{
	"id": "986cdb94-ef25-4a92-936a-5e129c6fbbc7",
	"created_at": "2026-04-06T00:16:50.013475Z",
	"updated_at": "2026-04-10T13:12:24.512788Z",
	"deleted_at": null,
	"sha1_hash": "2b279879ebba315d50a0c888f921cdb28050251e",
	"title": "Digital banking fraud: how the Gozi malware works",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2233083,
	"plain_text": "Digital banking fraud: how the Gozi malware works\r\nBy Federico Valentini, Francesco Iubatti\r\nArchived: 2026-04-05 12:39:16 UTC\r\nIntroduction\r\nAlso known as RM3, ISFB, Ursnif, Dreambot, CRM, and Snifula, Gozi can be considered as a group of malware\r\nfamilies which are based on the same malicious codebase. Historically, it has been known as one of the most\r\nwidely spread and longest-standing Banking Trojans with more than 14 years of activity. Its unique modular\r\narchitecture facilitates multiple Threat Actors (TAs) in carrying on with their own malicious purposes, which in\r\nmost cases are included in the following categories:\r\nBanking fraud\r\neCommerce fraud\r\nPOS devices compromise\r\nRansomware\r\nSince its source-code was leaked in 2015, tracking all the different variants appears to be knotty and time\r\nconsuming due to its fragmentation and the several distinct names used by security firms and researchers. The\r\nmain functionalities of Gozi families, and derivatives, include:\r\nActing as info-stealer by collecting system activities and data (including network and browser data)\r\nRecording keystrokes (keylogging)\r\nRecording videos or making screenshots\r\nPerforming MitB attacks on the targeted websites (e.g., Formgrabbing, Web-injects)\r\nRedirect browser navigation to malicious websites\r\nEnabling hVNC (hidden-VNC) and SOCKS proxy\r\nFocusing on the Banking fraud category, during the last 2 years we were able to analyze in-depth a specific TA\r\n(or a group of affiliates) which distributes Gozi infections on EU territory to corporate banks and their customers. \r\nDuring our analysis, we were able to extract multiple TTPs on how this specific TA leverages Gozi to execute\r\nunauthorized transactions to a well-organized network of bank mule accounts controlled by the same group.\r\nOUR FINDINGS\r\nMore than 50 different banks and financial institutions appear to be targeted by this group, which includes\r\nboth retail and corporate environments in Europe.\r\nThrough Gozi, the TA delivers a specific Web-inject family, which we dubbed as RATBANK (also known as\r\n‘delsrc’), which is used to discriminate interesting bots and to perform Account Takeover (ATO) fraud only on\r\nvalid ones.\r\nhttps://www.cleafy.com/cleafy-labs/digital-banking-fraud-how-the-gozi-malware-work\r\nPage 1 of 8\n\nThe TA behind this pattern has a deep knowledge of how those targeted corporate banking environments work,\r\nwhich steps are needed to authorize a bank transfer, and how different 2FA (two factor authentication)\r\nmechanisms can be bypassed, by identifying specific weaknesses in their implementation.\r\nDuring Q4 2020, the same group started distributing another Android malware (Alien) to expand their attack\r\nsurface also on mobile devices.\r\nThe TA has access to native-speaking operators who perform vishing attacks in the attempt to elicit victims during\r\nthe execution of an ATO scenario and to try to isolate all the communication between victims and their banks with\r\nSocial Engineering tricks.\r\nThe TA has access to a significant and well-structured set of money mule accounts, in multiple SEPA (Single Euro\r\nPayment Area) and NON-SEPA countries, which are typically discriminated against by the amount of the\r\nunauthorized transaction.\r\nIn the last 2 years, we identified more than 100 bank accounts controlled by this group, with the largest amount\r\nbeing 1,5M Euro, handled in a single bank transfer during a targeted Account Takeover fraud.\r\nGozi malspam distribution: a recent example\r\nGozi has a very stable malspam distribution routine as many different campaigns have been used to spread this\r\nmalware. In recent malspam campaigns, the well-known actor TA551 has been caught multiple times pushing\r\nGozi infection to European citizen as follows:\r\nhttps://www.cleafy.com/cleafy-labs/digital-banking-fraud-how-the-gozi-malware-work\r\nPage 2 of 8\n\nFigure 1 – TA551/Shathak [1] pushing Gozi in Europe (April 2020)\r\nTA551 (also known as Shathak) is a sophisticated threat actor behind an email-based malware distribution\r\ncampaign that often targets end-users on a global scale.Historically, TA551 has pushed different payloads\r\nbelonging to multiple malware families such as Gozi/Ursnif, IcedID, and Trickbot.