{
	"id": "cea9344d-d79f-4481-87aa-30450b28c80d",
	"created_at": "2026-04-06T01:29:16.073994Z",
	"updated_at": "2026-04-10T03:35:19.864422Z",
	"deleted_at": null,
	"sha1_hash": "a14523d9d97a808b11ffdac124006e4c57ee54bc",
	"title": "Cerberus is Dead, Long Live Cerberus?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 256738,
	"plain_text": "Cerberus is Dead, Long Live Cerberus?\r\nBy Gil Ben-Horin\r\nPublished: 2020-11-05 · Archived: 2026-04-06 00:29:23 UTC\r\nExecutive Summary\r\nThis blog provides an overview of the situation surrounding the release of the source code, and supplementary\r\n‘injection’ files, for the Android banking trojan ‘Cerberus’. In addition to the source code for two versions of the\r\nmalicious application along with the control panel being freely available on various underground forums, over two\r\nhundred injection files, those being HTML pages that mimic the look of legitimate Android apps, have been\r\ndistributed and could allow the theft of credentials and/or payment card data.\r\nGiven that the current threat from Cerberus was countered by Google Play Protect, Google’s own Android\r\nantimalware solution, other threat actors may act on comments from Cerberus’ creators to restore the threat, or\r\nsimply use the source code to create, or further develop, their own Android threats.\r\nRecent reports indicate that Cerberus is now targeting Android users in Russia as well as countries within the\r\nCommonwealth of Independent States (CIS), suggesting that some ‘less-patriotic’ threat groups have modified the\r\nsource code and removed these previously defined ‘safe countries’. Other than this activity, no other regions have\r\nbeen specifically identified at increased risk.\r\nAs time elapses and threat actors gain a better understanding of the released code, others may seek to utilize it, or\r\nthe injection pages, in their own threats or campaigns. 
This is especially true given the availability of a Cerberus\r\n‘installation service’, costing just USD 300, that could allow a lower-sophistication threat actor to gain access to a\r\nworking Cerberus control panel with Android application package (APK) builder for a fraction of its former cost.\r\nIntroduction\r\nBelieved to have been in development for some time and used privately for around two years prior to being first\r\nobserved by cybersecurity researchers in June 2019, Cerberus is an Android banking trojan that was available via\r\na malware-as-a-service (MaaS) offering as advertised on underground forums (Figure 1).\r\nFigure 1 – Cerberus advertisement banners (Bottom: Updated for Cerberus V2)\r\nAs is common for threats of this nature, Cerberus supports various capabilities out-of-the-box, such as the ability\r\nto interact with, and steal data from, a compromised device including contacts, SMS interception and call\r\nforwarding, as well as selling addons in the form of ‘injections’ that allow credentials and/or payment card data to\r\nbe stolen from specific legitimate applications.\r\nhttps://cyberint.com/blog/research/cerberus-is-dead-long-live-cerberus/\r\nPage 1 of 14\n\nReportedly earning the creators at least USD 10,000 a month during its peak, notwithstanding any ill-gotten gains\r\nmade from stolen data, the MaaS model used to rent access to Cerberus’ infrastructure was, when not discounted\r\n(Figure 2), available in three packages (USD 4,000 for 3 months, USD 7,000 for 6 months and USD 12,000 for\r\none year of access) in addition to injections reportedly selling for USD 4,000 each.\r\nFigure 2 – Cerberus ‘Winter Sale’\r\nHaving purchased a licence, nefarious users would gain access to the Cerberus control panel which allowed them\r\nto build an Android application package (Figure 3), in the form of an ‘APK’ file ready for distribution to victims,\r\nas well as providing them with the ability to manage their 
compromised devices and access any stolen data\r\n(Figure 4).\r\nFigure 3 – Cerberus APK builder (added to the platform in July 2019)\r\nFigure 4 – Cerberus Control Panel\r\nHaving configured and generated an APK payload file, threat actors would then need to deliver this to victims,\r\nlikely through the use of social engineering tactics and campaigns such as ‘fake media player’ messages shown to\r\nAndroid users visiting a compromised or malicious website (Figure 5), as well as fake mobile apps uploaded to\r\nvarious app stores and even the use of COVID-19 themes during the global pandemic.