{
	"id": "71707409-5b7e-4422-bf4c-beb05b70dff2",
	"created_at": "2026-04-06T00:09:56.167577Z",
	"updated_at": "2026-04-10T03:36:36.91577Z",
	"deleted_at": null,
	"sha1_hash": "a1888b908d5fba43b6a9dfcabdbf1b3d3850d3bc",
	"title": "Banking Trojans: A Reference Guide to the Malware Family Tree",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 521787,
	"plain_text": "Banking Trojans: A Reference Guide to the Malware Family Tree\r\nBy Authors \u0026 Contributors\r\nArchived: 2026-04-05 23:34:50 UTC\r\nIntroduction\r\nF5 Labs attack series education articles help you understand common attacks, how they work, and how to defend\r\nagainst them.\r\nWhat is a Trojan?\r\nA trojan is any type of malicious program disguised as a legitimate one. Often, they are designed to steal sensitive\r\ninformation (login credentials, account numbers, financial information, credit card information, and the like) from\r\nusers.\r\nTrojan malware takes its name from the classic Trojan horse ploy from the war between the Greeks and the\r\nindependent city of Troy. The ancient Greeks were able to defeat the city of Troy by hiding soldiers inside a giant\r\nwooden horse they left behind as a gift while they feigned retreat following a 10-year war. Little did the Trojans\r\nrealize that by taking the horse as a trophy of war, they were bringing an elite Greek fighting force right inside the\r\nwalls of their city, ultimately leading to the fall of Troy. A malicious gift thus became known as a Trojan Horse.\r\nA banking trojan operates in much the same way—disguising itself as something good or beneficial to users, but\r\nhaving a far more sinister, hidden purpose. Even a mobile app that appears to serve a genuine purpose (for\r\nexample, a game, flashlight, or messaging service) can secretly be a trojan looking to steal information. Trojans\r\nevade detection by having dormant capabilities, hiding components in other files, forming part of a rootkit, or\r\nusing heavy obfuscation.\r\nEvery individual family of malware has its own “signature moves,” and with each iteration, malicious actors grow\r\nmore sophisticated. Banking trojans are a specific kind of trojan malware. 
Once installed onto a client machine,\r\nbanking trojans use a variety of techniques to create botnets, steal credentials, inject malicious code into browsers,\r\nor steal money.\r\nHow Banking Trojans Began\r\nIt took almost 20 years for banking customers to get comfortable with the idea of online banking, which began in\r\nthe 1980s. With the majority of banks offering online banking by the year 2000, it wasn’t long before attackers\r\nfound ways to exploit this new attack surface using banking malware. Banks were quick to realize that they were\r\nattractive targets to attackers, and they responded by hardening their systems. In turn, cybercriminals soon realized\r\nthat it was difficult to attack the institutions themselves, so they pivoted, targeting customers instead. Stealing\r\ncustomer credentials was a more feasible avenue of attack, and out of this the first banking trojans were created.\r\nhttps://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree\r\nPage 1 of 10\n\nBanking trojans targeted users primarily through spam, phishing, advertising, drive-by downloads, or social\r\nengineering. They can falsely advertise themselves as attachments or games.\r\nSince then, the scope, technical ability, and focus of the malware authors have changed. What first started as\r\nmalware that primarily targeted customers of financial institutions evolved to target a range of industries,\r\nincluding online advertisers, digital analytics firms, financial tech companies, social media sites, and\r\ncommunication platforms. Today, banking trojans are pervasive across the Internet, and all sorts of institutions—\r\nnot just financial institutions—need to be aware of how to protect themselves and their customers.\r\nSpeaking the Language\r\nBefore we look at specific banking trojans, there’s a bit of malware jargon that helps make these descriptions\r\neasier to understand:\r\nMalware family. 
