{
	"id": "ca6151ac-ec58-49ec-bf26-4d4e4b6dbad3",
	"created_at": "2026-04-06T00:09:15.23248Z",
	"updated_at": "2026-04-10T13:12:22.362332Z",
	"deleted_at": null,
	"sha1_hash": "d89ade785c5e76b0d12a29250d7c5f3f896ddb2e",
	"title": "Chapter 1 — From Gozi to ISFB: The history of a mythical malware family.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3677671,
	"plain_text": "Chapter 1 — From Gozi to ISFB: The history of a mythical malware family.\r\nBy Benoit ANCEL\r\nPublished: 2022-10-24 · Archived: 2026-04-05 17:56:38 UTC\r\nhttps://medium.com/csis-techblog/chapter-1-from-gozi-to-isfb-the-history-of-a-mythical-malware-family-82e592577fef\r\nPage 1 of 27\r\nDisclaimer:\r\nThis article does not contain any IOCs or infrastructure details. Instead, the aim is to explain the whole business dynamic of a long-lasting malware family. This work is based on almost 10 years of research and intel gathering and tries its best to stick to the truth and the facts observed around ISFB. Hopefully, it will give some insight into how the top cyber crime groups have been working over the years.\r\nA 10 year journey\r\nFor the last 10 years, a certain malware family has caused a lot of ink to flow and left a lot of people confused: ISFB. With this series of articles, I aim to illustrate the whole journey from the early start, over the leak of Gozi 1, to the recent mutation of ISFB into LDR4. It is a very long and intense journey to describe, so I will try my best to be as rigorous as possible to finally document what ISFB has been doing since 2012.\r\nIn chapter 1, the first steps of our journey describe where ISFB originates from. Its history has caused extreme public confusion, so we will break down the different branches of ISFB step by step and explain how we ended up in the current situation of 2022.\r\nOnce the ISFB ecosystem is uncovered, I will focus on the business and the threat actors in a 2nd chapter. 
With the technical analysis of the different ISFB branches already being extremely well documented, I will go through years of daily operation of the ISFB crew, from the developer organisation to the affiliates and their connections. That will address some unanswered questions and show how the ISFB groups are tightly connected to high ranking groups like Evil Corp.\r\nWhat is ISFB?\r\nFirst of all, what is ISFB? ISFB is a malware family encapsulating a whole set of tools primarily used to defraud online banking accounts; it is a banking trojan. ISFB is not the first of its kind; the features available are somewhat like those of the Zeus trojan, just far more advanced.\r\nISFB evolved over the years, and we have seen features like:\r\nVictim fingerprinting: the malware can collect local information about the victim computer: OS type, IP address, computer name, list of anti-virus applications, whether the computer is attached to a Domain Controller, etc.\r\nLoader feature: it can load a 2nd stage attack as an EXE or DLL, or execute any command through CMD/PowerShell.\r\nKeylogger/Formgrabber: ISFB can steal the clipboard and every keystroke from the infected PC. Furthermore, the malware injects itself into the web browser and captures every HTTP POST request, which makes stealing credentials and credit card data easy.\r\nWebinjects/Replacer: the main feature of the module is injecting code into the web browser that monitors which websites the victim is visiting. If a banking website is identified, ISFB injects a small snippet of JavaScript into the online banking website to steal the login credentials. This is commonly known as web injection, a technique commonly used by banking trojans. ISFB introduced an evolution of that attack with its Replacers. 
ISFB injects the web browser and checks for opened websites; if it identifies a bank from its configuration file, instead of injecting JavaScript, ISFB redirects the victim to a cloned copy of the banking login page, completely controlled by the ISFB operator, while keeping the legitimate URL in the address bar. That gives the attacker direct access to the victim and allows, for example, bypassing 2FA without having access to the victim’s smartphone.\r\nVNC/SOCKS: to assist the webinjects/replacers, ISFB offers a VNC and a reverse SOCKS proxy module. Once the operator has obtained the online banking credentials, they need to log into the account while bypassing the anti-fraud protection. To achieve this, they wait for the victim to be online, and if the anti-fraud protection is only based on the IP address, they use the SOCKS proxy. If the anti-fraud is based on browser fingerprint, IP and behaviour (like most modern banks), they use VNC and log in directly from the victim’s computer remotely.\r\nVideo recorder: ISFB can record the screen if a victim is visiting a specific website. The fraudsters can then study how a victim usually moves money with the online banking account. Once they have gained enough knowledge about a target, they can reproduce the same behaviour to move money without triggering any suspicious-behaviour anti-fraud mechanisms during the transfer.\r\nEmail stealer: not all ISFB forks have it, but the email stealer is an important component. The stealer is used to detect email software like Outlook and steal the credentials and the contact list. The operators are known to use that feature to maintain a constant feed of fresh login credentials for SMTP accounts, plus a list of valid emails to spam. 
Those corporate contact lists often include clients and partners of a company, which in turn gives the spammer high value spam targets.\r\nFile stealer: a module that makes exfiltration of specific files from the victim’s hard drive possible. It is commonly used to steal BTC wallets, for example.\r\nISFB was created to defraud online banking, but operators often use it as an entry point for a second stage attack such as ransomware or extortion.\r\nUrsnif, CRM, Gozi, ISFB… what is going on?\r\nTo understand where ISFB spawned from, you have to go back to the CRM/Gozi malware, the Kuzmin Gang and Service76. I am not going to dig into the Gozi story; however, you can find great documentation in the PhishLabs article or through the very interesting podcast Malicious Life (part 1 and part 2).\r\nLong story short:\r\nGozi v1 (also called CRM1) was born around 2005 by combining several other malwares (Ursnif was one of them). The malware was part of an operation from the Kuzmin Gang.\r\nIn 2010 the Kuzmin Gang evolved Gozi v1 (CRM1) into Gozi v2 (CRM2), which 2 years later became “Gozi 2 Prinimalka”, also called Vawtrak.\r\nWhen the Kuzmin Gang moved from Gozi v1 to Gozi v2, the v1 source code was sold, and later in 2010 the source code was leaked.\r\nLet’s take 2010 as a starting point. The Kuzmin Gang launched the big update of Gozi v2 and, as usual in the cyber-crime industry, once they moved to the v2 they sold the source code of the v1. During that transaction, the source code unfortunately leaked due to an unprotected download link. It doesn’t matter much for our story who originally bought Gozi v1. The important part is that the Gozi v1 source code was sold, somebody snagged the code, rewrote it, and started a new empire: ISFB.\r\nISFB was born in 2011/2012 as a highly modified version of the source code of Gozi v1. 
Over the years, the code has moved further and further away from the original Gozi v1, but this is where our story begins.\r\nThe infosec industry created several conventions to name ISFB, leaving the developer of ISFB quite irritated. During a discussion between a client asking for anti-reverse features and the ISFB developer, the developer said: “If they still call all the branches Gozi, although from Gozi there is only a request format with ID, group and server number […], we don’t need anti-reverse”. You may have heard of ISFB under the names Ursnif, Papras, Gozi or even sometimes Rovnix, but, really, most of the time it is ISFB. The signature names don’t matter much in the end as long as the threat is blocked, but to make our story easier to understand I will call them by their internal names.\r\nISFB is born\r\nAround 2011, a very skilled system developer is looking around for a new project. For some reason he is looking for a fresh start in the cyber-crime industry; he has solid development skills and, luckily for him, the Gozi v1 source code had recently leaked. Let us call him ISFB_Coder.\r\nISFB_Coder retrieved the code of Gozi v1, started editing it, and created a whole business around it. He started by versioning the code as if the fork of Gozi v1 was “CRM2” or ISFB. Both those names are still officially inside the source code today, and lots of references to CRM can be found. Note that it is not the same CRM2 as Vawtrak!\r\nThis whole phase of rewriting the code of Gozi v1 took a serious amount of work. We had to wait until 2013 to discover the first traces of ISFB in the wild. 
A fair amount of the gap between 2011 and 2013 was surely due to the development and testing of the malware, but also to a very probable private usage of ISFB by ISFB_Coder for some time.\r\nISFB versioning: the nightmare\r\nOnce ISFB_Coder was ready to open his product up to partners and make far more money, he took ISFB (CRM2) and split it into several branches over the years.\r\nISFB is not one unique product, it is a range of products. Each major version has its own features. Some ISFB versions are exclusive to one group; other branches have been resold entirely as a service, like IAP or the public branch of Dreambot. The main thing that ISFB_Coder tries to avoid is sharing the source code of the bot. Sharing too much of the source code inevitably leads to a public leak, as he experienced in 2015 when one of his partners publicly leaked the source code of a branch of ISFB.\r\nWe suppose that ISFB versions started at version 2.00.000 and go up to 3.x.xxx today. 
Each major version has its own features, and each major version has its own sub-branches with custom features.\r\nSome major branches as examples:\r\nISFB 2.14.xxx: used to be the early IAP/Dreambot branch after 2.12.xxx, with the first integration of Tor onion services as available C2.\r\nISFB 2.15.xxx: the bot uses content compression (gzip).\r\nISFB 2.16.xxx: uses a loader instead of a direct DLL.\r\nISFB 2.17.xxx: used to be an evolution of 2.16, mainly (but not only) used by IAP2 and the end of Dreambot.\r\nISFB 2.5.xxx: originally meant as a loader for WastedLocker, the code ended up used by IAP2.\r\nISFB 3.x.xxx (CRM3): complete rewrite of the network protocol; this branch was, and still is, the most exclusive and prestigious one.\r\nEach major branch has sub-branches, some private, some public, and despite the existence of, for example, the 2.17 branch, some customers still prefer to stay with 2.15 or 2.16. Not everybody moves to the latest versions.\r\nTo recap, ISFB_Coder is a development company, developing a product that he also uses personally. The core of his product is ISFB, and he offers custom features for trusted partners across a wide range of ISFB versions.\r\nIn addition, we know ISFB is not the only product on ISFB_Coder’s shelves. For example, he sold a ransomware in 2019 (WastedLocker), and his coding style is noted around other malware families like Carberp, but for our story we will stay with ISFB.\r\nIn the following graph you can see the major branches of ISFB. 
The graph does not cover other projects that spawned out of the ISFB leak in 2015 (Saigon, GozNym…) or the small groups using the malware, but it covers the most active campaigns around ISFB_Coder.\r\n[Image: graph of the major ISFB branches]\r\nThe important thing is: you cannot do threat intel on ISFB by solely looking at the bot versions. Completely different groups of actors use the same versions at the same time, and if you want to understand the threat correctly, you must look deeper into the binaries and beyond. Small details, like for example the algorithm used for the config encryption, distinguish different versions: some used RC6, some Serpent, for the same bot version.\r\nI have tried to recap the different versions for the major branches over the years:\r\n[Image: table of versions per major branch over the years]\r\nPlease bear in mind that we only cover the major branches. We have observed other actors using the v3, for example in Switzerland or Japan, or even a GoziAT v3. Those campaigns being relatively small, and that story being long and confusing, I have chosen to leave them out for now.\r\nCRM2: v2.xx.xxx\r\nAs explained, ISFB_Coder started his ISFB business from a fork of Gozi 1 that was branded as CRM2. At that time, CRM2 was the main and only version of ISFB available. CRM2.5 and CRM3 both came much later.\r\nThe plan was to have a core (CRM2) and to adapt it on demand for different partners. 
He wanted both private (exclusive) versions and an open “as-a-service” version, kind of like Zeus was back then.\r\nThe “as-a-service” version is the less advanced version and has been sold to so many different people over time that it has become very complex to map out.\r\nIAP/Dreambot/IAP2\r\nExample of an IAP sample: ffcb650b28719d3bde1b032b14cfe7f5d7f2a73878d752737da0ba8a4f8bb70c\r\nISFB_Coder being a system developer, he does not build a panel for ISFB. He will sell you the bot and documentation for the API, and then you must create a panel yourself.\r\nFor a malware-as-a-service, as they tried to do it, that is an obvious problem. In 2014, the clients wanted a bot with a panel included. That’s where IAP came alive.\r\nIAP, discovered in 2014, is the name of a panel project built to control the ISFB bot version CRM2. In September 2014, Yurii Khvyl wrote a blogpost exposing the installation manual of IAP:\r\nTo develop this panel, ISFB_Coder partnered with a web developer. That developer was in the close circle of the ISFB core group, and he ended up developing several panels for ISFB: the one for IAP as mentioned, but also the one for the “Global Network” branch. The developer was not really appreciated by the ISFB core groups, described by some of his partners as “a unique kind of failure”, and ended up being arrested in 2016 in Kiev for his work on ISFB. 
His arrest involved a shady story implicating ISFB_Coder and the partner owning RM3, but to jump to the point: betraying the ISFB group leads to jail time.\r\nThe IAP panel looked like this back then:\r\n[Image: IAP panel screenshots]\r\nThis version was very popular between 2014 and 2016 and has been seen in a lot of different countries around the world. IAP was not the first ISFB version used in the wild, but it was the first one to gain large attention.\r\nManaging IAP took a lot of energy, so ISFB_Coder delegated the responsibility to a 3rd party manager to deal with the business and bug reports, but with the panel developer doing jail time, the project took a hit and the business was in danger.\r\nMeanwhile, another version of CRM2 had been detected in the wild. It was an exclusive partner version from 2013 that offered Tor onion C2s. This actor was looking to replace IAP and called it Dreambot.\r\nExample of a sample: 7e0bf604d3ab673a519feb5d5375f0f88cf46e7cd1d3aa301b1b9fb722e9cef7\r\nThe partner who owned Dreambot asked for a fork with small features on demand and then opened the previous version of Dreambot for public sale.\r\nIAP and Dreambot were so alike that, at some point, the IAP bots were able to join Dreambot panels without any problems, because the malware network communication was exactly the same.\r\nDreambot is a good example of the capabilities of ISFB. The partner who owned Dreambot requested that CRM2 support Tor. ISFB_Coder strongly disagreed, explaining that deploying the Tor lib would make the AV detection rates explode compared to the clear web C2.\r\nThe Dreambot owner was targeting the US and CA; he was used to receiving a huge amount of abuse reports on his C2 and he really needed that Tor option. 
The Dreambot owner decided, with the help of the ISFB API documentation, to develop his own Tor lib for ISFB and incorporated it into Dreambot. ISFB is made in such a way that developing your own module is quite easy and well supported by ISFB_Coder.\r\nThat double version of Dreambot (private/public) was already observed by Proofpoint in 2016:\r\n[Image: Proofpoint screenshot of the Dreambot configuration]\r\nThe config shown in the screenshot is for the Dreambot private edition.\r\nThe public demand for the Tor lib ended up being so high that the Dreambot owner decided to give the source of his Tor lib to ISFB_Coder for free, for integration into the official sources. Peer pressure made ISFB_Coder bend on that one. We observed another ISFB partner with his own branch switching to Tor for the C2s and announcing the loss of around 30% of his bots due to Tor detection in corporate environments.\r\nIAP being dead, it was easy for Dreambot to fill the gap as the “as a service” branch with a better UI for the command \u0026 control server.\r\nThe first version of the panel was developed in Perl, and it is highly suspected that the developer of the IAP panel helped with the first Dreambot panel. 
This panel was first disclosed by Maciej Kotowicz at Botconf 2017 in his talk “ISFB, Still Live and Kicking”.\r\nThe first version of the panel:\r\n[Image: first Dreambot panel, written in Perl]\r\nIt evolved into a better version, still in Perl:\r\n[Image: second Dreambot panel, still in Perl]\r\nEnding up as a completely re-branded panel in PHP:\r\n[Image: re-branded Dreambot panel in PHP]\r\nWe tried to give some insight into several of the Dreambot affiliates, but the turnover is too high, and the affiliates working with Dreambot end up being too far away from the core group to be interesting for this story. That doesn’t undermine the colossal damage done by these affiliates over the years all over the world though, from banking fraud to ransomware attacks.\r\nThe story of Dreambot ends in 2020, the whole branch evolving from 2.12.xxx in 2014 to end-of-life in version 2.17.xxx. The IAP project came back to life in 2018 as IAP2 and later as 2.5, and after a test phase, all of the affiliates moved to IAP2, letting Dreambot die in peace.\r\nIAP2: back for good\r\nExample of a sample: b74327fb49965c60d3d066788c5e0ece297187944e4336d6fea79135455f62fb\r\nWhile Dreambot was busy dying, another version took the lead: IAP2. IAP2 started in the wild in 2 versions, 2.14.xxx or 2.17.xxx (standalone DLL or DLL combined with a loader), and has been extremely active in Poland, Germany and Italy, but also in the USA and Canada. It is still distributed by spam in Italy today.\r\nThe first version of the panel was actually 2 panels: one for the loader (called “Lodiri”), and another for the worker (called “Newadminka”, dealing with webinjects, VNC etc.). 
The loader was deployed by the affiliates themselves, making it extremely exposed and vulnerable. The affiliates being usually sloppy people who don’t care much about the malware they use, they often end up deploying the panel in an insecure way or simply leaving the source code in a panel.zip file.\r\nIf you monitored ISFB between 2018 and 2020 you will probably remember all the samples with the static encryption key “10291029JSJUYNHG”. That was IAP2.\r\nIAP2 “Lodiri” panel:\r\n[Image: IAP2 Lodiri panel screenshots]\r\nIAP2 “Newadminka” panel:\r\n[Image: IAP2 Newadminka panel screenshot]\r\nAs for IAP1/Dreambot, the management was delegated to a 3rd party.\r\nAfter 2 years of business, IAP2 evolved into IAP2.5 in 2020, using the base CRM2.5. This time, we noticed clues leading us to believe the developer of this panel is actually the admin of the Dreambot private / RM2 (GoziAT) branch. This is the essence of the ISFB business: ISFB_Coder is the developer, but the whole empire consists of a strongly linked pool of affiliates helping each other, year after year.\r\nThe new panel of IAP2.5 in 2020 is very similar to the RM3 panel, and is based on the SmartAdmin framework. The early panel is called “Hyper”. Later on it obtained the same name as the first RM3 panel: “P-II”:\r\n[Image: IAP2.5 panel screenshots]\r\nIAP2 was still active all around the world. 
In 2020 they even tried to develop their business in Colombia, but without much success.\r\nThis kind of work on new business areas is typical of the 2020 “crisis”. Banking trojan operators started to realise that collecting a good volume of bots that can stay alive on a computer for a long time is hard, and that deploying ransomware was more profitable.\r\nIAP2 is still very active in the wild today and we will likely be seeing it around for a while, probably until the RM3 branch is delegated to the as-a-service branch.\r\nRM2/GoziAT\r\nExample of a sample (Dreambot private): f815a76a46034e200a7be1ccc319174da6bebed8426df7adac6374b5abc94f47\r\nBack to 2013. A very early adopter of ISFB is a partner with his own exclusive ISFB variant. Heavily involved in the whole ISFB project, this partner, “Expro”, is a professional developer and a quite talented botmaster. Expro started his adventure with ISFB_Coder in 2012/2013 with the ISFB variant we call Dreambot private.\r\nExpro leads a group of old-time carders whose focus is on attacking Canada and the USA. Both are seen as dangerous countries that most of the other partners do not want to touch.\r\nThis is an amusing thing observed among several Russian threat actors in the carding industry. They seem to be very afraid of the FBI, saying that they have big resources and are determined. 
Those criminals depend on many different American services like Apple, Microsoft or even Google, and they are very aware that US law enforcement could have access to that data quite easily.\r\nCombined with the fact that the US has a massive number of cyber security companies looking for fresh IOCs everywhere, it makes the threat actors more comfortable operating in Europe or Australia, as ISFB does. This misunderstanding of international cooperation between law enforcement agencies has created some kind of legend that if you don’t touch the US you will have fewer problems with their law enforcement.\r\nBesides targeting the US and CA, Expro distributed his malware in a very broad way, distributing large volumes (of spam, exploit kits, bundles…) to low quality targets (people with very outdated OS, gaming computers, all the anti-malware sandboxes of the industry) instead of a low volume to high quality targets.\r\nThe tactic somehow works, but it caused Expro a lot of problems. As mentioned before, attacking the US in a noisy way attracted abuse reports on his infrastructure from AV companies, and so he realised the need for specific features like Tor.\r\nExpro is a close partner of ISFB_Coder. He develops and sells several panels for ISFB, like the ones for RM3 or LDR4 (not for free), and shares resources with the ISFB partners.\r\nThe RM3 group and Expro are also very close to each other. The way they cooperate has made them work together on a daily basis since 2012. For a long time, Expro hosted his infrastructure inside the RM3 infrastructure, and both groups exchanged their experiences with ISFB. 
They test and report bugs together, give feedback about each other’s variants, unionise to push new feature requests to ISFB_Coder, and even help each other with OPSEC and backend protection issues.\r\nYou can still observe this relationship, disclosed by Mandiant in the article “From RM3 to LDR4: URSNIF Leaves Banking Fraud Behind”, where Expro is the developer of the LDR4 panel.\r\nThe relation between RM3 and Expro is very interesting to study, both doing business on their own and supporting each other. In part 2, I will dig deeper into the details of their relationship; given that RM3 has such a dense life, it deserves its own article.\r\nIn 2018 Expro moved from Dreambot to a new update. Checkpoint named it GoziAT, in reference to the frequent usage of the .at TLD for C2.\r\nExample of a sample (GoziAT): 21a03d9c845e446cb96eba7c93aa6403b8a9aaa744801e77468bf73c0507d028\r\nGoziAT is now the common name for Expro’s branch, but if we should respect the internal naming convention, the most probable name would simply be “RM2”.\r\nThe RM2 branch used to have a static C2 beacon format. The bot sends its requests to a URL path like “/images/[encoded data].[avi|bmp|gif|jpeg]”.\r\nAs mentioned in Checkpoint’s great analysis, in 2020 GoziAT was using a custom path, changing from time to time, for example to /wpapi/, /rpc/, /wpx/…\r\nThis is because GoziAT is distributed in such a wild way that it is very quickly detected by AV engines. Expro tried to add some dynamism to ISFB.\r\nCheckpoint also raises a valid point where they noticed “These campaigns tend to hang on to the same domains and IP addresses for a relatively long time, which may not be the best choice opsec-wise”. This is explained by the fact that Expro is putting all his efforts into the onion C2s and not the clear web domains. 
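The static beacon path shape above is the kind of detail a detection engineer can pivot on, and the switch to custom paths is exactly what breaks such a pivot. The following is an added example, not code from the article or from CSIS: a Python matcher for the static RM2 path shape run over constructed proxy log lines (every host, path, client address and timestamp is invented for the example; none is an IOC). The stem character set and the minimum stem length are assumptions, since the article only gives the shape of the path and not the encoding; legitimate sites serve paths like /images/logo.gif, so the extension alone is not a usable indicator. The sample log also carries one request on a /wpapi/ style custom path, which the static matcher deliberately does not flag.

```python
# Added example (not from the original article): flag proxy-log requests whose
# path matches the static RM2/GoziAT beacon format described above,
# '/images/[encoded data].[avi|bmp|gif|jpeg]'. All log lines below are
# constructed for this example; the hosts and paths are not real IOCs.
import re
from urllib.parse import urlsplit

# Static RM2 beacon path: exactly one path segment under /images/ with one of
# the four image-like extensions. The stem character set is an assumption
# (URL-safe base64-like); the article only describes the shape of the path.
RM2_BEACON_RE = re.compile(r'^/images/([A-Za-z0-9_-]+)[.](avi|bmp|gif|jpeg)$')

# Ordinary sites serve /images/logo.gif too, so the extension is not enough on
# its own. The minimum stem length is an assumed heuristic that separates an
# encoded beacon from a normal image file name; tune it on your own traffic.
MIN_STEM_LEN = 40

def is_rm2_beacon(path: str, min_stem_len: int = MIN_STEM_LEN) -> bool:
    '''Return True when a URL path matches the static RM2 beacon format.'''
    m = RM2_BEACON_RE.match(path)
    return bool(m) and len(m.group(1)) >= min_stem_len

def parse_proxy_line(line: str):
    '''Parse one constructed proxy log line: <ts> <client> <method> <url> <status>.'''
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    u = urlsplit(url)
    return {'ts': ts, 'client': client, 'method': method,
            'host': u.hostname or '', 'path': u.path, 'status': status}

def scan_proxy_log(lines):
    '''Return the parsed records whose request path matches the RM2 beacon format.'''
    hits = []
    for line in lines:
        rec = parse_proxy_line(line)
        if rec and is_rm2_beacon(rec['path']):
            hits.append(rec)
    return hits

# Constructed sample log (hosts, clients and paths invented for the example).
# Line 1: a normal image fetch; line 3: no file name at all; line 4: the same
# encoded blob on a custom /wpapi/ path, which the static matcher misses.
SAMPLE_LOG = [
    '2020-03-02T10:00:01Z 10.0.0.12 GET http://cdn.example.test/images/logo.gif 200',
    '2020-03-02T10:00:07Z 10.0.0.12 GET http://c2.example.test/images/F3k9lQm2zX8vB1nR7pW4dY0sC6hJ5tL8qA2eU9iO1kZ3xV7bN4mG6.bmp 200',
    '2020-03-02T10:00:09Z 10.0.0.33 POST http://c2.example.test/images/ 200',
    '2020-03-02T10:00:15Z 10.0.0.12 GET http://c2.example.test/wpapi/F3k9lQm2zX8vB1nR7pW4dY0sC6hJ5tL8qA2eU9iO1kZ3xV7bN4mG6.jpeg 200',
    '2020-03-02T10:00:21Z 10.0.0.45 GET http://c2.example.test/images/a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6.avi 404',
]

if __name__ == '__main__':
    for rec in scan_proxy_log(SAMPLE_LOG):
        print(rec['ts'], rec['client'], rec['host'], rec['path'])
```

Run stand-alone, the script reports only the two /images/ requests with long encoded stems (the .bmp and the .avi one); the /wpapi/ request with the identical blob passes untouched, which is the practical effect of the path change the next paragraph describes. A 404 is still reported, since a beacon to a dead domain is as much a sign of infection as a successful one.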
In several campaigns none of the clear web domains were working and only the onions were up.\r\nWhile Expro distributes in a very noisy way, he concentrated a lot of his efforts on hiding his backend behind a layer of proxies, which allows him to survive for a very long time.\r\nWith CRM2.5 available in 2020, Expro jumped on that boat and shifted to his own branch, being basically GoziAT2.5/RM2.5.\r\nExample of a sample (GoziAT2.5): 1c2fd2e6d4f1e0e2ee23f4b9ae0ea061cc1f4b41a28ec184ce7e70d5be263e8f\r\nExpro is continuing his journey; you can still catch samples from his botnet spamming campaigns in the US.\r\nGlobal Network / RM3\r\nLast but not least, we have the Global Network / RM3 branches. These branches are probably the most interesting group of actors.\r\nManaged by a tyrannical boss, RM3_boss, this group works with the best. If they need to send spam, they hire “Sagrid” (TA543) or TA547. If they need to cash out money, they use QQAAZZ. If they need help, they call Maksim Yakubets from Evil Corp. It is a powerful group with a sub-affiliate system generating a large amount of money.\r\nThey have worked with more or less the same business model since day one. In 2012/2013 RM3_boss agreed to join the ISFB_Coder project and bought his own branch, dubbed “Global Network”.\r\nRM3_boss uses his branch in 2 ways:\r\nFor his own fraud team, always focusing on AU and NZ and nothing else.\r\nFor a very selective set of affiliates, always under his control.\r\nIf you want to use Global Network or RM3 from RM3_boss, you must deal with the sysadmin of RM3_boss and his infrastructure. You will never get access to any source code or server; RM3_boss provides access to a stub and credentials for a panel without root access. 
The whole business is based on trust: all affiliates must cash out the stolen money via the RM3_boss cash-out network.\r\nForcing affiliates to launder the stolen money via RM3_boss allows him to bill his affiliates a percentage of every fraud conducted via RM3. RM3_boss has full visibility on every fraud, takes his cut and gives the rest back to the affiliates. He doesn’t care how many victims the affiliates infect; he only cares about the stolen money. I will go deeper into these terms in part 2, but the way RM3_boss manages his business partners is a very interesting case.\r\nIn 2013 ISFB CRM2, dubbed Global Network, was found spreading in Australia and New Zealand. The focus on this area is because RM3_boss was convinced for years that the AV industry has no interest in these countries, despite them being very profitable targets for banking trojans. The low media attention allowed him to stay hidden for a long time.\r\nThe Global Network panel looked like:\r\n[Image: Global Network panel screenshots]\r\nBy opening Global Network up to a short list of affiliates, the malware extended its propagation to places like PL, UAE, IT, DE, UK, CN, CH and CA. The affiliates around the UK and IT ended up cooperating with RM3_boss from early 2013 and are still doing so today, in 2022, with LDR4 in the UK.\r\nRM3_boss is a tyrant and a control freak, and that turns out to be the strength of the Global Network branch. 
He makes certain that his malware campaigns never leak publicly, and if that should happen anyway, RM3_boss drops financial penalties on the responsible load seller. He spends time reading every news article mentioning any ISFB product, to make sure that he, and only he, is using this particular version and that ISFB_Coder is not cheating on their exclusive agreement. RM3_boss seems relatively well connected and he made it clear to all his direct partners: if you try to betray him, he can send you to jail very easily.\r\nThe counterpoint to a work environment based on fear and threats is that RM3_boss pays the people respecting the rules a lot, and that is how he managed to keep skilled third party people working for him.\r\nGlobal Network followed the life of ISFB until 2017, when the anti-virus detection rates of Global Network (and CRM2 in general) became too good and started affecting the profits. To resolve that issue, RM3_boss put in an order to ISFB_Coder for a new variant: RM3.\r\n[Image]\r\nHe asked for a rewrite of the ISFB code and specifically of the bot network part. The development of RM3 lasted from 2017 to 2018, and once ready, the panel looked like:\r\n[Image: RM3 panel screenshots]\r\nThe move from Global Network to RM3 took longer than RM3_boss expected. 
In 2017 the AV detection of\r\nGlobal Network became way too good, and the profits of the team were dropping quickly. In order to temporarily\r\nfix this problem until RM3 was ready, RM3_boss decided to ask one of his partners for help; the member of Evil\r\nCorp: Maksim Yakubets.\r\nGlobal Network had become a pain to work with and RM3_boss decided to rent Dridex for a few months until\r\nRM3 became ready. The next chapter will cover that transaction in more details, but between June 2017 and\r\nbeginning of 2018 the RM3 group was observed using Dridex botnet 2302.\r\nIt is not the only time that RM3_boss had been involved with Evil Corp. We will dig into that chapter two but as\r\nalready suspected by Fox-IT, ISFB_Coder ends up being the actual developer of WastedLocker.\r\nAfter some time, RM3 also ended up being well detected by the AVs, and in 2020 the group started to seriously\r\nlook for new opportunities. At this point the group was reselling bots for ransomware operations like Conti,\r\nDopplepaymer and even Darkside.\r\nAfter a catastrophic year 2021 in terms of business, RM3 was barely surviving in UK and only used for loading\r\nCobaltStrike. Microsoft removing Internet Explorer (RM3 needs IE to work) officially in 2022 killed every hope\r\nof future for the banking trojan.\r\nhttps://medium.com/csis-techblog/chapter-1-from-gozi-to-isfb-the-history-of-a-mythical-malware-family-82e592577fef\r\nPage 21 of 27\n\nThe group re-emerged in 2022 with an evolution of an old loader in v2.5, a loader dubbed LDR4.\r\nExample of sample: 2502a3f8c9a6a8681f9222e93b14e077bf879e3009571c646ee94275bc994d01\r\nDescribed by Mandiant recently, LDR4 is the new loader used by the RM3 group. In development since 2021, the\r\nloader is finally ready in 2022. 
So far it is the UK affiliate that is the primary user but we expect them to expand in\r\nmore countries any time soon.\r\nLDR4 panel (you can recognize SmartAdmin framework):\r\nPress enter or click to view image in full size\r\nFirst version of the panel in 2021\r\nPress enter or click to view image in full size\r\nhttps://medium.com/csis-techblog/chapter-1-from-gozi-to-isfb-the-history-of-a-mythical-malware-family-82e592577fef\r\nPage 22 of 27\n\nPress enter or click to view image in full size\r\nUpdate 2022 of the panel\r\nAnd as mentioned by Fumiko, the username Expro is leaking from the gate domain:\r\nPress enter or click to view image in full size\r\nhttps://medium.com/csis-techblog/chapter-1-from-gozi-to-isfb-the-history-of-a-mythical-malware-family-82e592577fef\r\nPage 23 of 27\n\nExpro is the developer of the panel (based on the RM3 panel). He deploys and manages the sources. You can even\r\nfind the traditional file 123.txt usually used by RM3 since at least 2018 to store the botnet name of the gate:\r\nThe LDR4 loader is composed of the usual loading features, plus VNC/Socks and keylogging modules. Ready for\r\na more advanced 2nd stage.\r\nThe group is an amazing mix of great skills and an old way of doing things. Carders from the past trying their best\r\nto keep up with technology, but like many fragile businesses, RM3 are having trouble with a come back after the\r\nCovid-19 crisis. LDR4 seems to be their last chance now.\r\nConclusion\r\nPress enter or click to view image in full size\r\nISFB is today facing the same crisis as every other banking Trojan. The level of security in corporate\r\nenvironments is way higher now, and malware like ISFB is now well detected by all AVs. To commit bank fraud,\r\nhttps://medium.com/csis-techblog/chapter-1-from-gozi-to-isfb-the-history-of-a-mythical-malware-family-82e592577fef\r\nPage 24 of 27\n\nyou need to keep a victim infected sometimes for several days. 
With Windows Defender on Windows 10, or Azure\r\nendpoints deployed in corporate environments, combined with an anti-spam gateway, it is very hard for crimeware\r\ntools to stay undetected long enough to commit bank fraud. Phishing is way more cheap and profitable.\r\nTools like ISFB are today very outdated in terms of bypassing security measures, making the distribution of the\r\nmalware very hard. ISFB_Coder still codes his products like if it was 2007 and always refuses to introduce solid\r\nanti detection measures in the core of ISFB. Using the justification that bypassing security measure is the job of\r\nthe packer and not the bot. Those outdated views on the security products are now incompatible with an operation\r\nrelying on bots to staying on a computer several days in a row.\r\nThe distribution of banking trojans has an extra step of complexity. The victims must have access to online\r\nbanking data, which really is only a fraction of online people. Back in 2016, infecting 1000 victims a day with\r\nGlobal Network was a thing. In 2020, specially with COVID-19, infecting 50 victims was a good day. If the\r\nmalware distributor is doing good and manages to target a corporate accounting department, the operator can only\r\nhope for around 30% of his victims to actually have access to bank accounts. If you leave out people who cannot\r\naccess money or cases where the security is too high, there is not much money is left to steal.\r\nISFB is facing the same reality as Trickbot, Zloader, Ramnit, Dridex etc. Most of them gave up on the banking\r\nfraud part and became just loaders for loading 2nd stage attacks (often ransomware). With LDR4, ISFB_Coder\r\ntries to make his old partners stay in business with the move towards ransomware. 
But it’s 2022 already, and\r\ndespite still being a big problem, the party is over and there is objectively not much money left on the ransomware\r\nfield anymore.\r\nIAP2, RM3, LDR4 are surviving so far, but if ISFB_Coder doesn’t have an advanced tool hidden in his pockets,\r\neverything points to the end of the reign of ISFB.\r\nI have tried through this first chapter to present the overall operation behind ISFB. The way the versions have\r\nbeen distributed through affiliates is not something commonly seen. ISFB_coder tries to evolve like a software\r\ndevelopment company and managed to earn his living from his developments. With each ISFB branch being sold\r\nfor between 50,000 and 100,000 USD, without counting the support and the custom requests, jumping on the leak\r\nof Gozi v1 was a really smart move from ISFB_Coder.\r\nThe next chapter (coming up soon), will go deeper into the whole banking trojan crisis via the group Global\r\nNetwork/RM3, showing how the business of RM3_boss have evolved and what kind of issues they have faced.\r\nInfrastructure, distributors (Spam, Adwords…), cryptors, cashout, and how the defrauded money is divided\r\nbetween the group members. I am looking forward to presenting the actors running the whole operation, where\r\nthey come from and their actual role within the organisation. We will also look at the deeper relationship between\r\nExpro and RM3_boss and I will review the different affiliates that fall under the RM3_boss umbrella since 2013.\r\nI hope the ISFB mess is a little bit clearer and easier to apprehend in a more structured way. As much as it is not\r\nreally important to publicly name a malware with its internal name, it is really important to document the structure\r\nof the groups behind that malware. 
Defining the global structure of a threat is a mandatory step to help law\r\nenforcement to understand the situation.\r\nhttps://medium.com/csis-techblog/chapter-1-from-gozi-to-isfb-the-history-of-a-mythical-malware-family-82e592577fef\r\nPage 25 of 27\n\nIf you have any comments or leads around ISFB don’t hesitate to ping me, I will be more than happy to exchange\r\ninformation.\r\nStay tuned for the next episode!\r\nPress enter or click to view image in full size\r\nAcknowledgments\r\nI would like to extend my thanks to Maciek Kotowicz for opening the way into ISFB intel with his inspiring work.\r\nKafeine and Sammy for the huge work on campaigns classification and all the support given. Fumiko and Sandor\r\nNemes for the great reversing work, fr3dhk for his patience following IAP2. Fumiko again for all his support, his\r\nanalysis, the tools he provided, and the amount of time spent on this case, and of course everybody who worked\r\naround ISFB and who have allowed us to finally have a clear overview of the malware family.\r\nIllustration: wombo.art\r\nAnnexes\r\nDocumentation:\r\nISFB source code leak 2015\r\nIAP\r\nhttps://medium.com/csis-techblog/chapter-1-from-gozi-to-isfb-the-history-of-a-mythical-malware-family-82e592577fef\r\nPage 26 of 27\n\nUrsnif still in active development\r\nThe Rovnix reincarnation\r\nDreambot\r\nNightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality\r\n“URSNIF” aiming for Internet banking now uses “Bootkit”\r\nMalware Tales: Dreambot\r\nISFB, Still Live and Kicking — Maciej Kotowicz\r\nThe end of Dreambot? 
Obituary for a loved piece of Gozi\r\nIAP2\r\nGozi: The Malware with a Thousand Faces\r\nAnalyzing ISFB — The Second Loader\r\nUrsnif — A Polymorphic Delivery Mechanism Explained\r\nGlobal Network:\r\nURSNIF Data Theft Malware Shared on Microsoft OneDrive\r\nUrsnif Banking Trojan Campaign Ups the Ante with New Sandbox Evasion Techniques\r\n#papras w/o VM detection\r\nRM3\r\nRM3 — Curiosities of the wildest banking malware\r\nTrojan.Gozi.64\r\nGozi V3 Technical Update\r\nOld dog, with new tricks — ISFB v3 loader\r\nLarge Ursnif Campaign Hitting UK Using Brexit As Lure\r\nLDR4\r\nFrom RM3 to LDR4: URSNIF Leaves Banking Fraud Behind\r\nMisc\r\nA fileless Ursnif doing some POS focused reco\r\nSAIGON, the Mysterious Ursnif Fork\r\nSource: https://medium.com/csis-techblog/chapter-1-from-gozi-to-isfb-the-history-of-a-mythical-malware-family-82e592577fef\r\nhttps://medium.com/csis-techblog/chapter-1-from-gozi-to-isfb-the-history-of-a-mythical-malware-family-82e592577fef\r\nPage 27 of 27",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/csis-techblog/chapter-1-from-gozi-to-isfb-the-history-of-a-mythical-malware-family-82e592577fef"
	],
	"report_names": [
		"chapter-1-from-gozi-to-isfb-the-history-of-a-mythical-malware-family-82e592577fef"
	],
	"threat_actors": [
		{
			"id": "02e5c3b8-54b4-4170-b200-7f1fd361b5a9",
			"created_at": "2022-10-25T16:07:24.557505Z",
			"updated_at": "2026-04-10T02:00:05.032451Z",
			"deleted_at": null,
			"main_name": "Scully Spider",
			"aliases": [
				"Scully Spider",
				"TA547"
			],
			"source_name": "ETDA:Scully Spider",
			"tools": [
				"DanaBot",
				"Lumma Stealer",
				"LummaC2",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"Rhadamanthys",
				"Rhadamanthys Stealer",
				"Stealc"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1998ad13-b343-4409-9a37-b1930d156a28",
			"created_at": "2023-09-17T02:00:09.948891Z",
			"updated_at": "2026-04-10T02:00:03.372224Z",
			"deleted_at": null,
			"main_name": "Storm-0324",
			"aliases": [
				"DEV-0324",
				"Sagrid",
				"TA543"
			],
			"source_name": "MISPGALAXY:Storm-0324",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b753c6a8-a83d-47bc-829d-45e56136eb7d",
			"created_at": "2023-01-06T13:46:38.97802Z",
			"updated_at": "2026-04-10T02:00:03.169611Z",
			"deleted_at": null,
			"main_name": "GozNym",
			"aliases": [],
			"source_name": "MISPGALAXY:GozNym",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "72bc3519-a265-4136-b85a-d5e331f085b1",
			"created_at": "2023-01-06T13:46:39.313045Z",
			"updated_at": "2026-04-10T02:00:03.28438Z",
			"deleted_at": null,
			"main_name": "TA547",
			"aliases": [],
			"source_name": "MISPGALAXY:TA547",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434155,
	"ts_updated_at": 1775826742,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d89ade785c5e76b0d12a29250d7c5f3f896ddb2e.pdf",
		"text": "https://archive.orkl.eu/d89ade785c5e76b0d12a29250d7c5f3f896ddb2e.txt",
		"img": "https://archive.orkl.eu/d89ade785c5e76b0d12a29250d7c5f3f896ddb2e.jpg"
	}
}