{ "id": "0d6d69b8-80be-44b1-b3a1-95a239401565", "created_at": "2026-04-06T01:28:56.17583Z", "updated_at": "2026-04-10T03:35:59.563821Z", "deleted_at": null, "sha1_hash": "ef7ffae0b100488d3055ae338b15f6c99b003936", "title": "GozNym Banking Malware: Gang Busted, But Is That The End?", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 10606613, "plain_text": "GozNym Banking Malware: Gang Busted, But Is That The End?\r\nBy SentinelOne\r\nPublished: 2019-05-20 · Archived: 2026-04-06 01:18:09 UTC\r\nAmid all last week’s cybersecurity bad news, there was at least one bright spot for the security world to cheer about. On\r\nThursday, Europol announced that they had dismantled the criminal network behind the GozNym banking malware, which\r\nhas been aggressively targeting businesses and financial institutions in multiple countries. According to Europol, a botnet of\r\nsome 41000 infected computers was using the GozNym malware to siphon up to $100 million from its unsuspecting victims.\r\nhttps://www.sentinelone.com/blog/goznym-banking-malware-gang-busted/\r\nPage 1 of 9\n\nGozNym is a hybrid creation specifically coded to, among other things, avoid detection by legacy AV solutions. The gang\r\nhad combined the Nymaim malware, a first stage loader with persistence capabilities, with a second-stage infection\r\ncontaining a version of the Gozi ISFB banking trojan, hence the name GozNym.\r\nNymaim has been around for several years but is notable for its ability to avoid security solutions. As previous researchers\r\nhave revealed, Nymaim checks for running processes that belong to certain AV vendor products.\r\nhttps://www.sentinelone.com/blog/goznym-banking-malware-gang-busted/\r\nPage 2 of 9\n\nAlthough Nymaim was initially used as a dropper for ransomware, it has become increasingly associated with banking\r\nmalware since around 2015. It was first combined with Gozi as a second stage payload in early 2016.\r\nThe Gozi banking trojan, aka Ursnif, is an established malware whose source code has been leaked and analyzed several\r\ntimes over the past few years. Leaks allowed the GozNym gang to cherrypick its most useful methodologies. Among those\r\nare the abilities to install an MBR (Master Boot Record) rootkit and to generate a custom list of C2 servers using its own\r\nDomain Generation Algorithms (DGA).\r\nHowever, the primary engine underlying GozNym and related variants such as Dreambot, IAP and PowerSniff, is ISFB – a\r\ndynamic link library (DLL) designed to analyze and modify HTTP traffic on the victim’s computer. It is this component that\r\nallows the criminals to hijack the user’s banking credentials through its ability to inject and manipulate a browser’s web\r\nsessions.\r\nGozi ISFB also supports various plugins that are traded in underground marketplaces and which can give it a variety of\r\ncapabilities, such as stealing emails and passwords.\r\nThe GozNym Criminal Network\r\nThe criminal network behind GozNym was a sophisticated setup, Europol reported, spanning four East European countries\r\nand orchestrated through underground, Russian-speaking online criminal forums.\r\nSpammers were employed to create and send hundreds of thousands of phishing emails. The emails, designed to look like\r\nlegitimate business correspondence, encouraged the recipient to click on a malicious link or file attachment. Word.doc\r\nattachments with encrypted VBA macros are, surprisingly, still an effective technique. If the social engineering trick worked,\r\nthe victim’s machine was redirected to a server that dropped the GozNym malware.\r\nhttps://www.sentinelone.com/blog/goznym-banking-malware-gang-busted/\r\nPage 3 of 9\n\nThe purpose of the GozNym malware is to capture victims’ banking login credentials and deliver these to the gang, who\r\nwould then use the captured credentials to fraudulently gain access to victims’ accounts. The stolen funds were then\r\nlaundered through U.S and other foreign bank accounts controlled by the criminals.