The GozNym trojan emerged in April 2016 as it was observed targeting US and Canadian financial institutions. GozNym is a hybrid of two existing malware code, Nymaim and Gozi ISFB. GozNym primarily targets the financial services industry, seeking to compromise credentials used for online banking, steal data, and conduct fraudulent wire transfers. The trojan leverages the stealth and persistence of the Nymaim malware, along with the Gozi ISFB’s banking trojan capabilities to facilitate fraud by compromising web browsers.  According to IBM's researchers, GozNym is introduced to computers via malicious Microsoft Word macros, which then trigger the Pony Loader to launch the Nymaim executable. Nymaim then executes the Gozi ISFB component.


  • April 2016: IBM X-Force Research first reported on the GozNym hydrid and the successful targeting of 22 US and two Canadian institutions in Business Banking (28%), Credit Unions (27%), E-Commerce (22%), Retail Banking (17%). The cybercriminals also reportedly branched out into a campaign against European financial institutions, namely Polish banks. (IBM Security Intelligence Blog)

  • May 2016: A representative of IBM Security reiterated the threat to the financial industry posed by GozNym, and more losses are likely after they observed at least $4 million stolen by GozNym in April. (CNBC)

  • November 2016: Krasimir Nikolov of Bulgaria was indicted by U.S. authorities for his role in distributing the GozNym malware. Nikolov faces up to 100 years in prison. (Bleeping Computer)

  • May 2019: GozNym cybercrime network dismantled in international operation. (DoJ)

Technical Details

  • IBM Security Intelligence provides technical details on the GozNym trojan, available here.

    • MD5

      • 2A9093307E667CDB71884ECC1B480245

      • C5AB408B9F710EBD63A515217A975274


One example of the GozNym trojan. Image Source: Security Intelligence

Trojan VariantsNJCCICGozNym