\r\nFigure 5 – Cerberus distributed via fake Adobe Flash Player (Credit: ESET Research)\r\nReportedly one of the most successful Android banking trojans and MaaS threats of 2019 and into 2020, Cerberus’\r\nreign came to a somewhat abrupt end in August 2020 with the creator citing ‘internal issues’ that prevented\r\nongoing development and undoubtedly contributed to the threat being detected and blocked by Google’s built-in\r\nantimalware protection ‘Google Play Protect’.\r\nAttempted Sale\r\nWhilst still in development as late as 21 July 2020, seemingly the period between 22 and 26 July 2020 saw\r\nCerberus being detected by Google Play Protect and customers taking to the forum to complain about their ‘bots\r\ndropping off’.\r\nIn response to these complaints, ‘Android’, Cerberus’ creator or the group’s spokesperson, suggested on 28 July\r\n2020 that the threat was still operational, albeit requiring the use of a ‘cryptor’ to prevent detection (Figure 6).\r\nFigure 6 – ‘Android’ responding in English, rather than Russian, to various complaints about Cerberus on 28 July\r\n2020\r\nTools known as ‘cryptors’ are often used by malware authors and utilize various encryption routines to thwart the\r\nanalysis of malicious binaries as 
well as obfuscating or modifying their code to evade detection signatures. In this\r\ninstance, it appears that the solution to Cerberus’ problems was not as simple as using a ‘cryptor’, and the group\r\npromptly ceased development, citing ‘internal issues’.\r\nIn addition to the threat group reportedly disbanding, with existing Cerberus infections being inoperable due to\r\ntheir detection, the malware-as-a-service (MaaS) offering, including all source code, installation guides, and setup\r\nscripts along with details of current and prospective customers, was reportedly offered for auction at the end of\r\nJuly 2020 with a starting price of USD 50,000 and a ‘buy-it-now’ price of USD 100,000.\r\nAlthough this appears somewhat steeply priced, a suitably motivated and skilled threat actor could likely have\r\nrecouped their outlay within a year, especially given the reported USD 10,000 monthly earnings; however, given\r\nthat the auction failed to find a buyer, the ‘market’ didn’t agree with this valuation or the viability of Cerberus\r\nfollowing its detection by Google Play Protect.\r\nSource Code Release\r\nFollowing the failed auction attempt, and potentially in an attempt to restore confidence in the group, ‘Android’\r\nposted a message to the ‘XSS[.]is’ forum on 5 August 2020 to confirm that they would be fulfilling any financial\r\ncommitments to existing customers, presumably by refunding them any access payments, and that the source code\r\nwould be made available to the forum’s members (Figure 7).\r\nFigure 7 – Forum post indicating the release of the Cerberus Source Code to members of XSS[.]is\r\nTranslation:\r\nv2 version. Flipper.\r\nSince our team (before that the team) ran this business cleanly, as beautifully as possible, we will finish it\r\nbeautifully.\r\nFor 70% of clients, financial obligations have already been closed. 
The remaining ones are asked to unsubscribe in\r\na PM or Telegram, do not forget to write your Jabber, the license key and the server IP. This is so that I can be sure\r\nthat you are the owner of the license. It is also advisable to attach the APK file.\r\nSources to be torn apart, especially for xss[.]is\r\nCerberus v1 + Cerberus v2 + install scripts + admin panel + sql db\r\nThe source code was seemingly available on various underground forums from around 7 August 2020, and a subsequent post by ‘Android’\r\non the XSS[.]is forum on 10 August 2020 included a cleaned-up archive (Figure 8).\r\nFigure 8 – Cerberus source code release on XSS[.]is\r\nTranslation:\r\nGuys, and wrap-up.\r\nCerberus v1 + Cerberus v2 + install scripts + admin panel + sql db\r\nArchive cleared of garbage.\r\nEverything for those who want to start their own business. Full pack.\r\nIn the header, I replaced the link to it.\r\nFor moderators, please re-upload to other [file sharing services] so that the file will live for a long time.\r\nAnalysis of the source code archive indicates that the directories have modification dates of 5 August 2020,\r\nan archive creation date that aligns with the forum posts, whilst the files, excluding any open-source libraries used, have various modification dates between 31 March 2019 and 21 July 2020, again consistent\r\nwith what is known about Cerberus’ recent development.\r\nNote: For reference, sample file hashes for the released Cerberus source code are provided in Appendix A.\r\nIncluded within the main archive are four main directories:\r\nmoduleBot2 – Java source code and assets for the Cerberus v2 Android payload including build files for\r\nuse with the ‘Gradle’ build automation tool. 