A collection of malware that’s produced from the same code base.\r\nVariant. Malware that’s built from an existing code base, but with a new signature that is not included in\r\nthe list of known bad signatures used by anti-virus and anti-malware solutions.\r\nStrain. Another name for a malware variant.\r\nMalware version. Another name for a malware variant.\r\nDescendant. Similar to a variant, descendant refers to malware that’s based on an existing code base and\r\nintegrates different tools or techniques.\r\nCampaign. A series of operations undertaken by malware authors intended to infect a specific set of\r\ntargets.\r\nRootkit. Code that targets the lowest level functions of an operating system. It is often used by malware to\r\nhide, both from users and from the operating system itself.\r\nBootkit. Code that targets the operating system when it starts up. It often runs automatically when the\r\nsystem starts.\r\nDropper. Usually used at the first stage in a malware infection, droppers are designed to install some other\r\nkind of malware onto a target system.\r\nSample. A single example of a malware variant that is studied by engineers to determine characteristics of\r\nthe malware variant.\r\nActive and Notable Trojan Banking Malware Families\r\nThe number of banking malware families—and strains within those families—is constantly evolving. What\r\nfollows is not a comprehensive list of all banking trojans, but includes some of the most destructive banking trojan\r\nfamilies seen since 2007.\r\nZeus. Also known as ZBOT, Zeus is the most widespread banking malware. First seen in 2007 grabbing\r\nuser credentials, altering webpage forms, and redirecting users to fake sites (among other things), it\r\nconsistently evolved. 
Zeus was pervasive across the Internet until 2010 when, according to Kaspersky\r\nLab, its author reportedly “retired” and sold the source code to the developer of SpyEye, another family of\r\nbanking trojans.1 Zeus has been attributed to an anonymous developer in Russia; however, cybercriminal\r\ngangs can easily cross national borders. The source code has been publicly available since 2011, and a\r\nnumber of variants have been developed. The original version of Zeus malware worked on Microsoft\r\noperating systems and was spread through spam and drive-by downloads. Since then, Zeus variants have\r\nevolved in technique and sophistication. Some are able to evade detection and others were designed to\r\ngenerate income through a pay-per-click model. Although the original version of Zeus has been largely\r\nneutralized by anti-virus software, it continues to be dangerous through its numerous descendants. Zeus\r\nand its spinoffs can be seen all over the web, as there are thousands of variants, including notable ones such\r\nas Citadel, Gameover, and Atmos.\r\nGozi. Also known as Ursnif, Gozi is one of the oldest banking trojans. To put it simply, Gozi tricks users\r\ninto completing financial transactions in accounts that aren’t theirs. It’s been around since 2007 and, as one\r\nof the original banking trojans, has caused millions of dollars in damages. In 2010, the Gozi source code\r\nwas leaked, which led to the creation of several different versions of the malware. It was leaked for a\r\nsecond time in 2015, which led to further modularization and development of new versions of the malware.\r\nIn 2016, Latvian hacker Deniss Calovskis was sentenced to time served (21 months) for developing the\r\noriginal Gozi code.9 Arresting a key developer often stops banking trojans, but it appeared to have little\r\neffect with Gozi. 
After more than ten years, Gozi continues to be one of the most sophisticated and\r\nconstantly evolving malware families. When first developed, Gozi used rootkit components to hide its processes.\r\nMore recently it has added both client-side and server-side evasion techniques and has continued to evolve.\r\nRecently, Gozi and Tinba have been connected through their use of shared web injection techniques.\r\nAlthough the scope has expanded for many banking trojans, Gozi continues to target financial institutions.\r\nAs of March 2019, Gozi has been connected to DanaBot for targeting some of the same Italian banks. Gozi\r\nshows no signs of stopping and is considered one of the most dangerous pieces of banking trojan malware.\r\nGozNym. GozNym is a hybrid of Gozi and Nymaim. The Nymaim malware itself is a dropper. It acts\r\nsolely as a gateway—a delivery system for other strains of malware. GozNym uses Nymaim’s advanced\r\nstealth capabilities to deliver the previously mentioned Gozi malware. Researchers originally tracked both\r\npieces of malware individually. Nymaim on its own is famous for its sophisticated evasion techniques and\r\nwas seen as early as 2013.10 As of late 2015, security researchers noticed that Nymaim was fetching a Gozi\r\nmodule and using it to launch attacks. Attacks by the first GozNym hybrid malware were detected in April\r\n2016 targeting Polish banks. These attacks were quickly followed up with another geo-centric campaign\r\ntargeting major US banks and e-commerce platforms.11 GozNym continued its operations all over the\r\nworld, targeting a range of countries from Canada to Spain to Brazil and Japan.\r\nGozNym was one of the most notorious banking trojan hybrids but its reign was short-lived. 
