Ursnif (aka Gozi/Gozi-ISFB), discovered in 2006, may be one of the oldest banking Trojans still active. After its source code was leaked, a number of variants sprang up. SAIGON may be more of a generic backdoor than just a banking Trojan. During infection, SAIGON is stored in the registry as a Base64-encoded shellcode blob. A scheduled task periodically launches the blob using PowerShell. SAIGON communicates with its command and control servers over HTTPS, using POST requests encoded as multipart/form-data. Although SAIGON may share Ursnif’s source code, it may be designed for a more targeted attack approach than Ursnif.
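A detection-side sketch of the persistence pattern described above, added here as an example and not taken from any vendor tooling: it triages scheduled-task action command lines for PowerShell that both reads the registry and Base64-decodes, including when the script is hidden behind `-EncodedCommand`. The marker regexes, the three verdict levels and the sample command lines (with the placeholder key `HKCU:\Software\EXAMPLE`) are assumptions constructed for illustration, not SAIGON indicators.

```python
import base64
import re

# Heuristic markers chosen for this example (assumptions, not IoCs from the page).
PS_HOST = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I)
REG_READ = re.compile(r"\b(HKCU|HKLM|HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\b", re.I)
B64_DECODE = re.compile(r"FromBase64String", re.I)
ENC_ARG = re.compile(r"\s-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})", re.I)


def expand_encoded(cmdline):
    """Return cmdline plus the decoded text of any -EncodedCommand argument."""
    parts = [cmdline]
    for name, blob in ENC_ARG.findall(cmdline):
        name = name.lower()
        # PowerShell accepts abbreviated forms such as -e and -enc, plus -ec.
        if not ("encodedcommand".startswith(name) or name == "ec"):
            continue
        try:
            # -EncodedCommand carries Base64 of a UTF-16LE string.
            parts.append(base64.b64decode(blob, validate=True).decode("utf-16-le"))
        except ValueError:
            continue  # not decodable; the raw text is still scanned
    return "\n".join(parts)


def classify(cmdline):
    """Return 'alert', 'review' or 'ok' for one scheduled-task action."""
    if not PS_HOST.search(cmdline):
        return "ok"
    text = expand_encoded(cmdline)
    hits = bool(REG_READ.search(text)) + bool(B64_DECODE.search(text))
    return ("ok", "review", "alert")[hits]


# Constructed sample task actions (not taken from any real SAIGON sample).
_SCRIPT = r"[Convert]::FromBase64String((Get-ItemProperty 'HKCU:\Software\EXAMPLE').Blob)"
SAMPLES = [
    "powershell.exe -NoProfile -Command " + _SCRIPT,
    "powershell.exe -w hidden -enc " + base64.b64encode(_SCRIPT.encode("utf-16-le")).decode(),
    r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1",
    r"powershell.exe -Command Get-ItemProperty HKLM:\Software\Vendor",
    r"C:\Windows\System32\defrag.exe C: -o",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(classify(cmd), cmd[:60])
```

Task actions to feed into `classify` can come from exported task XML or task-creation audit events; a `review` verdict means only one of the two markers was present.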