{
	"id": "d8d72145-cc76-4f6d-8ec7-66438c703b8e",
	"created_at": "2026-04-06T00:10:52.169795Z",
	"updated_at": "2026-04-10T03:20:16.980924Z",
	"deleted_at": null,
	"sha1_hash": "008559dbb0abdb2908725a5580b213071e29e705",
	"title": "Emotet is Back",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 429479,
	"plain_text": "Emotet is Back\r\nBy Maria Jose Erquiaga,\r\nPublished: 2022-03-28 · Archived: 2026-04-05 17:18:41 UTC\r\nThe text below is a joint work of Maria Jose Erquiaga, Onur Erdogan and Adela Jezkova from the Cisco Cognitive team.\r\nEmotet (also known as Geodo and Heodo) is a banking trojan, but it is also a modular malware that can be used to download other malware such as Trickbot and IcedID [8, 9, 13]. Emotet was observed for the first time in 2014 [9]. In January 2021, in a combined effort by Interpol and Eurojust, Emotet was taken down [12]. However, Emotet rose again in November 2021, and it has shown more activity since 2022 [6, 7].\r\nEven though Emotet was born as a banking trojan, it evolved over time and became a highly modular threat. This evolution granted adversaries a tool for different purposes. Emotet can be used as an initial payload and remain inactive for extended periods of time until the adversaries decide to leverage it [10]. This feature of Emotet gives the adversaries the flexibility to carry out a multi-stage infection process. This means that Emotet can act as a banking trojan, but it has also been observed to drop additional malware on the infected systems [1]. Emotet has the capability to gather information about the infected systems so that the adversaries can evaluate the value of the asset [14, 15]. Some analyses show that Emotet can drop CobaltStrike, which then drops ransomware [11]. For example, one of the ransomware families dropped by Emotet is Ryuk [9].\r\nIn the past few months, Emotet malware has been observed in the wild, and its detections have grown considerably [1]. Even though this Emotet re-appearance happened at (almost) the same time as the Log4J vulnerability was discovered, there is not enough evidence that these two things are related. However, CobaltStrike, which is known to be related to Emotet, was using the Log4J vulnerability [4].\r\nThe reappearance of Emotet motivated our deeper research and effort to update the detection ability for Global Threat Alerts customers. As a result, the customers of Cisco Secure Network Analytics and Secure Endpoint using GTA now get better coverage of the threat.\r\nIn this blog we summarize the Emotet threat, its lifecycle and typical detectable patterns. In the second part of the blog we show how to use GTA to detect Emotet.\r\nSummary of Emotet characteristics\r\nModular banking trojan\r\nDownloader/Dropper\r\nPolymorphic – can evade signature-based detection\r\nVirtual machine aware\r\nEmotet behavior\r\nhttps://blogs.cisco.com/security/emotet-is-back\r\nPage 1 of 6\r\nThe attack flow is detailed in Figure 1. According to the analysis presented by Brad Duncan [2], the attack vector seems to be phishing, via an email with an attached file (1). The file contained in the phishing email is an Office document (2). When the victims open the Office document and enable macros (3), the Emotet DLL is downloaded to the victim’s device (4). After download, this DLL file is executed (5) and it establishes the connection with the Emotet command and control (6) [5, 7].\r\nFigure 1. Emotet attack flow\r\nAttached files and PowerShell execution\r\nOnce the victim opens and executes the infected files and enables the macros (mainly with docx or xml extensions), a command is executed to obtain and execute an HTML application. The pattern of the URL observed for this step is the following:\r\nhxxp://{IP address}/[yy]/[y].{html|png}\r\nWhere “yy” are usually two alphabetical characters.\r\nFor example, one of the URLs found in the wild:\r\nhxxp://91.240.118[.]172/hh/hello.png\r\nThen it downloads a PowerShell payload, which in turn downloads the Emotet binary, a DLL file, from any of the URLs contained in the content served at the URL described above. The format in this case can vary; some of the URL patterns look like this:\r\nhttp://ttisecurity[.]com/cgi/7RFeiqkgymCs/\r\nWhere the regex is:\r\n.*/(gci/){0,1}[a-z0-9\\_]{3,20}$\r\nAnother pattern related to Emotet was\r\n.*/(wp-admin/){0,1}[a-z0-9\\_]{3,20}$\r\nDuring the download of the Emotet payload, the user agent pattern was: Mozilla/5.0 (Windows NT; Windows NT %; en-US) WindowsPowerShell/5.1.%\r\nDLL execution and Emotet C2\r\nOnce the DLL file is on the infected system, it downloads a PE file and then establishes communication with its command and control, using HTTP or HTTPS protocols, on ports 80, 8080 and 443 [2]. Even though some researchers claim there is no relationship between the Log4J vulnerability and Emotet, there are some common behaviours, such as the use of the same IPs for C2. For example, these IP addresses are related to both Emotet and Log4j:\r\n250.21[.]2 and 116.124.128[.]206 found in [4]\r\n94.252[.]3\r\n31.163[.]17\r\n178.186[.]134\r\n79.205[.]117\r\nDetecting Emotet with Global Threat Alerts\r\nGTA (Global Threat Alerts) detects Emotet as a High-risk threat. The threat description includes the MITRE software code and the techniques used by Emotet.