{
	"id": "18475060-ef97-4e73-acee-850554f2c89d",
	"created_at": "2026-04-06T00:12:36.101545Z",
	"updated_at": "2026-04-10T03:35:19.882299Z",
	"deleted_at": null,
	"sha1_hash": "a3e0a297da42a415754743b9ae1fed57092d68c1",
	"title": "Hook: a new Ermac fork with RAT capabilities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1556574,
	"plain_text": "Hook: a new Ermac fork with RAT capabilities\r\nPublished: 2024-10-01 · Archived: 2026-04-05 14:35:15 UTC\r\nIntroduction\r\nThe joint police operation that brought down the Cabassous network infrastructure in May 2022, together with the slow but\r\nsteady disappearance of Anatsa from the threat landscape, left an open space in the Android banking malware market. This\r\nspace was filled initially by Hydra, and in minor part by the latest variants of ExobotCompact (also known as Octo). These\r\ntwo malware families stood out from the rest due to their advanced features, specifically the ability to perform Device Take-Over (DTO), by being able to remotely view and interact with the screen of the infected device.\r\nIn terms of volume, ThreatFabric observed only one other family which was comparable to these two: Ermac. Discovered\r\nin September 2021 by our researchers, this malware family is a spawn from the infamous Android Banker Cerberus.\r\nAmong the three, Hydra is by far the most spread, and has been the Android banker of choice for threat actors ever since the\r\ntakedown of Cabassous in May 2022. However, the other two malware families have kept their numbers quite high, with\r\nExobotCompact/Octo being slightly lower due to its distribution mechanism of choice, dropper applications on Google Play\r\nStore, which usually creates less builds, but produce more infections per malicious sample.\r\nErmac has been publicly rented by its actor DukeEugene for roughly one year and a half, with multiple actors being\r\nassociated with the operations we had been observing. 
In March 2022, the actors behind this malware family tried to sell the\r\nbotnet code on different hacking forums: from this point onwards, we started observing a rise in the number of Ermac\r\nsamples, together with the appearance of different names and actors rebranding the bot and trying to rent it.\r\nIn this sphere of Ermac forks, ThreatFabric identified botnets such as MetaDroid and OWL, created from the Ermac source\r\ncode and presenting minor differences. In the case of MetaDroid, for example, the author removed the Locale check which\r\nwas in place to ensure that the bot would not operate on devices from CIS countries.\r\nhttps://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html\r\nPage 1 of 35\n\nIn both cases, we did not observe any major difference in implementation or operations from the original Ermac samples to\r\nwarrant the creation of a new malware variant.\r\nRecently, however, we encountered a new fork which piqued our interest. This new malware variant, clearly based on\r\nErmac, introduced the capability to manipulate files on the device’s file system, as well as create a remote session able to\r\ninteract with the System’s UI.\r\nBased on the malware’s panel, we named this malware variant Hook. Initially, while performing our analysis and\r\ninvestigations, this malware looked like another fork of the original Ermac, once again spawned from the sale of the original\r\nsource code.\r\nHowever, on the 12th of January, the original actor of Ermac, DukeEugene, published a post advertising a brand new\r\nbanking malware, called “Hook”.\r\nFrom this thread, we can confidently say that Hook is the latest development of Ermac, and is developed and managed by its\r\noriginal author, DukeEugene.\r\nA malware created “from scratch”\r\nThe malware is advertised as “written from scratch”. 
This is debatable, as the majority of the code base remains the one\r\nfrom Ermac, including some commands in Russian expressing an unnecessary angst towards the world, which in our\r\nopinion would not have made the cut if a proper revision of the code had taken place.\r\nIt is true that this malware variant introduces quite a lot of modifications compared to its predecessor, but it is fairly obvious\r\nthat this is just an update and improvement of the previous versions of Ermac. It is likely that the criminals, taking an\r\napproach which is very effective in marketing strategies, decided to start a new brand with their latest product, instead of\r\nmaintaining the existing one, which was associated mostly with operations regarding cryptowallets and Personally Identifiable\r\nInformation (PII) exfiltration.\r\nIn the following section we will cover the improvements added in Hook. If you want to find out the main features of Ermac,\r\nplease refer to our previous blog about this family.\r\nWebSocket communication\r\nHook uses the same encryption mechanisms used by Ermac in its communication with the C2 Server. The data is encrypted\r\nusing AES-256-CBC with a hardcoded key, and then encoded in Base64. One modification introduced with this new\r\nmalware variant is the addition of WebSocket communication alongside the HTTP traffic used in the previous\r\nErmac variants. The implementation relies on Socket.IO, a library built over HTTP and WebSocket which\r\nenables real-time, bi-directional communication between web clients and servers.\r\nAfter the malware is installed and successfully set up, the bot tries to contact its C2 server using normal HTTP traffic. 
The\r\nrequest triggers a response from the C2 in the following form:\r\n{\r\n \"sid\": \"\u003calphanumeric_id\u003e\",\r\n \"upgrades\": [\"websocket\"],\r\n \"pingInterval\": 20000,\r\n \"pingTimeout\": 60000\r\n}\r\nThis response triggers an upgrade to WebSocket traffic, which is how the bot communicates with its C2. If the value of\r\n“upgrades” is instead “polling”, the communication will be over HTTP. Over this channel, the bot registers with its server,\r\nsends the list of applications installed on the device and downloads the list of targets.\r\nThe communication protocol remains the same as it was in previous versions, with periodic requests for commands sent by\r\nthe bot and updates on the latest logs collected from the malware. The server uses this channel to issue commands, still\r\nencrypted and encoded, in the form:\r\n42[\"commands\", \"\u003cencrypted_commands\u003e\"]\r\nWhere 42 is a constant value based on the Socket.IO protocol, with 4 being the Engine.IO “message” packet type, and 2 being\r\nthe Socket.IO “message” packet type.\r\nAddition of RAT capabilities\r\nThe most important addition in terms of capabilities comes in the form of what criminals call VNC. Virtual Network\r\nComputing (VNC) is a specific implementation of a screen sharing application that provides remote control over the device.\r\nHowever, threat actors have started using this term to indicate any sort of Remote Access Tool (RAT) feature. 
