{
	"id": "f2fff1dd-e33b-49f3-860c-2f04cb13a7bf",
	"created_at": "2026-04-06T01:31:06.05283Z",
	"updated_at": "2026-04-10T13:12:03.908432Z",
	"deleted_at": null,
	"sha1_hash": "0263b4b80f61efd25846484887f54271787d4e11",
	"title": "Netskope Threat Coverage: The Return of Emotet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 170780,
	"plain_text": "Netskope Threat Coverage: The Return of Emotet\r\nBy Gustavo Palazolo\r\nPublished: 2021-11-18 · Archived: 2026-04-06 00:21:02 UTC\r\nCo-authored by Gustavo Palazolo and Ghanashyam Satpathy\r\nSummary\r\nAt the beginning of 2021, Emotet was considered to be the world’s most dangerous malware by Europol. The\r\nthreat was first discovered in 2014 when it was acting as a banking trojan. Over the years, the malware evolved\r\ninto one of the most relevant botnets in the threat landscape, often used to deliver other threats, such as Trickbot\r\nand Ryuk ransomware. Netskope detected Emotet during Oct 2020, using PowerShell and WMI to download and\r\nexecute its payload.\r\nAfter massive collaboration between law enforcement agencies around the world, Emotet was taken down in\r\nJanuary 2021, where the malware’s infrastructure was disrupted from the inside. This was extremely important, as\r\ninfected machines were redirected towards law enforcement-controlled infrastructure, preventing further actions\r\nfrom Emotet’s threat actors.\r\nAfter almost a year, Emotet (a.k.a. Geodo, Heodo) was spotted again in the wild, being delivered by Trickbot. This\r\nnew campaign is being tracked by MalwareBazaar / Feodo Tracker, where we can see an increase since November\r\n15, 2021.\r\nScreenshot of Emotet tracker from MalwareBazaar.\r\nIn this threat coverage, we will analyze a malicious Microsoft Office document from a set of files that are\r\ndelivering the new Emotet payload.\r\nhttps://www.netskope.com/blog/netskope-threat-coverage-the-return-of-emotet\r\nPage 1 of 12\n\nAnalysis\r\nOnce we open the document, we can see a fake message that lures the victim into enabling the macros, by clicking\r\nthe “Enable Editing” and “Enable Content” buttons.\r\nMalicious document that delivers Emotet.\r\nThe threat actors protected the VBA project with a password to prevent viewing the macro in the VBA editor,\r\nlikely to slow down analysis.\r\nhttps://www.netskope.com/blog/netskope-threat-coverage-the-return-of-emotet\r\nPage 2 of 12\n\nProtected VBA project.\r\nAfter bypassing this protection, we can see that the document contains an obfuscated macro code.\r\nhttps://www.netskope.com/blog/netskope-threat-coverage-the-return-of-emotet\r\nPage 3 of 12\n\nMacro code executed by the document.\r\nThere are a few functions that are not used at all, possibly added as decoys. The main code is triggered by the\r\n“ Document_Open() ” function.\r\nhttps://www.netskope.com/blog/netskope-threat-coverage-the-return-of-emotet\r\nPage 4 of 12\n\nFunction triggered once the document is opened.\r\nBy looking at the function called by this entry point, we can see the threat actors attempt to hide a PowerShell\r\nscript by using string concatenation and replace, which can all be easily removed.\r\nhttps://www.netskope.com/blog/netskope-threat-coverage-the-return-of-emotet\r\nPage 5 of 12\n\nThe VBA code goal is to execute a PowerShell script, that basically iterates over a URL list, and tries to download\r\nthe content into “ C:\\ProgramData\\ ”.\r\nhttps://www.netskope.com/blog/netskope-threat-coverage-the-return-of-emotet\r\nPage 6 of 12\n\nPrettyfied PowerShell script executed by the malicious document.\r\nOnce an online URL is found, Emotet’s DLL is written into the disk with a random name, for example:\r\n“ C:\\ProgramData\\1856230245.dll ”.\r\nAt the time of our analysis, three of the URLs were offline.\r\nhttps://www.netskope.com/blog/netskope-threat-coverage-the-return-of-emotet\r\nPage 7 of 12\n\nOnline and Offline URLs from Emotet’s document.\r\nThe downloaded file is a 32-bit DLL, and although this information is not 100% reliable, it looks like the file was\r\ncompiled on November 16, 2021.\r\nhttps://www.netskope.com/blog/netskope-threat-coverage-the-return-of-emotet\r\nPage 8 of 12\n\nEmotet’s payload downloaded by the malicious document.\r\nThe final payload is another DLL, which is unpacked and executed in memory by the downloaded file.\r\nhttps://www.netskope.com/blog/netskope-threat-coverage-the-return-of-emotet\r\nPage 9 of 12\n\nEmotet being unpacked in memory.\r\nOnce running, Emotet starts the communication with its C2 servers.\r\nhttps://www.netskope.com/blog/netskope-threat-coverage-the-return-of-emotet\r\nPage 10 of 12\n\nEmotet C2 communication.\r\nAt the moment of this analysis, there are 19 online servers linked to Emotet.\r\nProtection\r\nNetskope Threat Labs is actively monitoring this campaign and has ensured coverage for all known threat\r\nindicators and payloads. \r\nNetskope Threat Protection\r\nDocument-Word.Trojan.Emotet\r\nWin32.Trojan.Emotet\r\nNetskope Advanced Threat Protection provides proactive coverage against this threat.\r\nGen.Malware.Detect.By.StHeur indicates a sample that was detected using static analysis\r\nGen.Malware.Detect.By.Sandbox indicates a sample that was detected by our cloud sandbox\r\nIOCs\r\nhttps://www.netskope.com/blog/netskope-threat-coverage-the-return-of-emotet\r\nPage 11 of 12\n\nEmotet Document Hashes \r\nSHA256\r\n4938ef80579abd3efdb5caa81ccd37648e771dfcd8eb6fb59789faf5c29002d9\r\nfcdc52a70e95e9e1979db1a9145ca43135ad7b1497a6c62b606989734680cd5d\r\neeabaea8e1a978fb94bbb03a4dd20c9259c9a65bdaee42ab5a777ca1ccba27a0\r\n7ba276ef23853e8a1bc1b32b8fa67ff845d9fa78c2820aa68c4907aead76fd06\r\nMD5\r\n97b18705eb20d678681e39cc877b3d2a\r\n93288048b2d674437e5d8adcf13d1169\r\n7d987aac2dba9450640fb15d860be5dc\r\n356252e7a07ec1a807795cfb77629ea7\r\nThe full list of IOCs analyzed in this campaign can be found in our Git repository.\r\nSource: https://www.netskope.com/blog/netskope-threat-coverage-the-return-of-emotet\r\nhttps://www.netskope.com/blog/netskope-threat-coverage-the-return-of-emotet\r\nPage 12 of 12",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.netskope.com/blog/netskope-threat-coverage-the-return-of-emotet"
	],
	"report_names": [
		"netskope-threat-coverage-the-return-of-emotet"
	],
	"threat_actors": [],
	"ts_created_at": 1775439066,
	"ts_updated_at": 1775826723,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0263b4b80f61efd25846484887f54271787d4e11.pdf",
		"text": "https://archive.orkl.eu/0263b4b80f61efd25846484887f54271787d4e11.txt",
		"img": "https://archive.orkl.eu/0263b4b80f61efd25846484887f54271787d4e11.jpg"
	}
}