The Dreambot trojan is one of the most active and prevalent variants of the Gozi malware, also known as Ursnif. The trojan is often spread by exploit kits, email attachments, and malicious links. Dreambot has continued to evolve over the last few months, adding Tor and peer-to-peer (P2P) capabilities in July 2016. Though the function exists, few of the Dreambot samples use the Tor network as their primary mode of communication with the C2 infrastructure. When the Angler exploit kit was widely used, it was used to deliver the Dreambot trojan. In May, Dreambot was delivered in a malvertising campaign by the Neutrino exploit kit. In August, the trojan was delivered by the RIG exploit kit. Dreambot has been delivered by email throughout 2016 and targeted users in the United States, Australia, Canada, Italy, Poland, Switzerland, and the United Kingdom. The attackers used Microsoft Word attachments with malicious macros to distribute Dreambot to US victims.


  • August 2016: Dreambot is delivered by the RIG exploit kit. (BroadAnalysis)
  • August 2016: Dreambot trojan adds Tor and peer-to-peer functionality. (Proofpoint)
  • September 2016: Dreambot, also known as Ursnif, is now capable of sandbox evasion to avoid detection. (Softpedia)
  • January 2017: In an early 2017 spam campaign, ZIP attachments that contained SVG files would execute and initiate an EXE file. This file installs the Ursnif banking trojan. (Bleeping Computer)
  • October 2017: New Malicious Macro Evasion Tactics Exposed in URSNIF Spam Mail (Trend Micro)

Technical Details

  • Proofpoint provides technical details on the Dreambot trojan, available here