Ursnif is a banking trojan and a variant of the Gozi malware. According to MITRE ATT&CK, it has been spread through automated exploit kits, spearphishing attachments, and malicious links. While it is associated primarily with data theft, some variants add components such as backdoors, spyware, and file injectors, giving it a wide range of behaviors. Its long lineage and several code leaks have produced many related variants tracked under names like Gozi-ISFB and Dreambot.
Threat reports may refer to this family under multiple names:
This family has been observed using the following ATT&CK techniques: T1566.001 T1185 T1071.001 T1055
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_URSNIF {
meta:
description = "Detects Ursnif (banking_trojan)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "ursnif" ascii wide nocase
$s2 = "ursnif" ascii wide nocase
$s3 = "gozi-isfb" ascii wide nocase
$s4 = "dreambot" ascii wide nocase
$s5 = "isfb" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Ursnif Activity
id: 1bba09eb98151e0bd46d8c9227e8282e
status: experimental
description: Detects generic indicators of the ursnif malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*ursnif*"
- "*ursnif*"
- "*gozi-isfb*"
- "*dreambot*"
- "*isfb*"
condition: selection
level: mediumA banking trojan derived from the Gozi malware family, focused mainly on stealing banking credentials and other sensitive data.
It is tracked under names including Gozi, Gozi-ISFB, ISFB, and Dreambot, reflecting its shared code lineage and multiple variants.
MITRE documents distribution through automated exploit kits, spearphishing email attachments, and malicious links.
It is associated primarily with data theft, but certain variants add backdoors, spyware, and file-injection components for broader control.
The underlying Gozi/ISFB source code has leaked more than once, letting different actors build their own versions.
Keep your browser and OS patched (which closes exploit-kit holes), be wary of unexpected email attachments and links, and use multi-factor authentication on financial accounts so stolen passwords alone are not enough.
MITRE ATT&CK's Ursnif entry (S0386), linked on this page, documents its observed techniques and references vendor research.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/ursnif.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.