In September\r\n2016, security researchers at Talos were able to “sinkhole” the GozNym botnet, essentially stopping\r\noperations.12 In November 2016, US authorities indicted Krasimir Nikolov, a Bulgarian national, for the\r\ndistribution of the GozNym banking trojan51 and in April 2019 he pled guilty to the charges.52 Operations\r\nwith GozNym slowed after Nikolov’s arrest, however Nymaim remains an active threat and there has been\r\nsome recent speculation that parts of GozNym may yet reemerge in new malware forms.53\r\nCarberp. This malware first emerged in 2009. Its purpose was to steal banking credentials. Along with\r\nhooking network APIs,13 Carberp works like many other banking trojans by logging keystrokes, spoofing\r\nwebsites, and hiding instances of itself in specific locations.14 In 2012, eight individuals involved with\r\nCarberp’s operations were arrested by Russia’s Ministry of Affairs. In 2013, however, Carberp made a\r\ncomeback with improved paid versions and mobile app variants available in the wild. In 2013 Carberp’s\r\ncode and bootkit were leaked; components of Ursnif (also known as Gozi) and Citadel were also found\r\ninside.15 Carberp was adopted by the Carbanak gang in 2016 and was spotted attempting to steal money\r\nfrom banks all over the world.16 This organized cybercrime gang allegedly began in 2013 and is suspected\r\nof other organized criminal activity, including money laundering and drug and human trafficking. In 2018\r\nthe alleged leader of the Carbanak criminal gang was arrested.17 Since then, Carberp has remained quiet,\r\nthough still an active threat. 
Silence, another group that has used many of the same techniques as\r\nCarbanak, has been active in the cybercrime scene targeting banks in Russia, Armenia, and Malaysia.54\r\nCarberp is still a threat, and it is very possible that it will make a strong resurgence.\r\nSpyEye. First spotted in the wild in 2009, SpyEye targeted Windows users running some of the most\r\npopular web browsers. It logged keystrokes and used form grabbing techniques to steal users' credentials.\r\nAs well as being a banking trojan in its own right, it attempted to target and remove the competitive\r\nmalware, Zeus. SpyEye originally had a “kill Zeus” feature in its toolkit that claimed to remove Zeus from\r\nan already infected machine. SpyEye never reached the same distribution of Zeus, though it had many of\r\nthe same features. In 2010, one of Zeus’ authors allegedly shared Zeus’ source code with the SpyEye\r\ndevelopers and they merged the two toolkits.18 SpyEye was particularly destructive from 2010 through\r\n2012 and allegedly caused close to $1 billion in financial damages.19 In 2016, Russian Aleksandr\r\nAndreevich Panin, who went by the moniker, Gribodemon, and Algerian Hamza Bendelladj, who went by\r\nthe moniker of Bx1, were sentenced to a combined 24 years 6 months in prison for developing and\r\ndistributing SpyEye.20\r\nShylock. Shylock’s authors clearly had an appreciation for Shakespeare as this trojan took its name from\r\nThe Merchant of Venice and contained snippets from the play in its files.21 Shylock began its campaign in\r\n2011, capturing users' online banking credentials and then tricking them into transferring funds to attacker-controlled accounts. It used modular, adaptable functionality that responded quickly to security\r\ncountermeasures. Shylock was first detected in July 2011. By the end of 2011, its distribution had grown\r\nsignificantly. 
