Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now
25
Global rank
114 infographic chevron month
Month rank
106 infographic chevron week
Week rank
0
IOCs

Ursnif is a banking Trojan that usually infects corporate victims. It is based on an old malware but was substantially updated over the years and became quite powerful. Today Ursnif is one of the most widely spread banking Trojans in the world.

Trojan
Type
Unknown
Origin
1 January, 2014
First seen
15 May, 2025
Last seen
Also known as
Gozi
Dreambot
ISFB

How to analyze Ursnif with ANY.RUN

Type
Unknown
Origin
1 January, 2014
First seen
15 May, 2025
Last seen

IOCs

IP addresses
31.41.44.63
62.173.140.103
62.173.138.251
62.173.139.11
31.41.44.48
46.8.19.116
185.77.96.40
46.8.19.239
146.70.35.138
146.70.35.142
Domains
checklist.skype.com
wxan.com
cochrimato.com
alogencian.com
config.edge.skype.com
146.70.35.138
146.70.35.142
google.com
URLs
http://gaw.explik.at/webstore/RNHtPlfANi/giaN24yn0x2ibZVKs/CMtM93bFZ3nF/03e0TsfiLKv/szvF8pyGMqwBh0/xmP8zw_2B_2BjD0oYdqWv/DRS6fTNu6DzpsC_2/BADEUY9AU_2F22f/SyLvTn7h6lfYyQ_2Be/uPYjty8Ra/L9ZZjDczzFe_2BbGPHFh/VpQiviwDGacEoE_2Ff4/PhDxbHimKRVq1AtdO3Cv5b/EHcQ8pVZsvPoV/ef_2BCDF/mwyac28CeLygTZFs2joi8bj/Q9D80FThCt/EVAQpUqRU0_0A_0D1/lJ9DSk_2BGzp/ES_2FQDqJhx/BFFOawifVnaIoU/rhfPeQIjaqJ2CQbqg92ay/BiAq_2FhNP/fec4d
http://low.explik.at/webstore/r48sYaGZ2KpdYRSeUiGY/HjYxcPJK8ts_2BrsYAw/GbzvVZLeX9PP7C_2Bq0I5w/6uH7vyaQ3VlRG/qvZbRFuy/heSgD11tPVIMgO3KQUgLa5T/yh12SQwEi3/ooE3cFclyU6efuv8V/s_2B0pV_2BMa/r5y7_2Bd3lq/84hb0KjhDHvYwc/msconqJ0nVtWRpo0vv9Zn/b1OM5WGJ8_2FEbp5/AP7NHR9FYsktIul/vkAL5L7uU613tRikkl/NQdK1AYwH/J3yxbAkAvb1Pihb7_0A_/0DpjKzFZ0i2lsDHydPz/LB3Us9fO3D_2FtqQQ3lZpi/KZUyXIvOn/k
http://gaw.explik.at/webstore/lipD2qyOw_/2Fok83L1bTQC1Zlzm/Xbsl9dGowK1M/ZWtXKL7sROA/GP8rK_2BwCNBRY/_2BJS9KEYTmu7exP_2BuW/3slD5OJ8h1tZZ0fl/fYgn2N0qxMT3pm6/d7bToTljY32Ms_2BgG/cpl_2FEpx/Idtw4SxnFuB0HClqS4w5/vSa39CKVO2G6xi27CzC/4O9TYUfGqD6mgtLBuZnWoS/JWGndaX7LJiwX/9D9fcz_2/BESTTU_2FQt2h4M7dioX4iW/twqtI1T_2B/HUG5TxBD1Qy9_0A_0/DzQjJDlC6hv_/2BS0kVz26ys/0fYpPjapFeGYqr/5912RXjsc9gB_2BJwUP4x/aXSgA9mPmgT/SN8f
