Date: 2025-08-18

Advanced banking trojan ERMAC V3.0 had its entire source code exposed following a breach that involved the exploitation of the malware-as-a-service operation's weak credentials, GBHackers News reports.
Despite having multiple tools, such as a PHP and Laravel-based backend and a Golang exfiltration server, to facilitate the compromise of over 700 banking, cryptocurrency, and shopping apps, ERMAC V3.0 had various critical vulnerabilities that could be harnessed to disrupt it, according to a report from Hunt.io. Aside from the weak "changemeplease" password, ERMAC V3.0 also had a static admin bearer token and a hardcoded JWT secret, as well as open account registration through its API, which could allow unauthorized admin panel access. Further analysis of the leaked source code revealed a quartet of command-and-control servers, as well as another quartet of exfiltration servers used by the mobile trojan, which also relied on geographic restrictions and AES-CBC encrypted communications. While ERMAC V3.0 has exhibited the growing complexity of banking trojans, it has also revealed the security pitfalls of such operations, researchers added.