It continued to expand over the course of 2012 and maintained its presence up until 2014.22\r\nUnlike many other banking trojans, Shylock was privately owned and was not sold in an underground\r\nmarketplace. Also, unlike some other banking trojans, Shylock maintained a narrow geographic remit\r\nthroughout its active time, notably focusing its attention on the UK with some US banking institutions also\r\nappearing on the target list. Shylock’s authors ran it as a business, working typical 9 to 5 hours with code\r\ncompilations occurring on specific days.23 In July 2014, an eastern European gang connected with Shylock\r\nhad its domains and command-and-control servers shut down.24 Activity for Shylock trailed off after the\r\nassets were confiscated.\r\nCitadel. First identified in 2011, Citadel, a Zeus variant, primarily targeted credentials that were stored in\r\npassword managers using its keylogging capabilities. Citadel was especially active from 2012 through\r\n2014. In 2017, prosecutors asserted that Citadel had infected over 11 million machines.25 Using advanced\r\nevasion techniques, Citadel achieved unprecedented distribution. IBM researchers estimated that, at one\r\npoint, 1 in every 500 machines worldwide was infected with the malware.26 Citadel offered a unique\r\ninteractive feature on underground markets for customers (that is, other criminals) that enabled them to file\r\nbug reports and get technical support.27 This feature ultimately led to its demise. In 2015, “Rainerfox,”\r\nalso known as Dimitry Belorossov, was arrested and sentenced to nearly five years in prison for\r\ndistributing Citadel. In 2017, Mark Vartanyan, a Russian national who went by the moniker “Kolypto,”\r\npled guilty to fraud for helping to develop part of the Citadel malware. 
He was sentenced to five years in\r\nprison for his part.28 Since 2017, news about Citadel has slowed but, like many other banking trojans that\r\nhave reemerged from dormancy, it remains an active threat.\r\nTinba. Also known as Tiny Banking Trojan, Tinba was first discovered in the wild in 2012 when it was\r\nfound to have infected a number of computers in Turkey. It is the smallest banking trojan known,\r\nconsisting only of a 20 KB file. It typically runs geo-specific campaigns, though varies its regions. Tinba’s\r\ncode was first leaked in 2014 and proved to be a useful resource for malware researchers to analyze.29\r\nTinba has also been linked to other banking trojans in the past. It is allegedly a highly modified version of\r\nZeus, as it has a similar architecture.30 In 2016, F5 Labs reported that Tinba and Gozi used almost identical\r\nweb injects. They seem to have been bought from the same webinject workshop. Tinba has not been in the\r\nnews recently, but it would be naive to think that it is gone for good.\r\nVawtrak. Also known as Neverquest or Snifula, Vawtrak is a descendant of the Gozi banking trojan. First\r\ndiscovered in 2013, Vawtrak was active in geographically targeted campaigns and employs a Cybercrime-as-a-Service business model. This is not unique to Vawtrak, as other trojans, including Gameover Zeus,\r\nalso use this business model. Instead of selling the malware outright, Vawtrak’s authors offer malware\r\ndelivery based on a service agreement. 
For example: a number of passwords stolen from X number of\r\nusers, using bank Y in country Z.31 There have been a few technical papers detailing the analysis of the\r\nVawtrak malware and its evolution over the years.32 In January 2017, Vawtrak’s alleged author, Russian\r\nnational Stanislav Vitaliyevich Lisov, who went by the monikers “Black” and “Blackf,” was arrested and as\r\nof February 2019, pled guilty to creating, running, and infecting users with the Vawtrak banking trojan.33\r\nVawtrak’s activity declined after Lisov’s arrest, however, another banking trojan, Bokbot (also known as\r\nIcedID) has been connected to the group behind Vawtrak.34\r\nEmotet. This malware was first identified by security researchers in 2014 as a simple banking trojan. Later\r\nversions of the malware evolved and included the addition of malware delivery services, including the\r\nability to install other banking trojans.35 In August 2017, Emotet was connected to another banking trojan,\r\nDridex—Emotet “dropped” Dridex as an additional payload.36 The technique of using one piece of\r\nmalware to drop another is not new, but it is significant to see banking trojans “working together.” As of\r\nSeptember 2018, Emotet was utilizing the EternalBlue Windows vulnerability (first seen with the\r\nWannaCry ransomware) in order to propagate.37 A patch for this vulnerability has been available for some time; however,\r\nthere are still devices out there that haven’t yet patched against the SMB (file sharing) vulnerability.\r\nEmotet is not a continually running malware; it tends to run through geographically centered campaigns,\r\nyet its techniques are constantly evolving and it continues to be dangerous.\r\nKronos. Kronos is known in Greek mythology as the “Father of Zeus.” Kronos malware was first discovered in a\r\nRussian underground forum in 2014 after the takedown of Gameover Zeus. 
