The malware—known by the portmanteau GozNym—is a hybrid of two strains of known malware “that takes the best of both,” according to a blog post by IBM’s X-Force, part of IBM’s security division. The program is largely targeting business accounts, mostly in the U.S., and mostly via credit unions and “popular e-commerce platforms.” IBM (IBM) didn’t name the specific institutions but says they have been notified.

The malware works by targeting customers rather than the banks directly. The malware makes its way into users’ computers when the account holder clicks on attachments or links in emails, then remains hidden until the user accesses his or her bank account.

Once the user does so, the malware can deploy a range of methods to steal and transmit information. The program can log keystrokes to steal usernames and passwords and even capture images of the banking screen, an IBM security adviser told the Wall Street Journal. The user, meanwhile, has no idea the malware is functioning in the background.

Get Data Sheet, Fortune’s technology newsletter.

IBM believes the malware originated with a criminal organization in Eastern Europe, where a group known to have developed a Trojan horse program called Nymain is believed to have obtained widely leaked malware code known as Gozi ISFB and integrated it into their own malware (hence: GozNym). In its hybrid form, the Nymain Trojan executes first as a means to breach systems, then launches Gozi ISFB to complete the financial fraud.

So far the malware has targeted 22 banks in the U.S. and two in Canada thus far. More than half of the attacks have targeted business banking and credit unions, though 17% of GozNym’s victims are in retail banking.