\r\nFigure 2. Detail of Emotet description in GTA\r\nThe threat detail (see Figure 3) also contains extra information regarding the files that could have been modified, deleted, or created by a particular threat. This information is enriched with the analysis of Emotet samples in Cisco Threat Grid [16]. The patterns of the files that could have been modified by Emotet, the probability of the malware behaviour, and the severity level for each one of the events are provided. This extra information helps network administrators and security teams to mitigate the threat not only in the network, but also on the devices.\r\nFigure 3. Information regarding the behaviour of Emotet in endpoints, based on samples from Emotet. Includes probability of the event occurrence and severity level.\r\nFigures 4, 5, and 6 show different asset details from Emotet alerts. It is possible to observe there the traffic from the infected device to malicious IPs, hosts, and domains that are known to be related to Emotet. In the first case, the asset established communication with the hostnames 201.213.32[.]59, 45.55.82[.]2 and 89.32.150[.]160 (Figure 4). In the second example, the asset communicated with the hostnames robertmchilespe[.]com and vbaint[.]com (Figure 5). In the third example, the detection found communication to the domain 104.131.148[.]38 (Figure 6).\r\nFigure 4. Communication from the asset to hostnames 201.213.32[.]59, 45.55.82[.]2 and 89.32.150[.]160 related to Emotet\r\nFigure 5. Communication from the asset to hostnames robertmchilespe[.]com and vbaint[.]com, related to Emotet\r\nFigure 6. Communication from the asset to the domain 104.131.148[.]38, related to Emotet\r\nTo verify if Emotet was detected in your environment, click Emotet Threat detail.\r\nEmotet mitigation\r\nTo prevent Emotet, we suggest the following measures:\r\nBlock emails with any attachment files that are suspicious\r\nScan suspicious files before opening them\r\nIsolate the infected devices from the rest of the network to avoid spreading\r\nRestrict the use of PowerShell and remote tools if possible\r\nReset all the user’s passwords on the infected devices\r\nConsider using 2FA (such as Cisco DUO)\r\nConclusions\r\nWe conducted research to find not only new IOCs (IPs, domains and samples) but also URL patterns related to this new Emotet wave to keep our customers up to date on the latest threat evolutions. The processed IOCs are also seeds to the machine learning GTA algorithms, which help to further enrich the detections. GTA users of Secure Endpoint and Secure Network Analytics can detect Emotet in their systems, execute mitigation actions and stay safe from the evolution of this threat.\r\nReferences\r\n1. Back from the dead: Emotet re-emerges, begins rebuilding to wrap up 2021. Talos report, November 2021.\r\n2. Emotet Return. Brad Duncan. Published: 2021-11-16.\r\n3. How to Respond to Apache Log4j using Cisco Secure Analytics. Robert Harris.\r\n4. Emotet epoch 5 IOCs list. Brad Duncan. 2022.\r\n5. New Emotet Infection Method. Saqib Khanzada, Tyler Halfpop, Micah Yates and Brad Duncan. February 15, 2022.\r\n6. Cybersecurity Threat Spotlight: Emotet, RedLine Stealer, and Magnat Backdoor. Artsiom Holub. February 3, 2022.\r\n7. Emotet description. Malpedia. Fraunhofer Institut, Germany.\r\n8. Emotet description. Wikipedia.\r\n9. Back from vacation: Analyzing Emotet’s activity in 2020. Cisco Talos. November 2020. https://blog.talosintelligence.com/2020/11/emotet-2020.html\r\n10. Detecting Emotet Malware with Cognitive Intelligence.\r\n11. Corporate Loader “Emotet”: History of “X” Project Return for Ransomware. Yelisey Boguslavskiy \u0026 Vitali Kremez. December 2021.\r\n12. World’s most dangerous malware EMOTET disrupted through global action. Europol. January 2021.\r\n13. Emotet Software description. MITRE.\r\n14. The Commoditization of Multistage Malware Attacks. Chris Gerritz. DarkReading, July 2019.\r\n15. Emotet growing slowly but steadily since November resurgence. Bill Toulas. Bleeping Computer. March 2022.\r\n16. Cisco Secure Malware Analytics (Threat Grid).\r\nSource: https://blogs.cisco.com/security/emotet-is-back",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blogs.cisco.com/security/emotet-is-back"
	],
	"report_names": [
		"emotet-is-back"
	],
	"threat_actors": [],
	"ts_created_at": 1775434252,
	"ts_updated_at": 1775791216,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/008559dbb0abdb2908725a5580b213071e29e705.pdf",
		"text": "https://archive.orkl.eu/008559dbb0abdb2908725a5580b213071e29e705.txt",
		"img": "https://archive.orkl.eu/008559dbb0abdb2908725a5580b213071e29e705.jpg"
	}
}