It was more expensive than many\r\nother banking trojans, costing $7,000 to buy outright or $1,000 for a one-week trial. Many other banking trojans\r\ncould be bought from underground forums for hundreds, not thousands, of dollars. Kronos marketed itself as one\r\nof the most sophisticated trojans, and many malware researchers commented that its author(s) clearly had prior\r\nknowledge of malware techniques.2 The code is well obfuscated using many different techniques. Security\r\nresearchers from Kaspersky Lab postulated that Kronos may be a spin-off of the Carberp banking trojan,3 and\r\nIBM analysts also connected Kronos to Zeus through its compatible HTML injection mechanism.4 In August 2017,\r\nMarcus Hutchins, the security researcher who single-handedly put a halt to the WannaCry ransomware outbreak,\r\nwas indicted and charged with writing with intent to distribute Kronos malware. In April 2019, Hutchins pled\r\nguilty to two of the ten charges laid against him.5 As of July 26th 2019, Hutchins was sentenced to time served\r\nwith supervised release.6 Unlike many other banking trojans, Kronos did not die out with the arrest of a\r\nsupposed key author. In July 2018, Kronos reemerged with three distinct campaigns targeting Germany, Japan,\r\nand Poland. There is also some circumstantial and speculative evidence in the malware research community\r\nsuggesting that Kronos has been rebranded and is being sold as the Osiris banking trojan.7 Kronos is still\r\nactive and continues to be a threat.\r\nDyre. Also known as Dyreza, Dyzap, and Dyranges, Dyre first emerged in 2014 targeting major online\r\nbanking services. 
Dyre is allegedly a variant of Zeus malware, though no official attribution to the source\r\ncode can be confirmed.8 When Dyre first emerged, it sent shock waves through the malware analysis world\r\nwith its sophistication and destructiveness. Dyre caused losses in the tens of millions of dollars for large\r\nUS-based banks. F5 Labs reported in April 2015 that Dyre was the first trojan to use completely fake login\r\npages, server-side web-injects, and modular architecture. F5 Labs published a comprehensive report on\r\nDyre detailing its unique fraud techniques, its crypto evolution, and stealth abilities. Along with its\r\ntechnical evolution, Dyre moved on from targeting just banks to targeting software-as-a-service (SaaS)\r\ncompanies such as Salesforce and browsers such as Microsoft Edge. In February 2016, researchers\r\nreported that Dyre had stopped spreading in November 2015 after Russian authorities arrested a number of\r\ngang members who were the alleged authors of Dyre’s code.38\r\nTrickbot. Known as one of the successors to the infamous Dyre botnet, Trickbot continues to grow in\r\nsophistication and technique. F5 Labs first reported on it as a pure banking trojan targeting the financial\r\nservices industry in 2016. It is typically spread through malicious spam emails, targets users’ financial\r\ninformation, and acts as a malware dropper for other programs. Like many other pieces of malware, it can\r\nharvest credentials, spread laterally through a network, and conduct reconnaissance.39 When Trickbot first\r\nburst onto the scene, the code looked a lot like Dyre’s source code, though it was missing functionality in\r\ncomparison. Like many pieces of financial malware, Trickbot’s first iterations exclusively targeted\r\nfinancial institutions. It quickly expanded its focus from banks in Australia, the UK, and Canada to banks\r\nin Germany, as well. 
