GootKit was first discovered 2014 and uses a variety of evasion techniques to remain undetected. Researchers believe it is a close-hold tool used by select threat actors to conduct online banking fraud attacks targeting consumer and business bank accounts in Europe. The threat actors were very active in 2016, using GootKit to infiltrate retail and business banking accounts, steal credentials, and manipulate online banking sessions using social engineering. They eventually take over the accounts and transfer cash from the victim account to one under their control. In June 2016, IBM researchers discovered that developers added a lighter video-grabbing module, enhanced virtual machine detection capability, and installation flow modifications for evasion. GootKit is delivered to victims via malicious attachments in phishing emails and via exploit kits, such as Neutrino, Angler, and most recently, RIG.


  • July 2016: GootKit banking trojan upgraded. (SC Magazine)
  • May 2017: GootKit moves away from web injections to redirection attacks to target banks. (SecurityWeek)

Technical Details

  • IBM X-Force provides technical analysis of GootKit, available here.