{
  "family": "ursnif",
  "sample_count": 8188,
  "category": "banking_trojan",
  "description": "Ursnif, also known as Gozi or ISFB, is a long-running banking trojan family with origins tracing back to 2007 that has been repeatedly forked and updated by multiple threat actor groups. It specializes in stealing banking credentials, browser data, and cryptocurrency wallets, and is commonly delivered through phishing emails with malicious attachments. Ursnif uses webinjects to manipulate banking sessions in the browser, hidden VNC for covert remote access, and process injection to evade detection. The leaked Gozi source code is the foundation for many modern banking trojans, and Ursnif itself remains under active development.",
  "cta": "If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance.",
  "aliases": [
    "gozi",
    "isfb",
    "papras",
    "snifula",
    "dreambot"
  ],
  "enrichment_level": "hand-curated",
  "faq": [
    {
      "@type": "Question",
      "name": "What is Ursnif?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Ursnif, also known as Gozi or ISFB, is a long-running banking trojan family with origins tracing back to 2007 that has been repeatedly forked and updated by multiple threat actor groups. It specializes in stealing banking credentials, browser data, and cryptocurrency wallets, and is commonly delivered through phishing emails with malicious attachments. Ursnif uses webinjects to manipulate banking sessions in the browser, hidden VNC for covert remote access, and process injection to evade detection. The leaked Gozi source code is the foundation for many modern banking trojans, and Ursnif itself remains under active development."
      }
    },
    {
      "@type": "Question",
      "name": "How does Ursnif spread?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Ursnif (Gozi/ISFB) spreads through phishing emails with malicious macro documents, ISO images, and JavaScript droppers, with operators frequently rotating delivery techniques."
      }
    },
    {
      "@type": "Question",
      "name": "What are the signs of an Ursnif infection?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Key indicators include injected content or altered forms on banking websites in the browser, outbound traffic to compromised hosts used as C2, unexpected scheduled tasks created for persistence, and antivirus detections named Ursnif, Gozi, ISFB, or Dreambot."
      }
    },
    {
      "@type": "Question",
      "name": "What should I do if I think I have Ursnif on my system?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance."
      }
    }
  ],
  "faq_count": 4,
  "mitre_attack": [
    "T1566.001",
    "T1185",
    "T1071.001",
    "T1055"
  ],
  "cisa_advisory": null,
  "last_updated": "2026-05-27"
}