Within months of its first reported actions, Trickbot quickly expanded from banks to\r\ninclude US credit card companies, wealth management services, and customer relationship management\r\nproviders. Further, Trickbot expanded its technical capabilities by adding a layer of encryption. Reportedly\r\nlast seen in January 2019,55 Trickbot has some new technical updates that include the ability to grab\r\nremote application credentials. Trickbot’s authors are showing that they’re still active, and companies\r\nshould be aware that this malware is still a threat.\r\nDridex. First seen in 2011, Dridex has had a longer evolutionary journey than most malware families and has\r\nsurvived through the years by obfuscating its main command-and-control (C\u0026C) servers through proxies.\r\nDridex’s first appearances40 in September 2011 came under the name Cidex. It caused destruction to banks\r\nuntil June 2014 when Dridex version 1.1 appeared in the wild. Dridex emerged almost exactly one month\r\nafter Operation Tovar’s takedown of the Gameover ZeuS botnet, which also marked the end of Cidex\r\nattacks.41 Dridex and Gameover ZeuS have many similarities in their code, and attribution for Dridex42 is\r\ntied to a Russian-speaking gang that may be a spinoff from the “Business Club,” an organized cybercrime\r\ngang that developed the Gameover ZeuS botnet. A number of arrests were made in September 2015, but\r\nthat did little to stop Dridex. In February 2016, F5 Labs published reports on the Dridex Botnet 220\r\ncampaign noting the evolution of the malware, and then in April 2016 noted that Dridex shifted focus from\r\nUK banks to US banks. In December 2018, researchers found connections between Dridex, Emotet, and\r\nUrsnif/Gozi malware.56 It continues to evolve technically and remains an active threat.\r\nDanaBot. 
One of the newer banking trojans, DanaBot first emerged in mid-2018,43 targeting Australian\r\nusers. Since it first appeared in the wild, DanaBot has been seen targeting European banks and email\r\nproviders. Like many other banking trojans, DanaBot has recently shifted focus away from exclusively\r\ntargeting financial services institutions for a number of reasons. Since users often share passwords across\r\nplatforms, compromising credentials is still useful for many cybercriminals. F5 Labs also published a\r\nnotable link between DanaBot, Gozi, and Tinba web injection patterns, supporting the idea that a great deal\r\nof fraud business logic is now implemented in JavaScript and sold to malware authors.\r\nRamnit. This unique banking trojan started out in 2010 as a worm and, sometime after the Zeus source\r\ncode leak, acquired parts of the Zeus code and became a banking trojan.44 Ramnit has continued to evolve\r\nin terms of sophistication, technique, and scope as a botnet since becoming a banking trojan. It remains\r\nactive despite a shutdown of 300 command-and-control servers in February 2015.45 After this setback,\r\nRamnit reappeared in late 2015 and again in mid-2016.46 In early 2017, F5 Labs published a technical\r\narticle breaking down Ramnit’s new disappearing configuration file. Like many other banking trojans,\r\nRamnit has broadened its scope in recent years. Over the 2017 holiday season, Ramnit’s target list was\r\n64% eCommerce retailers in addition to financial services institutions. In 2018, Ramnit continued to work\r\nquickly, infecting over 100,000 machines in two months.47 Ramnit continues to be distributed via exploit\r\nkit and still runs active campaigns today, most recently returning to target Italian financial institutions\r\n(/content/f5-labs-v2/en/labs/articles/threat-intelligence/ramnit-returns-to-its-banking-roots--just-in-time-for-italian-ta.html).\r\nPanda. 
Yet another Zeus variant, Panda was first discovered in Brazil in 2016, around the time of the\r\nOlympic games. Panda uses many of the traditional techniques from Zeus, including man-in-the-browser\r\n(MITB) attacks and keylogging, but sets itself apart through its advanced stealth capabilities. This has\r\nmade analyzing the malware more difficult. As of 2017, Panda was able to detect 23 forensic analytic tools\r\nand it is possible that it now detects even more.48 Like many other banking trojans, Panda has expanded its\r\ntarget list beyond just financial services institutions, and in 2018 was caught targeting cryptocurrency\r\nexchanges and social media websites. Moving to 2019, Panda continued to expand its scope. The March\r\n2019 campaign (/content/f5-labs-v2/en/labs/articles/threat-intelligence/panda-malware--it-s-not-just-about-cryptocurrencies-anymore.html) exclusively targeted US-based companies, many of which are in the web\r\nservices industry. Panda remains active; its stealth capabilities make it a unique malware family that\r\ncontinues to evade anti-virus software.\r\nBackswap. A variant on Tinba, Backswap was first observed in March 2018 targeting Polish banks and\r\nbrowsers. Backswap is written entirely in assembly language and is considered “position-independent\r\ncode” (PIC), which means that it can be run from anywhere in memory. Its PIC status makes Backswap\r\nvery different from other banking trojans. The Polish CERT published a comprehensive technical analysis\r\non the code.49 Backswap quickly expanded scope in April 2018, adding additional banks and techniques\r\nthoroughly detailed by F5 Labs. 