http://low.explik.at/webstore/a7QSDfue_2BBE74TlTX_2F5/nX1vIPdVWe/XHgwDkPvju2EKcnpu/KCUXfZ_2BsUj/4mwIroKWkwl/iq_2BccELGngE_/2F4tf7Kh0v_2FS4eUUt8_/2BffhNA0c53_2Ffb/3gZxyfS1o_2BOD7/azTzLX2ahGquZYIZO0/U68nV5K4_/2BlYLUNOOvsaZn82gVwH/5obemaSQKlnlZXs_2Bw/gqvzxKMTG3DNssPWtzzlgL/sCIMz_2BDaBSw/46bgN_2B/1QTKfx4kgWJ_2F5xOZTe8N8/bJ5DcZkIO_/0A_0DaiYNAUwJodFE/uWCssSwOJeGr/VwkDaWkgTvS/ZtKEjwOhHjYLqo/FTSGm27KkZ/_2Fgip3Ox/Zh
http://gaw.explik.at/webstore/_2F2duDbnRKb0bCZ6iR9yG/fJm6ak8026H5F/LYj9_2FW/W66tR4MTMqBc7uFYhuIat9_/2BnP73zZ8q/um2MpMEGyQFtqN4Kx/5WWWF_2Fj9nL/teAxJYt_2FK/T1YEDoh7quIOda/TA_2B6VfqjlS3CVU8_2FQ/3we3wHZL7SFJUiuX/tbxPYm8Hx96bGUR/_2FSLpH7s10SYtWhm9/yVsO4AV6Q/IJxwm_2FFF_2Fh8ReN_2/FT2IXjv7_2BPOkbrzIC/HAnGpJX1jKapDzPEuL5aHy/Nk38MX_0A_0DO/1s4Ph_2F/dts5t0zoyXAlUvd3sQWLpSh/TSW2p2ZzGp/jFstXkE
http://low.explik.at/webstore/N7V1TFvq9NTNejcNS0/0FYmDbZCY/A2_2FAZo_2FnW7ve7pHq/uWi0xiOm_2B4bkbQyXj/bjosmSN8jVdOaXV6Yr6fX5/phMrl4eboWgUh/rtzXHX_2/F1HX_2F_2BbnlO7uuR4nl5q/IsSWHvg1Jm/MaaAxrTNAtDdg_2FE/hAGen9kwGVCV/_2Fvb9sqtpz/aUI8l1_2F5qkP1/nvmZigVS4GJwrhni_2FSp/XgX0uj4d_2BhEAWc/aQ3hPEprK_2FLRS/lhZFXHH50SJfVXYK_2/F_2BB6c7q/fCeV6_0A_0DiHs3q5vGw/c_2FPIYgyy_2FQBL13_/2BdD0e3vh4_2BXPzMItWfo/PgHg3
http://gaw.explik.at/webstore/dJboU_2FaH0u2kWRutZbJ/JKBfjy94WGaL_2Bx/zc1s1lWJMZgf_2B/I1OpxBXPKEPtaj6R7T/416hs4q5t/0ydtHLeA2Xj5Gud10IC9/kNTTefale5u8CtedKMr/StzIBhejxYDQAauVac1fGc/lBxAq9gt2DXu6/nK7jC4Hn/RfnMGGWEbcz9VPWHjeimpwU/UL4jCEN_2F/fE4u7rI7y6ZWRdu_2/BHiKGx9Eazi9/NWPQSM4RH7P/zlqxw9qewYJnsg/A3lai_2Fhf2G6Khx_0A_0/DHJYgVglB3XTaksH/0FYl1HHIibOs4Je/kTAuqzqHZlDsP/MR6_2F
http://low.explik.at/webstore/MsNQBNNRuTNcmCu2BLM/xnOpsemwuskNcDsNmLK7mJ/PtnbUAcKFxqNe/_2FFmWru/_2BKR8YQcUjHpgnJrqSEjUD/sY9EVueYtY/bX9IDg_2FT3u0O2Ed/IEuwuO2Vhe11/0HuVofv5pcb/kx3T_2FtEIguWY/_2BOYYopX_2FJASDVNecF/LQNaJfMVEffwVZiM/UW_2F2jeTSeGYDP/U_2BcBNu_2BNytN9N4/X2_2BeS_2/FwxFYOqExRPGCcAsOwtZ/EjjicA_2Bf_2FSTYI7W/l9N6vlBitRc_0A_0DZA58A/rwOkpVeVC44ea/Y6bTeZNl/_2FY2upp_2F0RlEc4cn3PST/krG3_2BhdG/C2p0mZCSkwz/MVJG
http://gaw.explik.at/webstore/hKUMf1jWG_2BtWY/Xd11Cq_2BKz1z_2FNX/6xPGn_2Br/dV_2F4w6kf5srwsxwYNW/mGei8wmL0siVDFnLOGw/KcMDtLnELp4iidJiSc2H_2/BKBC_2BSCx17v/X7vMYe5Y/AE4kqvP3GXpuEvKkkUNAKmK/o8d_2BmoKw/L0zl6U3050U7eXIsi/PcVV3TgjKI5q/_2FRDW7gWoz/Dwu0cLk0DpAHX7/2AoZRmVqzm7Fz3dpn0knA/WIffOh4StDK7dgqG/8_2BJERzsIM896C/eRd92WG7f_0A_0DwyQ/cLM4zGcob/damKUPt_2BMLKbz9qS_2/BQWRG5MLFmrVlk/UtnYg