In the case of\r\nHook, this is implemented using the Accessibility Services to interact with the different UI elements required to perform a\r\nwide array of operations.\r\nWith this feature, Hook joins the ranks of malware families that are able to perform full DTO, and complete a full fraud\r\nchain, from PII exfiltration to transaction, with all the intermediate steps, without the need of additional channels. This kind\r\nof operation is much harder for fraud scoring engines to detect, and is the main selling point for Android bankers.\r\nThe malware is capable of performing a wide array of operations on the device, from simulating clicks, to filling text boxes,\r\nand performing gestures. Below is the list of new commands related to the RAT features (in the Appendix you can\r\nfind the full list, including the commands inherited from the previous versions of Ermac):\r\nCommand Description\r\nstart_vnc/stop_vnc start/stop RAT\r\nswipeup/swipedown/swipeleft/swiperight/swipe perform a specific swipe gesture\r\ntakescreenshot takes a screenshot\r\nclickatcontaintext simulates click at specific text item\r\nonkeyevent simulates a key press (HOME/BACK/RECENTS/LOCK/POWERDIALOG)\r\nunlock unlocks device\r\nscrollup/scrolldown scrolls up/down\r\nlongpress simulates a long press event\r\nclickat simulates click at a specific coordinate\r\ncuttext set clipboard value to a UI element with specific coordinates value\r\nclickattext simulates click at a UI element with specific text value\r\nsettext sets a UI element value to a specific text\r\nFile manager\r\nWhen the Server issues the “fmmanager” command, together with a specific parameter, the bot turns into a file manager for\r\nthe actor, similar in behavior to what we have previously observed in 
spyware.\r\nBased on the parameter received, the malware either sends back to the server the full list of the files available on the device,\r\nor downloads a specific file from the file system:\r\nParameter Description\r\nls Obtains the list of files on the device\r\ndl Downloads a specific file\r\nTo do so, the malware does not need to perform any specific shell command, but simply uses the available APIs from the\r\nAndroid Operating system, thanks to the permissions that the malware is able to grant itself on startup via Accessibility\r\nServices.\r\nAnother similar command is “getimages”, which allows the bot to view all the images on the device. With this command,\r\nthe actor can identify if an image is of interest, and then use the “downloadimage” command to download it from the Bot\r\nPanel.\r\nOther modifications and improvements\r\nFinally, the authors added some additional commands to expand or improve the functionalities already existing in the\r\nprevious versions of Ermac. It is worth noting that the second variant of Ermac, which surfaced in 2021, added the\r\ncapability to extract seed phrases from wallets for cryptocurrencies using attacks similar to ATS (Automated Transfer\r\nSystem). These attacks interact with the UI, navigating the different application screens and logging the seed phrases, which\r\nare secret series of words used to retrieve the account’s credentials in case they are lost or forgotten.\r\nIn this new variant, the author added one more wallet to the list (in bold the latest additions):\r\nCommand Package Name - App Name\r\nbitcoincom com.bitcoin.mwallet - Bitcoin Wallet\r\ntrust com.wallet.crypto.trustapp - Trust: Crypto \u0026 Bitcoin Wallet\r\nmycelium com.mycelium.wallet - Mycelium Bitcoin Wallet\r\npiuk piuk.blockchain.android - Blockchain Wallet. 
Bitcoin, Bitcoin Cash, Ethereum\r\nsamourai com.samourai.wallet - Samourai Wallet\r\ntoshi org.toshi - Coinbase Wallet: Crypto Wallet \u0026 DApp Browser\r\nmetamask io.metamask - MetaMask: Buy, Send and Swap Crypto\r\nsafepal io.safepal.wallet - SafePal: Crypto wallet BTC NFTs\r\nBlurring the line\r\nIn our previous article we discussed SpyNote and its latest developments, bringing it closer to banking malware. On the\r\nopposite side of the spectrum lies Hook, which is now crossing the line that separates spyware and banking malware in the\r\nother direction.\r\nOne last interesting addition is the “openwhatsapp” command, used to open the social messaging application WhatsApp,\r\nwhich allows the malware to log and even send messages via this application. Utilizing the same Accessibility Services\r\ntechniques used to interact with cryptocurrency wallets, Hook, upon receiving the “openwhatsapp” command, starts the\r\nsocial messaging application WhatsApp. From here the malware can proceed to extract via logging all the messages present,\r\nbut also send a brand new message. 
This technique could be used by actors to spread the malware to other victims, via a\r\nchannel that is regarded as less threatening by users.\r\nIn addition to this capability, this new Ermac variant also adds geolocation tracking, allowing criminals to receive the\r\ncoordinates of the victim whenever needed.\r\nif (Utils.checkPermission(this.ctx, \"android.permission.ACCESS_FINE_LOCATION\") != 0 \u0026\u0026 Utils.checkPermission(this.ctx, \"a\r\n this.b();\r\n return;\r\n}\r\nObject object0 = this.ctx.getSystemService(\"location\");\r\nif (object0 != null) {\r\n LocationManager locationManager0 = (LocationManager) object0;\r\n String s = locationManager0.getBestProvider(new Criteria(), false);\r\n NonNullUtils.c(s);\r\n Location location0 = locationManager0.getLastKnownLocation(\"passive\");\r\n this.sendLocation(location0);...\r\n}\r\nThese new features move this malware family into a sphere where the difference between spyware and banking malware is\r\nincreasingly blurred and less evident.\r\nTargets\r\nAs for previous versions of Ermac, the target list is very extensive, and includes institutions from all over the world.\r\nThe actor promises his buyers hundreds of targets, the large majority of which are targets also\r\npresent in previous versions of Ermac. However, this new version also adds dozens of new targets, including both financial\r\napplications as well as social apps. New targets also include banks from South America, Asia, Africa, and the Middle East.\r\nHere you can see a recap of the areas mostly targeted by Hook:\r\nHere we reported the top 10 countries ranked by number of targeted institutions. 
However, it is worth noting that the list is\r\nvery extensive, and multiple other countries have just slightly lower numbers, as can be seen in the full target list in the\r\nAppendix of this article.\r\nConclusions\r\nThe new developments around Hook, the latest variant of the Ermac family, point towards a clear direction. Hook now joins\r\nthe very dangerous ranks of malware which is able to perform a full attack chain from infection to fraudulent\r\ntransaction. In addition, it includes new capabilities typical of spyware, which allow criminals to track and spy on the\r\ndevice, gaining full visibility not only on the banking details of the victim, but also messaging, geolocation, and control over\r\nfiles present on the phone. As discussed, Ermac has been one of the most distributed malware families of 2022, and with the\r\nintroduction of its latest development, Hook, ThreatFabric expects it to make the final quality leap, joining Hydra and\r\nExobotCompact/Octo on the podium of Android Bankers available for rent.\r\nFinancial organizations are welcome to contact us: if you suspect an app is involved in malicious activity, feel free to\r\nreach our Mobile Threat Intelligence team which will provide additional details and help with reporting the malicious app if\r\nidentified: mti@threatfabric.com.\r\nFraud Risk Suite\r\nThreatFabric’s Fraud Risk Suite enables safe \u0026 frictionless online customer journeys by integrating industry-leading mobile\r\nthreat intel, behavioral analytics, advanced device fingerprinting and over 10.000 adaptive fraud indicators. 