Based on application icons found within the directory\r\nstructure, the threat appears to mimic a ‘Santander’ banking app, but it is understood that this would be\r\ncustomizable when using the ‘builder’ control panel.\r\npanel_v2 – HTML, JavaScript and PHP source code for the server that provides the Cerberus control\r\npanel, APK payload builder and the command and control (C2) call-home ‘gate.php’ script. Notably, the\r\npayload builder takes parameters from the threat actor and then executes the Gradle build automation tool\r\nbefore allowing the payload to be downloaded. Additionally, ‘cryptor’ code appears within this directory\r\nthat could allow payloads to thwart analysis or detection, albeit, based on the Google Play Protect detection,\r\nthis has been countered.\r\nrestapi_v2 – Seemingly allowing interactions between bots and the C2 server/control panel, the REST\r\nAPI directory includes PHP code and provides an insight into the status of a bot, including the relatively\r\nshort period of time that must elapse for it to be considered ‘dead’ (albeit understandable given that most people\r\nwill keep their mobile phone online at all times):\r\n0 – Online (Bot has been visible within the last 2 minutes);\r\n1 – Offline (Bot has been visible within the last 40 hours but not the last 2 minutes);\r\n2 – Dead (Bot has not been seen within the last 40 hours);\r\nsource_mmm – Java source code and assets for the Cerberus v1 Android payload, again including build\r\nfiles for use with the ‘Gradle’ build automation tool.\r\nFurthermore, a SQL dump file is included within the archive and provides an insight into the backend\r\ndatabase behind the Cerberus control panel. 
In addition to this database backup detailing the data stored on\r\nbots and compromised hosts, base64-encoded ‘injects’ are included that steal credentials or\r\npayment card data by mimicking the following Android applications:\r\nConnect for Hotmail \u0026 Outlook ( com.connectivityapps.hotmail )\r\nGmail ( com.google.android.gm )\r\nImo ( com.imo.android.imoim )\r\nInstagram ( com.instagram.android )\r\nmail.com Mail ( com.mail.mobile.android.mail )\r\nMicrosoft Outlook ( com.microsoft.office.outlook )\r\nSnapchat ( com.snapchat.android )\r\nTelegram ( org.telegram.messenger )\r\nTwitter ( com.twitter.android )\r\nUber ( com.ubercab )\r\nViber Messenger ( com.viber.voip )\r\nWeChat ( com.tencent.mm )\r\nWhatsApp Messenger ( com.whatsapp )\r\nYahoo Mail ( com.yahoo.mobile.client.android.mail )\r\nCurrent Capabilities\r\nWhilst the immediate threat from Cerberus has been countered by Google Play Protect, the release of the source\r\ncode provides other threat actors with the ability to analyse and understand how Cerberus’ modular capabilities\r\nwere implemented, potentially allowing others to extend them or reuse the code in other Android threats.\r\nAs is to be expected of a successful Android threat, Cerberus claims to work on devices using Android 5 or later\r\nand, having gained ‘accessibility’ permissions, can automatically grant additional permissions to itself, including:\r\nandroid.permission.INTERNET ;\r\nandroid.permission.CALL_PHONE ;\r\nandroid.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS ;\r\nandroid.permission.RECEIVE_BOOT_COMPLETED ;\r\nandroid.permission.READ_PHONE_STATE ;\r\nandroid.permission.REQUEST_DELETE_PACKAGES ;\r\nandroid.permission.RECEIVE_SMS ;\r\nandroid.permission.READ_SMS ;\r\nandroid.permission.SEND_SMS ;\r\nandroid.permission.READ_CONTACTS ;\r\nandroid.permission.WAKE_LOCK ;\r\nGiven these permissions, many capabilities can be 
identified, such as those that are consistent with a remote\r\naccess trojan gaining access to, and control over, the device:\r\nScreenshot and audio recording;\r\nKeylogging from within applications;\r\nAccess and exfiltrate contacts;\r\nDevice location tracking;\r\nApplication download, execution and removal;\r\nDevice lock;\r\nMute all device sound and disable vibrate alerts;\r\nAdditionally, specific banking trojan capabilities provide the means to gather credentials and payment card data as\r\nwell as thwarting additional security measures such as one-time passwords, multi-factor authentication and voice\r\ncalls:\r\nAccess, send, receive and delete SMS (ideal for capturing one-time passwords);\r\nCall forwarding (potentially allowing the interception of voice calls);\r\nCredential and payment card data theft through application injections;\r\nLocal installation and automatic (timed) enabling of injections to allow operation with limited network\r\ncoverage;\r\nTheft of multi-factor authentication codes from Google Authenticator;\r\nIn an attempt to evade security controls and thwart analysis, Cerberus implemented anti-emulator code to ensure\r\nthat it was only executed on a valid physical device, attempted to disable Google Play Protect, albeit until its\r\ndetection, and provided a self-destruct mechanism to remove traces of the bot to prevent post-incident analysis.\r\nFinally, command and control (C2) traffic is RC4-encrypted with a random key and base64-encoded.\r\n‘Call home’ communications also include useful data about the device, which is viewable within the\r\ncontrol panel:\r\nAndroid operating system version;\r\nBattery status;\r\nDevice manufacturer/model;\r\nIP address;\r\nNetwork operator;\r\nTelephone number;\r\nSystem locale (Country and language);\r\nScreen status (Locked or Unlocked);\r\nGoogle Play Protect status;\r\nSMS intercept 