http://low.explik.at/webstore/VOZKheSXAZcGAouUB/14A8wb7AHSQS/DTbaHW6F28s/HTMOwMRLgGl4_2/BNzFQV14Jnye0WVouLifw/nghnwybHh6wy_2Bb/PyX94F8qNKnHAOy/rL4PfdDYRScdJaJsbZ/bfOI96HiX/Tg7lP8USW8urS6KonRAk/3tErguIWJRtpm4rEOpE/lYBwk7FtclUzuQDvjNGmeY/zYJAjJrHuhcMu/ixNfi47X/5TFLtergAjlnp0IOh2mRPg3/M3FLK5CI5t/iZCF42C9_0A_0DEWK/1Lum55FRWJVU/JeneW6f_2Fk/HMAs67Mqhraoav/tLGYwEQLWEepMxO99pKV8/RX8uejOF/0
http://gaw.explik.at/webstore/t1pZkb8h42qUvGuJIYtB/669x5FWAPSn1gRsfYrU/3dQhdLJ3vqRy6iPf5RILSx/I41ZMCl_2BTp2/37tkMLXE/vnqVcp_2B_2FOxprrHzY3B5/Kn2G3eULMr/3JamdFORLl5AlBA57/LNC_2Brd9NGX/L4uVmx1Dgkg/_2FbhZzRsYbXtM/QRp2borEGm0bhTEkrx8UW/tN7vACg4RwllyhI0/6ypZ7z4azqKssYi/aA_2F5T_2BKrqinGWH/yp36I9vNK/mFbV1_2FuWBbJrHv8crv/_0A_0Dw_2FDMDtaEnt7/vT6vHfs_2FHIeCs45uhLup/lCkT3QlA33UhL/VPUWYPh4/VumI9Nl5vs6n2WB/F
http://low.explik.at/webstore/UVJgmK3xnup_2B/5EaUm4HvmxJorjRky2BM4/RtH6tVcCO8LsqLTG/tv9Ao8VGoaBT0X0/4m5_2FK1xkaJPjBBFc/_2FzV93DZ/6FTn27z3RnhpieTF9hQD/XL_2FcUnBoidg77MokI/orLNaRCDlbqhu6QNWbjxtL/VHls2cZn_2B0t/0G33g2Xo/RT_2Fk4kPKub2mcvfrPJf31/fpDr63QdxV/RporBLLovQNaxEbhy/cxTyhQGgBvoK/5Ptn0koXmWH/hG86_2F3TGaceQ/G4_2FC_0A_0DE_2BxrGg9/eNYnR6d1Avm3xYnL/thHwOWoThEw_2Bs/ctecNRrV/qhn
http://gaw.explik.at/webstore/j8lSiQKHrq1ihP/t4d7UfXFyN6tPmF3QI71T/StVkdOqvM5x6adv7/jrihA2wGdU6fAeW/0ZNQggQLz50XwAI1Ls/x9v6Pkzab/vq_2FcCPyxs67WGJTWi7/EjPZV1gA0VbY_2BSpPJ/h0bytzlTFAhl1286OyJG_2/F4zE8K3x4DcjG/ESFCnTRz/vQd1BLbwfdRiqZ42opoD8E4/dLcdyJbySO/OfMvue1DbOoSgth_2/FsqI9p1O5gOT/5Fwb9HZsL7E/LeP_2B1abyQQNo/_0A_0DsDq24avgUyDDScV/98O_2FHZVpU3HAaj/azNAuyACUC2amyT/G8cmeEp9cSKGASS60h/jKzwgN
http://gaw.explik.at/webstore/Kde20iXr1cp/frktPlkld6x9_2/FZz4F3sT5Ypxb7LhW4kCY/cwVmO1ZVuHkHG1JZ/VLYWnc9_2BsEWor/daPWHncnd_2FyPHah7/53vb7ZEUx/MyN0hx3h6CwQ8qsuILmW/87WW2yqLGBIaH4lGMp7/hm5q0MEorvgVI_2FyzZl7Z/xsQMab77oJE4F/IIZUXqrQ/UMQJHvVeydxe6JhhTmmsqsd/IMh9OctKNR/HeMKtbWUDiF047_2B/zb_2BcJFZXd0/eVYemL1Vmkx/xJHN8_0A_0D9Wl/3KtF8_2FU_2Fxs6P_2B7_/2BK11xQyJhEPjIxJ/Ad0034tZ6gQt/yqc