This will give\r\nyou and your customers peace of mind in an age of ever-changing fraud.\r\nAppendix\r\nHook Samples\r\nApp name Package name SHA-256\r\nGoogle Chrome com.lojibiwawajinu.guna c5996e7a701f1154b48f962d01d457f9b7e95d9c3dd9bbd6a8e083865d563622\r\nGoogle Chrome com.damariwonomiwi.docebi 55533397f32e960bdc78d74f76c3b62b57f881c4554dff01e7f9e077653f47b2\r\nGoogle Chrome com.damariwonomiwi.docebi 768b561d0a9fa3c6078b3199b1ef42272cac6a47ba01999c1f67c9b548a0bc15\r\nGoogleChrome com.yecomevusaso.pisifo 8d1aabfb6329bf6c03c97f86c690e95723748be9d03ec2ed117376dd9e13faf0\r\nHook Full command list\r\nCommand (in bold if introduced in Hook) Description\r\npush Shows a push notification (clicking on the notification will result in launching specified app)\r\nstartAuthenticator2 Launches the Google Authenticator application\r\nstartAdmin Triggers request for admin privileges\r\nstartApp Starts the specified application\r\ngetInstallApps Gets the list of applications installed on the device\r\ngetContacts Gets the contact names and phone numbers from the address book of the infected device\r\ndeleteApplication Triggers the removal of the specified application\r\nforwardCall Enables call forwarding to the specified number\r\nsendSms Sends a text message with specified text from the infected device to the specified phone number\r\nSendSMSALL Sends text messages with specified text from the infected device to all contacts of the infected device\r\nstartInject Triggers the overlay attack against the specified application\r\nstartUssd Executes the specified USSD code\r\nopenUrl Opens the specified URL in the WebView\r\ngetSMS Gets all text messages from the infected device\r\nkillMe Triggers the kill switch for the bot\r\nupdateModule Updates the payload module\r\nupdateInjectAndListApps Triggers update of the target 
list\r\nclearCash/clearCashe Triggers opening specified application details\r\ngetAccounts/logAccounts Triggers stealing a list of the accounts on the device\r\nbitcoincom com.bitcoin.mwallet - Bitcoin Wallet\r\ntrust com.wallet.crypto.trustapp - Trust: Crypto \u0026 Bitcoin Wallet\r\nmycelium com.mycelium.wallet - Mycelium Bitcoin Wallet\r\npiuk piuk.blockchain.android - Blockchain Wallet. Bitcoin, Bitcoin Cash, Ethereum\r\nsamourai com.samourai.wallet - Samourai Wallet\r\ntoshi org.toshi - Coinbase Wallet: Crypto Wallet \u0026 DApp Browser\r\nmetamask io.metamask - MetaMask: Buy, Send and Swap Crypto\r\nstart_vnc/stop_vnc Start/stop RAT\r\ngetlocation Obtains geolocation\r\naddwaitview/removewaitview Adds/removes a view used to cover malicious operations\r\naddview/removeview Adds/removes a view\r\ngetimages Obtains list of all images\r\ndownloadimage Downloads an image\r\nmakecall Makes a call\r\ncalling Makes a call\r\naddcontact Adds a contact\r\nfmmanager Operates as file manager\r\nswipeup/swipedown/swipeleft/swiperight/swipe Perform a specific swipe gesture\r\ntakescreenshot Takes a screenshot\r\nclickatcontaintext Simulates click at specific text item\r\nonkeyevent Simulates a key press (HOME/BACK/RECENTS/LOCK/POWERDIALOG)\r\nunlock Unlocks device\r\nscrollup/scrolldown Scrolls up/down\r\nlongpress Simulates a long press event\r\nclickat Simulates click at a specific coordinate\r\ncuttext Set clipboard value to a UI element with specific coordinates value\r\nclickattext Simulates click at a UI element with specific text value\r\nsettext Sets a UI element value to a specific text\r\nsafepal io.safepal.wallet - SafePal: Crypto 
wallet BTC NFTs\r\nHook C2s\r\nHost\r\n5.42.199[.]22\r\n193.233.196[.]2\r\nHook Crypto-Wallet targets\r\nPackage Name App Name\r\ncom.bitcoin.mwallet Bitcoin Wallet\r\ncom.wallet.crypto.trustapp Trust: Crypto \u0026 Bitcoin Wallet\r\ncom.mycelium.wallet Mycelium Bitcoin Wallet\r\npiuk.blockchain.android Blockchain Wallet. Bitcoin, Bitcoin Cash, Ethereum\r\ncom.samourai.wallet Samourai Wallet\r\norg.toshi Coinbase Wallet — Crypto Wallet \u0026 DApp Browser\r\nio.safepal.wallet SafePal - Crypto wallet BTC NFTs\r\nio.metamask MetaMask - Buy, Send and Swap Crypto\r\nHook Banking Targets\r\nPackage Name App Name\r\ncom.connectivityapps.hotmail Connect for Hotmail \u0026 Outlook: Mail and Calendar\r\ncom.Plus500 Plus500: CFD Online Trading on Forex and Stocks\r\ncom.eofinance EO.Finance: Buy and Sell Bitcoin. Crypto Wallet\r\nar.com.santander.rio.mbanking Santander Argentina\r\nar.com.redlink.custom Banca Móvil Ciudad\r\norg.microemu.android.model.common.VTUserApplicationLINKMB Link Celular\r\nar.bapro BIP Mobile\r\ncoop.bancocredicoop.bancamobile Credicoop Móvil\r\nar.macro Macro\r\ncom.mercadopago.wallet Mercado Pago\r\ncom.tarjetanaranja.emisor.serviciosClientes.appTitulares Naranja\r\nau.com.ingdirect.android ING Australia Banking\r\nau.com.macquarie.authenticator Macquarie Authenticator\r\nau.com.macquarie.banking Macquarie Mobile Banking\r\nau.com.mebank.banking ME Bank\r\nau.com.nab.mobile NAB Mobile Banking\r\nau.com.newcastlepermanent NPBS Mobile Banking\r\nau.com.pnbank.android P\u0026N BANKING APP\r\nau.com.rams.RAMS myRAMS\r\nau.com.suncorp.marketplace Suncorp App\r\nau.com.suncorp.rsa.suncorpsecured Suncorp Secured\r\nau.com.suncorp.SuncorpBank Suncorp Bank\r\nau.com.ubank.internetbanking UBank Mobile Banking\r\ncom.bendigobank.mobile Bendigo Bank\r\ncom.fusion.ATMLocator People’s Choice Credit 
Union\r\ncom.fusion.banking Bank Australia app\r\ncom.fusion.beyondbank Beyond Bank Australia\r\ncom.bankofqueensland.boq BOQ Mobile\r\norg.bom.bank Bank of Melbourne Mobile Banking\r\norg.stgeorge.bank St.George Mobile Banking\r\norg.westpac.bank Westpac Mobile Banking\r\norg.westpac.col Westpac Corporate Mobile\r\ncom.BOQSecure BOQ Secure\r\ncom.commbank.netbank CommBank\r\nau.com.amp.myportfolio.android My AMP\r\nau.com.bankwest.mobile Bankwest\r\nau.com.commbank.commbiz.prod CommBiz\r\nau.com.cua.mb CUA Mobile Banking\r\nau.com.hsbc.hsbcaustralia HSBC Australia\r\ncom.greater.Greater Greater Bank\r\ncom.appfactory.tmb Teachers Mutual Bank\r\ncom.anz.android.gomoney ANZ Australia\r\norg.banking.bom.businessconnect Bank of Melbourne Business App\r\norg.banking.bsa.businessconnect BankSA Business App\r\norg.banking.stg.businessconnect St.George Business App\r\norg.banksa.bank BankSA Mobile Banking\r\ncom.google.android.apps.walletnfcrel Google Pay: Pay with your phone and send cash\r\ncom.easybank.easybank easybank App\r\ncom.bawagpsk.bawagpsk BAWAG PSK klar – Mobile Banking App\r\nat.rsg.pfp Mein ELBA-App\r\nat.ing.diba.client.onlinebanking ING Banking Austria\r\nat.volksbank.volksbankmobile Volksbank hausbanking\r\nat.erstebank.george George Österreich\r\ncom.bankaustria.android.olb Bank Austria MobileBanking\r\ncom.isis_papyrus.raiffeisen_pay_eyewdg Raiffeisen ELBA\r\ncom.isis_papyrus.hypo_pay_eyewdg HYPO Mein ELBA-App\r\ncom.electroneum.mobile Electroneum\r\ncom.scotiabank.banking Scotiabank Mobile Banking\r\nbe.argenta.bankieren Argenta Banking\r\ncom.bnpp.easybanking Easy Banking App\r\nbe.axa.mobilebanking Mobile Banking Service\r\nbe.belfius.directmobile.android Belfius Mobile\r\ncom.kbc.mobile.android.phone.kbc KBC Mobile\r\ncom.imo.android.imoimbeta imo beta free calls and 