status;\r\nAvailability of bank, card and email credentials/data;\r\nInfection date and bot up-time;\r\nTelephone activity, used to determine if it is an emulator;\r\nFeatures: hide SMS, lock device, mute sound, keylogger, injection\r\nInjections\r\nCerberus makes use of ‘injections’ to target legitimate applications, including those related to banking, email,\r\nmessaging, retail and social media, with pages that mimic the targeted application interface and prompt for\r\ncredentials and/or payment card details from the victim (Figure 9).\r\nFigure 9 – Example ‘injects’ mimicking legitimate application interfaces\r\nThese HTML-based injects are provided as a single file asset, allowing them to be easily stored within the\r\ncommand and control (C2) database and distributed to victim devices, integrating cascading style sheets (CSS) to\r\nensure the layout is consistent with the targeted application as well as embedding base64-encoded images (Figure\r\n10).\r\nFigure 10 – Example embedded base64-encoded PNG image within the inject HTML file\r\nOnce deployed, a victim would be presented with the inject when attempting to access a targeted application and,\r\nassuming they fall for the ruse, the data entered is inserted into a JSON data structure ready for exfiltration by\r\nCerberus to the C2 infrastructure.\r\nSeemingly a ‘starter kit’ was offered by Cerberus with a handful of injections to target Italy, France, Turkey and\r\nthe United States, whilst additional injections could be purchased (Figure 11).\r\nFigure 11 – Cerberus ‘Tweet’ indicating the sale of injects\r\nNotably, in addition to base64-encoded injects embedded within the SQL dump file distributed with the Cerberus\r\ncontrol panel source code, archives of this recent release distributed on underground forums include over 200\r\nadditional inject files potentially 
including some that would have previously been charged for.\r\nNote: For reference, a full list of the injects distributed with the Cerberus source code is provided in Appendix B.\r\nGiven that these inject files mimic many current mobile applications, the release of this large set could allow other\r\nmalware authors to incorporate them into their own mobile threats as well as being of use to any threat actor that\r\ncan make use of, or further develop, the Cerberus source code.\r\nPotential Future Developments\r\nIncreased Targeting\r\nAs is common with cybercrime threats originating from Russia or countries within the Commonwealth of\r\nIndependent States (CIS), threat actors only target victims in other countries, as confirmed by a string variable\r\nwithin Cerberus’ source code containing a safe list of country codes:\r\npublic String strCIS = \"[ua][ru][by][tj][uz][tm][az][am][kz][kg][md]\";\r\nSince the public release of Cerberus’ source code, other seemingly less-patriotic threat actors have removed or\r\nmodified this restriction and there is now reportedly an increase in victims within Russia and CIS countries.\r\nAside from this shift in targeting, no other region has been identified as suffering from increased attacks although,\r\nwith time, other threat actors may seek to leverage their access to the source code and potentially launch attacks in\r\nregions where Android devices are prevalent whilst less likely to be protected by current versions of Google Play\r\nProtect.\r\nVariants\r\nIn addition to threat actors taking the Cerberus source code ‘as-is’ and attempting to launch their own campaigns,\r\nespecially given that an ‘enterprising’ user on the XSS[.]is forum is offering an installation service for just USD\r\n300 (Figure 12), others may seek to build upon the existing code or create their own variants to resolve the issues\r\nthat caused Google 
Play Protect to detect the threat.\r\nFigure 12 – XSS[.]is forum member offering proof of their Cerberus install service\r\nOne such example that has been reported as a variant of Cerberus is a threat dubbed ‘Alien’, although the\r\ncreators of both Alien and Cerberus have denied any link between the two.\r\nThe post denying this link also gives two suggestions to counter Google Play Protect’s ability to scan application\r\nresources, providing any would-be successor with the information needed to resolve Cerberus’ issues (Figure 13).\r\nFigure 13 – Denial of link to ‘Alien’ and Cerberus ‘solution’ proposals\r\nTranslation:\r\nAlien is based entirely on Anubis.\r\nOur bot died due to one problem: the play-protection started scanning the resources of the APK file.\r\nInitially, Cerberus was developed as a modular bot, loading malicious code into resources, and at that time Play\r\nProtect was unable to scan application resources.\r\nAt the moment, our module has signatures, and bots “die” when it is loaded. The solution is to remove the module\r\nfrom the code and encrypt the entire APK, but then the size of the APK will be very large.\r\nSolution number two: encrypt the module.\r\nWhy didn’t we do it?\r\nWe had one module for all clients, and since the team was crumbling, it was not possible to find new programmers\r\nwho would make their own module for each client individually.\r\nAs a result, our clients could not encrypt the module for themselves. We encrypted the module 5 times, and each\r\ncrypt fell the next day according to the signatures, and in the end our hands dropped, since this is not a solution to\r\nthe problem.\r\nWhilst it is likely only a matter of time before a suitably skilled nefarious developer resolves the issues with\r\nCerberus, the release of the source code will undoubtedly assist the Google Play Protect team in creating\r\ncountermeasures. 
