{ "id": "8f3a8eb1-23bb-4588-ae86-77f8677cbbcd", "created_at": "2026-04-06T00:14:34.398182Z", "updated_at": "2026-04-10T03:25:13.079869Z", "deleted_at": null, "sha1_hash": "5d5405071100061f5d342057150e0cad692cb48d", "title": "Gozi ISFB - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 34485, "plain_text": "Gozi ISFB - Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 19:55:05 UTC\r\nDescription2006 Gozi v1.0, Gozi CRM, CRM, Papras\r\n2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)\r\nIn September 2010, the source code of a particular Gozi CRM dll version was leaked. This led to two main\r\nbranches: one became known as Gozi v2, which was merged with Pony and became Vawtrak/Neverquest.\r\nThe other branch became known as Gozi ISFB, or ISFB in short. Webinject functionality was added to this\r\nversion.\r\nThere is one panel which often was used in combination with ISFB: IAP. The panel's login page comes with the\r\ntitle 'Login - IAP'. The body contains 'AUTHORIZATION', 'Name:', 'Password:' and a single button 'Sign in' in a\r\nminimal design. Often, the panel is directly accessible by entering the C2 IP address in a browser. But there are\r\nISFB versions which are not directly using IAP. The bot accesses a gate, which is called the 'DreamBot' gate.\r\nISFB often was protected by Rovnix. This led to a further complication in the naming scheme - many companies\r\nstarted to call ISFB Rovnix. Because the signatures started to look for Rovnix, other trojans protected by Rovnix\r\n(in particular ReactorBot and Rerdom) sometimes got wrongly labelled.\r\nIn April 2016 a combination of Gozi ISFB and Nymaim was detected. This breed became known as GozNym. The\r\nmerge uses a shellcode-like version of Gozi ISFB, that needs Nymaim to run. The C2 communication is\r\nperformed by Nymaim.\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9bbd1a95-2295-44d3-9bbf-9db87a98adb3\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9bbd1a95-2295-44d3-9bbf-9db87a98adb3\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9bbd1a95-2295-44d3-9bbf-9db87a98adb3" ], "report_names": [ "listgroups.cgi?u=9bbd1a95-2295-44d3-9bbf-9db87a98adb3" ], "threat_actors": [ { "id": "b753c6a8-a83d-47bc-829d-45e56136eb7d", "created_at": "2023-01-06T13:46:38.97802Z", "updated_at": "2026-04-10T02:00:03.169611Z", "deleted_at": null, "main_name": "GozNym", "aliases": [], "source_name": "MISPGALAXY:GozNym", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434474, "ts_updated_at": 1775791513, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/5d5405071100061f5d342057150e0cad692cb48d.pdf", "text": "https://archive.orkl.eu/5d5405071100061f5d342057150e0cad692cb48d.txt", "img": "https://archive.orkl.eu/5d5405071100061f5d342057150e0cad692cb48d.jpg" } }