\r\nEven though TA551 often targets English-speaking victims, it has been caught targeting German, Italian and\r\nJapanese users as well by using geofencing techniques that make payloads not accessible to users in all regions\r\nand better protected against malware analysts and researchers.\r\nThe following list shows multiple maldocs that, last April, spread Gozi infection from a specific TA551/Shathak\r\ncampaign focused on both German and Italian lures:\r\nhttps://www.cleafy.com/cleafy-labs/digital-banking-fraud-how-the-gozi-malware-work\r\nPage 3 of 8\n\nFigure 2 - Gozi maldocs pushed[2] by TA551/Shathak\r\nFigure 3 - TA551/Shathak German and Italian maldoc template\r\nFrom a high-level perspective, atypical Gozi infection is characterized by the following steps:\r\n1. The user opens the Word document attached to the received email and enables a malicious macro which\r\ntriggers the download of a dynamic link library (.dll) from a remote server.\r\n2. The downloaded .dll will be executed via RegSvr32.exe and unpack the core Gozi loader into memory,\r\nwhich is designed to manage all the interactions with the infected machine (e.g download/launch additional\r\nmodules, update configuration, etc.).\r\nhttps://www.cleafy.com/cleafy-labs/digital-banking-fraud-how-the-gozi-malware-work\r\nPage 4 of 8\n\n3. Gozi uses Internet Explorer (IE) COM objects to communicate with its C2server; it creates a running\r\ninstance through the CoCreateInstance() API.\r\nThe previous steps can be better visualized with the following “process graph view” which has been extracted\r\nfrom a recent Gozi malspam campaign:\r\nFigure 4 - Gozi process tree view[3]\r\n[1] Source: https://twitter.com/malware_traffic/status/1385241028924518410\r\n[2] Source: https://www.malware-traffic-analysis.net/2021/04/22/index.html\r\n[3] Source: https://app.any.run/tasks/5c628008-9f2c-49d1-8a94-aa878e46076f/\r\nExploring the “Gozi fraud core toolkit”\r\nAfter a new victim has been successfully infected, the TA will deliver a specific configuration through the core\r\nGozi loader, to instruct the bot on where to retrieve additional modules (also referred to as “second stages”),\r\nwhich typically includes:\r\nWeb-inject kit(s) for the targeted applications\r\nhVNC module\r\nSOCKS module\r\nhttps://www.cleafy.com/cleafy-labs/digital-banking-fraud-how-the-gozi-malware-work\r\nPage 5 of 8\n\nFigure 5 - Fraud-related additional modules (hVNC, Web-injects) from Gozi configuration\r\nWeb-injects are typically part of a MitB attack with the goal of modifying the content of a legitimate web page in\r\nreal-time by performing API hooking. They are considered as an extension of the formgrabbing technique since\r\nthey can intercept and manage web responses, altering the content before it is displayed on the browser (bypassing\r\nTLS protocol).  \r\nhVNC stands for Hidden VNC and means that the malware controls a machine without the victim’s knowledge.\r\nInstead of controlling a victim’s desktop, an attacker can open a hidden instance in the shape of a virtual desktop\r\nand control it invisibly behind the scenes, even as the unwitting victim continues using his or her computer.\r\nSOCKS module enables TA to remotely connect to the infected bot, routing all the internet data through the same\r\nIP address as the victim, bypassing anti-fraud countermeasures such as network heuristics, etc.\r\nWe refer to those three modules as the “Gozi fraud core toolkit” since those are the modules used by high-skilled\r\nfraud operators for conducting banking fraud nowadays which typically happens only on the most valuable bots.