We're gradually updating threat actor names in our reports to align with the new weather-themed taxonomy. Learn about Microsoft threat actor names
Trojan:Win32/Gozi
Aliases: Ursnif (other) ISFB (other) Papras (other)
Summary
This banking trojan was first discovered in 2007. It is intended to steal sensitive information from infected computers, including banking credentials, passwords, and other sensitive information.
It alters online pages in real-time using a method known as web injection, which enables it to steal sensitive data as the user inputs it.
For more information about Gozi and other human-operated malware campaigns, read these blog posts:
- DEV-0569 finds new ways to deliver Royal ransomware, various payloads
- Stopping Active Directory attacks and other post-exploitation behavior with AMSI and machine learning
- Zero Trust and its role in securing the new normal
Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.
