Ursnif

Category: banking_trojan · Aliases: Ursnif, Gozi-ISFB, Dreambot, ISFB · Sample count (EMBER 2018): 8,188 · Enrichment: curated_sourced · Updated: 2026-06-09

Overview

Ursnif is a banking trojan and a variant of the Gozi malware. According to MITRE ATT&CK, it has been spread through automated exploit kits, spearphishing attachments, and malicious links. While it is associated primarily with data theft, some variants add components such as backdoors, spyware, and file injectors, giving it a wide range of behaviors. Its long lineage and several code leaks have produced many related variants tracked under names like Gozi-ISFB and Dreambot.

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1566.001 T1185 T1071.001 T1055

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_URSNIF {
    meta:
        description = "Detects Ursnif (banking_trojan)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "ursnif" ascii wide nocase
        $s2 = "ursnif" ascii wide nocase
        $s3 = "gozi-isfb" ascii wide nocase
        $s4 = "dreambot" ascii wide nocase
        $s5 = "isfb" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Ursnif Activity
id: 1bba09eb98151e0bd46d8c9227e8282e
status: experimental
description: Detects generic indicators of the ursnif malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*ursnif*"
            - "*ursnif*"
            - "*gozi-isfb*"
            - "*dreambot*"
            - "*isfb*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

What is Ursnif?

A banking trojan derived from the Gozi malware family, focused mainly on stealing banking credentials and other sensitive data.

What other names does Ursnif go by?

It is tracked under names including Gozi, Gozi-ISFB, ISFB, and Dreambot, reflecting its shared code lineage and multiple variants.

How does Ursnif spread?

MITRE documents distribution through automated exploit kits, spearphishing email attachments, and malicious links.

What does Ursnif do once it infects a machine?

It is associated primarily with data theft, but certain variants add backdoors, spyware, and file-injection components for broader control.

Why are there so many Ursnif variants?

The underlying Gozi/ISFB source code has leaked more than once, letting different actors build their own versions.

How can I reduce exposure to banking trojans like Ursnif?

Keep your browser and OS patched (which closes exploit-kit holes), be wary of unexpected email attachments and links, and use multi-factor authentication on financial accounts so stolen passwords alone are not enough.

Where is the authoritative source for Ursnif?

MITRE ATT&CK's Ursnif entry (S0386), linked on this page, documents its observed techniques and references vendor research.

Related Families (Category: banking_trojan)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/ursnif.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.