That being said, organizations should still encourage their users to be cautious, and individuals should themselves be\r\ncautious, whenever prompted to install Android packages (APK) from unverified sources, be that via a browser pop-up, an email or a third-party app marketplace.\r\nAppendix A – Samples\r\nThe following SHA-256 file hashes relate to the leaked files, as observed on multiple underground forums, and\r\nmay prove beneficial to security professionals wishing to perform their own analysis of the threat:\r\nInitial source code release (cerberus_full_package.7z):\r\n2ba17fabce13866b6f161250f00d85e14fefc6334dc1bdd881bb71ba41a69d80\r\n‘Cleaned-up’ source code release (CERBERUS_V2.zip):\r\n733fc478acd6ef668f88131f505921fddc88e9a207e5ee304b37babf0b8a553d\r\nInjections collection (injects.zip):\r\n856ea6fd89f431274335614e91fdd83a99aaa3243395a28d7e55307a04090923\r\nBundle containing the above, released on ‘Alphazine[.]ru’ (cerberus.zip):\r\nbeabdc7eedea45771c11e2319f810035fdbf67e725b593a80ef54438ee3731f5\r\nGiven the current status of Cerberus, indicators of compromise (IOC) related to past Cerberus threats are\r\nsomewhat redundant, although the command and control (C2) Tor hidden service still appears to be accessible via\r\ncerberesfgqzqou7.onion (Figure 14).\r\nFigure 14 – Cerberus control panel Tor hidden service\r\nAdditionally, the following HTTP command and control (C2) communication strings were observed within the\r\nsource code and may appear in derivative works:\r\naction=getinj\u0026data= ;\r\naction=injcheck\u0026data= ;\r\naction=botcheck\u0026data= ;\r\n||no|| ;\r\naction=registration\u0026data= ;\r\naction=sendInjectLogs\u0026data= ;\r\naction=sendSmsLogs\u0026data= ;\r\naction=timeInject\u0026data= ;\r\naction=sendKeylogger\u0026data= ;\r\naction=getModule\u0026data= ;\r\naction=checkAP\u0026data= ;\r\nAppendix B – Injections\r\nInjection files have been provided alongside the Cerberus source code and target the following legitimate Android\r\napplications:\r\nABANCA Empresas com.abanca.bancaempresas\r\nABANCA Banca Móvil es.caixagalicia.activamovil\r\nABN AMRO Mobiel Bankieren com.abnamro.nl.mobile.payments\r\nAkbank com.akbank.android.apps.akbank_direkt\r\nAllegro pl.allegro\r\nAmazon Shopping com.amazon.mShop.android.shopping\r\nASB Mobile Banking nz.co.asb.asbmobile\r\nBanca Digital Liberbank es.liberbank.cajasturapp\r\nBanca Móvil Laboral Kutxa com.tecnocom.cajalaboral\r\nBanca MPS copergmps.rt.pf.android.sp.bmps\r\nBanca Transilvania ro.btrl.mobile\r\nBanco Caixa Geral España es.caixageral.caixageralapp\r\nBanco Itaú Empresas com.itau.empresas\r\nBanco Sabadell net.inverline.bancosabadell.officelocator.android\r\nBank Austria MobileBanking com.bankaustria.android.olb\r\nBank Hapoalim (בנק הפועלים) com.ideomobile.hapoalim\r\nBank Millennium wit.android.bcpBankingApp.millenniumPL\r\nBank Millennium for Companies pl.millennium.corpApp\r\nBank of America Mobile Banking com.infonow.bofa\r\nBank of Melbourne Mobile Banking org.bom.bank\r\nBankia es.cm.android\r\nBankinter Móvil com.bankinter.launcher\r\nBankSA Mobile Banking org.banksa.bank\r\nBanque com.caisseepargne.android.mobilebanking\r\nBanque Populaire fr.banquepopulaire.cyberplus\r\nBanque pour tablettes Android com.caisse.epargne.android.tablette\r\nBarclays com.barclays.android.barclaysmobilebanking\r\nBarclays Kenya com.barclays.ke.mobile.android.ui\r\nBBVA Net Cash com.bbva.netcash\r\nBBVA Spain com.bbva.bbvacontigo\r\nBEA (東亞銀行) com.mtel.androidbea\r\nBendigo Bank com.bendigobank.mobile\r\nBHIM UPI, Money Transfer, Recharge \u0026 Bill Payment com.mobikwik_new\r\nBi en Línea 
