# Ermac
Ermac is the Cerberus fork that proved that leaked source code could be refined into a competitive commercial product. Operated by the threat actor "DukeEugene" and sold as MaaS starting in late 2021, Ermac took the leaked Cerberus codebase, rewrote the encryption layer, updated the obfuscation, and expanded target coverage to over 460 banking and cryptocurrency applications. It served as DukeEugene's primary revenue stream until Hook replaced it in early 2023.
## Overview
| Attribute | Details |
|---|---|
| First Seen | August 2021 |
| Last Seen | Late 2022 (superseded by Hook) |
| Status | Succeeded by Hook; Ermac 3.0 source leaked August 2025 |
| Type | Banking trojan (MaaS) |
| Attribution | "DukeEugene" (previously linked to BlackRock) |
| Aliases | Ermac 1.0, Ermac 2.0, HookBot (sometimes conflated) |
| Source | Built on leaked Cerberus source; Ermac 3.0 source leaked in 2025 |
| Rental Price | $3,000/month (v1.0), $5,000/month (v2.0) |
## Origin and Lineage
ThreatFabric identified Ermac in September 2021, calling it "another Cerberus reborn." Code analysis confirmed that Ermac is a direct descendant of the leaked Cerberus source: it uses nearly identical data structures for C2 communication and retains the same overall architecture. The modifications focus on encryption, obfuscation, and expanded targeting rather than fundamental redesign.
DukeEugene was already known as the operator behind BlackRock, another Android banking trojan discovered in 2020. ThreatFabric noted the cessation of fresh BlackRock samples coinciding with Ermac's emergence, indicating DukeEugene transitioned wholesale from BlackRock to Ermac. The actor advertised Ermac on the same underground forums where Cerberus had previously been sold, positioning it as a superior replacement.
Ermac sits in the middle of the Cerberus lineage: downstream of the original source leak, upstream of Hook. When DukeEugene launched Hook in January 2023, NCC Group confirmed that Hook was built directly on Ermac's codebase, with all 30 Ermac bot commands present in Hook alongside 38 new additions.
## Distribution
Ermac operators used multiple delivery channels, with a strong preference for phishing sites impersonating legitimate applications.
| Vector | Details |
|---|---|
| Fake app websites | Typosquatted domains mimicking legitimate services. Cyble documented a campaign using a fake Bolt Food delivery site targeting Polish users. |
| Phishing pages | Browser-based landing pages distributed via malvertising and social media posts |
| Smishing | SMS messages containing links to the fake app download pages |
| Third-party stores | APKs uploaded to unofficial Android app repositories |
| Malvertising | Paid ads redirecting to phishing domains |
Ermac 2.0 distribution was particularly active against Polish users, with campaigns impersonating Bolt Food, banking apps, and browser updates. The fake sites were often near-identical to the originals, differing by only a single character in the domain name.
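The single-character typosquats described above are a pattern defenders can hunt for in DNS or proxy logs. The following is an added example, not code from the original page or from any Ermac report: it flags observed domains within one edit (substitution, insertion or deletion) of a known legitimate domain. The legitimate-domain list and the observed log are constructed placeholders on the `.example` TLD, not real brands or real campaign domains.

```python
"""Flag lookalike domains one character edit away from a known-good domain.

Added example, not from the page or any Ermac sample. LEGIT_DOMAINS and
OBSERVED are constructed placeholders.
"""
import unicodedata

# Constructed allow-list of legitimate domains (placeholders, not real brands).
LEGIT_DOMAINS = ["boltfood.example", "pkobank.example", "mybank.example"]

# Constructed sample of domains seen in DNS/proxy logs.
OBSERVED = [
    "boltfood.example",   # legitimate, identical to the allow-list entry
    "boltfo0d.example",   # one substitution (o -> 0)
    "pko-bank.example",   # one insertion (hyphen)
    "pkobnk.example",     # one deletion (missing a)
    "news.example",       # unrelated domain, must not be flagged
    "boltfoods.example",  # one insertion (trailing s)
]


def edit_distance(a: str, b: str, limit: int = 2) -> int:
    """Levenshtein distance with early exit once `limit` is exceeded.

    Returns limit + 1 as soon as the distance is known to be above `limit`,
    which keeps scanning large logs cheap.
    """
    if abs(len(a) - len(b)) > limit:
        return limit + 1
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution / match
        # Every alignment passes through this row, so its minimum is a lower
        # bound on the final distance.
        if min(cur) > limit:
            return limit + 1
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Lower-case, strip a trailing dot and collapse Unicode compatibility forms.

    NFKC folds full-width and other compatibility characters; it does not
    detect cross-script homoglyphs (e.g. Cyrillic lookalikes), which need a
    separate confusables table.
    """
    return unicodedata.normalize("NFKC", domain.strip().lower().rstrip("."))


def find_lookalikes(observed, legit=LEGIT_DOMAINS, max_distance=1):
    """Return (observed, matched_legit, distance) for each observed domain that
    is within max_distance of a legitimate domain but not identical to it."""
    hits = []
    legit_norm = [normalize(l) for l in legit]
    for dom in observed:
        d = normalize(dom)
        if d in legit_norm:
            continue
        for l in legit_norm:
            dist = edit_distance(d, l, max_distance)
            if dist <= max_distance:
                hits.append((dom, l, dist))
                break
    return hits


if __name__ == "__main__":
    for dom, legit, dist in find_lookalikes(OBSERVED):
        print(f"{dom} looks like {legit} (distance {dist})")
```

Raising `max_distance` to 2 catches double-character tricks but also raises false positives on short domains, so in practice the allow-list is restricted to the brands actually targeted in the environment.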
## Capabilities
### Ermac 1.0 (August 2021)
Ermac 1.0 targeted 378 applications and rented for $3,000/month.
| Capability | Implementation |
|---|---|
| Overlay attacks | WebView-based injects triggered by accessibility service foreground detection |
| SMS interception | Read and redirect incoming SMS for OTP capture |
| Contact harvesting | Exfiltrate device contacts to C2 |
| App listing | Enumerate installed packages to determine overlay targets |
| Account theft | Steal accounts stored on the device via AccountManager |
| Push notifications | Display notifications to lure user into opening target apps |
| App cache clearing | Clear app data to force re-authentication, then capture fresh credentials via overlay |
| Open URL | Launch arbitrary URLs in the device browser |
### Ermac 2.0 (May 2022)
Ermac 2.0 expanded to 467 target applications and increased the rental price to $5,000/month. Cyble's analysis and Intel 471's deep dive documented the upgraded version.
| Capability | Implementation |
|---|---|
| Expanded overlays | 467 banking and cryptocurrency app targets (up from 378) |
| Cryptocurrency wallet targeting | Injects for major wallets including MetaMask, Trust Wallet, Coinbase |
| 43 permissions | Self-grants extensive permissions via accessibility on installation |
| Improved obfuscation | Updated string encryption and code obfuscation |
| Broader geo-targeting | Expanded from Eastern European focus to global coverage |
Ermac 2.0 was the third most active Android banking trojan during Q2 2022.
### Limitations Compared to Successors
Ermac notably lacked several features that would later appear in Hook:
| Missing Feature | Added In |
|---|---|
| VNC/screen streaming | Hook |
| RAT with UI interaction | Hook |
| File manager | Hook |
| ATS (Automated Transfer System) | Hook |
| WhatsApp message extraction | Hook |
| WebSocket communication | Hook |
## Technical Details
### Encryption
The most significant technical departure from Cerberus is the encryption scheme. Where Cerberus used a straightforward encryption approach for C2 communication, ThreatFabric noted that Ermac introduced:
- String encryption: Uses the Blowfish algorithm to encrypt hardcoded strings, which are decrypted at runtime
- C2 communication: Data encrypted with AES-128-CBC, prepended with a double word (4 bytes) containing the length of the encoded data (different from Cerberus's original scheme)
### C2 Protocol
Ermac communicates with its C2 server over HTTP. The protocol follows Cerberus's general pattern but with the updated encryption layer:
- Bot registers with C2, sending encrypted device fingerprint (IMEI, model, installed apps, SIM info)
- C2 responds with configuration: target app list, inject URLs, command queue
- Bot polls C2 at regular intervals for new commands
- Credential data from overlays is encrypted and POSTed back to C2
Key bot commands:
| Command | Action |
|---|---|
| getSMS | Retrieve SMS messages from device |
| sentSMS | Send SMS from victim device |
| startApp | Launch specified application (triggers overlay) |
| getAccounts | Steal device accounts |
| getContacts | Exfiltrate contact list |
| getInstalledApps | Enumerate installed packages |
| push | Display push notification |
| clearCache | Clear target app data to force re-login |
| openURL | Open URL in browser |
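The encryption and C2 protocol sections above describe the transport framing an analyst meets when carving Ermac C2 traffic out of a capture: AES-128-CBC ciphertext preceded by a double word holding the length of the encoded data. The following is an added example, not code from the page or from any Ermac sample, that recovers record boundaries from such a stream and rejects malformed framing. The little-endian byte order and the exact layout are assumptions for illustration; the sample stream is constructed. Decrypting the records needs the per-sample key, which this example does not attempt; the AES block-size check simply uses the fact that CBC output is always a whole number of 16-byte blocks.

```python
"""Split a length-prefixed C2 stream into records and validate the framing.

Added example, not from the page or any Ermac sample. Byte order ("<",
little-endian) and framing are assumptions; SAMPLE is constructed.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

AES_BLOCK = 16  # AES-CBC ciphertext is always a multiple of 16 bytes


@dataclass
class Record:
    offset: int                  # byte offset of the length prefix in the stream
    length: int                  # value carried by the 4-byte length field
    ciphertext: bytes            # the bytes the prefix covers (possibly short)
    error: Optional[str] = None  # why validation failed, or None if it passed


def parse_frames(stream: bytes, byteorder: str = "<") -> List[Record]:
    """Walk `stream`, emitting one Record per length-prefixed blob.

    Stops at the first prefix that cannot be honoured (truncated trailing
    data, zero length) and records the reason rather than resynchronising
    by guesswork, so the analyst sees exactly where the capture breaks.
    """
    fmt = byteorder + "I"
    records: List[Record] = []
    pos = 0
    while pos < len(stream):
        if len(stream) - pos < 4:
            records.append(Record(pos, 0, stream[pos:], "truncated length prefix"))
            break
        (length,) = struct.unpack_from(fmt, stream, pos)
        if length == 0:
            records.append(Record(pos, length, b"", "zero-length record"))
            break
        body = stream[pos + 4 : pos + 4 + length]
        if len(body) < length:
            records.append(Record(pos, length, body, "declared length exceeds remaining data"))
            break
        err = None
        if length % AES_BLOCK:
            # Plausible framing, but the blob cannot be raw AES-CBC output.
            err = "length is not a multiple of the AES block size"
        records.append(Record(pos, length, body, err))
        pos += 4 + length
    return records


def build_stream(blobs) -> bytes:
    """Constructed helper: frame opaque blobs the way parse_frames expects."""
    return b"".join(struct.pack("<I", len(b)) + b for b in blobs)


# Constructed sample: two well-formed 32-byte blobs standing in for
# ciphertext, followed by a prefix that claims 48 bytes when only 20 remain
# (a truncated capture).
SAMPLE = (build_stream([bytes(range(32)), b"\xAA" * 32])
          + struct.pack("<I", 48) + b"\x00" * 20)


if __name__ == "__main__":
    for rec in parse_frames(SAMPLE):
        status = rec.error or "ok"
        print(f"offset={rec.offset:4d} length={rec.length:4d} {status}")
```

If the first record of a real capture fails the block-size check, try the other byte order before concluding the framing differs; a big-endian prefix read as little-endian yields an implausibly large length, which the "exceeds remaining data" branch reports.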
### Obfuscation
Ermac applies multiple obfuscation layers on top of the Cerberus base:
| Technique | Details |
|---|---|
| Blowfish string encryption | All sensitive strings encrypted, decrypted at runtime |
| Class/method renaming | Standard ProGuard-style obfuscation |
| Packed payloads | Some samples use additional packing layers |
| Dynamic C2 resolution | C2 addresses encrypted and resolved at runtime |
### Accessibility Service
Like its Cerberus ancestor, Ermac's entire operation hinges on the Android Accessibility Service. The malware uses a persistent screen urging the user to enable accessibility until they comply. Once enabled, the service:
- Monitors foreground application changes via TYPE_WINDOW_STATE_CHANGED
- Auto-grants runtime permissions without user interaction
- Captures keystrokes across all applications
- Triggers overlays when target apps are detected
- Prevents uninstallation by intercepting settings navigation
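The combination described on this page, an accessibility service alongside SMS, overlay, contact and account permissions, is what an analyst looks for when triaging an APK's manifest. The following is an added example, not code from the page or from any Ermac sample: it parses an `AndroidManifest.xml`, extracts the declared permissions and any service bound with `BIND_ACCESSIBILITY_SERVICE`, and scores the result against the capability profile in the tables above. The manifest is constructed and the scoring weights are this example's own heuristic, not a published detection rule.

```python
"""Triage an Android manifest for the accessibility-plus-SMS-plus-overlay
profile described on this page.

Added example, not from the page or any Ermac sample. SAMPLE_MANIFEST is
constructed; the scoring is a heuristic chosen for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANAME = f"{{{ANDROID_NS}}}name"
APERM = f"{{{ANDROID_NS}}}permission"
A11Y_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Permission groups mapped onto the capability table on this page.
PROFILE = {
    "sms": {"android.permission.RECEIVE_SMS",
            "android.permission.READ_SMS",
            "android.permission.SEND_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "accounts": {"android.permission.GET_ACCOUNTS"},
    "packages": {"android.permission.QUERY_ALL_PACKAGES"},
}

# Constructed manifest resembling the pattern; not taken from a real sample.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <application android:label="Constructed App">
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def triage_manifest(xml_text: str) -> dict:
    """Return the package name, accessibility services, matched permission
    groups, a heuristic score and a verdict for one manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANAME) for e in root.iter("uses-permission")}
    a11y = [s.get(ANAME) for s in root.iter("service") if s.get(APERM) == A11Y_PERM]
    groups = sorted(g for g, names in PROFILE.items() if perms & names)
    # Accessibility alone is common in legitimate assistive apps; accessibility
    # combined with SMS and overlay access is the banking-trojan pattern.
    score = len(groups) + (2 if a11y else 0)
    if a11y and "sms" in groups and "overlay" in groups:
        verdict = "banker-like"
    elif a11y:
        verdict = "review"
    else:
        verdict = "low"
    return {"package": root.get("package"), "accessibility_services": a11y,
            "permission_groups": groups, "score": score, "verdict": verdict}


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

The function takes decoded manifest XML; a manifest pulled straight from an APK is in Android's binary XML form and has to be decoded first (for example with apktool) before it is passed in.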
## Target Regions and Financial Institutions
Ermac's target list grew substantially between versions, with heavy concentration in European and North American banking:
| Region | Notable Targets |
|---|---|
| Poland | Primary initial target; campaigns impersonating Bolt Food, PKO Bank |
| United States | Major banks and financial apps |
| Western Europe | Spain, France, Italy, Germany, UK |
| Eastern Europe | Turkey, Czech Republic |
| Australia | Major banking institutions |
| Cryptocurrency (global) | MetaMask, Trust Wallet, Coinbase, Crypto.com, Binance |
Cryptocurrency wallets became a significant focus in Ermac 2.0. The inject kits included dedicated phishing screens for seed phrase capture across major wallet applications, reflecting the broader trend of Android banking trojans expanding into crypto theft.
## Notable Campaigns
August 2021: First Ermac campaigns identified by ThreatFabric targeting Poland with 378 banking app overlays. DukeEugene advertised rentals at $3,000/month.
May 2022: Ermac 2.0 launched. Cyble documented campaigns using fake Bolt Food sites to deliver the updated trojan to Polish users. Target list expanded to 467 applications. Bleeping Computer reported the expanded targeting and $5,000/month rental price.
Q2-Q3 2022: Intel 471 reported Ermac as the third most active Android banking trojan, with campaigns spanning multiple continents. Cyble tracked increasingly active distribution across Europe.
January 2023: DukeEugene announced Hook, built on Ermac's codebase. Active Ermac campaigns began declining as operators migrated to the more capable successor.
2024: Silent Push uncovered 24 active DukeEugene control panels administering services for Ermac, Hook, and related variants, demonstrating that Ermac infrastructure remained partially operational even after Hook's introduction.
August 2025: The Ermac 3.0 source code leaked, exposing the full malware infrastructure including C2 panel code and builder tools, mirroring the original Cerberus leak that started the lineage.