{
	"id": "0270393e-4c31-457f-a850-9829db3c38f4",
	"created_at": "2026-04-06T02:12:23.662247Z",
	"updated_at": "2026-04-10T03:24:29.218002Z",
	"deleted_at": null,
	"sha1_hash": "08990dc43ad877132866694c88f97a60dc1cd20e",
	"title": "Emotet malware strikes U.S. businesses with COVID-19 spam",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1913979,
	"plain_text": "Emotet malware strikes U.S. businesses with COVID-19 spam\r\nBy Lawrence Abrams\r\nPublished: 2020-08-14 · Archived: 2026-04-06 02:02:57 UTC\r\nThe Emotet malware has begun spamming COVID-19 themed emails to U.S. businesses after being inactive for most of the U.S. pandemic.\r\nBefore going dark on Feb 7th, 2020, Emotet was already using COVID-19 themed spam to distribute malware in other countries affected by the pandemic at that time.\r\nAs the U.S. pandemic only began around March, Emotet never had the chance to target U.S. businesses with COVID-19 related spam.\r\nhttps://www.bleepingcomputer.com/news/security/emotet-malware-strikes-us-businesses-with-covid-19-spam/\r\nWith Emotet back in full swing after reawakening on July 17th, 2020, it has started spewing out COVID-19 spam, and this time it is targeting users in the USA.\r\nCOVID-19 Emotet spam now targeting U.S. orgs\r\nIn a new spam email discovered by security researcher Fate112, Emotet has been sending out a stolen email that pretends to be from the 'California Fire Mechanics' and carries a 'May COVID-19 update'.\r\nCOVID-19 themed Emotet spam\r\nThis email is not a template created by the Emotet actors, but rather an email stolen from an existing victim and adopted into the malware's spam campaigns.\r\nAttached to the email is a malicious document titled 'EG-8777 Medical report COVID-19.doc', which uses a generic document template seen in previous campaigns.\r\nThis template pretends to have been created on an iOS device and tells the user to click 'Enable Content' to view it properly.\r\nMalicious Emotet document\r\nOnce a user clicks the 'Enable Content' button, the document's macro executes a PowerShell command that downloads the Emotet executable from one of three to four sites.\r\nIn this particular campaign, the downloaded Emotet executable is saved to the %UserProfile% folder under a three-digit numeric file name, such as 498.exe.\r\nMalicious PowerShell command\r\nOnce executed, the victim's computer becomes part of the Emotet botnet and spams out further malicious email.\r\nUltimately, Emotet will download and install other malware such as Qbot or TrickBot, which is used to steal data and passwords and can lead to ransomware deployment.\r\nIn a conversation with Emotet expert Joseph Roosen, BleepingComputer was told that other COVID-19 campaigns have recently been seen using reply-chain emails.\r\n\"So far we have only seen it as part of stolen reply chain emails. We have not seen it as a generic template yet but I am sure it is just around the corner hehe. There was one reply chain I saw yesterday that was sent to 100s of addresses and was referring to the closing of an organization because of covid-19. I would not be surprised if Ivan is filtering some of those reply chains to focus on ones that are involving covid-19,\" Roosen told BleepingComputer.\r\nIvan is Roosen's nickname for the Russian Emotet operators.\r\nEmail security firm Cofense also told BleepingComputer that they have recently been seeing COVID-19 related spam that uses attachments named \"COVID-19 report 08 12.doc\" and similar.\r\nCofense states that the date in the attachment name changes to the day of the campaign.\r\nAs Emotet is such dangerous malware and can lead to a variety of risks, all home and corporate users must be cautious about opening documents that ask them to 'Enable Content.'\r\nIf you receive these types of emails, first scan the attachment with an antivirus scanner to make sure it is safe to open. Even then, proceed with caution.\r\nSource: https://www.bleepingcomputer.com/news/security/emotet-malware-strikes-us-businesses-with-covid-19-spam/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/emotet-malware-strikes-us-businesses-with-covid-19-spam/"
	],
	"report_names": [
		"emotet-malware-strikes-us-businesses-with-covid-19-spam"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441543,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/08990dc43ad877132866694c88f97a60dc1cd20e.pdf",
		"text": "https://archive.orkl.eu/08990dc43ad877132866694c88f97a60dc1cd20e.txt",
		"img": "https://archive.orkl.eu/08990dc43ad877132866694c88f97a60dc1cd20e.jpg"
	}
}