{
	"id": "cb381993-b922-4908-8549-24bd671c9a9b",
	"created_at": "2026-04-06T01:30:24.627886Z",
	"updated_at": "2026-04-10T03:32:09.257538Z",
	"deleted_at": null,
	"sha1_hash": "ec40370ec6c2fd73ab678be6e65d1bc1f85739b2",
	"title": "Cerberus (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64245,
	"plain_text": "Cerberus (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-06 00:56:54 UTC\r\nAccording to PCrisk, Cerberus is an Android banking Trojan which can be rented on hacker forums. It was\r\ncreated in 2019 and is used to steal sensitive, confidential information. Cerberus can also be used to send\r\ncommands to users' devices and perform dangerous actions.\r\n2022-11-25 ⋅ Resecurity ⋅ Resecurity\r\n\"In The Box\" - Mobile Malware Webinjects Marketplace\r\nAlien Cerberus Coper ERMAC Hydra 2022-04-12 ⋅ Kaspersky ⋅ Kaspersky\r\nThe State of Stalkerware in 2021\r\nCerberus 2022-04-01 ⋅ Kaspersky ⋅ Kaspersky\r\nThe State of Stalkerware in 2021\r\nCerberus 2021-09-22 ⋅ ThreatFabric ⋅ ThreatFabric\r\nERMAC - another Cerberus reborn\r\nAmpleBot Cerberus ERMAC 2021-06-16 ⋅ nur.pub ⋅ Twitter (@1umos_)\r\nCerberus Analysis - Android Banking Trojan\r\nCerberus 2021-02-24 ⋅ RiskIQ ⋅ Jordan Herman\r\nTurkey Dog: Cerberus and Anubis Banking Trojans Target Turkish Speakers\r\nAnubis Cerberus 2020-11-05 ⋅ CyberInt ⋅ CyberInt\r\nCerberus is Dead, Long Live Cerberus?\r\nCerberus 2020-10-16 ⋅ Recorded Future ⋅ Insikt Group®\r\nBanking Web Injects Are Top Cyber Threat For Financial Sector\r\nCerberus 2020-09-29 ⋅ The Missing Report ⋅ Norman Gutiérrez\r\nCerberus and Alien: the malware that has put Android in a tight spot\r\nAlien Cerberus 2020-09-24 ⋅ ThreatFabric ⋅ ThreatFabric\r\nAlien - the story of Cerberus' demise\r\nAlien Cerberus 2020-09-24 ⋅ Bitdefender ⋅ Alexandra Bocereg, Bogdan Botezatu, Ioan-Septimiu Dinulica, Oana Asoltanei\r\nApps on Google Play Tainted with Cerberus Banker Malware\r\nCerberus 2020-08-31 ⋅ Github (ics-iot-bootcamp) ⋅ Ali Rıza Şahinkaya, Can Atakan Işık, Rıdvan Ethem Canavar\r\nCerberus Banking Trojan Research\r\nCerberus 2020-08-28 ⋅ CYBERWISE ⋅ Ali Rıza Şahinkaya, Can Atakan Işık, Rıdvan Ethem Canavar\r\nCerberus Banking Trojan Analysis\r\nCerberus 2020-05-09 ⋅ BushidoToken ⋅ BushidoToken\r\nTurkey targeted by Cerberus and 
Anubis Android banking Trojan campaigns\r\nAnubis Cerberus 2020-03-28 ⋅ Avira ⋅ Avira Protection Labs\r\nIn-depth analysis of a Cerberus trojan variant\r\nCerberus 2020-02-01 ⋅ ThreatFabric ⋅ ThreatFabric\r\n2020 - Year of the RAT\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/apk.cerberus\r\nPage 1 of 2\n\nAnubis Cerberus Ginp Gustuff Hydra 2019-12-12 ⋅ FireEye ⋅ Chi-en Shen, Oleg Bondarenko\r\nCyber Threat Landscape in Japan – Revealing Threat in the Shadow\r\nCerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer\r\n(PWS) PandaBanker PLEAD POISONPLUG TrickBot BlackTech 2019-08-16 ⋅ Forbes ⋅ Zak Doffman\r\nWarning As Devious New Android Malware Hides In Fake Adobe Flash Player Installations (Updated)\r\nCerberus 2019-08-01 ⋅ ThreatFabric ⋅ ThreatFabric\r\nCerberus - A new banking Trojan from the underworld\r\nCerberus 2019-06-01 ⋅ Twitter (@AndroidCerberus) ⋅ Android Cerberus\r\nTwitter Account of Android Cerberus\r\nCerberus\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/apk.cerberus\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/apk.cerberus\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/apk.cerberus"
	],
	"report_names": [
		"apk.cerberus"
	],
	"threat_actors": [
		{
			"id": "1aead86d-0c57-4e3b-b464-a69f6de20cde",
			"created_at": "2023-01-06T13:46:38.318176Z",
			"updated_at": "2026-04-10T02:00:02.925424Z",
			"deleted_at": null,
			"main_name": "DAGGER PANDA",
			"aliases": [
				"UAT-7290",
				"Red Foxtrot",
				"IceFog",
				"RedFoxtrot",
				"Red Wendigo",
				"PLA Unit 69010"
			],
			"source_name": "MISPGALAXY:DAGGER PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2646f776-792a-4498-967b-ec0d3498fdf1",
			"created_at": "2022-10-25T15:50:23.475784Z",
			"updated_at": "2026-04-10T02:00:05.269591Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Palmerworm"
			],
			"source_name": "MITRE:BlackTech",
			"tools": [
				"Kivars",
				"PsExec",
				"TSCookie",
				"Flagpro",
				"Waterbear"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5d9dfc61-6138-497a-b9da-33885539f19c",
			"created_at": "2022-10-25T16:07:23.720008Z",
			"updated_at": "2026-04-10T02:00:04.726002Z",
			"deleted_at": null,
			"main_name": "Icefog",
			"aliases": [
				"ATK 23",
				"Dagger Panda",
				"Icefog",
				"Red Wendigo"
			],
			"source_name": "ETDA:Icefog",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Dagger Three",
				"Fucobha",
				"Icefog",
				"Javafog",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177 ",
				"Circuit Panda ",
				"Earth Hundun",
				"Palmerworm ",
				"Red Djinn",
				"Shrouded Crossbow "
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775439024,
	"ts_updated_at": 1775791929,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ec40370ec6c2fd73ab678be6e65d1bc1f85739b2.pdf",
		"text": "https://archive.orkl.eu/ec40370ec6c2fd73ab678be6e65d1bc1f85739b2.txt",
		"img": "https://archive.orkl.eu/ec40370ec6c2fd73ab678be6e65d1bc1f85739b2.jpg"
	}
}