Ursnif

Category: banking_trojan · Aliases: gozi, isfb, papras, snifula, dreambot · Sample count (EMBER 2018): 8,188 · Enrichment: hand-curated · Updated: 2026-05-27

Overview

Ursnif, also known as Gozi or ISFB, is a long-running banking trojan family with origins tracing back to 2007 that has been repeatedly forked and updated by multiple threat actor groups. It specializes in stealing banking credentials, browser data, and cryptocurrency wallets, and is commonly delivered through phishing emails with malicious attachments. Ursnif uses webinjects, hidden VNC, and process injection to maintain stealth. The leaked Gozi source code is the foundation for many modern banking trojans, and Ursnif itself remains under active development.

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1566.001 T1185 T1071.001 T1055

Frequently Asked Questions

What is Ursnif?

Ursnif, also known as Gozi or ISFB, is a long-running banking trojan family with origins tracing back to 2007 that has been repeatedly forked and updated by multiple threat actor groups. It specializes in stealing banking credentials, browser data, and cryptocurrency wallets, and is commonly delivered through phishing emails with malicious attachments. Ursnif uses webinjects, hidden VNC, and process injection to maintain stealth. The leaked Gozi source code is the foundation for many modern banking trojans, and Ursnif itself remains under active development.

How does Ursnif spread?

Ursnif (Gozi/ISFB) spreads through phishing emails with malicious macro documents, ISO images, and JavaScript droppers, with operators frequently rotating delivery techniques.

What are the signs of an Ursnif infection?

Browser injection on banking sites, outbound traffic to compromised hosts used as C2, scheduled tasks for persistence, and AV detections for Ursnif, Gozi, ISFB, or Dreambot are key indicators.

What should I do if I think I have Ursnif on my system?

If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance.

Need help with an active incident? If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/ursnif.json

About this catalog

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families extracted from the EMBER 2018 benchmark. The catalog is also published on Hugging Face and Kaggle.

If you encountered ursnif, you may also see related banking_trojan threats. Explore the full banking_trojan category in this catalog:

View all 18 banking_trojan families →