{
	"id": "04dd473c-d30c-4fd6-b476-fb110d6e0f1f",
	"created_at": "2026-04-06T00:09:47.317477Z",
	"updated_at": "2026-04-10T03:21:34.151018Z",
	"deleted_at": null,
	"sha1_hash": "2988471a13a1a733407e050a4953ad85f937eb62",
	"title": "Ursnif Trojan has targeted over 100 Italian banks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 38732,
	"plain_text": "Ursnif Trojan has targeted over 100 Italian banks\r\nArchived: 2026-04-05 15:01:24 UTC\r\nThe Ursnif Trojan has been traced back to attacks against at least 100 banks in Italy. \r\nAccording to Avast, the malware's operators have a keen interest in Italian targets and attacks against these\r\nbanking institutions have led to the loss of credentials and financial data.\r\nThe cybersecurity firm said on Tuesday that at least 100 banks have been targeted, based on information gathered\r\nby the researchers. \r\nIn one case alone, an unnamed payment processor had over 1,700 sets of credentials stolen. \r\nAvast found usernames, passwords, credit card, banking, and payment information that appears to have been\r\nharvested by the malware. \r\nFirst discovered in 2007, Ursnif began its journey as a simple banking Trojan. The information stealer's code was\r\nleaked on GitHub and has since evolved and become more sophisticated, with its code being developed\r\nindependently and also appearing as part of the Gozi banking malware. \r\nUrsnif is usually spread via phishing emails -- such as invoice requests -- and attempts to steal financial data and\r\naccount credentials. \r\nDarktrace researchers documented a 2020 campaign in which the malware was used in an attack against a US\r\nbank. A phishing email was sent to an employee who unwittingly opened a malicious attachment and accidentally\r\ndownloaded an executable file disguised with a .cab extension. \r\nThis file called out to command-and-control (C2) servers registered in Russia only a day prior to the launch of the\r\ncampaign -- and, therefore, the IPs were not blacklisted at the time of infection. A recent obfuscation technique\r\nnoted in this attack was the use of User Agents imitating Zoom and Webex to try and hide in network traffic.\r\nDarktrace has also tracked the malware in attacks against organizations in the US and Italy. 
\r\nAvast has shared its findings with the victim banks the company was able to identify, alongside CERTFin Italy, a\r\nfinancial services data exchange managed by the Bank of Italy and the Italian Banking Association (ABI).\r\nSource: https://www.zdnet.com/article/ursnif-trojan-has-targeted-over-100-italian-banks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zdnet.com/article/ursnif-trojan-has-targeted-over-100-italian-banks/"
	],
	"report_names": [
		"ursnif-trojan-has-targeted-over-100-italian-banks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434187,
	"ts_updated_at": 1775791294,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2988471a13a1a733407e050a4953ad85f937eb62.pdf",
		"text": "https://archive.orkl.eu/2988471a13a1a733407e050a4953ad85f937eb62.txt",
		"img": "https://archive.orkl.eu/2988471a13a1a733407e050a4953ad85f937eb62.jpg"
	}
}