{
	"id": "e5190d51-bb4b-4d6d-90f9-c2d15d0b527b",
	"created_at": "2026-04-06T00:07:18.595903Z",
	"updated_at": "2026-04-10T03:21:29.721137Z",
	"deleted_at": null,
	"sha1_hash": "02ccdf398f979e3ec7dc7edfb819e2d84d38fd9d",
	"title": "Emotet botnet starts blasting malware again after 4 month break",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2197854,
	"plain_text": "Emotet botnet starts blasting malware again after 4 month break\r\nBy Lawrence Abrams\r\nPublished: 2022-11-02 · Archived: 2026-04-05 21:27:04 UTC\r\nThe Emotet malware operation is again spamming malicious emails after almost a four-month \"vacation\" that saw little\r\nactivity from the notorious cybercrime operation.\r\nEmotet is a malware infection distributed through phishing campaigns containing malicious Excel or Word documents.\r\nWhen users open these documents and enable macros, the Emotet DLL will be downloaded and loaded into memory.\r\nOnce loaded, the malware will search for and steal emails to use in future spam campaigns and drop additional payloads\r\nsuch as Cobalt Strike or other malware that commonly leads to ransomware attacks.\r\nhttps://www.bleepingcomputer.com/news/security/emotet-botnet-starts-blasting-malware-again-after-4-month-break/\r\nPage 1 of 7\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/emotet-botnet-starts-blasting-malware-again-after-4-month-break/\r\nPage 2 of 7\n\nVisit Advertiser websiteGO TO PAGE\r\nWhile Emotet was considered the most distributed malware in the past, it suddenly stopped spamming on July 13th, 2022. 
\r\nEmotet returns\r\nResearchers from the Emotet research group Cryptolaemus reported that at approximately 4:00 AM ET on November 2nd, the Emotet operation suddenly came alive again, spamming email addresses worldwide.\r\nProofpoint threat researcher and Cryptolaemus member Tommy Madjar told BleepingComputer that today's Emotet email campaigns are using stolen email reply chains to distribute malicious Excel attachments.\r\nFrom samples uploaded to VirusTotal, BleepingComputer has seen attachments targeted at users worldwide, in various languages and under various file names, pretending to be invoices, scans, electronic forms, and other lures.\r\nA partial listing of example file names can be seen below:\r\nScan_20220211_77219.xls\r\nfattura novembre 2022.xls\r\nBFE-011122 XNIZ-021122.xls\r\nFH-1612 report.xls\r\n2022-11-02_1739.xls\r\nFattura 2022 - IT 00225.xls\r\nRHU-011122 OOON-021122.xls\r\nElectronic form.xls\r\nRechnungs-Details.xls\r\nGmail_2022-02-11_1621.xls\r\ngescanntes-Dokument 2022.02.11_1028.xls\r\nRechnungs-Details.xls\r\nDETALLES-0211.xls\r\nDokumente-vom-Notar 02.11.2022.xls\r\nINVOICE0000004678.xls\r\nSCAN594_00088.xls\r\nCopia Fattura.xls\r\nForm.xls\r\nForm - 02 Nov, 2022.xls\r\nNuovo documento 2022.11.02.xls\r\nInvoice Copies 2022-11-02_1008, USA.xls\r\npayments 2022-11-02_1011, USA.xls\r\nToday's Emotet campaign also introduces a new Excel attachment template that contains instructions to bypass Microsoft's Protected View.\r\nMalicious Emotet Excel document\r\nSource: BleepingComputer\r\nWhen a file is downloaded from the Internet, including as an email attachment saved by a mail client, Windows tags it with a Mark-of-the-Web (MoTW) flag, stored on NTFS as a Zone.Identifier alternate data stream.\r\nWhen a user opens a Microsoft Office document carrying a MoTW flag, Microsoft Office opens it in Protected View, a read-only sandbox in which macros that install malware cannot be executed.\r\nHowever, in the new Emotet Excel attachment, the threat actors instruct users to copy the file into one of Office's 'Templates' folders. These folders are default Office Trusted Locations, and a document opened from a Trusted Location skips Protected View and the macro security checks entirely, even if it carries a MoTW flag.\r\n\"RELAUNCH REQUIRED In accordance with the requirements of your security policy, to display the contents of the document,\r\nfor Microsoft Office 2013 x32 and earlier - C:\\Program Files\\Microsoft Office (x86)\\Templates\r\nfor Microsoft Office 2013 x64 and earlier - C:\\Program Files\\Microsoft Office\\Templates\r\nfor Microsoft Office 2016 x32 and later - C:\\Program Files (x86)\\Microsoft Office\\root\\Templates\r\nfor Microsoft Office 2016 x64 and later - C:\\Program Files\\Microsoft Office\\root\\Templates\"\r\nWindows does warn that copying a file into the 'Templates' folder requires administrator permissions (a UAC consent prompt), but a user who has already followed the lure this far is likely to press 'Continue' as well.\r\nRequesting administrator permissions\r\nSource: BleepingComputer\r\nWhen the attachment is launched from the 'Templates' folder, it simply opens and immediately executes the macros that download the Emotet malware.\r\nBypassing Microsoft Office Protected View\r\nSource: BleepingComputer\r\nThe Emotet malware is downloaded as a DLL into multiple random-named folders under %UserProfile%\\AppData\\Local, as shown below.\r\nEmotet stored in a random folder in %LocalAppData%\r\nSource: BleepingComputer\r\nThe macros then launch the DLL using the legitimate regsvr32.exe utility, a signed Windows binary that loads the DLL and calls its DllRegisterServer export, so the Emotet code runs under a trusted process name.\r\nEmotet DLL running via Regsvr32.exe\r\nSource: BleepingComputer\r\nOnce downloaded, the malware quietly runs in the background while connecting to its command and control server for further instructions or to install additional payloads.\r\nMadjar told BleepingComputer that today's Emotet infections have not begun dropping additional malware payloads on infected devices.\r\nHowever, in the past, Emotet was known for installing the TrickBot malware and, more recently, Cobalt Strike beacons. These Cobalt Strike beacons are then used for initial access by ransomware gangs, who spread laterally on the network, steal data, and ultimately encrypt devices.\r\nEmotet infections were used in the past to give the Ryuk and Conti ransomware gangs initial access to corporate networks. Since Conti's shutdown in June, Emotet has been seen partnering with the BlackCat and Quantum ransomware operations for initial access on already infected devices.\r\nUpdate 11/3/22: This article originally said spamming stopped on June 13th. Correct date is July 13th.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/emotet-botnet-starts-blasting-malware-again-after-4-month-break/"
	],
	"report_names": [
		"emotet-botnet-starts-blasting-malware-again-after-4-month-break"
	],
	"threat_actors": [],
	"ts_created_at": 1775434038,
	"ts_updated_at": 1775791289,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/02ccdf398f979e3ec7dc7edfb819e2d84d38fd9d.pdf",
		"text": "https://archive.orkl.eu/02ccdf398f979e3ec7dc7edfb819e2d84d38fd9d.txt",
		"img": "https://archive.orkl.eu/02ccdf398f979e3ec7dc7edfb819e2d84d38fd9d.jpg"
	}
}