{
	"id": "05cb8357-990a-4c7b-90c4-dee65dc2491a",
	"created_at": "2026-04-06T00:07:17.655512Z",
	"updated_at": "2026-04-10T03:25:13.101631Z",
	"deleted_at": null,
	"sha1_hash": "ff24e2e6adb7d33354388cf4d672fe88886927d9",
	"title": "GozNym Banking Trojan Targeting German Banks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 35693,
	"plain_text": "GozNym Banking Trojan Targeting German Banks\r\nBy Chris Brook\r\nPublished: 2016-08-23 · Archived: 2026-04-02 11:40:41 UTC\r\nFresh from targeting banks in Poland, the banking Trojan GozNym has begun taking aim at banks in Germany.\r\nGozNym’s Euro trip rolls on. Fresh from targeting banks in Poland, the banking Trojan has reportedly begun\r\ntaking aim at banks in Germany.\r\nFor many, August marks the long, dog days of summer but developers behind GozNym appear to be working\r\nhard. According to numbers published by IBM’s X-Force team this week, researchers have seen a 3,550 percent\r\nhike in the Trojan this month over numbers it saw in July. The surge marks a 526 percent rise when compared to\r\nthe total number of attacks since the Trojan’s iteration.\r\nThe Trojan, a hybrid of Nymaim and Gozi malware, initially formed in April and thrives on carrying out\r\nredirection attacks via DNS poisoning. In the attacks, unsuspecting bank customers are redirected to a seemingly\r\nlegitimate replica of their bank’s site and then tricked into giving up their login information.\r\nGozNym is now targeting 13 banks and subsidiaries in Germany, Limor Kessem, Executive Security Advisor\r\nat IBM, said Tuesday. The Trojan’s usual redirection attacks are being complemented with web injection-based\r\nattacks that cater to the banks as well.\r\nKessem told Threatpost on Tuesday that unlike the redirection attacks, which are designed to show victims a\r\ncompletely fake page, the injections rely heavily on social engineering visuals. 
The injections, which can come in\r\nthe form of modifications to the bank’s page, or pop-ups throughout a session, mean a victim may not notice them.\r\nThe ability to use both redirection and injection attacks gives the malware more customization, experts say.\r\n“Almost all targets of the injection attacks are also on the redirection attack list, which means that the malware can\r\nchoose a preferred path for each case (which we’ve seen in other redirection attacks, like Dyre and Dridex),”\r\nKessem said, “the ‘decision,’ if you will, is taken on the server side by the attacker, and does not seem to rely on a\r\nbuilt-in logic.”\r\nIn April, shortly after the Trojan’s discovery, researchers observed a massive GozNym campaign targeting 24\r\nNorth American banks. Attackers used that campaign to steal $4 million over the course of two weeks before they\r\nexpanded GozNym’s scope to include corporate, SMB, investment banking and consumer bank accounts in\r\nPoland.\r\nBy the end of April, GozNym had redirection instructions for 17 Polish banks in its repertoire, along with an extra\r\n230 URLs designed to assist attackers in targeting community banks and email service providers in the Eastern\r\nEuropean country.\r\nWhen we last heard from the Trojan, its operators were seen launching redirection attacks on four large, U.S.\r\nbanks in June.\r\nThe fact that the cybercriminals behind GozNym have already adapted the Trojan for three different languages and\r\nin countries which have different banking systems is unique, according to Kessem. 
Attackers behind Dyre have\r\nused similar tactics in the past but have only deployed their attacks in English-speaking countries and Spain.\r\n“Looking at GozNym’s timeline, it is evident that the gang operating the malware has the resources and savvy to\r\ndeploy sophisticated cybercrime tactics against banks,” Kessem said Tuesday, “The project is very active and\r\nevolving rapidly, making it likely to spread to additional countries over time.”\r\nSource: https://threatpost.com/goznym-banking-trojan-targeting-german-banks/120075/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://threatpost.com/goznym-banking-trojan-targeting-german-banks/120075/"
	],
	"report_names": [
		"120075"
	],
	"threat_actors": [
		{
			"id": "b753c6a8-a83d-47bc-829d-45e56136eb7d",
			"created_at": "2023-01-06T13:46:38.97802Z",
			"updated_at": "2026-04-10T02:00:03.169611Z",
			"deleted_at": null,
			"main_name": "GozNym",
			"aliases": [],
			"source_name": "MISPGALAXY:GozNym",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434037,
	"ts_updated_at": 1775791513,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ff24e2e6adb7d33354388cf4d672fe88886927d9.pdf",
		"text": "https://archive.orkl.eu/ff24e2e6adb7d33354388cf4d672fe88886927d9.txt",
		"img": "https://archive.orkl.eu/ff24e2e6adb7d33354388cf4d672fe88886927d9.jpg"
	}
}