gt.com.bi.bienlinea\r\nBill Payment \u0026 Recharge,Wallet com.oxigen.oxigenwallet\r\nBinance com.binance.dev\r\nbitbank cc.bitbank.bitbank\r\nBitcoin Wallet Coincheck jp.coincheck.android\r\nBlockchain Wallet piuk.blockchain.android\r\nBMO Mobile Banking com.bmo.mobile\r\nBNL it.bnl.apps.banking\r\nBNP Paribas GOMobile com.finanteq.finance.bgz\r\nBOCHK com.bochk.com\r\nBOQ Mobile com.bankofqueensland.boq\r\nBoursorama Banque com.boursorama.android.clients\r\nBPI APP pt.bancobpi.mobile.fiabilizacao\r\nBPS Mobilnie pl.bps.bankowoscmobilna\r\nBusinessPro Lite pl.bph\r\nCA24 Mobile com.finanteq.finance.ca\r\nCaixaBank es.lacaixa.mobile.android.newwapicon\r\nCaixadirecta cgd.pt.caixadirectaparticulares\r\nCajalnet es.ceca.cajalnet\r\nCajasur com.cajasur.android\r\nCapital One® Mobile com.konylabs.capitalone\r\nCarige Mobile it.carige\r\nCarrefour Finance be.fimaser.smartphone\r\nCeneo pl.ceneo\r\nCEPTETEB com.teb\r\nChase Mobile com.chase.sig.android\r\nCIBC Mobile Banking com.cibc.android.mobi\r\nCIC com.cic_prod.bad\r\nCiti Handlowy com.konylabs.cbplpat\r\nCMSO my bank com.arkea.android.application.cmso2\r\nCoinbase Wallet — Crypto Wallet \u0026 DApp Browser org.toshi\r\ncomdirect mobile App de.comdirect.android\r\nCommBank com.commbank.netbank\r\nCommerzbank Banking de.commerzbanking.mobil\r\nConnect for Hotmail \u0026 Outlook com.connectivityapps.hotmail\r\nConsorsbank de.consorsbank\r\nCredem com.CredemMobile\r\nCrédit du Nord pour Mobile com.ocito.cdn.activity.creditdunord\r\nCrédit Mutuel com.cm_prod.bad\r\nCrédit Mutuel de Bretagne com.arkea.android.application.cmb\r\nČSOB Smartbanking cz.csob.smartbanking\r\nCUA Mobile Banking au.com.cua.mb\r\nDB Pay com.db.pbc.DBPay\r\nDeutsche Bank Mobile com.db.pwcc.dbmobile\r\nDiscount Bank com.ideomobile.discount\r\nDiscover Mobile com.discoverfinancial.mobile\r\nDKB-Banking de.dkb.portalapp\r\nEmpik com.empik.empikapp\r\nEmpik 
Foto com.empik.empikfoto\r\nEnpara.com Cep Şubesi finansbank.enpara\r\neurobank mobile 2.0 pl.eurobank2\r\nEVO Banco móvil es.evobanco.bancamovil\r\nFifth Third Mobile Banking com.clairmail.fth\r\nFortuneo, mes comptes banque \u0026 bourse en ligne com.fortuneo.android\r\nGaranti BBVA Mobile com.garanti.cepsubesi\r\nGetin Mobile com.getingroup.mobilebanking\r\nGmail com.google.android.gm\r\nGMO Wallet com.gmowallet.mobilewallet\r\nGrupo Cajamar com.grupocajamar.wefferent\r\nHalifax Mobile Banking com.grppl.android.shell.halifax\r\nHalkbank Mobil com.tmobtech.halkbank\r\nHSBC Mobile Banking com.htsu.hsbcpersonalbanking\r\nHVB Mobile Banking eu.unicreditgroup.hvbapptan\r\nIbercaja es.ibercaja.ibercajaapp\r\niBiznes24 mobile pl.bzwbk.ibiznes24\r\niBOSStoken hr.asseco.android.mtoken.bos\r\nIDBI Bank GO Mobile+ com.snapwork.IDBI\r\nIdea Bank PL pl.ideabank.mobilebanking\r\nIKO pl.pkobp.iko\r\nImagin com.imaginbank.app\r\nimo free video calls and chat com.imo.android.imoim\r\niMobile by ICICI Bank com.csam.icici.bank.imobile\r\nING Banking to go de.ingdiba.bankingapp\r\nING Business com.comarch.security.mobilebanking\r\nING España www.ingdirect.nativeframe\r\nING Italia it.ingdirect.app\r\nInstagram com.instagram.android\r\nIntesa Sanpaolo Mobile com.latuabancaperandroid_2\r\nIntesa