Glitch effectGlitch effect

Gozi Malware


Published: 12/12/2025

What is Gozi Malware?

Gozi malware is a widely known banking Trojan, first discovered in 2007, that targets financial institutions by stealing sensitive data such as login credentials and personal banking information. Its key functions include keylogging, form grabbing, and injecting malicious code into web sessions. Gozi is considered a high-risk threat due to its ability to adapt and evade detection.

When was Gozi first discovered?

Gozi was initially discovered in early 2007 by security researchers analyzing a leaked sample. It gained notoriety for its effectiveness and has since evolved into various sophisticated versions.

Who created Gozi?

The original Gozi developers are a matter of public record following US Department of Justice prosecutions:

  • Nikita Kuzmin (lead developer): Arrested in 2010, pled guilty in 2011 to computer intrusion conspiracy, and sentenced in 2016 to 37 months in prison. Kuzmin developed the core Gozi trojan and operated it as crimeware-as-a-service.
  • Deniss Calovskis (web injects author): Extradited from Latvia and pled guilty in 2014 to conspiracy to commit computer intrusion. He developed the dynamic web injection system that made Gozi particularly effective at stealing banking credentials.
  • Mihai Ionut Paunescu (infrastructure provider): Extradited from Romania and convicted for providing bulletproof hosting services that kept Gozi's command-and-control infrastructure online despite takedown attempts.

These prosecutions targeted the original Gozi (circa 2007–2010). However, after Kuzmin's arrest, the source code was leaked and sold to multiple cybercriminal groups, leading to numerous variants that remain active today under different operators whose identities are largely unknown.

What does Gozi target?

Gozi primarily targets Windows-based systems and focuses on financial institutions and online banking platforms. Its geographical impact has been widespread, with campaigns identified across North America, Europe, and other regions.

Gozi distribution method

Gozi malware typically spreads through phishing emails with malicious attachments, drive-by downloads on compromised websites, and exploit kits that take advantage of unpatched software vulnerabilities.

Technical analysis of Gozi Malware

Tactics, Techniques & Procedures (TTPs)

Gozi uses stealthy persistence mechanisms and advanced evasion tactics mapped to the MITRE ATT&CK framework. Understanding these techniques is essential for effective detection and defense.

Persistence:

  • T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1543.003 - Create or Modify System Process: Windows Service

Defense Evasion:

  • T1055.005 - Process Injection: Thread Local Storage
  • T1055.012 - Process Injection: Process Hollowing
  • T1027.010 - Obfuscated Files or Information: Command Obfuscation
  • T1027.013 - Obfuscated Files or Information: Encrypted/Encoded File
  • T1036.005 - Masquerading: Match Legitimate Resource Name or Location
  • T1070.004 - Indicator Removal: File Deletion
  • T1112 - Modify Registry
  • T1564.003 - Hide Artifacts: Hidden Window
  • T1497.003 - Virtualization/Sandbox Evasion: Time Based Checks

Credential Access:

  • T1056.004 - Input Capture: Credential API Hooking
  • T1185 - Browser Session Hijacking

Discovery:

  • T1057 - Process Discovery
  • T1012 - Query Registry
  • T1082 - System Information Discovery
  • T1007 - System Service Discovery

Collection:

  • T1005 - Data from Local System
  • T1113 - Screen Capture
  • T1074.001 - Data Staged: Local Data Staging

Command and Control:

  • T1071.001 - Application Layer Protocol: Web Protocols
  • T1090 - Proxy
  • T1090.003 - Multi-hop Proxy (Tor)
  • T1132 - Data Encoding
  • T1568.002 - Dynamic Resolution: Domain Generation Algorithms

Execution:

  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1059.005 - Command and Scripting Interpreter: Visual Basic
  • T1047 - Windows Management Instrumentation
  • T1106 - Native API

Lateral Movement:

  • T1080 - Taint Shared Content
  • T1091 - Replication Through Removable Media

Exfiltration:

  • T1041 - Exfiltration Over C2 Channel

Gozi leverages Dynamic Web Injection (T1185) to steal credentials without victim awareness, injecting malicious payloads into trusted processes (T1055.005, T1055.012) while transferring data to command-and-control servers over HTTPS (T1071.001) or Tor (T1090.003).

Indicators of Compromise (IoCs)
  • Suspicious domain connections and IPs
  • File hashes linked to Gozi/ISFB/Dreambot/GozNym samples
  • Unfamiliar processes in task manager or altered system files
  • Registry modifications in autostart locations
  • Unexpected TOR client drops or hidden windows

Source URLs:


Malware Guide

Our malware guide shows you how to shut down those infiltration paths before they ever become a crisis.

Read the Malware Guide

How to know if you’re infected with Gozi?

Signs of infection include unexplained system slowdowns, unusual network activity, missing funds from financial accounts, or alerts from endpoint protection tools.

Gozi removal instructions

Removing Gozi requires comprehensive action. Begin by disconnecting the infected computer from the network to prevent further damage. Use trusted EDR solutions or remediation tools to identify and remove malicious files. A complete system reinstallation may be necessary if the infection is severe.

Is Gozi still active?

Yes, Gozi remains active, with cybercriminal groups releasing updated variants to bypass modern security defenses. Vigilance is required to guard against this persistent threat.

Mitigation & Prevention Strategies

Preventing Gozi infections involves implementing robust cybersecurity practices such as regular software patching, enabling multi-factor authentication, and conducting regular phishing awareness training. Continuous monitoring via managed detection and response services like th Huntress Managed Cybersecurity Platform can help proactively mitigate Gozi attacks.

Related Educational Articles & Videos

Gozi FAQs

Gozi is a banking trojan designed to steal confidential financial information through methods like keylogging and web session injection. It works by infiltrating systems via phishing or exploit kits and relaying stolen data to cybercriminal-controlled servers.

Gozi spreads through malicious email attachments, fraudulent links, and drive-by downloads on compromised websites. Once executed, it persists by embedding itself in legitimate processes and evading detection tools using techniques like process injection and registry modifications.

Organizations can protect against Gozi by implementing regular software patching, enabling multi-factor authentication, conducting phishing awareness training, and deploying managed detection and response services. Continuous monitoring via EDR solutions and network traffic analysis can detect Gozi's distinctive command-and-control patterns.

Yes, Gozi remains a relevant threat as updated variants continue to emerge. Cybercriminals refine its capabilities to bypass evolving defenses, making constant vigilance necessary. The modular architecture and leaked source code ensure multiple threat actors can operate independent campaigns using Gozi-based malware.

Protect What Matters

Secure endpoints, email, and employees with the power of our 24/7 SOC. Try Huntress for free and deploy in minutes to start fighting threats.
Try Huntress for Free