Trojan-Spy:W32/Ursnif.GU is a sophisticated banking trojan belonging to the Ursnif (also known as Gozi) malware family, one of the longest-running and most successful financial theft operations in cybercrime history. This particular variant specializes in credential harvesting, keylogging, and web injection attacks designed to intercept banking sessions and capture login credentials for financial institutions, email accounts, and cryptocurrency wallets. Originally emerging from leaked source code of the Gozi trojan in 2010, the Ursnif family has evolved through countless iterations, with the GU variant representing a modern branch that combines proven credential-theft techniques with contemporary evasion tactics.


Unlike generic adware or browser hijackers, Ursnif.GU operates with stealth as its primary objective. Infected users typically notice no obvious symptoms—no pop-ups, no browser homepage changes, no system slowdowns—while the trojan silently logs keystrokes, captures screenshots during banking sessions, and exfiltrates stored passwords from browsers and email clients. This silent operation can continue for weeks or months, giving attackers ample time to harvest credentials, monitor account balances, and plan fraudulent wire transfers or account takeovers. The financial damage from a successful Ursnif infection often only becomes apparent when unauthorized transactions appear or when victims receive fraud alerts from their banks.

Think you're infected right now? Immediately disconnect from the internet (unplug Ethernet or disable Wi-Fi), then call us at (770) 679-2298. Do NOT perform any online banking or enter passwords until the infection is confirmed removed. Banking trojans like Ursnif.GU capture credentials in real-time, so every login you attempt while infected gives attackers additional access. We can perform emergency diagnostics and begin the removal process right away—time matters with credential-stealing malware.

Threat Profile

| Attribute | Details |
|---|---|
| Malware Family | Ursnif (Gozi ISFB variant) |
| Classification | Banking Trojan, Credential Stealer, Keylogger |
| Aliases | Trojan:Win32/Ursnif, ISFB, Gozi, Dreambot, Snifula |
| Platform | Windows (all versions 7 through 11; 32-bit and 64-bit) |
| First Observed | Ursnif family: 2007; GU variant: ~2018–2019 |
| Primary Distribution | Malicious email attachments (Office macros, PDF exploits), compromised websites with exploit kits, software cracks, other malware droppers |
| Persistence Mechanisms | Registry Run keys, scheduled tasks, COM hijacking, DLL sideloading (variant-dependent) |
| Capabilities | Keylogging, form grabbing, web injection (browser manipulation), screenshot capture, network traffic interception, credential theft from browsers/email clients, lateral movement preparation |
| Command & Control | HTTPS-encrypted communication with C2 servers, domain generation algorithm (DGA) for backup servers, typical for this family |
| IoC Characteristics | Random-named DLL files in %APPDATA% or %LOCALAPPDATA%, registry modifications to AppInit_DLLs or similar loader mechanisms, encrypted configuration files |
| Payload Delivery | Often delivered as second-stage payload via Emotet, TrickBot, or other botnets; sometimes delivered directly through phishing campaigns |
| Removal Difficulty | Moderate to High—requires process termination, registry cleanup, DLL removal, and thorough scan for additional payloads or rootkit components |

How It Spreads

Ursnif.GU relies on social engineering and technical exploitation to gain initial access to victim systems. The most common infection vector involves phishing emails crafted to appear as legitimate business correspondence—invoices, shipping notifications, tax documents, or payment confirmations from recognizable companies. These emails contain malicious attachments, typically Microsoft Office documents with embedded macros or PDFs with exploit code. When the user opens the attachment and enables macros (or when a vulnerability is exploited automatically), a dropper script downloads the Ursnif payload from a compromised website or attacker-controlled server.

In many campaigns, Ursnif.GU arrives not as the initial infection but as a second-stage payload delivered by larger botnets. Emotet and TrickBot campaigns frequently dropped Ursnif variants onto already-compromised systems, using them as specialized credential harvesters while the primary botnet focused on lateral movement and ransomware delivery. This multi-stage approach makes attribution difficult and increases the overall damage potential of a single infection chain.

Common distribution methods include:

  • Phishing emails with malicious Office documents—invoice-themed Word or Excel files that download the trojan when macros are enabled
  • Exploit kit campaigns—compromised or malicious websites using browser vulnerabilities to silently install the trojan without user interaction
  • Software cracks and pirated applications—Ursnif bundled with keygen tools, game cracks, or "free" versions of paid software
  • Malvertising campaigns—fraudulent advertisements on legitimate websites that redirect to exploit kit landing pages
  • Watering hole attacks—targeted compromise of websites frequented by specific industries (accounting firms, legal practices) to infect visitors
  • Botnet deployment—automatic installation by other malware families (Emotet, TrickBot, Qakbot) as part of multi-payload campaigns

What It Does On Your Machine

Once executed, Ursnif.GU establishes persistence and begins its surveillance operations with remarkable subtlety. The trojan typically injects itself into legitimate Windows processes—particularly browser processes like chrome.exe, firefox.exe, or iexplore.exe—allowing it to intercept web traffic and capture form submissions before they're encrypted for transmission. This technique, known as web injection or man-in-the-browser attack, enables the trojan to harvest login credentials, account numbers, and security question answers as victims access their banking websites, even when those sites use HTTPS encryption.

The keylogging component operates continuously in the background, recording every keystroke and storing the data in encrypted log files for periodic transmission to command-and-control servers. Modern Ursnif variants employ intelligent logging that focuses on high-value targets—they recognize when you're on banking websites, cryptocurrency exchanges, email login pages, or business application portals, and prioritize capturing those sessions. Some variants include screenshot capabilities that activate when specific window titles are detected (containing words like "bank," "login," "account," or financial institution names), providing attackers with visual confirmation of account balances and security challenge questions.

Beyond credential theft, Ursnif.GU harvests stored credentials from browsers, email clients (Outlook, Thunderbird), and FTP programs. It searches for and exfiltrates digital certificates, saved Wi-Fi passwords, and VPN credentials—anything that could provide attackers with deeper network access or the ability to impersonate the victim. In corporate environments, this reconnaissance information often serves as the foundation for business email compromise (BEC) attacks, where criminals use stolen email credentials to send fraudulent wire transfer requests to accounting departments.

The malware's network communication typically occurs over encrypted HTTPS channels to blend with legitimate traffic, making detection by network monitoring tools more difficult. Configuration updates and additional modules can be downloaded from C2 servers, allowing attackers to adapt the trojan's behavior based on what they discover about the infected system. If the victim appears to have access to high-value accounts or corporate networks, attackers may deploy additional tools for lateral movement or escalate to manual keyboard control for targeted theft operations.

Typical Filesystem and Registry Artifacts (Ursnif.GU Variants)
Files:
    %APPDATA%\Microsoft\Windows\Templates\[random 8-character].dll
    %LOCALAPPDATA%\{GUID}\[random].dat          ; encrypted configuration
    %TEMP%\[random].tmp                           ; keylog storage before C2 transmission

Registry persistence (common locations):
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
        [random name] = rundll32.exe [path to DLL],[export function]
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
        Shell = explorer.exe, [malicious command]
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
        AppInit_DLLs = [path to malicious DLL]   ; process injection

Scheduled task (variant-dependent):
    \Microsoft\Windows\Maintenance\[legitimate-sounding name]
        Triggers: At logon, daily at random intervals
        Action:   rundll32.exe or regsvr32.exe executing malicious DLL
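The locations in the list above can be checked in one pass with a read-only PowerShell triage script. The script below is an added example written for this page; it is not code from the original article or from any vendor tool, it reports what it finds and deletes nothing. The heuristics it applies (any DLL in the Templates folder, .dat files inside GUID-named folders under %LOCALAPPDATA%, Run-key values and task actions that load code through rundll32/regsvr32 from AppData or Temp, and live rundll32/regsvr32 processes with no surviving parent) are assumptions drawn from the artifact list, not detection signatures for this variant, so each hit still needs a manual look. The last section also covers the process inspection described in removal step 3.

```powershell
#Requires -Version 5.1
# Added example, not from the original page: read-only triage of the artifact locations listed above.
# It reports findings and changes nothing. The "suspicious" heuristics are assumptions drawn from the
# list, not detection signatures for this variant; some legitimate installers also use GUID folders.

$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding([string]$Category, [string]$Location, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Category = $Category; Location = $Location; Detail = $Detail })
}
# Commands that load code from a per-user writable directory (the locations the list above names)
$userDirPattern = '\\AppData\\|\\Temp\\|%(LOCAL)?APPDATA%|%TEMP%'

# 1. Files: any DLL in the Templates folder, and .dat files inside GUID-named folders under %LOCALAPPDATA%
$templates = Join-Path $env:APPDATA 'Microsoft\Windows\Templates'
Get-ChildItem -Path $templates -Filter '*.dll' -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'File' $_.FullName 'DLL in Templates folder (normally holds no DLLs)' }
$guidRegex = '^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$'
Get-ChildItem -Path $env:LOCALAPPDATA -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $guidRegex } |
    ForEach-Object {
        Get-ChildItem -Path $_.FullName -Filter '*.dat' -Force -ErrorAction SilentlyContinue |
            ForEach-Object { Add-Finding 'File' $_.FullName 'DAT file in GUID-named folder (possible encrypted config)' }
    }

# 2. Run keys: values whose command uses rundll32/regsvr32 or points into AppData/Temp
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        # skip the provider bookkeeping properties PowerShell adds to every registry object
        if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
        $cmd = [string]$p.Value
        if ($cmd -match '\b(rundll32|regsvr32)(\.exe)?\b' -or $cmd -match $userDirPattern) {
            Add-Finding 'Registry' "$key\$($p.Name)" $cmd
        }
    }
}

# 3. Per-user Winlogon Shell override: should be absent, or exactly "explorer.exe"
$winlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') { Add-Finding 'Registry' "$winlogon\Shell" $shell }

# 4. AppInit_DLLs is empty on a clean system
$appInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $appInitKey -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit) { Add-Finding 'Registry' "$appInitKey\AppInit_DLLs" $appInit }

# 5. Scheduled tasks whose action runs rundll32/regsvr32 with arguments pointing into AppData/Temp
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $exe = [string]$a.Execute; $argStr = [string]$a.Arguments
        if ($exe -match 'rundll32|regsvr32' -and $argStr -match $userDirPattern) {
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" "$exe $argStr"
        }
    }
}

# 6. Live rundll32/regsvr32 processes (removal step 3): flag ones loading from AppData/Temp or whose parent is gone
$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
foreach ($p in ($procs | Where-Object { $_.Name -match '^(rundll32|regsvr32)\.exe$' })) {
    $parent = $byPid[[int]$p.ParentProcessId]
    $parentName = if ($parent) { "$($parent.Name) (PID $($parent.ProcessId))" } else { '<parent exited>' }
    if (-not $parent -or ([string]$p.CommandLine) -match $userDirPattern) {
        Add-Finding 'Process' "PID $($p.ProcessId), parent $parentName" ([string]$p.CommandLine)
    }
}

if ($findings.Count -eq 0) { Write-Host 'No artifacts matching the listed patterns were found.' }
else { $findings | Sort-Object Category | Format-Table -AutoSize -Wrap }
```

Run it from an ordinary PowerShell window first; the HKLM and scheduled-task queries read fine without elevation, and the process listing shows other users' processes only when elevated. Because the machine is normally disconnected at this point, a rundll32 instance that still shows a command line pointing into AppData is worth recording (path and PID) before anything is terminated, since the file path is what the later removal steps need.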

Manual Removal — Step by Step

01

Disconnect From the Internet Immediately

Before proceeding with any removal steps, physically disconnect your computer from the network—unplug the Ethernet cable or disable Wi-Fi. This prevents the trojan from transmitting any additional stolen credentials, receiving updated instructions from its command server, or potentially spreading to other devices on your network. Banking trojans communicate continuously with their controllers, so cutting that connection is your first priority.

02

Boot Into Safe Mode with Networking

Restart your computer and boot into Safe Mode with Networking, which loads only essential Windows services and drivers. On Windows 10/11, hold Shift while clicking Restart, then navigate to Troubleshoot > Advanced Options > Startup Settings > Restart, and select "Enable Safe Mode with Networking" (option 5). Safe Mode prevents most malware persistence mechanisms from loading, giving you a cleaner environment to work in while still allowing internet access for downloading removal tools.

03

Identify and Terminate Malicious Processes

Open Task Manager (Ctrl+Shift+Esc) and carefully examine running processes. Ursnif variants often inject into legitimate processes like explorer.exe or browser processes, making them difficult to identify. Look for suspicious instances of rundll32.exe or regsvr32.exe running without obvious parent processes, or processes that keep attempting network connections even though the machine is disconnected. Right-click suspicious processes, select "Open file location," and note the path before ending the process—legitimate Windows processes run from System32, while malware often runs from AppData or Temp folders.

04

Remove Registry Persistence Mechanisms

Press Win+R, type "regedit," and navigate to common autostart locations: HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Look for entries with random names, suspicious paths pointing to AppData or Temp directories, or commands using rundll32.exe to load DLL files you don't recognize. Delete any suspicious entries, but document them first by exporting the registry key as a backup. Also check HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon for modifications to the Shell value—it should only contain "explorer.exe" without additional parameters.

05

Delete Malicious Files and Folders

Navigate to the file locations you identified in Task Manager and registry entries. Common locations include subfolders in %APPDATA%\Microsoft\Windows\, %LOCALAPPDATA% with GUID-style names, and %TEMP%. Delete the entire folders containing suspicious DLL files, .dat configuration files, and .tmp log files. Enable viewing of hidden files and system files through File Explorer options to ensure you can see everything. Ursnif components often use the hidden attribute to avoid casual detection.

06

Check and Remove Scheduled Tasks

Open Task Scheduler (search for it in the Start menu) and examine the task library, particularly under Microsoft\Windows folders. Look for tasks with generic or system-sounding names that trigger at logon or regular intervals and execute rundll32.exe, regsvr32.exe, or powershell.exe with suspicious parameters. Right-click and delete any tasks that reference the file paths you've identified as malicious. Legitimate Windows tasks have clear descriptions and publishers; malware tasks typically have blank or vague descriptions.
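Steps 4 through 6 share one discipline: record and back up every item before removing it, so a misidentified entry can be restored. The functions below are an added example written for this page, not code from the original article or from any tool it names. Each one takes the entry you identified in steps 3 and 4 as a parameter (nothing is selected automatically), exports a backup first, and supports -WhatIf so the commands can be rehearsed before anything changes. The backup folder name, the function names, and the angle-bracket placeholder names are assumptions.

```powershell
#Requires -Version 5.1
# Added example, not from the original page or any tool it names: back up, then remove, the kinds of
# persistence entries named in steps 4 through 6. Entry names are parameters you supply from steps 3
# and 4; nothing here picks targets automatically. Backup folder and function names are assumptions.
# Run from an elevated session for HKLM entries and tasks; run each function with -WhatIf first.

$BackupDir = Join-Path $env:USERPROFILE ('UrsnifCleanup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

function Backup-RegistryKey([string]$RegPath, [string]$FileName) {
    # reg.exe writes a .reg file; "reg import <file>" (or double-clicking it) restores the key
    $file = Join-Path $BackupDir $FileName
    & reg.exe export $RegPath $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $RegPath to $file failed; nothing was changed." }
}

function Remove-RunKeyValue {
    # Step 4: delete one value from a Run key after exporting the whole key.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateSet('HKCU', 'HKLM')][string]$Hive,
          [Parameter(Mandatory)][string]$ValueName)
    Backup-RegistryKey "$Hive\Software\Microsoft\Windows\CurrentVersion\Run" "Run-$Hive.reg"
    $psPath = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    if ($PSCmdlet.ShouldProcess("$psPath\$ValueName", 'Remove registry value')) {
        Remove-ItemProperty -Path $psPath -Name $ValueName -ErrorAction Stop
    }
}

function Reset-WinlogonShell {
    # Step 4: the per-user Winlogon Shell value must be exactly "explorer.exe" (on a clean system it is
    # usually absent and the HKLM default applies). Anything appended after explorer.exe is removed.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $psPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $current = (Get-ItemProperty -Path $psPath -Name Shell -ErrorAction SilentlyContinue).Shell
    if (-not $current -or $current.Trim() -eq 'explorer.exe') { Write-Host 'Winlogon Shell is clean.'; return }
    Backup-RegistryKey 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Winlogon-HKCU.reg'
    if ($PSCmdlet.ShouldProcess("$psPath\Shell", "Replace '$current' with explorer.exe")) {
        Set-ItemProperty -Path $psPath -Name Shell -Value 'explorer.exe' -ErrorAction Stop
    }
}

function Remove-SuspectTask {
    # Step 6: save the task definition as XML (Register-ScheduledTask -Xml restores it), then unregister it.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$TaskPath,   # e.g. '\Microsoft\Windows\Maintenance\'
          [Parameter(Mandatory)][string]$TaskName)
    $task = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction Stop
    Export-ScheduledTask -InputObject $task |
        Set-Content -Path (Join-Path $BackupDir "$TaskName.xml") -Encoding Unicode
    if ($PSCmdlet.ShouldProcess("$TaskPath$TaskName", 'Unregister scheduled task')) {
        Unregister-ScheduledTask -InputObject $task -Confirm:$false
    }
}

function Move-SuspectFileToQuarantine {
    # Step 5: move the file into the backup folder instead of deleting it, clearing the hidden/system/
    # read-only attributes the text says these components use. A DLL still loaded by a running process
    # cannot be moved (sharing violation): finish step 3 first, or do this from Safe Mode.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    $dest = Join-Path $BackupDir ($item.Name + '.quarantined')
    if ($PSCmdlet.ShouldProcess($item.FullName, "Move to $dest")) {
        $strip = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System -bor [IO.FileAttributes]::ReadOnly
        $item.Attributes = [IO.FileAttributes]([int]$item.Attributes -band (-bnot [int]$strip))
        Move-Item -LiteralPath $item.FullName -Destination $dest -Force -ErrorAction Stop
    }
}

# Rehearsal: the angle-bracket names are placeholders for entries you identified yourself.
# Remove-RunKeyValue -Hive HKCU -ValueName '<random name>' -WhatIf
# Reset-WinlogonShell -WhatIf
# Remove-SuspectTask -TaskPath '\Microsoft\Windows\Maintenance\' -TaskName '<task name>' -WhatIf
# Move-SuspectFileToQuarantine -Path "$env:APPDATA\Microsoft\Windows\Templates\<random>.dll" -WhatIf
```

Quarantining rather than deleting costs nothing and keeps the sample available for the scanners in step 7 (and for anyone who later needs to confirm what the machine was infected with); delete the backup folder only after the 24-hour verification in step 10 has passed. Dot-source the file (`. .\cleanup.ps1`) so the functions are defined in your session, then drop -WhatIf once the rehearsal output names exactly the entries you intended.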

07

Scan with Specialized Removal Tools

Temporarily reconnect to the internet (still in Safe Mode) and download Malwarebytes Anti-Malware and ESET Online Scanner. Run a full system scan with both tools—Malwarebytes excels at detecting trojan components, while ESET provides a second opinion and catches rootkit elements that may have been installed. Allow both tools to quarantine all detected threats. If you have access to enterprise-grade tools, Kaspersky TDSSKiller is particularly effective against Ursnif variants with rootkit components.

08

Reset All Browsers and Clear Stored Data

Banking trojans often inject malicious browser extensions and modify browser settings to maintain persistence. In each installed browser (Chrome, Firefox, Edge), perform a complete reset to default settings, which removes extensions, clears cookies, and resets the homepage and search engine. Then manually clear all browsing data including passwords, autofill data, and site settings. This eliminates injected JavaScript and harvested form data that might still be stored locally.

09

Change All Passwords from a Clean Device

This is critical: do NOT change passwords from the infected computer, even after cleaning. Use a different device (a smartphone, tablet, or another computer you're confident is clean) to immediately change passwords for all financial accounts, email accounts, and any other services you accessed while infected. Enable two-factor authentication wherever possible. Contact your bank to alert them of potential credential compromise—they may need to issue new account numbers or cards and will monitor for fraudulent activity.

10

Reboot Normally and Verify Clean Status

Restart the computer normally (not in Safe Mode) and monitor behavior closely for the first few hours. Run one more full scan with your antivirus software to confirm no threats are detected. Check Task Manager for any unusual network activity or unfamiliar processes. Monitor CPU and disk usage for unexpected spikes. If everything appears normal after 24 hours of use, the immediate threat has likely been removed, but remain vigilant—banking trojans sometimes leave dormant backdoors that reactivate days or weeks later.

Prevention

  1. Maintain skepticism toward email attachments—never enable macros in Office documents from unknown senders, and verify unexpected invoices or shipping notifications by contacting the sender through a known phone number, not by replying to the email. Legitimate businesses rarely send unsolicited documents requiring macro activation.
  2. Keep Windows and all software current with security updates—Ursnif campaigns frequently exploit known vulnerabilities in outdated software, particularly in browsers, PDF readers, and Office applications. Enable automatic updates for Windows and all applications, or establish a regular update schedule if automatic updates aren't practical for your environment.
  3. Use reputable antivirus software with real-time protection—consumer-grade solutions from vendors like Bitdefender, Kaspersky, or ESET provide effective detection of known Ursnif variants and behavioral blocking of suspicious activity. Keep the antivirus database updated and don't disable real-time scanning to improve performance.
  4. Avoid pirated software and "free" versions of paid applications—software cracks, keygens, and unofficial download sites are common distribution channels for banking trojans. The money saved on a pirated application is negligible compared to the potential financial losses from credential theft.
  5. Implement least-privilege principles—don't use an administrator account for daily computing. Create a standard user account for routine tasks; this limits malware's ability to make system-wide changes and install persistence mechanisms that affect all users.
  6. Enable two-factor authentication on all financial and email accounts—even if attackers steal your password, 2FA provides a critical second barrier. Use app-based authenticators (Google Authenticator, Authy) rather than SMS codes when possible, as SMS can be intercepted through SIM-swapping attacks.
  7. Monitor financial accounts and credit reports regularly—early detection of fraudulent activity limits damage. Set up account alerts for transactions over specific thresholds and review statements weekly rather than waiting for monthly summaries. Consider credit monitoring services that alert you to new accounts opened in your name.
  8. Educate everyone who uses shared computers—in families and small businesses, one careless user can compromise everyone. Conduct brief security awareness discussions about recognizing phishing emails, avoiding suspicious downloads, and reporting anything unusual immediately rather than trying to fix it quietly.

Our 90-Day Warranty
When we remove Trojan-Spy:W32/Ursnif.GU from your computer, you're covered by our 90-day malware-free guarantee. If the same infection returns within three months of our service—not a new infection, but the same threat we removed—we'll clean it again at no additional charge. That's our commitment to doing the job right the first time.

Bring It In

Banking trojans like Ursnif.GU require more than just running an antivirus scan—they demand thorough forensic analysis to identify all components, ensure complete removal, and verify that no backdoors or secondary payloads remain. At Computer Repair Roswell, we perform comprehensive malware removal that includes registry analysis, filesystem examination, network traffic monitoring, and verification testing to confirm your system is genuinely clean. We also provide guidance on credential recovery—which accounts need immediate attention, what steps to take with your bank, and how to monitor for identity theft in the weeks following an infection.

Our shop is located in Roswell, Georgia, and we've been handling sophisticated malware infections for the local community for years. We understand the urgency when financial credentials are at stake, which is why we offer same-day diagnostic appointments for suspected banking trojan infections. Call us at (770) 679-2298 to schedule your appointment, or stop by during business hours—we're at 1122 Hembree Road. Bring your computer in, and we'll perform an initial assessment while you wait. Don't let credential-stealing malware put your financial security at risk—professional removal ensures the job is done completely and correctly.