\r\nThis is an interesting pattern that we observed especially over the last year: from the initial malspam campaign to\r\nthe actual banking fraud attempt, it can take weeks or even months, and during this period operators enrich their\r\nbotnet automatically via RATBANK, exfiltrating in the background useful information, such as:\r\nValid credentials\r\nPersonal information and phone numbers(for further vishing attacks, if required)\r\nAccount balances\r\nRecent bank transfers\r\n2FA mechanism in use (e.g., SMS based, token based, QR codes)\r\nRATBANK appears to be the main Web-inject kit used by this TA, which works as aRitB (RAT in the Browser),\r\ninjecting a malware code into the browser memory by using MitB (Man in the Browser) techniques. In this way\r\nthe victim’s browser becomes a middle man component for all monitored web sessions. These specific attacks are\r\nvery hard to detect since the compromised user continues to act undisturbed in a normal-looking web session on\r\nhis own device and with his own IP address, known to (and therefore not suspected by) the targeted bank.\r\nhttps://www.cleafy.com/cleafy-labs/digital-banking-fraud-how-the-gozi-malware-work\r\nPage 6 of 8\n\nFigure 6 - RATBANK injected during the login process into a targeted website\r\nDuring our analysis, we were also able to intercept “less-common” configurations where we noticed the usage of\r\nanother Web-inject kit in addition to RATBANK, also known as tables, and well described in the following\r\nresearch published by FireEye in 2018.\r\nFigure7 - Two different Web-inject kits found on recent Gozi campaigns\r\nAn example of a related sample that has been caught delivering this specific configuration has been provided in\r\nAppendix 1: IOCs.\r\nOnce extracted, we identified more than 50 different financial institutions targeted by this specific configuration,\r\nincluding both retail and corporate banking environments, as shown in the following table:\r\nCountry Number of targets Webinjects kit (family) Additional modules\r\nhttps://www.cleafy.com/cleafy-labs/digital-banking-fraud-how-the-gozi-malware-work\r\nPage 7 of 8\n\nItaly 39 RATBANK (delsrc) SOCKS-5, hVNC\r\nGermany 12 tables   NA\r\nAppendix1: IOCs\r\n2ef16b02901c1bdd819ddf1aa96f3994 (Gozi maldoc)\r\n0b26191e482cf7c321efeb8d2569caac (Gozi loader)\r\nx-energy[.org/components/com_finder/img32.rar(hVNC 32 bit)\r\nx-energy[.org/components/com_finder/img64.rar(hVNC 64 bit)\r\necertificateboly[.us (RATBANK C2)\r\nSource: https://www.cleafy.com/cleafy-labs/digital-banking-fraud-how-the-gozi-malware-work\r\nhttps://www.cleafy.com/cleafy-labs/digital-banking-fraud-how-the-gozi-malware-work\r\nPage 8 of 8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cleafy.com/cleafy-labs/digital-banking-fraud-how-the-gozi-malware-work"
	],
	"report_names": [
		"digital-banking-fraud-how-the-gozi-malware-work"
	],
	"threat_actors": [
		{
			"id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f",
			"created_at": "2022-10-25T15:50:23.579601Z",
			"updated_at": "2026-04-10T02:00:05.360509Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"TA551",
				"GOLD CABIN",
				"Shathak"
			],
			"source_name": "MITRE:TA551",
			"tools": [
				"QakBot",
				"IcedID",
				"Valak",
				"Ursnif"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "40b623c7-b621-48db-b55b-dd4f6746fbc6",
			"created_at": "2024-06-19T02:03:08.017681Z",
			"updated_at": "2026-04-10T02:00:03.665818Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shathak",
				"TA551 "
			],
			"source_name": "Secureworks:GOLD CABIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "90f216f2-4897-46fc-bb76-3acae9d112ca",
			"created_at": "2023-01-06T13:46:39.248936Z",
			"updated_at": "2026-04-10T02:00:03.260122Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shakthak",
				"TA551",
				"ATK236",
				"G0127",
				"Monster Libra"
			],
			"source_name": "MISPGALAXY:GOLD CABIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68",
			"created_at": "2022-10-25T16:07:24.578896Z",
			"updated_at": "2026-04-10T02:00:05.039955Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"G0127",
				"Gold Cabin",
				"Monster Libra",
				"Shathak",
				"TA551"
			],
			"source_name": "ETDA:TA551",
			"tools": [
				"BokBot",
				"CRM",
				"Gozi",
				"Gozi CRM",
				"IceID",
				"IcedID",
				"Papras",
				"Snifula",
				"Ursnif",
				"Valak",
				"Valek"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434610,
	"ts_updated_at": 1775826744,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2b279879ebba315d50a0c888f921cdb28050251e.pdf",
		"text": "https://archive.orkl.eu/2b279879ebba315d50a0c888f921cdb28050251e.txt",
		"img": "https://archive.orkl.eu/2b279879ebba315d50a0c888f921cdb28050251e.jpg"
	}
}