Trojan:Win32/Goznym is a devastating, highly sophisticated hybrid banking trojan that merged the stealth and dropping capabilities of the Nymaim loader with the severe financial fraud and web-injection modules of the Gozi (ISFB) trojan.
Understanding GozNym
To the victim, a GozNym infection often results in catastrophic financial loss—the malware drains bank accounts while locking the screen to prevent interference. For threat intelligence analysts, GozNym represents a 'best of both worlds' cybercrime masterpiece. Before law enforcement dismantled the network, it caused tens of millions of dollars in damages globally by combining Nymaim's ability to silently bypass AV and deliver payloads with Gozi's legendary ability to intercept and manipulate online banking sessions.
Execution and Evasion Strategies
GozNym was primarily distributed via massive, highly targeted spearphishing campaigns (often using the Avalanche botnet infrastructure) containing weaponized macros. Upon execution, the Nymaim component utilizes heavy packing, anti-debugging, and anti-VM checks. It establishes persistence and reaches out to a DGA-generated C2 to download the Gozi component as an encrypted DLL. This DLL is injected directly into the browser process (e.g., explorer.exe or chrome.exe). GozNym then utilizes advanced API hooking to intercept HTTPS traffic (Man-in-the-Browser), injecting fraudulent HTML fields into legitimate banking websites to capture passwords, PINs, and bypass 2FA tokens.
Indicators of Compromise & Impact
The impact is immediate, severe financial theft. Threat hunters should investigate EDR alerts for 'Suspicious Browser Injection' or 'API Hooking Detected'. Network logs will reveal encrypted C2 communications using custom protocols to transmit the stolen credentials. Memory forensics is absolutely critical; analysts must dump the browser's memory to extract the injected Gozi DLL and the downloaded web-inject configuration files.
Observed techniques used by this family, mapped to the MITRE ATT&CK framework:
| Technique | Name | Tactic |
|---|---|---|
T1185 | Browser Session Hijacking | Collection |
T1055.001 | Process Injection: Dynamic-link Library Injection | Defense Evasion |
T1056.004 | Input Capture: Credential API Hooking | Credential Access |
T1105 | Ingress Tool Transfer | Command and Control |
T1568.002 | Dynamic Resolution: Domain Generation Algorithms | Command and Control |
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_GOZNYM {
meta:
description = "Detects Goznym (banking_trojan)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "goznym" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Goznym Activity
id: 1eb9b39aa1c832d6febde89b7a95e2d0
status: experimental
description: Detects generic indicators of the goznym malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*goznym*"
condition: selection
level: mediumOrdered checklist for responders. Adapt to your environment and engage professional support for active incidents.
Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/goznym.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.