The evolution of techniques continued through August 2018 when\r\nBackswap also made a geographical shift away from Polish banks to exclusively target Spanish banks.50\r\nThrough the latter part of 2018 and early 2019, Backswap continues to run campaigns, though its technical\r\nevolution has slowed.\r\nIndications of Compromise for Users and Enterprises\r\nWhile it can be difficult for the average user to detect that their device has been compromised, there are a number\r\nof clues to watch for. These clues can also be useful for security professionals managing user systems:\r\nBrowsers that load web pages slowly and run sites slowly.\r\nSlow computer start-up and slow performance when nothing else on the system is running could be a sign\r\nof a virus or trojan.\r\nA fan that is constantly running or a hard drive that is always spinning could be a sign of an infection.\r\nSuspicious behavior such as a computer suddenly slowing down, opening programs that you didn’t open,\r\nclosing programs repeatedly.\r\nNew or unexpected form elements in banking web pages, for example, fields that ask for credit card\r\nnumbers or PINs.\r\nFailed login attempts the first time you attempt to log in despite the password being entered correctly.\r\nUnexpected pop-up windows are often a sign of an infection. 
Clicking on those pop-ups can install\r\nadditional malware.\r\nMissing files or users noting that files are missing.\r\nHijacked email or other accounts.\r\nAnti-virus solutions that stop working.\r\nApplications that take a long time to start or won’t start at all.\r\nA computer that is actively doing something when no one is using it.\r\nHow Users Can Protect Against Banking Trojans\r\nKeep security, application, and utility software updated.\r\nUse two-factor authentication whenever the option is available.\r\nOnly download apps and files from trusted sources.\r\nUse a browser that you trust when doing online shopping and banking.\r\nUse all security features that banks offer.\r\nUse a password manager. Most banking trojans can log keystrokes. By using a password manager to fill in\r\npasswords, you avoid physically typing in credentials, which essentially renders a keylogger useless.\r\nCompare your bank’s login screen on your computer with the same login screen on someone else’s to\r\nensure they look the same.\r\nUse traffic filtering solutions to prevent data leakage.\r\nTake any security awareness training offered by your company or organization.\r\nLearn how to spot phishing emails and don’t click on suspicious links. This is how most banking trojans\r\nare installed.\r\nLearn how to spot fake websites.\r\nHow Enterprises Can Protect Against Banking Trojans\r\nEnterprises should consider implementing the following security controls based on their specific circumstances:\r\nSource: https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree"
	],
	"report_names": [
		"banking-trojans-a-reference-guide-to-the-malware-family-tree"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "91ff2504-6c1a-4eaa-832b-2c5e297426c5",
			"created_at": "2022-10-25T16:47:55.740817Z",
			"updated_at": "2026-04-10T02:00:03.678203Z",
			"deleted_at": null,
			"main_name": "GOLD EVERGREEN",
			"aliases": [
				"The Business Club"
			],
			"source_name": "Secureworks:GOLD EVERGREEN",
			"tools": [
				"CryptoLocker",
				"JabberZeus",
				"Pony",
				"Zeus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b753c6a8-a83d-47bc-829d-45e56136eb7d",
			"created_at": "2023-01-06T13:46:38.97802Z",
			"updated_at": "2026-04-10T02:00:03.169611Z",
			"deleted_at": null,
			"main_name": "GozNym",
			"aliases": [],
			"source_name": "MISPGALAXY:GozNym",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434196,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a1888b908d5fba43b6a9dfcabdbf1b3d3850d3bc.pdf",
		"text": "https://archive.orkl.eu/a1888b908d5fba43b6a9dfcabdbf1b3d3850d3bc.txt",
		"img": "https://archive.orkl.eu/a1888b908d5fba43b6a9dfcabdbf1b3d3850d3bc.jpg"
	}
}