\r\nThe gang’s complex operation required many layers of enterprising criminals tasked with different duties.\r\nThe first stage primarily involved two people, the leader of the criminal network and a developer. Other cybercriminals were\r\nrecruited to provide specialist services and skills, including coding. In order to cover their tracks, crypters were used to\r\nimprove the malware’s ability to evade AV solutions. The gang also employed spammers to create mass email phishing\r\ncampaigns to lure in potential victims. Another layer in the network involved the Avalanche hosting service, which was used\r\nto register malicious domains and host the malware. The web of criminals involved spread further to include account\r\ntakeover specialists who managed the victims’ hijacked online banking accounts and initiated electronic transfers of funds.\r\nFinally, money launderers were used to provide bank accounts that received the victims’ stolen funds.\r\nhttps://www.sentinelone.com/blog/goznym-banking-malware-gang-busted/\r\nPage 4 of 9\n\nhttps://www.sentinelone.com/blog/goznym-banking-malware-gang-busted/\r\nPage 5 of 9\n\nhttps://www.sentinelone.com/blog/goznym-banking-malware-gang-busted/\r\nPage 6 of 9\n\nhttps://www.sentinelone.com/blog/goznym-banking-malware-gang-busted/\r\nPage 7 of 9\n\nIs That the End of GozNym?\r\nWhile the good news is that the actors behind GozNym have been unmasked, unfortunately they have not all been\r\napprehended. The source code and methodology behind GozNym’s creation is at least partially available (it is not currently\r\nknown if the Nymaim source code has been leaked), and there is clear evidence of cybercrime-as-a-service being an active\r\nbusiness model on the Dark Net and elsewhere.\r\nDefenders should realize also that GozNym is only part of a family of related malwares that have a long history and\r\ncomplex relationships:\r\nIt has also been suggested that the powerful ISFB module that underlies this form of banking trojan may be maintained\r\nand developed by at least three independent groups.\r\nGiven all that we know, it’s reasonably likely that GozNym or something similar will be seen active in the wild again before\r\nlong.\r\nHow to Protect Against GozNym\r\nSentinelOne customers are already protected against GozNym malware as demonstrated in this video. As soon as the\r\nmalware attempts to execute, the SentinelOne agent on the endpoint detects the threat and quarantines the malicious file,\r\nleaving the device in a clean, uninfected state.\r\nhttps://www.sentinelone.com/blog/goznym-banking-malware-gang-busted/\r\nPage 8 of 9\n\nEtt fel inträffade.\r\nDet går inte att köra JavaScript.\r\nIf you are not already protected by SentinelOne, try a free demo to see how our easy-to-use, autonomous endpoint solution\r\ncan protect your business.\r\nSource: https://www.sentinelone.com/blog/goznym-banking-malware-gang-busted/\r\nhttps://www.sentinelone.com/blog/goznym-banking-malware-gang-busted/\r\nPage 9 of 9", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://www.sentinelone.com/blog/goznym-banking-malware-gang-busted/" ], "report_names": [ "goznym-banking-malware-gang-busted" ], "threat_actors": [ { "id": "b753c6a8-a83d-47bc-829d-45e56136eb7d", "created_at": "2023-01-06T13:46:38.97802Z", "updated_at": "2026-04-10T02:00:03.169611Z", "deleted_at": null, "main_name": "GozNym", "aliases": [], "source_name": "MISPGALAXY:GozNym", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bc289ba8-bc61-474c-8462-a3f7179d97bb", "created_at": "2022-10-25T16:07:24.450609Z", "updated_at": "2026-04-10T02:00:04.996582Z", "deleted_at": null, "main_name": "Avalanche", "aliases": [], "source_name": "ETDA:Avalanche", "tools": [], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775438936, "ts_updated_at": 1775792159, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/ef7ffae0b100488d3055ae338b15f6c99b003936.pdf", "text": "https://archive.orkl.eu/ef7ffae0b100488d3055ae338b15f6c99b003936.txt", "img": "https://archive.orkl.eu/ef7ffae0b100488d3055ae338b15f6c99b003936.jpg" } }