The Ursnif trojan is one of the most active and prevalent variants of the Gozi malware, also known as Dreambot. The trojan is often spread by exploit kits, email attachments, and malicious links. Ursnif has continued to evolve over the last few months, adding Tor and peer-to-peer (P2P) capabilities in July 2016. Though the function exists, few of the Ursnif samples use the Tor network as their primary mode of communication with the C2 infrastructure. When the Angler exploit kit was widely used, it was used to deliver the Ursnif trojan. In May, Ursnif was delivered in a malvertising campaign by the Neutrino exploit kit. In August, the trojan was delivered by the RIG exploit kit. Ursnif has been delivered by email throughout 2016 and targeted users in the United States, Australia, Canada, Italy, Poland, Switzerland, and the United Kingdom. The attackers used Microsoft Word attachments with malicious macros to distribute Ursnif to US victims.


  • August 2016: Dreambot is delivered by the RIG exploit kit. (BroadAnalysis)

  • August 2016: Dreambot trojan adds Tor and peer-to-peer functionality. (Proofpoint)

  • September 2016: Dreambot, also known as Ursnif, is now capable of sandbox evasion to avoid detection. (Softpedia)

  • January 2017: In an early 2017 spam campaign, ZIP attachments that contained SVG files would execute and initiate an EXE file. This file installs the Ursnif banking trojan. (Bleeping Computer)

  • October 2017: New Malicious Macro Evasion Tactics Exposed in URSNIF Spam Mail. (Trend Micro)

  • November 2017: Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. (FireEye)

  • November 2018: Threat actors are deploying new tactic of inserting malicious URLs within Office document embedded videos to deliver the Ursnif trojan. (Trend Micro)

Technical Details

  • Proofpoint provides technical details on the Dreambot/Ursnif trojan, available here.