text\r\ncom.fortuneo.android Fortuneo, mes comptes banque \u0026 bourse en ligne\r\ncom.wrx.wazirx WazirX - Buy Sell Bitcoin \u0026 Other Cryptocurrencies\r\ncom.airbnb.android Airbnb\r\ncom.whatsapp WhatsApp Messenger\r\ncom.bradesco Bradesco\r\ncom.itau Banco Itaú: Gerencie sua conta pelo celular\r\ncom.itau.empresas Itaú Empresas: Controle e Gestão do seu Negócio\r\nbr.com.intermedium Inter: conta digital completa\r\nbr.com.original.bank Banco Original\r\nbr.com.uol.ps.myaccount PagBank: Banco, Conta digital, Cartão, Pix, CDB\r\nexodusmovement.exodus Exodus: Crypto Bitcoin Wallet\r\ncom.enjin.mobile.wallet Enjin: Bitcoin, Ethereum, Blockchain Crypto Wallet\r\nio.metamask MetaMask - Buy, Send and Swap Crypto\r\nid.co.bitcoin Indodax\r\ncom.snapchat.android Snapchat\r\ncom.anabatic.canadia Canadia Mobile Banking\r\ncom.desjardins.mobile Desjardins mobile services\r\ncom.pcfinancial.mobile Simplii Financial\r\ncom.vancity.mobileapp Vancity\r\ncom.meridian.android Meridian Mobile Banking\r\ncom.rbc.mobile.android RBC Mobile\r\nca.tangerine.clients.banking.app Tangerine Mobile Banking\r\nca.servus.mbanking Servus Mobile Banking\r\nca.pcfinancial.bank PC Financial Mobile\r\nca.motusbank.mapp motusbank mobile banking\r\ncom.td TD Canada\r\ncom.atb.ATBMobile ATB Personal - Mobile Banking\r\ncom.atb.businessmobile ATB Business - Mobile Banking\r\nca.manulife.MobileGBRS Manulife Mobile\r\nca.hsbc.hsbccanada HSBC Canada\r\nca.bnc.android National Bank of Canada\r\nca.affinitycu.mobile Affinity Mobile\r\ncom.cibc.android.mobi CIBC Mobile Banking®\r\ncom.bmo.mobile BMO Mobile Banking\r\ncom.shaketh Shakepay: Buy Bitcoin Canada\r\ncom.coastcapitalsavings.dcu Coast Capital 
Savings\r\ncom.squareup.cash Cash App\r\ncom.bmoharris.digital BMO Digital Banking\r\npro.huobi Huobi Global\r\ncom.google.android.gm Gmail\r\ncl.bancochile.mbanking Mi Banco de Chile\r\ncl.android Banco Falabella - CMR\r\ncom.tencent.mm WeChat\r\ncom.okinc.okcoin.intl Okcoin - Buy \u0026 Trade Bitcoin, Ethereum, \u0026 Crypto\r\ncom.moneybookers.skrillpayments.neteller NETELLER - fast, secure and global money transfers\r\ncom.mtel.androidbea BEA 東亞銀行\r\ncom.ocbc.mobile OCBC SG Mobile Banking\r\ncom.polehin.android Bitcoin Wallet - Buy BTC\r\ncc.bitbank.bitbank bitbank - Bitcoin \u0026 Ripple Wallet\r\ncom.grupoavalav1.bancamovil AV Villas App\r\ncom.grupoavaloc1.bancamovil Banco de Occidente Móvil\r\ncom.todo1.davivienda.mobileapp Davivienda Móvil\r\nco.com.bbva.mb BBVA Colombia\r\ncom.bancodebogota.bancamovil Banco de Bogotá\r\neu.netinfo.colpatria.system Scotiabank Colpatria\r\ncom.todo1.mobile Bancolombia App Personas\r\ncom.tinder Tinder\r\ncom.aadhk.woinvoice Invoice Maker: Estimate \u0026 Invoice App\r\norg.telegram.messenger Telegram\r\ngr.winbank.mobile.cyprus AstroBank Mobile Banking\r\neu.inmite.prj.kb.mobilbank Mobilni Banka\r\ncz.csob.smartbanking ČSOB Smartbanking\r\ndk.nordea.mobilebank Nordea Mobile - Denmark\r\ncom.danskebank.mobilebank3.dk NY mobilbank DK - Danske Bank\r\ncom.imo.android.imoimhd imo HD-Free Video Calls and Chats\r\ncom.azimo.sendmoney Azimo Money Transfer\r\ncom.baninter Banca Móvil\r\ncom.twitter.android.lite Twitter Lite\r\nfr.oney.mobile.mescomptes Oney France\r\nnet.bnpparibas.mescomptes Mes Comptes BNP Paribas\r\ncom.arkea.android.application.cmb Crédit Mutuel de Bretagne\r\ncom.arkea.android.application.cmso2 CMSO ma banque : solde, virement \u0026 épargne\r\ncom.axabanque.fr AXA Banque France\r\nmobi.societegenerale.mobile.lappli L’Appli Société Générale\r\ncom.beobank_prod.bad Beobank 
Mobile\r\ncom.boursorama.android.clients Boursorama Banque\r\ncom.caisseepargne.android.mobilebanking Banque\r\ncom.caisse.epargne.android.tablette Banque pour tablettes Android\r\ncom.cic_prod.bad CIC\r\ncom.cm_prod.bad Crédit Mutuel\r\ncom.fullsix.android.labanquepostale.accountaccess La Banque Postale\r\ncom.gemini.android.app Gemini: Buy Bitcoin Instantly\r\nfr.lcl.android.entreprise Pro \u0026 Entreprises LCL\r\nfr.lcl.android.customerarea Mes Comptes - LCL\r\nfr.laposte.lapostemobile La Poste - Services Postaux\r\nfr.hsbc.hsbcfrance HSBC France\r\nfr.creditagricole.androidapp Ma Banque\r\nfr.bred.fr BRED\r\nfr.bnpp.digitalbanking Hello bank! par BNP Paribas\r\nfr.banquepopulaire.cyberplus Banque Populaire\r\ncom.IngDirectAndroid ING France\r\ncom.mootwin.natixis My Savings\r\ncom.ocito.cdn.activity.banquelaydernier Banque Laydernier - Mobile\r\ncom.ocito.cdn.activity.creditdunord Crédit du Nord pour Mobile\r\nge.mobility.basisbank BasisBank\r\ncom.vtb.mobilebank VTB Mobile Georgia\r\nge.bog.mobilebank BOG mBank - Mobile Banking\r\nge.lb.mobilebank Liberty\r\ncom.icomvision.bsc.tbc TBC Bank\r\ncom.targo_prod.bad TARGOBANK Mobile Banking\r\nde.sdvrz.ihb.mobile.secureapp.sparda.produktion SpardaSecureApp\r\nde.traktorpool tractorpool\r\nde.comdirect.android comdirect mobile App\r\nde.fiducia.smartphone.android.banking.vr VR Banking Classic\r\ncom.starfinanz.smob.android.sfinanzstatus Sparkasse Ihre mobile Filiale\r\nde.dkb.portalapp DKB-Banking\r\nde.postbank.finanzassistent Postbank Finanzassistent\r\nde.santander.presentation Santander Banking\r\nde.consorsbank Consorsbank\r\nde.number26.android N26 — The Mobile Bank\r\nde.mobile.android.app mobile.de – Germany‘s largest car market\r\nde.commerzbanking.mobil Commerzbank Banking - The app at your 