http://netsecurez.com/pictures/SW7mGHKzKpS6r/XWxr0XMe/Ru3a9LcgC1v0U56sv7MhOK7/LinmCgH7pB/XQ3AQIjQLPr4da1L_/2FRw5ycq80om/LgTMPMNp7uH/A3Iv_2BVsGtRlY/4amqCv8OYKr5oL3wUT99X/XOSk9g1lk_2FZSfo/CX1OwPe0u07fzjT/2z0xINH4xG0axorIT9/YgiqzGgxn/e0t3nlbIY8f84bo9ePZ8/URTS2SKhEZTCyiPm3sD/eNbgGWiBNRs77Ua_2FzvBp/6lldhoUX_2BBz/TalFLECH/QzcQ5eWvlbZ1_2BBC/55zi.tog
http://netsecurez.com/pictures/jQlZkrwlitp_2F/Vi1weEpZhBG2f7KiCzB4G/m6H2At8L2ZRe6QfL/R5B_2Br2azZ5_2B/9D5bwJgcfxhhyDBgZS/4ry7rygMQ/G6OtBgxPGsJu0MO9CRjj/093lL5XYxgnm2YMZWnp/i44oyy3_2FnpqDD68XpLdf/Ri77vsgmv2iho/OPmAxCu_/2BVKiPzOqjOwD6jLwrIHso2/tZOGCSaMhS/nFxq5lsuQm1htOeYG/D2kr8kktM_2B/SF_2F_2B6xY/K_2FM23lSZ_2B2/JT913fI7DShnVgg5JBgBY/IuiojVpyYIW/zxR2.tog
http://netsecurez.com/pictures/_2FWtFJO9gLxK9VG/HgOh_2FMhLEwgOc/xuV4cNgKXIrWoe9jmF/m_2B_2BzJ/dE8eWq9LD_2F6azeEP_2/BF2r2m_2BBPW8Jv_2Bt/6UQ8ljUb0_2F5_2BM_2BbT/DDn4iYVtL_2Ft/PE8ZT_2B/xZk6ne_2FwlRR_2FSVmuABO/hXPXPa1_2F/07Hl5Q1TDo5jc75lK/ke44K_2F5zO4/lvEmcCnQD2T/AxZZQd1C5JMFKE/BM5IVw528F9iNmU7T7igS/PFox5j7sXTXhWXga/wWhv2Cujp_2FIxS/_2FBnRtDFaPzVW4KNn/QIC16znHhI_2BoaKLC/Hi7.tog
http://netsecurez.com/jerry/gTCGieVSnPc9/cI6L263d7vk/IQVgGOokPC_2Bs/X4XQ4Zy_2BfTG6jMo9q9R/igcjLpKAtAujxJ0T/7oxeVyvTenEvgsC/H8DHI_2FZCCUq2h6yj/nhmfdyjHU/2y1kbKTHm1ISKYmYtxtq/vKnZMzbdcYTfNJTEXtk/c8by_2B0Bls2xHZAaJwCNN/feVJkyKV3465y/JUpnDFPt/j1tHvbYFsX4MKN4N8h9zHux/GOJFpx3Nbs/RrAz9DIRm0385_2BK/vCioYq5c0jyg/Ym4J7xUUB73/LkN2fU_2BIeye5/fGm_2FuQ1JqSRdjYaP9LM/cpEndmg.bob
http://netsecurez.com/jerry/G86ZiMIDh/U5uT_2F2Dqref5EoGrLW/wd8cNDEsJ2uD_2Fvc46/brXgGfkB9oGbp3YA1ypLQr/FmEwG30W0ZCP_/2FjR6ziM/Sivx6fSleBdUZcPPh7U0p_2/FIvpHRaCku/IPj2AKcTh6LXYHNyy/dmPwWWcALfS4/5XnzvEjustX/WTPU2H5g5VixHc/iCCY9lLGCqmQdun0Hcwy1/s4gH_2F9fN2JvXZq/gq55UA18igHLKXN/HmuldF_2B_2Fa4o_2F/8PV0HhukP/VsItmxjt5gv5iXIAd9wz/MOE5Ih0ojW3AQRzbO4q/GxzMqbO6ZUuiV_2/B67N66.bob
http://netsecurez.com/jerry/FPbUlk8yz4S7EbWjRA/75Iy90u0t/YFefIdzSnDn0mUm8ucIi/kQId1qDtgwrckBwxWEb/fi7RmoFLdAMO7vwWiYPgEB/4kGsIajcVxumf/GmCUzOYN/QYM9kQyCSuIc8RzxbuGHMoC/5qtCggrkw0/HZVK0Nfv_2Fq0ZJPJ/P5b8Nl0wq5dM/j6nPT0UV74i/_2Bu_2F_2BA5gr/Gyosl69ypUnsc7Yg_2Fuy/LZJCge_2FfkMQZM5/lomA6Szoqfj0m_2/BAlxx7GHEZUlt6avH3/_2F8effy7/3VsWgy2j14AZEp30sSPw/TgVKkA8bi81Nja37EdE/n.bob
Last Seen at

