://www.bankinfosecurity.com/attacks-using-cerberus-banking-trojan-surge-a-15025",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bankinfosecurity.com/attacks-using-cerberus-banking-trojan-surge-a-15025"
	],
	"report_names": [
		"attacks-using-cerberus-banking-trojan-surge-a-15025"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434425,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/67cbb29acab5a70f665da37b27593a32dabbe551.pdf",
		"text": "https://archive.orkl.eu/67cbb29acab5a70f665da37b27593a32dabbe551.txt",
		"img": "https://archive.orkl.eu/67cbb29acab5a70f665da37b27593a32dabbe551.jpg"
	}
}