side\r\ncom.db.mm.norisbank norisbank App\r\nde.ingdiba.bankingapp ING Banking to go\r\neu.unicreditgroup.hvbapptan HVB Mobile Banking\r\nde.comdirect.app comdirect\r\nde.sdvrz.ihb.mobile.app SpardaApp\r\ncom.db.pwcc.dbmobile Deutsche Bank Mobile\r\nde.adesso_mobile.secureapp.netbank SecureApp netbank\r\ncom.mobileloft.alpha.droid myAlpha Mobile\r\neu.afse.omnia.attica Attica Mobile\r\nmbanking.NBG NBG Mobile Banking\r\ngr.winbank.mobilenext Winbank Mobile\r\ncom.paypal.android.p2pmobile PayPal Mobile Cash: Send and Request Money Fast\r\ngt.com.bi.bienlinea Bi en Línea\r\nglobal.bithumb.android BitGlobal (formerly Bithumb Global)\r\ncom.tronlinkpro.wallet TronLink Pro - The Best TRON Wallet\r\ncom.bochk.com BOCHK\r\nhu.otpbank.mobile OTP Bank HU\r\npegasus.project.ebh.mobile.android.bundle.mobilebank George Magyarország\r\nhu.khb K\u0026H mobilbank\r\nhu.cardinal.erste.mobilapp Erste Business MobilBank\r\nhu.cardinal.cib.mobilapp CIB Business Online\r\nhu.bb.mobilapp Budapest Bank Mobil App\r\nhr.asseco.android.jimba.mUCI.hu UniCredit Mobile Application\r\nhr.asseco.android.intesa.isbd.cib CIB Bank\r\ncom.aff.otpdirekt OTP SmartBank\r\nhu.mkb.mobilapp MKB Mobilalkalmazás\r\ncom.tideplatform.banking Tide - Smart Mobile Banking\r\nlt.spectrofinance.spectrocoin.android.wallet Bitcoin Wallet by SpectroCoin\r\ncom.sbi.lotusintouch YONO SBI: The Mobile Banking and Lifestyle App!\r\ncom.fss.indus IndusMobile\r\ncom.Version1 PNB ONE\r\ncom.atomyes YES BANK\r\ncom.axis.mobile Axis Mobile- Fund Transfer,UPI,Recharge \u0026 Payment\r\ncom.msf.kbank.mobile Kotak - 811 \u0026 Mobile Banking\r\ncom.sbi.SBIFreedomPlus Yono Lite SBI - Mobile Banking\r\ncom.oxigen.oxigenwallet Bill Payment \u0026 
Recharge,Wallet\r\ncom.dhanlaxmi.dhansmart.mtc Dhanlaxmi Bank Mobile Banking\r\ncom.mobikwik_new BHIM UPI, Money Transfer, Recharge \u0026 Bill Payment\r\ncom.dbs.in.digitalbank digibank by DBS India\r\ncom.infrasofttech.CentralBank Cent Mobile\r\ncom.unocoin.unocoinwallet Unocoin Wallet\r\ncom.snapwork.hdfc HDFC Bank MobileBanking\r\ncom.snapwork.IDBI IDBI Bank GO Mobile+\r\ncom.infrasoft.uboi U-Mobile - Union Bank of India\r\ncom.infrasofttech.MahaBank Maha Mobile\r\ncom.sbi.SBAnywhereCorporate SBI Anywhere Corporate\r\nsrc.com.bni BNI Mobile Banking\r\ncom.bca BCA mobile\r\novo.id OVO\r\nid.dana DANA Indonesia Digital Wallet\r\npiuk.blockchain.android Blockchain Wallet. Bitcoin, Bitcoin Cash, Ethereum\r\ncom.payeer PAYEER\r\ncom.nearform.ptsb permanent tsb\r\ncom.bitcoin.mwallet Bitcoin Wallet\r\ncom.coinbase.android Coinbase – Buy \u0026 Sell Bitcoin. Crypto Wallet\r\ncom.plunien.poloniex Poloniex Crypto Exchange\r\ncom.MizrahiTefahot.nh מזרחי טפחות - ניהול חשבון\r\ncom.ideomobile.hapoalim בנק הפועלים - ניהול החשבון\r\nil.co.yellow.app yellow – מבצעים והטבות עם הארנק הדיגיטלי של פז!\r\ncom.leumi.leumiwallet לאומי\r\nil.co.yahav.mobbanking בנק יהב - ניהול חשבון\r\ncom.bnhp.payments.paymentsapp bit ביט\r\ncom.ideomobile.discount Discount Bank\r\ncom.sella.BancaSella Banca Sella\r\ncom.unicredit Mobile Banking UniCredit\r\ncom.CredemMobile Credem\r\ncom.db.pbc.miabanca La Mia Banca\r\nit.ingdirect.app ING Italia\r\nit.nogood.container UBI Banca\r\nit.phoenixspa.inbank Inbank\r\nit.popso.SCRIGNOapp SCRIGNOapp\r\nposteitaliane.posteapp.appbpol BancoPosta\r\nit.relaxbanking RelaxBanking Mobile\r\nposteitaliane.posteapp.apppostepay Postepay\r\ncom.latuabancaperandroid Intesa Sanpaolo Mobile\r\ncom.lynxspa.bancopopolare YouApp\r\ncom.mediolanum.android.fullbanca Mediolanum\r\ncom.vipera.chebanca CheBanca!\r\nit.hype.app 
Hype\r\nit.creval.bancaperta Bancaperta\r\nit.copergmps.rt.pf.android.sp.bmps Banca MPS\r\nit.carige Carige Mobile\r\nit.caitalia.apphub Crédit Agricole Italia\r\nit.bnl.apps.banking BNL\r\nit.bcc.iccrea.mycartabcc myCartaBCC\r\nit.icbpi.mobile Nexi Pay\r\nco.edgesecure.app Edge - Bitcoin, Ethereum, Monero, Ripple Wallet\r\njp.coincheck.android Bitcoin Wallet Coincheck\r\njp.co.smbc.direct 三井住友銀行アプリ\r\njp.co.rakuten_bank.rakutenbank 楽天銀行 -個人のお客様向けアプリ\r\ncom.gmowallet.mobilewallet ビットコイン・暗号資産（仮想通貨）ウォレットアプリ GMOコイン｜チャート・購入・レバレッジ取引\r\njp.co.netbk 住信SBIネット銀行\r\njp.co.aeonbank.android.passbook イオン銀行通帳アプリ かんたんログイン＆残高・明細の確認\r\ncom.quoine.quoinex.light Liquid by Quoineライト版（リキッドバイコイン） -ビットコインなどの仮想通貨取引所\r\ncom.barclays.ke.mobile.android.ui Barclays Kenya\r\neu.eleader.mobilebanking.nbk NBK Mobile Banking\r\ncom.cbk.mobilebanking CBK Mobile\r\neu.eleader.mobilebanking.abk ABK Mobile Banking\r\ncom.a2a.android.burgan Burgan Bank\r\neu.eleader.mobilebanking.kib KIB Mobile\r\ncom.netflix.mediaclient Netflix\r\npt.bigonline.BiGMobile Banco BiG Portugal\r\ncom.twitter.android Twitter\r\nio.ethos.universalwallet Ethos Universal Wallet\r\ncom.konylabs.HongLeongConnect Hong Leong Connect Mobile Banking\r\ncom.ambank.ambankonline AmOnline\r\ncom.cimbmalaysia CIMB Clicks Malaysia\r\ncom.iexceed.CBS GO by Bank Islam\r\nair.app.scb.breeze.android.main.my.prod Standard Chartered Mobile (MY)\r\nmy.com.maybank2u.m2umobile Maybank2u MY\r\nmy.com.hsbc.hsbcmalaysia HSBC Malaysia\r\nmy.com.hongleongconnect.mobileconnect HLB Connect Mobile Banking App\r\ncom.alliance.AOPMobileApp allianceonline Mobile\r\ncom.bsnebiz.cdb BSNeBiz Mobile- Corporate User\r\ncom.citibank.CitibankMY Citibank MY\r\ncom.ocbc.mobilemy 
OCBC Malaysia Mobile Banking\r\ncom.engage.pbb.pbengage2my.release PB engage MY\r\ncom.paxful.wallet Paxful Bitcoin Wallet\r\ncom.bbva.GEMA BBVA Empresas México\r\ncom.citibanamex.banamexmobile Citibanamex Móvil\r\nnet.garagecoders.e_llavescotiainfo ScotiaMóvil\r\ncom.bancomer.mbanking BBVA México (Bancomer Móvil)\r\nmx.bancosantander.supermovil Santander móvil\r\nmx.hsbc.hsbcmexico HSBC México\r\ncom.mercadolibre Mercado Libre: compra fácil y rápido\r\ncom.bitfinex.mobileapp Bitfinex\r\ncom.ebay.mobile eBay: Buy, sell, and save money on home essentials\r\ncom.moneybookers.skrillpayments Skrill - Fast, secure online payments\r\nbr.com.bradesco.next Banco next: conta e cartão de crédito grátis\r\nma.gbp.pocketbank Pocket Bank\r\ncom.bitpay.wallet BitPay – Secure Bitcoin Wallet\r\ncom.ing.mobile ING Bankieren\r\ncom.ics.nl.icscards ICS Creditcard\r\ncom.abnamro.nl.mobile.payments ABN AMRO Mobiel Bankieren\r\nnz.co.westpac Westpac One (NZ) Mobile Banking\r\nnz.co.anz.android.mobilebanking ANZ goMoney New Zealand\r\nnz.co.asb.asbmobile ASB Mobile Banking\r\ntsb.mobilebanking TSB Bank Mobile Banking\r\nnz.co.kiwibank.mobile Kiwibank Mobile Banking\r\nenterprise.com.anz.shield ANZ Shield\r\nco.zip Zip - Shop Now, Pay Later\r\ncom.whatsapp.w4b WhatsApp Business\r\ncom.interswitchng.www Fidelity Online Banking\r\ncom.vanso.gtbankapp GTBank\r\ncom.payoneer.android Payoneer – Global Payments Platform for Businesses\r\ncom.google.android.youtube YouTube\r\ncom.instagram.android Instagram\r\ncom.binance.dev Binance - Buy \u0026 Sell Bitcoin Securely\r\ncom.base.bankalfalah αlfα\r\ncom.wavesplatform.wallet Waves.Exchange\r\ndoge.org.freewallet.app Dogecoin Wallet. 
