{
	"id": "2c59be2a-76fa-4bf3-b44b-3c057a1aa602",
	"created_at": "2026-04-06T00:10:42.158575Z",
	"updated_at": "2026-04-10T03:25:13.024304Z",
	"deleted_at": null,
	"sha1_hash": "f06409c8f4084da8bb4ba5449162e8f21702fcf6",
	"title": "Attackers Behind GozNym Trojan Set Sights on Europe",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 36583,
	"plain_text": "Attackers Behind GozNym Trojan Set Sights on Europe\r\nBy Chris Brook\r\nPublished: 2016-04-25 · Archived: 2026-04-02 11:16:16 UTC\r\nThe banking malware GozNym has spread into Europe and begun plaguing banking customers in Poland with\r\nredirection attacks, IBM said.\r\nThe banking malware GozNym has legs; only a few weeks after the hybrid Trojan was discovered, it has\r\nreportedly spread into Europe and begun plaguing banking customers in Poland with redirection attacks.\r\nThe malware has started targeting corporate, SMB, investment banking and consumer accounts at banks,\r\nincluding some in Portugal and the U.S., in addition to Poland, according to researchers at IBM’s X-Force team.\r\nIn the attacks, bank customers are redirected to a replica of their bank’s actual page and tricked into giving up\r\nsensitive information such as credentials and authentication codes. With GozNym, attackers dupe users by\r\nshowing them the actual bank’s URL and SSL certificate. An overlay mask, facilitated by a Moscow-based server,\r\ncovers the page, hiding any malicious content on the phishing page, something that makes it look normal to users\r\nand researchers alike.\r\nLimor Kessem, a cybersecurity expert with IBM, described the latest iteration of the malware Monday in a post on\r\nthe company’s Security Intelligence blog.\r\nAfter a user is redirected to the malicious page, the overlay is removed and users are encouraged to enter their\r\nbank username and password. From there, the information is fired off to another server.\r\n“After that initial fake login, the malware displays a delay screen via webinjection asking the victim to\r\nwait,” Kessem wrote on Monday. “While the victim is on hold, the fraudster queries the C\u0026C server for additional\r\nwebinjections to trick users to divulge further information about their accounts.”\r\nAccording to Kessem, the malware has redirection instructions for 17 banks, and features an additional 230 URLs\r\nto assist attackers in targeting community banks and email service providers in Poland.\r\nThe technique is similar to one used by the Dridex Trojan earlier this year. Attackers took a page from Dyre\r\nand peddled Dridex by launching redirection attacks focused on U.K. users in January.\r\nThe method, which technically redirects users through local DNS poisoning, requires a fair bit of work; recreating\r\nand maintaining fake bank sites can be an arduous task, but Kessem claims the group behind GozNym – Nymaim\r\n– appears up to the task.\r\n“Convincing redirection attacks are a resource-intensive endeavor that require their operators to invest heavily in\r\ncreating website replicas of individual targeted banks. The Nymaim gang stands out as one of very few groups\r\nwith this capability,” Kessem wrote.\r\nhttps://threatpost.com/attackers-behind-goznym-trojan-set-sights-on-europe/117647/\r\nPage 1 of 2\n\nThe GozNym Trojan surfaced earlier this month after two other Trojans, Nymaim and Gozi, merged. Attackers\r\nwent on to use the Trojan to steal $4 million from 24 banks, including 22 in the United States and two in Canada,\r\nin just two weeks. The malware is distributed primarily through laced spam emails that lure recipients into\r\nopening attachments.\r\nKessem warned the Trojan was a “very problematic threat” just 11 days ago when she spoke to\r\nThreatpost, calling the combination of the two Trojans a “double-headed beast,” adding that the number of attacks\r\nstemming from the malware the company observed were extremely high, especially given it had only existed for a\r\nfew weeks at that point.\r\nSource: https://threatpost.com/attackers-behind-goznym-trojan-set-sights-on-europe/117647/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://threatpost.com/attackers-behind-goznym-trojan-set-sights-on-europe/117647/"
	],
	"report_names": [
		"117647"
	],
	"threat_actors": [
		{
			"id": "b753c6a8-a83d-47bc-829d-45e56136eb7d",
			"created_at": "2023-01-06T13:46:38.97802Z",
			"updated_at": "2026-04-10T02:00:03.169611Z",
			"deleted_at": null,
			"main_name": "GozNym",
			"aliases": [],
			"source_name": "MISPGALAXY:GozNym",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434242,
	"ts_updated_at": 1775791513,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f06409c8f4084da8bb4ba5449162e8f21702fcf6.pdf",
		"text": "https://archive.orkl.eu/f06409c8f4084da8bb4ba5449162e8f21702fcf6.txt",
		"img": "https://archive.orkl.eu/f06409c8f4084da8bb4ba5449162e8f21702fcf6.jpg"
	}
}