Recent blog posts

post image
ANY.RUN Becomes a Gold Winner in Threat Intel...
watchers 145
comments 0
post image
How Malware Analysis Training Powers Up SOC a...
watchers 311
comments 0
post image
Evolution of Tycoon 2FA Defense Evasion Mecha...
watchers 2973
comments 0

What is Ursnif malware?

Ursnif, also known as Gozi, is one of the most widely spread banking trojans – it is aimed at stealing banking credentials and usually targets corporate victims. Some security solutions can detect it as Win32 Ursnif, Trojan Ursnif or Win32 spy.

As for the Gozi malware basics, the trojan was developed based on the fairly old Gozi-ISFB trojan, after its code got leaked in 2014. Since then, Ursnif has been evolving and becoming more powerful, which lead it to become one of the top used banking trojans today.

General description of Ursnif trojan and Gozi malware explanation

Ursnif Trojan is a dangerous malware that can collect the system activity of the victims, record keystrokes, and keep track of network traffic and browser activity. The malware stores the data in an archive before sending it to the C2.

The malware uses malicious Microsoft Office documents to get into the users’ machine and requires macros to be activated. Once opened, the document will prompt the user to enable macros. If the user plays along with the instruction, the malware drops a VB script into the temp directory of the current user, upon which it is automatically decoded, and the malicious payload is downloaded.

According to the analysis, in some versions, the Gozi malware operates via a macro that is programmed to check the country using the Application. International MS Office property. If the result does not correspond to a list of pre-selected countries, the malware terminates its execution.

Interestingly, the malware terminates execution if it detects that it’s being launched on a virtual machine. Hackers implement this precaution technique in order to complicate the analysis process and, hopefully, prevent the effective development of countermeasures.

Ursnif malware analysis

A video is available at ANY.RUN malware analysis service allows us to see a simulation of the malware execution in a lot of detail. YOu can also investigate other malware like Hawkeye or Raccoon.

ursnif gozi dreambot execution graph Figure 1: A visual process graph generated by ANY.RUN shows the lifecycle of Urnsnif

How to avoid infection by Ursnif?

