Goznym

Category: banking_trojan · Aliases: None known · Sample count (EMBER 2018): 120 · Enrichment: expert-seo · Updated: 2026-06-09

Overview

Trojan:Win32/Goznym is a devastating, highly sophisticated hybrid banking trojan that merged the stealth and dropping capabilities of the Nymaim loader with the severe financial fraud and web-injection modules of the Gozi (ISFB) trojan.

Understanding GozNym
To the victim, a GozNym infection often results in catastrophic financial loss—the malware drains bank accounts while locking the screen to prevent interference. For threat intelligence analysts, GozNym represents a 'best of both worlds' cybercrime masterpiece. Before law enforcement dismantled the network, it caused tens of millions of dollars in damages globally by combining Nymaim's ability to silently bypass AV and deliver payloads with Gozi's legendary ability to intercept and manipulate online banking sessions.

Execution and Evasion Strategies
GozNym was primarily distributed via massive, highly targeted spearphishing campaigns (often using the Avalanche botnet infrastructure) containing weaponized macros. Upon execution, the Nymaim component utilizes heavy packing, anti-debugging, and anti-VM checks. It establishes persistence and reaches out to a DGA-generated C2 to download the Gozi component as an encrypted DLL. This DLL is injected directly into the browser process (e.g., explorer.exe or chrome.exe). GozNym then utilizes advanced API hooking to intercept HTTPS traffic (Man-in-the-Browser), injecting fraudulent HTML fields into legitimate banking websites to capture passwords, PINs, and bypass 2FA tokens.

Indicators of Compromise & Impact
The impact is immediate, severe financial theft. Threat hunters should investigate EDR alerts for 'Suspicious Browser Injection' or 'API Hooking Detected'. Network logs will reveal encrypted C2 communications using custom protocols to transmit the stolen credentials. Memory forensics is absolutely critical; analysts must dump the browser's memory to extract the injected Gozi DLL and the downloaded web-inject configuration files.

MITRE ATT&CK Techniques

Observed techniques used by this family, mapped to the MITRE ATT&CK framework:

TechniqueNameTactic
T1185Browser Session HijackingCollection
T1055.001Process Injection: Dynamic-link Library InjectionDefense Evasion
T1056.004Input Capture: Credential API HookingCredential Access
T1105Ingress Tool TransferCommand and Control
T1568.002Dynamic Resolution: Domain Generation AlgorithmsCommand and Control

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_GOZNYM {
    meta:
        description = "Detects Goznym (banking_trojan)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "goznym" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Goznym Activity
id: 1eb9b39aa1c832d6febde89b7a95e2d0
status: experimental
description: Detects generic indicators of the goznym malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*goznym*"
    condition: selection
level: medium

Containment & Response Steps

Ordered checklist for responders. Adapt to your environment and engage professional support for active incidents.

  1. Immediately isolate the endpoint from the network to halt the active exfiltration of banking credentials and prevent fraudulent wire transfers.
  2. Assist the user in immediately contacting their financial institutions to freeze accounts, block recent transactions, and reset all banking passwords.
  3. Capture a live memory image (RAM dump) to extract the injected GozNym DLLs and the downloaded web-inject configuration files.
  4. Perform a clean OS rebuild; GozNym establishes deep, complex hooks in the registry and browser processes that are extremely difficult to eradicate manually.

What to Avoid

Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.

  1. Do not allow the user to access any online banking or financial portals while the machine is infected.
  2. Avoid rebooting the machine before capturing memory, as the critical web-inject configurations exist only in RAM.

References & External Analysis

Related Families (Category: banking_trojan)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/goznym.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.