Store \u0026 Exchange DOGE coin\r\ncom.lumiwallet.android Lumi Crypto and Bitcoin Wallet\r\ncom.samourai.wallet Samourai Wallet\r\nnet.bitbay.bitcoin Bitcoin \u0026 Crypto Exchange - BitBay\r\ncom.changelly.app Changelly: Buy Bitcoin BTC \u0026 Fast Crypto Exchange\r\ncom.bbva.nxt_peru BBVA Perú\r\npe.pichincha.bm APP Banco Pichincha Perú\r\npe.com.interbank.mobilebanking Interbank APP\r\npe.com.scotiabank.blpm.android.client Scotiabank Perú\r\ncom.bcp.bank.bcp Banca Móvil BCP\r\ncom.zoluxiones.officebanking Banco Santander Perú S.A.\r\ncom.CIMB.OctoPH CIMB Bank PH\r\nnet.bitstamp.app Bitstamp – Buy \u0026 Sell Bitcoin at Crypto Exchange\r\neu.eleader.mobilebanking.pekao.firm PekaoBiznes24\r\nalior.bankingapp.android Usługi Bankowe\r\ncom.bitmarket.trader Aplikacja Bitmarket\r\ncom.comarch.mobile.banking.bgzbnpparibas.biznes Mobile BiznesPl@net\r\ncom.comarch.security.mobilebanking ING Business\r\ncom.empik.empikapp Empik\r\ncom.empik.empikfoto Empik Foto\r\ncom.getingroup.mobilebanking Getin Mobile\r\ncom.konylabs.cbplpat Citi Handlowy\r\neu.eleader.mobilebanking.invest plusbank24\r\neu.eleader.mobilebanking.pekao Pekao24Makler\r\nhr.asseco.android.mtoken.bos iBOSStoken\r\npl.aliorbank.aib Alior Mobile\r\npl.allegro Allegro - convenient and secure online shopping\r\npl.bph BusinessPro Lite\r\npl.bps.bankowoscmobilna BPS Mobilnie\r\npl.bzwbk.bzwbk24 Santander mobile\r\npl.bzwbk.ibiznes24 iBiznes24 mobile\r\npl.ceneo Ceneo - zakupy i promocje\r\npl.com.rossmann.centauros Rossmann PL\r\npl.envelobank.aplikacja Pocztowy\r\npl.eurobank2 eurobank mobile 2.0\r\npl.fakturownia Fakturownia.pl\r\npl.ideabank.mobilebanking Idea Bank PL\r\npl.ifirma.ifirmafaktury IFIRMA - Darmowy Program do Faktur\r\npl.ing.mojeing Moje ING mobile\r\npl.mbank mBank PL\r\npl.millennium.corpApp Bank Millennium for 
Companies\r\npl.nestbank.nestbank Nest Bank nowy\r\npl.noblebank.mobile Noble Mobile\r\npl.orange.mojeorange Mój Orange\r\npl.pkobp.iko IKO\r\npl.pkobp.ipkobiznes iPKO biznes\r\npl.raiffeisen.nfc Mobilny Portfel\r\nsoftax.pekao.powerpay PeoPay\r\nwit.android.bcpBankingApp.millenniumPL Bank Millennium\r\npt.bancobpi.mobile.fiabilizacao BPI APP\r\npt.bctt.appbctt Banco CTT\r\napp.wizink.pt Wizink, o teu banco fácil\r\ncom.bbva.mobile.pt BBVA Portugal\r\npt.santander.oneappparticulares Santander Portugal\r\npt.oney.oneyapp Oney Portugal\r\neu.atlantico.bancoatlanticoapp MY ATLANTICO\r\npt.novobanco.nbsmarter NB smarter\r\ncom.abanca.bm.pt ABANCA - Portugal\r\npt.santandertotta.mobileempresas Santander Empresas\r\npt.novobanco.nbapp NB smart app\r\npt.eurobic.apps.mobilebanking EuroBic Mobile App\r\npt.santandertotta.mobileparticulares Santander Particulares\r\ncom.bankinter.portugal.bmb Bankinter Portugal\r\npt.cgd.caixadirectaempresas Caixadirecta Empresas\r\nwit.android.bcpBankingApp.activoBank ActivoBank\r\npt.sibs.android.mbway MB WAY\r\nwit.android.bcpBankingApp.millennium Millenniumbcp\r\ncgd.pt.caixadirectaparticulares Caixadirecta\r\nca.mobile.explorer CA Mobile\r\npt.cgd.caderneta Caderneta\r\npt.bancobest.android.mobilebanking Best Bank\r\ncom.QIIB QIIB Mobile\r\ncom.pozitron.qib QIB Mobile\r\ncom.db.mobilebanking Doha Bank Mobile Banking\r\ncom.cbq.CBMobile CBQ Mobile\r\ncom.advantage.RaiffeisenBank Raiffeisen Smart Mobile\r\nro.btrl.mobile Banca Transilvania\r\nat.spardat.bcrmobile Touch 24 Banking BCR\r\ncom.tabtrader.android TabTrader Buy Bitcoin and Ethereum on exchanges\r\ncom.microsoft.office.outlook Microsoft Outlook: Organize Your Email \u0026 Calendar\r\nclientapp.swiftcom.org 
ePayments: wallet \u0026 bank card\r\ncom.alinma.retail.mobile Alinma Bank\r\ncom.acceltree.mtc.screens Alawwal Mobile\r\ncom.urpay.consumer urpay\r\nsa.com.stcpay stc pay\r\ncom.alrajhiretailapp Al Rajhi Mobile\r\ncom.riyadbank.strategic RiyadBank Mobile\r\ncom.mbc.anb.keystore ANB Mobile~ Arab National Bank\r\nsa.alrajhibank.tahweelapp Tahweel Al Rajhi KSA\r\ncom.samba.mb SambaMobile\r\ncom.saib.banking.mobile.android SAIB\r\ncom.sa.gazt.ZakatCalculator Zakaty - زكاتي\r\ncom.kubi.kucoin KuCoin: Bitcoin Exchange \u0026 Crypto Wallet\r\ncom.dbs.sg.dbsmbanking DBS digibank SG\r\ncom.dbs.sg.posbmbanking POSB digibank\r\ncom.citibank.mobile.sg Citibank SG\r\nco.bitx.android.wallet Luno: Buy Bitcoin, Ethereum and Cryptocurrency\r\ncom.uob.mighty.app UOB Mighty Singapore\r\ncom.booking Booking.com: Hotels, Apartments \u0026 Accommodation\r\nsk.vub.mobile VÚB Mobile Banking\r\ncom.anz.transactive.global ANZ Transactive - Global\r\ncom.vipera.ts.starter.QNB QNB Mobile\r\nes.cm.android Bankia\r\nwww.ingdirect.nativeframe ING España. 
