Gatak trojan was first observed in 2012 and has since affected thousands of organizations. It is programmed to spread rapidly once it has infected an organization. The trojan infects victims by convincing them to visit sites claiming to be pirated enterprise software products. The software license key generators are infected with malicious code. Additionally, Gatak is spread using watering hole attacks, infecting websites that the targeted group visits often. The trojan creates a backdoor on the compromised machine and then steals sensitive data and propagates through the targeted network infecting additional devices. The trojan has also pushed additional malware, such as ransomware, onto affected machines. Gatak has focused its efforts against the healthcare industry, at 40 percent of its top 20 most affected organizations. The trojan evades detection by going into “sleep mode” after the initial infection. The trojan downloads instructions from pre-programmed URLs using steganography to hide in seemingly harmless images.


  • November 2016: Gatak puts itself to sleep in order to evade detection. (The Register)
  • November 2016: According to Symantec, 62% of Gatak trojan infections occur on enterprise computers. (Symantec)

Technical Details

  • Trend Micro provides technical details on the Gatak trojan, here.

One example of the Gatak variant. Image Source: Trend Micro

Trojan VariantsNJCCICGatak