Sanpaolo Mobile com.latuabancaperandroid\r\niPKO biznes pl.pkobp.ipkobiznes\r\nİşCep com.pozitron.iscep\r\nKraken Pro com.kraken.trade\r\nKutxabank com.kutxabank.android\r\nKuveyt Türk com.kuveytturk.mobil\r\nL’Appli Société Générale mobi.societegenerale.mobile.lappli\r\nLa Mia Banca com.db.pbc.miabanca\r\nLa Poste fr.laposte.lapostemobile\r\nLeumi (לאומי) com.leumi.leumiwallet\r\nLiquid by Quoine com.quoine.quoinex.light\r\nLloyds Bank Mobile Banking com.grppl.android.shell.CMBlloydsTSB73\r\nMa Banque fr.creditagricole.androidapp\r\nmail.com mail com.mail.mobile.android.mail\r\nmBank PL 
pl.mbank\r\nMes Comptes fr.lcl.android.customerarea\r\nMes Comptes BNP Paribas net.bnpparibas.mescomptes\r\nMi Banco db com.db.pbc.mibanco\r\nMi Banco Mobile com.popular.android.mibanco\r\nMicrosoft Outlook com.microsoft.office.outlook\r\nMizrahi Bank (מזרחי טפחות) com.MizrahiTefahot.nh\r\nMobile Banking UniCredit com.unicredit\r\nMobile BiznesPl@net com.comarch.mobile.banking.bgzbnpparibas.biznes\r\nMobilni Banka eu.inmite.prj.kb.mobilbank\r\nMobilny Portfel pl.raiffeisen.nfc\r\nMój Orange pl.orange.mojeorange\r\nMoje ING mobile pl.ing.mojeing\r\nmyAT\u0026T com.att.myWireless\r\nN26 Mobile Banking de.number26.android\r\nNAB Mobile Banking au.com.nab.mobile\r\nNBapp Spain com.indra.itecban.mobile.novobanco\r\nNest Bank nowy pl.nestbank.nestbank\r\nNETELLER com.moneybookers.skrillpayments.neteller\r\nnorisbank App com.db.mm.norisbank\r\nOney France fr.oney.mobile.mescomptes\r\nOpenbank es.openbank.mobile\r\nPapara com.mobillium.papara\r\nPayPal Mobile Cash com.paypal.android.p2pmobile\r\nPekao24Makler eu.eleader.mobilebanking.pekao\r\nPekaoBiznes24 eu.eleader.mobilebanking.pekao.firm\r\nPeoPay softax.pekao.powerpay\r\nPeople’s Choice Credit Union com.fusion.ATMLocator\r\nPibank es.pibank.customers\r\nplusbank24 eu.eleader.mobilebanking.invest\r\nPocket Bank ma.gbp.pocketbank\r\nPostbank Finanzassistent de.postbank.finanzassistent\r\nPostepay posteitaliane.posteapp.apppostepay\r\nQNB Finansbank Mobile Banking com.finansbank.mobile.cepsube\r\nRaiffeisen ELBA com.isis_papyrus.raiffeisen_pay_eyewdg\r\nRaiffeisen Smart Mobile com.advantage.RaiffeisenBank\r\nRakuten Bank (楽天銀行) jp.co.rakuten_bank.rakutenbank\r\nRBC Mobile com.rbc.mobile.android\r\nReport com.cajasiete.android.cajasietereport\r\nRossmann PL pl.com.rossmann.centauros\r\nruralvía com.rsi\r\nSantander es.bancosantander.apps\r\nSantander Banking de.santander.presentation\r\nSantander Empresas 
es.bancosantander.empresas\r\nSantander mobile pl.bzwbk.bzwbk24\r\nScotiaMóvil net.garagecoders.e_llavescotiainfo\r\nSCRIGNOapp it.popso.SCRIGNOapp\r\nSecureApp netbank de.adesso_mobile.secureapp.netbank\r\nŞEKER MOBİL ŞUBE tr.com.sekerbilisim.mbank\r\nSkrill com.moneybookers.skrillpayments\r\nSmart Mobile Banking it.gruppobper.ams.android.bper\r\nSnapchat com.snapchat.android\r\nSparkasse Ihre mobile Filiale com.starfinanz.smob.android.sfinanzstatus\r\nSt.George Mobile Banking org.stgeorge.bank\r\nSumishin SBI Net Bank (住信SBIネット銀行) jp.co.netbk\r\nSuncorp Bank au.com.suncorp.SuncorpBank\r\nSunTrust Mobile App com.suntrust.mobilebanking\r\nTARGOBANK Mobile Banking com.targo_prod.bad\r\nTelegram org.telegram.messenger\r\nThe International Bank (הבנק הבינלאומי) com.fibi.nativeapp\r\nTouch 24 Banking BCR at.spardat.bcrmobile\r\nTriodos Bank com.indra.itecban.triodosbank.mobile.banking\r\nTwitter com.twitter.android\r\nU.S. 