Banca Móvil\r\napp.wizink.es WiZink, tu banco senZillo\r\ncom.rsi ruralvía\r\ncom.targoes_prod.bad TARGOBANK - Banca a distancia\r\ncom.santander.bpi Santander Private Banking\r\ncom.tecnocom.cajalaboral Banca Móvil Laboral Kutxa\r\ncom.rsi.Colonya Colonya Caixa Pollença\r\ncom.kutxabank.android Kutxabank\r\nes.bancosantander.apps Santander\r\nes.bancosantander.empresas Santander Empresas\r\nes.bancosantander.wallet Santander Wallet\r\nes.caixagalicia.activamovil ABANCA- Banca Móvil\r\nes.caixageral.caixageralapp Banco Caixa Geral España\r\nes.caixaontinyent.caixaontinyentapp Caixa Ontinyent\r\nes.cecabank.ealia2103appstore UniPay Unicaja\r\nes.ceca.cajalnet Cajalnet\r\nes.evobanco.bancamovil EVO Banco móvil\r\nes.ibercaja.ibercajaapp Ibercaja\r\nes.lacaixa.mobile.android.newwapicon CaixaBank\r\nes.liberbank.cajasturapp Banca Digital Liberbank\r\nes.openbank.mobile Openbank – banca móvil\r\nes.orangebank.app Orange Bank - Banco Móvil\r\nes.pibank.customers Pibank\r\nes.santander.Criptocalculadora Criptocalculadora\r\nes.santander.money Santander Money Plan\r\nes.unicajabanco.app Unicaja Banco\r\nes.univia.unicajamovil UnicajaMovil\r\ncom.indra.itecban.triodosbank.mobile.banking Triodos Bank. 
Banca Móvil\r\ncom.indra.itecban.mobile.novobanco NBapp Spain\r\ncom.imaginbank.app imaginBank - Your mobile bank\r\ncom.westernunion.moneytransferr3app.es Western Union ES - Send Money Transfers Quickly\r\ncom.grupocajamar.wefferent Grupo Cajamar\r\ncom.db.pbc.mibanco Mi Banco db\r\ncom.db.pbc.DBPay DB Pay\r\ncom.v2msoft.contasimple Contasimple - Invoices, estimates \u0026 delivery notes\r\ncom.cajasur.android Cajasur\r\ncom.cajasiete.android.cajasietereport Report\r\ncom.cajaingenieros.android.bancamovil Caja de Ingenieros Banca MÓVIL\r\ncom.bbva.bbvacontigo BBVA Spain\r\ncom.bankinter.launcher Bankinter Móvil\r\ncom.bankinter.empresas Bankinter Empresas\r\ncom.bankinter.bkwallet Bankinter Wallet\r\ncom.bankia.wallet Bankia Wallet\r\ncom.bancsabadell.wallet Sabadell Wallet\r\ncom.bancocajasocial.geolocation Banco Caja Social Móvil\r\nnet.inverline.bancosabadell.officelocator.android Banco Sabadell App. Your mobile bank\r\ncom.mediolanum Banco Mediolanum España\r\ncom.abanca.bancaempresas ABANCA Empresas\r\ncom.bbva.netcash BBVA Net Cash - ES \u0026 PT\r\ncom.ubs.swidKXJ.android UBS Mobile Banking: E-Banking and mobile pay\r\nch.autoscout24.autoscout24 AutoScout24 Switzerland – Find your new car\r\ncom.spotify.music Spotify: Listen to new music, podcasts, and songs\r\ncom.krungsri.kma KMA\r\nktbcs.netbank Krungthai NEXT\r\ncom.scb.phone SCB EASY\r\ncom.kasikorn.retail.mbanking.wap K PLUS\r\ncom.pozitron.iscep İşCep - Mobile Banking\r\ncom.anadolubank.android Anadolubank Mobil\r\ncom.mobillium.papara Papara\r\ncom.vakifbank.mobile VakıfBank Mobil Bankacılık\r\ntrendyol.com Trendyol - Hızlı ve Güvenli Alışverişin Yolu\r\ncom.ykb.android Yapı Kredi Mobile\r\ntr.com.hsbc.hsbcturkey HSBC Turkey\r\nfinansbank.enpara.sirketim Enpara.com Şirketim Cep Şubesi\r\ncom.teb CEPTETEB\r\nfinansbank.enpara Enpara.com Cep 
Şubesi\r\ncom.aktifbank.nkolay N Kolay\r\ncom.kuveytturk.mobil Kuveyt Türk\r\ncom.btcturk.pro BtcTurk - PRO - Bitcoin Al-Sat\r\ncom.btcturk BtcTurk Bitcoin Borsası\r\ncom.ziraatkatilim.mobilebanking Katılım Mobil\r\ncom.denizbank.mobildeniz MobilDeniz\r\ncom.tfkb Türkiye Finans Mobile Branch\r\ncom.paribu.app Paribu\r\ncom.garanti.cepsubesi Garanti BBVA Mobile\r\ntr.com.sekerbilisim.mbank ŞEKER MOBİL ŞUBE\r\ncom.albarakaapp Albaraka Mobile Banking\r\ntr.gov.turkiye.edevlet.kapisi e-Devlet Kapısı\r\ncom.mobillium.btcturk BtcTurk - Bitcoin Al/Sat\r\ncom.tmobtech.halkbank Halkbank Mobil\r\ncom.akbank.android.apps.akbank_direkt Akbank\r\ncom.pttfinans PTTBank\r\ncom.magiclick.odeabank Odeabank\r\npaladyum.peppara PeP: Para Transferi Sanal Kart\r\ncom.ziraat.ziraatmobil Ziraat Mobile\r\ncom.ingbanktr.ingmobil ING Mobil\r\ncom.amazon.sellermobile.android Amazon Seller\r\ncom.airbitz Bitcoin Wallet - Airbitz\r\ncom.liv.android Liv. 
