- Threat actor isExploit is selling the full source code of BTMOB v4.1 — a commodity Android RAT pitched as "best of 2026" — with prebuilt overlays for BPI, Santander, Millennium, plus a 7-vector DDoS module and SSH router pivot.
- Source-code sales of this class historically trigger fork waves within weeks.
TL;DR
A threat actor going by isExploit has listed the full source code of BTMOB v4.1 on a popular cybercrime forum, pitching it as "the best RAT of 2026." The listing screenshots show an injection lab pre-loaded with overlays for Portuguese banking apps — BPI Net, BPI Directo, Millennium BCP, Santander — plus a multi-server operator panel, a 7-vector DDoS module, an SSH/Telnet router-pivot capability, and a silent Monero miner tuned to keep CPU/thermal signals low. Public researchers tracked BTMOB up to v4.0 (sold as MaaS by evlf_dev for $5,000 lifetime); v4.1 graduates to source-code sale, which historically accelerates rebrands and forks within 60–90 days. Defenders should expect a wave of BTMOB-derived campaigns against EU banking customers.
What's new in v4.1
The listing — first surfaced by DarkWebInformer — reveals several capabilities not present in earlier public BTMOB writeups:
- DDoS module with 7 attack types in single- and multi-client modes — turns each compromised handset into a small botnet node.
- SSH and Telnet remote command execution — letting operators pivot from an infected phone to the home router on the same network, modifying DNS or redirecting traffic at the gateway level.
- Silent Monero (XMR) miner with a reduced-CPU profile so the device doesn't get hot enough to tip off the user.
- Persistence via default screensaver assignment — a novel survival vector beyond the usual accessibility-service lockdown.
- APK dropper in "Plugin Mode" that masquerades as a legitimate Play Store install, plus customizable builder for name, icon, version, and ID.
- ~6 MB APK footprint (capped at 20 MB) — small enough to slip past size-based heuristics.
- Optional APK encryption, accessibility-detection bypass tuning, auto-resume of file/camera/screen/mic/keylogger modules on reconnect, and a PIN grabber.
Why it matters
BTMOB has been a MaaS product since early 2025. Cyble first documented v2.5 in January 2025; the family iterated rapidly through v3.0, v3.2, v3.6 (subscription pricing), and v4.0 within a single year. The current operator evlf_dev has historically priced it at $5,000 lifetime + $300/month updates, $7,000 for a custom build, and $10,000 for the full source. Source-code sales by a third actor (isExploit) signal that this $10,000 tier has effectively been onward-sold — and once code is in multiple hands, you get rebrands, forks, and independent campaigns that defenders can't track from a single-actor IOC feed.
The Portuguese banking templates baked into the v4.1 builder also matter: prior BTMOB campaigns targeted Brazil, Turkey, Argentina, and China. v4.1 is the first time we see Western European banking targeting wired into the product.
Technical facts
v4.1 inherits BTMOB's full v4.0 technical baseline (per AWAKE's catalog of D3Lab's leaked-toolkit analysis) and adds the network/persistence features above:
| Component | Detail |
|---|---|
| C2 protocol | WebSocket (real-time bidirectional) + HTTP for bulk exfil |
| Backend path | /yaarsa/ with yarsap_*.php endpoints |
| Operator panel | BTMob.exe (Windows) — multi-server in v4.1 |
| Credential capture | WebView injection via brows command — load any URL/HTML, JS extracts form fields live |
| Screen capture | Media Projection API (live streaming) |
| OS abuse | Accessibility Service auto-grants Android 13/14/15 permissions, blocks Settings access |
| Modules | Camera (front+rear), mic, GPS, clipboard, SMS/contacts/call-log exfil, keylogger |
| New in v4.1 | DDoS (7 vectors), SSH/Telnet pivot, XMR miner, screensaver persistence |
| APK size | ~6 MB (max 20 MB), optional encryption |
Comparison
The closest peers are Hook (post-leak, larger operator base), Ermac (overlay-only), Octo (VNC-style streaming via accessibility), and BeatBanker (Brazil-focused dual-mode banker+miner that recently swapped in BTMOB as its final payload, per Securelist). v4.1's edge:
- Dynamic WebView injection — no need for pre-built overlay templates per app; operator just feeds a URL.
- Router pivot via SSH/Telnet — not present in Hook/Ermac/Octo. Where home routers have default credentials, this turns a single phone compromise into a network-wide DNS hijack.
- Built-in XMR miner — collapses what BeatBanker needed two malware families to do.
Use cases & targeting
Listing screenshots show an "injection lab" preloaded with templates for pt.bancobpi.mobile, pt.millenniumbcp, plus Santander — pointing to active campaigns against Portuguese-speaking banking customers in Portugal and likely Brazil. Operator panel screenshots show a Clients Manager with broadcast, redirect, updates, bots, DoS, and mining tabs.
Historical operator deployments give a preview of what v4.1 buyers will do: fake Google Play pages dropping the APK as a "StarLink update," a government-services app ("INSS Reembolso"), a streaming app (iNat TV), or a WhatsApp mod. Once installed, the dropper loops accessibility prompts until the victim grants, then auto-grants everything else and starts overlaying banking app foregrounds.
Limitations & pricing
Pricing for the v4.1 source listing isn't disclosed in the snippet, but BTMOB v4.0's full-source tier from evlf_dev was $10,000. The fact that source is being resold suggests further price erosion as buyers redistribute.
Operationally, BTMOB's heavy accessibility-service abuse is itself the loudest IOC — Android 14+ restricted-settings flags and MTD tools can detect the auto-grant looping. The router-pivot module only works against home routers with default or weak credentials. And v4.1 still requires the victim to sideload the APK and grant accessibility, so users who stick to Play Store + Play Protect + locked sideload remain largely safe.
What's next
Source-code sales of this class (Cerberus 2020, Hook 2023) historically trigger 5–10 independent forks within 60–90 days, each with cosmetic rebranding and minor tweaks. Expect:
- New BTMOB-derived families targeting Portuguese and Spanish banking apps — BPI, Santander, Millennium, BBVA, CaixaBank.
- Surge in accessibility-service abuse and dynamic WebView injection across mobile banking and crypto wallet apps.
- Dropper apps disguised as Play Store installs ("Plugin Mode"), often pushed via SMS smishing or sponsored-search results.
- Router-level compromise where infected phones are on home Wi-Fi with default-credential routers — DNS hijack to phishing infrastructure.
- Continued absorption into composite campaigns (BTMOB-as-payload), like BeatBanker did.
Defender checklist
- Disable sideloading on managed devices; enforce Play Protect.
- Alert on apps requesting Accessibility Service that aren't on a known-good list.
- Block known BTMOB /yaarsa/ C2 paths and yarsap_*.php endpoints at the egress.
- Rotate default router credentials on employee home networks (BYOD/WFH posture).
- Watch for outbound XMRig/StratumV2 traffic from mobile devices — XMR miner is now baked in.
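One way to operationalize the technical-facts table's C2 indicators (/yaarsa/ with yarsap_*.php, reached over HTTP/WebSocket) together with the checklist's egress and miner items is a small log-triage script. The following is an added example, not part of the original brief or any vendor tooling; it assumes a constructed egress-log format and that XMRig-style Monero miners open their stratum session with a JSON-RPC "login" (classic stratum uses "mining.subscribe").

```python
import re
from typing import Dict, Optional, Set

# Indicators from the report: backend path /yaarsa/ with yarsap_*.php endpoints.
C2_PATH_PREFIX = "/yaarsa/"
C2_ENDPOINT = re.compile(r"/yaarsa/yarsap_\w+\.php", re.IGNORECASE)
# Stratum handshake (assumption): XMRig/Monero opens with JSON-RPC "login", classic stratum with "mining.subscribe".
STRATUM_HELLO = re.compile(r'"method"\s*:\s*"(?:login|mining\.subscribe)"')

# Constructed egress log, NOT real traffic. Format (assumed):
# <ts> <src> <dst> <method|RAW> <path|-> <user-agent or first payload line>
SAMPLE_LOG = """\
2026-03-01T09:12:01Z 10.20.5.41 203.0.113.7 POST /yaarsa/yarsap_gate.php Dalvik/2.1.0
2026-03-01T09:12:02Z 10.20.5.41 203.0.113.7 GET /yaarsa/ws Upgrade:websocket
2026-03-01T09:13:40Z 10.20.5.88 198.51.100.9 GET /static/app.js Mozilla/5.0
2026-03-01T09:15:10Z 10.20.5.41 203.0.113.7 RAW - {"id":1,"jsonrpc":"2.0","method":"login","params":{"agent":"XMRig/6.21.0"}}
2026-03-01T09:16:00Z 10.20.5.12 198.51.100.9 GET /yaarsa/ Mozilla/5.0
"""

def classify(line: str) -> Optional[str]:
    """Tag one log line with a BTMOB indicator, or None if nothing matched."""
    parts = line.split(maxsplit=5)
    if len(parts) < 6:
        return None
    _ts, _src, _dst, method, path, rest = parts
    if method == "RAW":  # raw TCP payload, e.g. a miner talking to its pool
        return "stratum_mining" if STRATUM_HELLO.search(rest) else None
    if C2_ENDPOINT.search(path):
        return "btmob_c2_endpoint"
    if path.startswith(C2_PATH_PREFIX):
        return "btmob_c2_path"
    return None

def triage(log_text: str) -> Dict[str, Set[str]]:
    """Group indicator tags by source device so multi-signal hosts stand out."""
    hits: Dict[str, Set[str]] = {}
    for line in log_text.splitlines():
        tag = classify(line)
        if tag:
            hits.setdefault(line.split()[1], set()).add(tag)
    return hits

def score(tags: Set[str]) -> str:
    """C2 beacon plus the baked-in XMR miner from one device is the strongest signal."""
    if "btmob_c2_endpoint" in tags and "stratum_mining" in tags:
        return "high"
    if "btmob_c2_endpoint" in tags or "stratum_mining" in tags:
        return "medium"
    return "low"  # bare /yaarsa/ prefix alone: block it, but verify before escalating
```

Feed real proxy or NetFlow-derived lines through `classify` after adapting the field split to your log schema; the per-device grouping in `triage` is what separates a BTMOB beacon-plus-miner host from a one-off path match.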
Sources: DarkWebInformer (primary listing), AWAKE, Cyble, Securelist, Kaspersky, ANY.RUN.