Bank com.usbank.mobilebanking\r\nUber com.ubercab\r\nUBI Banca it.nogood.container\r\nUnicajaMovil es.univia.unicajamovil\r\nUnion Bank (בנק אגוד) com.unionBank.app\r\nUnion Bank Mobile Banking com.unionbank.ecommerce.mobile.android\r\nUSAA Mobile com.usaa.mobile.android.usaa\r\nUsługi Bankowe alior.bankingapp.android\r\nVakıfBank Mobil Bankacılık com.vakifbank.mobile\r\nViber Messenger com.viber.voip\r\nVolksbank house banking at.volksbank.volksbankmobile\r\nVR Banking Classic de.fiducia.smartphone.android.banking.vr\r\nWeChat com.tencent.mm\r\nWells Fargo Mobile com.wf.wellsfargomobile\r\nWestern Union ES com.westernunion.moneytransferr3app.es\r\nWhatsApp Messenger com.whatsapp\r\nYahav Bank (בנק יהב) il.co.yahav.mobbanking\r\nYahoo Mail com.yahoo.mobile.client.android.mail\r\nYapı Kredi Mobile com.ykb.android\r\nYono Lite SBI com.sbi.SBIFreedomPlus\r\nYouApp com.lynxspa.bancopopolare\r\nZiraat Mobile com.ziraat.ziraatmobil\r\nSource: https://cyberint.com/blog/research/cerberus-is-dead-long-live-cerberus/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cyberint.com/blog/research/cerberus-is-dead-long-live-cerberus/"
	],
	"report_names": [
		"cerberus-is-dead-long-live-cerberus"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8309f9cf-9abb-4ce3-aa1e-cda7d7f5c1b3",
			"created_at": "2022-10-25T16:07:23.729215Z",
			"updated_at": "2026-04-10T02:00:04.729076Z",
			"deleted_at": null,
			"main_name": "Indra",
			"aliases": [],
			"source_name": "ETDA:Indra",
			"tools": [
				"Stardust"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8d28f58b-5ea2-4450-a74a-4a1e39caba6e",
			"created_at": "2026-03-16T02:02:50.582318Z",
			"updated_at": "2026-04-10T02:00:03.777263Z",
			"deleted_at": null,
			"main_name": "COASTLIGHT",
			"aliases": [
				"Gonjeshke Darande",
				"Indra",
				"Predatory Sparrow"
			],
			"source_name": "Secureworks:COASTLIGHT",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "219ddb41-2ea8-4121-8b63-8c762f7e15df",
			"created_at": "2023-01-06T13:46:39.384442Z",
			"updated_at": "2026-04-10T02:00:03.309654Z",
			"deleted_at": null,
			"main_name": "Predatory Sparrow",
			"aliases": [
				"Indra",
				"Gonjeshke Darande"
			],
			"source_name": "MISPGALAXY:Predatory Sparrow",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775438956,
	"ts_updated_at": 1775792119,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a14523d9d97a808b11ffdac124006e4c57ee54bc.pdf",
		"text": "https://archive.orkl.eu/a14523d9d97a808b11ffdac124006e4c57ee54bc.txt",
		"img": "https://archive.orkl.eu/a14523d9d97a808b11ffdac124006e4c57ee54bc.jpg"
	}
}