The best way to stay safe from Ursnif is to keep the macros turned off and not turn them on if prompted by a Microsoft Office file downloaded from an untrustworthy source, such as an email from the unknown sender. In addition, following good techniques of staying safe online such as not downloading files from suspicious emails, is another great way to avoid infection.

Ursnif execution process

In the case of our simulation, the execution of the malware starts when the user opens a Word or Excel file and enables the macro. Ursnif uses the browser's COM object to connect to its C2 server and receive additional data.

Based on the analysis, Ursnif trojan uses exploits to start legitimate software like Outlook, which in turn launches cmd.exe only to spawn a PowerShell script. If a strike is directed at select countries, the malware checks where the victim is from during this stage. Then, the PowerShell script downloads and executes the final payload, which is Ursnif itself. Lastly, the loader starts malicious activities and injects its code into the explorer.exe process.

After installation, the malware will try to inject into an active explorer.exe process to establish persistence. If the injection fails, Ursnif will launch a new svchost.exe process and will inject itself instead. this technique appears to be a useful pointer for detection. After that, Ursnif will hook the APIs of common web browsers such as Chrome, Opera, Internet Explorer, and Firefox. The loader uses the browsers' COM object to communicate to its C2 server. Then, the malware will begin monitoring web activity and steal the payment information as soon as the victim visits a banking or a payment webpage. Then Ursnif sends collected data to a C2 server via the IE COM object.

Communication with C&C

In order to prevent domain name disclosure, the malware generates the domain names locally using the technique of the Domain Generation Algorithm (DGA) instead of them being hardcoded. Uniquely, the malware gathers information for domain name generation in the DGA process by taking bits of text from popular websites. If you decrypt the URL in the script, you may get the data sent to the C2 server.

The malware is also known to be able to execute commands received from the control server.

How to detect Ursnif using ANY.RUN?

Ursnif uses COM objects to execute the malware's payload, and usually, it runs multiple iexplorer.exe processes. The loader creates a COM object that is a hidden API function. Knowing this information, take a look at the process tree after a while during execution, and determine either sample is Ursnif or not. Check the script to find out if a suspicious URL corresponds to malware activity.

ursnif process tree Figure 2: Ursnif process tree

Conclusion

Based on the source code of another malware that is already almost a decade old, Ursnif is a prime example of the fact that “old” does not mean ineffective when it comes to trojans.

On the contrary, despite its age, this malware is capable of launching devastating cyber attacks and managed to become one of the most popular banking trojans in the world. In addition to its powerful trojan functionality, the loader takes active actions to prevent researchers from studying it. Thankfully, malware hunting services like ANY.RUN allows researchers to study this malware in-depth and respond with appropriate countermeasures.

HAVE A LOOK AT

DarkTortilla screenshot
DarkTortilla
darktortilla
DarkTortilla is a crypter used by attackers to spread harmful software. It can modify system files to stay hidden and active. DarkTortilla is a multi-stage crypter that relies on several components to operate. It is often distributed through phishing sites that look like real services.
Read More
WannaCry screenshot
WannaCry
wannacry ransomware
WannaCry is a famous Ransomware that utilizes the EternalBlue exploit. This malware is known for infecting at least 200,000 computers worldwide and it continues to be an active and dangerous threat.
Read More
LokiBot screenshot
LokiBot
lokibot loader trojan
LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals.
Read More
Bumblebee Loader screenshot
Bumblebee Loader
bumblebee
Bumblebee is a highly adaptable malware loader, often used by threat actors linked to the Conti and TrickBot cybercrime groups. Since its discovery in 2021, Bumblebee has been leveraged in phishing campaigns and email thread hijacking, primarily to distribute payloads like Cobalt Strike and ransomware. The malware employs obfuscation techniques, such as DLL injection and virtual environment detection, to avoid detection and sandbox analysis. Its command-and-control infrastructure and anti-analysis features allow it to persist on infected devices, where it enables further payload downloads and system compromise.
Read More
Trojan screenshot
Trojan
trojan trojan horse
Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.
Read More
Keylogger screenshot
Keylogger
keylogger
A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools.
Read More