The Gozi Banking trojan was first discovered in January 2007 after a computer user witnessed a previously unknown piece of malware hijack several website accounts through a remote exploit. The main Gozi server was part of a Russian-owned business network typically seen serving a variety of malware. Gozi was considered a state-of-the-art modular trojan, spread through Internet Explorer exploits that compromised accounts to steal sensitive data including banking information.

Gozi inject targeting US Bank. Image Source: Krebs On Security

In 2010, Gozi's source code was accidentally leaked, allowing hackers to repurpose the code for other malware, such as Neverquest/Vawtrak trojans. In 2013, developers added a Master Boot Record rootkit to ensure that the malware remains on the system even if the operating system is reinstalled.

Through the years, Gozi has also been used as a mere vector to install additional injections on victims’ machines. In 2013, three individuals were arrested for using the Gozi trojan with 76 Service, a software-as-a-service (SaaS) scheme. The attackers would download Gozi onto the victim's device and then use the 76 Service to specially craft a code injection, like a pop-up requesting banking credentials, to gain sensitive information.

In February, IBM's X-Force discovered a new variant of the Gozi trojan. The developers updated the code injection mechanism to include form grabbing and webinjections for the Windows 10 Microsoft Edge browser. The trojan allows the attackers to control the browser to monitor victim activity.

In April, part of the source code for a Gozi trojan variant was combined with the Nymaim trojan source code to create the GozNym banking trojan. As of April, GozNym had been used against 24 U.S. and Canadian banks and stole millions of dollars.


  • January 2013: Three arrested in connection with Gozi trojan. (KrebsOnSecurity)
  • April 2013: Master Boot Record rootkit added to trojan functionality. (IBM)
  • February 2016: Gozi trojan implements webinjects for Microsoft Edge. (IBM)
  • April 2016: Gozi and Nymaim combined to form GozNym trojan. (IBM)
  • March 2018: Gozi variant Gozi ISFB Remains Active in 2018, Leverages “Dark Cloud” Botnet For Distribution. (Cisco Talos)

Technical Details

  • IBM provides technical details on the new variant of Gozi trojan, available here.