- Digital Lifestyle Bank\r\ncom.emiratesnbd.android ENBD X\r\ncom.NBQBank NBQBANK\r\ncom.dib.app DIB MOBILE\r\ncom.vipera.ts.starter.MashreqAE Mashreq UAE\r\ncom.adib.mobile ADIB Mobile Banking App\r\ncom.mashreq.NeoApp Mashreq Neo - Bank easy\r\ncom.mbanking.ajmanbank Ajman Bank\r\ncom.uab.personal United Arab Bank Mobile\r\ncom.s4m EI Bank\r\ncom.cbd.mobile CBD\r\ncom.vipera.nbf NBF Direct App\r\ncom.scb.ae.bmw SC Mobile Banking (UAE)\r\ncom.myc3card.app C3Pay\r\ncom.aaib AAIB Mobile\r\nae.almasraf.mobileapp Al Masraf\r\ncom.bankfab.pbg.ae.dubaifirst Dubai First\r\ncom.sib.retail SIB Digital\r\nenbd.mobilebanking Emirates NBD\r\ncom.infosys.alh Al Hilal Mobile Banking App\r\nae.ahb.digital Al Hilal Digital\r\ncom.rak RAKBANK Digital Banking\r\nuk.co.hsbc.hsbcukmobilebanking HSBC UK Mobile Banking\r\ncom.virginmoney.cards Virgin Money Credit Card\r\ncom.barclays.android.barclaysmobilebanking Barclays\r\nuk.co.santander.santanderUK Santander Mobile Banking\r\ncom.grppl.android.shell.halifax Halifax: the banking app that gives you extra\r\ncom.rbs.mobile.android.rbs Royal Bank of Scotland Mobile Banking\r\nuk.co.mbna.cardservices.android MBNA - Card Services App\r\ncom.grppl.android.shell.CMBlloydsTSB73 Lloyds Bank Mobile Banking: by your side\r\nuk.co.tescomobile.android Tesco Mobile\r\ncom.grppl.android.shell.BOS Bank of Scotland Mobile Banking: secure on the go\r\ncom.rbs.mobile.android.natwest NatWest Mobile Banking\r\nuk.co.metrobankonline.mobile.android.production Metro Bank\r\ncom.transferwise.android TransferWise Money Transfer\r\ncom.revolut.revolut Revolut - Get more from your money\r\nuk.co.tsb.newmobilebank TSB Mobile Banking\r\ncom.ie.capitalone.uk Capital One UK\r\ncom.cooperativebank.bank The Co-operative Bank\r\ncom.csam.icici.bank.imobile iMobile by ICICI Bank\r\nco.uk.Nationwide.Mobile Nationwide Banking 
App\r\ncom.zenithBank.eazymoney Zenith Bank Mobile App\r\nme.cryptopay.android C.PAY\r\ncom.att.myWireless myAT\u0026T\r\ncom.ubercab.eats Uber Eats: Food Delivery\r\ncom.unionbank.ecommerce.mobile.android Union Bank Mobile Banking\r\ncom.usaa.mobile.android.usaa USAA Mobile\r\ncom.usbank.mobilebanking U.S. Bank - Inspired by customers\r\ncom.viber.voip Viber Messenger - Messages, Group Chats \u0026 Calls\r\ncom.pnc.ecommerce.mobile PNC Mobile\r\ncom.wallet.crypto.trustapp Trust: Crypto \u0026 Bitcoin Wallet\r\ncom.wf.wellsfargomobile Wells Fargo Mobile\r\nco.mona.android Crypto.com - Buy Bitcoin Now\r\ncom.woodforest Woodforest Mobile Banking\r\ncom.navyfederal.android Navy Federal Credit Union\r\ncom.yahoo.mobile.client.android.mail Yahoo Mail – Organized Email\r\ncom.zellepay.zelle Zelle\r\ncom.mtb.mbanking.sc.retail.prod M\u0026T Mobile Banking\r\ncom.morganstanley.clientmobile.prod Morgan Stanley Wealth Mgmt\r\ncom.mfoundry.mb.android.mb_136 People’s United Bank Mobile\r\ncom.mcom.firstcitizens First Citizens Mobile Banking\r\ncom.mbankuae.amcb MBank UAE\r\ncom.mail.mobile.android.mail mail.com mail\r\ncom.konylabs.capitalone Capital One® Mobile\r\ncom.key.android KeyBank Mobile\r\ncom.infonow.bofa Bank of America Mobile Banking\r\ncom.imo.android.imoim imo free video calls and chat\r\ncom.icsfs.jkb JKB-Mobile\r\ncom.huobionchainwallet.gp HuobiWallet\r\ncom.google.android.apps.nbu.paisa.user Google Pay\r\ncom.ebos.bos eBOS Mobile\r\ncom.discoverfinancial.mobile Discover Mobile\r\ncom.compasssavingsbank.mobile Compass Savings Bank\r\ncom.clairmail.fth Fifth Third Mobile Banking\r\ncom.citizensbank.androidapp Citizens Bank Mobile Banking\r\ncom.citi.mobile.ccc CitiManager – Corporate 
Cards\r\ncom.citi.citimobile Citi Mobile®\r\ncom.chase.sig.android Chase Mobile\r\ncom.botw.mobilebanking Bank of the West Mobile\r\ncom.bbt.myfi U by BB\u0026T\r\ncom.barclaycardus Barclays US\r\ncom.BanqueMisr.MobileBanking BM Online\r\ncom.arabbank.arabimobilev2 Arabi-Mobile\r\ncom.aol.mobile.aolapp AOL - News, Mail \u0026 Video\r\ncom.americanexpress.android.acctsvcs.us Amex\r\ncom.ally.MobileBanking Ally Mobile\r\ncom.alahli.quickpay SNB QuickPay\r\ncom.alahli.mobile.android SNB AlAhli Mobile\r\ncom.adcb.cbgdigi ADCB Hayyak: Start your banking relationship now!\r\ncom.schwab.mobile Schwab Mobile\r\ncom.suntrust.mobilebanking SunTrust Mobile App\r\ncom.tdbank TD Bank (US)\r\ncom.robinhood.android Robinhood - Investment \u0026 Trading, Commission-free\r\ncom.uba.vericash UBA Mobile Banking\r\ncom.ubercab Uber - Request a ride\r\ncom.amazon.mShop.android.shopping Amazon Shopping - Search, Find, Ship, and Save\r\ncom.uy.itau.appitauuypf Itaú Uruguay\r\nuy.com.brou.token BROU Llave Digital\r\nuy.brou App Móvil del Banco República\r\ncom.accessbank.accessbankapp Access Bank plc\r\ncom.bitpanda.bitpanda Bitpanda - Buy Bitcoin in minutes\n\nSource: https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html"
	],
	"report_names": [
		"hook-a-new-ermac-fork-with-rat-capabilities.html"
	],
	"threat_actors": [
		{
			"id": "8309f9cf-9abb-4ce3-aa1e-cda7d7f5c1b3",
			"created_at": "2022-10-25T16:07:23.729215Z",
			"updated_at": "2026-04-10T02:00:04.729076Z",
			"deleted_at": null,
			"main_name": "Indra",
			"aliases": [],
			"source_name": "ETDA:Indra",
			"tools": [
				"Stardust"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8d28f58b-5ea2-4450-a74a-4a1e39caba6e",
			"created_at": "2026-03-16T02:02:50.582318Z",
			"updated_at": "2026-04-10T02:00:03.777263Z",
			"deleted_at": null,
			"main_name": "COASTLIGHT",
			"aliases": [
				"Gonjeshke Darande",
				"Indra",
				"Predatory Sparrow"
			],
			"source_name": "Secureworks:COASTLIGHT",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "219ddb41-2ea8-4121-8b63-8c762f7e15df",
			"created_at": "2023-01-06T13:46:39.384442Z",
			"updated_at": "2026-04-10T02:00:03.309654Z",
			"deleted_at": null,
			"main_name": "Predatory Sparrow",
			"aliases": [
				"Indra",
				"Gonjeshke Darande"
			],
			"source_name": "MISPGALAXY:Predatory Sparrow",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434356,
	"ts_updated_at": 1775792119,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a3e0a297da42a415754743b9ae1fed57092d68c1.pdf",
		"text": "https://archive.orkl.eu/a3e0a297da42a415754743b9ae1fed57092d68c1.txt",
		"img": "https://archive.orkl.eu/a3e0a297da42a415754743b9ae1fed57092d68c1.jpg"
	}
}