{
	"id": "dc6405a5-d480-4922-b1a5-c31843641ef3",
	"created_at": "2026-04-06T00:19:06.657506Z",
	"updated_at": "2026-04-10T03:23:52.365094Z",
	"deleted_at": null,
	"sha1_hash": "0c2329365178a2d4bd62d41d2018ab3e10d484dd",
	"title": "Emotet re-emerges after the holidays",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 442461,
	"plain_text": "Emotet re-emerges after the holidays\r\nBy Edmund Brumaghin\r\nPublished: 2019-01-15 · Archived: 2026-04-05 17:25:39 UTC\r\nTuesday, January 15, 2019 16:14\r\nWhile Emotet has been around for many years and is one of the most well-known pieces of malware in the wild,\r\nthat doesn't mean attackers don't try to freshen it up. Cisco Talos recently discovered several new campaigns\r\ndistributing the infamous banking trojan via email. These new campaigns have been observed following a period\r\nof relatively low Emotet distribution activity, corresponding with the observance of Orthodox Christmas in certain\r\ngeographic regions. These new malicious efforts involve sending victims malicious Microsoft Word attachments\r\nwith embedded macros that download Emotet.\r\nThis latest strain has also gained the ability to check if the infected IP where the malicious email is being sent\r\nfrom is already blocklisted on a spam list. This could allow attackers to deliver more emails to users' inboxes\r\nwithout any pushback from spam filters.\r\nEmotet Overview\r\nEmotet is one of the most widely distributed and actively developed malware families on the\r\ncrimeware landscape today. It is a highly modular threat with a variety of payloads being\r\ndelivered. Emotet began purely as a banking trojan, but over the years, has continued to evolve\r\nand more recently, has been associated with some larger-scale targeted Ryuk ransomware\r\ninfections. The primary infection vector remains malicious emails sent as part of widespread\r\nspam campaigns. Emotet is commonly delivered via both macro-laden office documents, as well as\r\nURL-based spam messages that lead to an eventual infection. These campaigns change and evolve\r\ndaily, and the supporting infrastructure also changes on a near constant basis. It's not uncommon\r\nto see Emotet reuse some of the command and control (C2) servers over more extended periods.\r\nhttps://blog.talosintelligence.com/2019/01/return-of-emotet.html\r\nPage 1 of 6\r\nThe goal of Emotet, as is the case with crimeware-based threats, is monetary. Attackers use Emotet to deliver\r\nmodular payloads it can use to monetize infections. Those payloads can include threats like banking trojans,\r\nstealers, self-propagation, email harvesters and ransomware. The modules the attackers deploy are likely chosen\r\nbased on the way they can best monetize infected systems and the environments in which those systems reside.\r\nCurrent Campaign Details\r\nThere are multiple active campaigns currently delivering Emotet. These campaigns are occurring\r\nin two different varieties. The first is a simple email with a Word document attached. An example\r\nof one of these emails is shown below.\r\nOne thing that Emotet typically does reasonably well is mutating the subject lines so that a large number of emails\r\nwith identical subject lines are rarely seen during distribution. These campaigns are no exception — we have seen\r\nvarious subject lines focusing primarily around invoices and package deliveries. The emails also use different\r\nlanguages. Below you can see an example of one of the German language campaigns that are ongoing. This\r\nexample also shows the second type of campaign, leveraging a direct URL download instead of Office documents\r\nwith macros that fetch the malware.\r\nOnce a user opens the email message and opens the attachment or clicks the link, malware is downloaded to the\r\nsystem using either code embedded in the attachment or directly from the website in the case of URL-based\r\nemails.\r\nMalicious code embedded in the malicious attachment functions as a downloader for the Emotet malware. When\r\nthis code is executed, PowerShell is invoked, which reaches out to the Emotet malware distribution server,\r\ndownloads the malicious payload, and executes it, thus infecting the system.\r\nIn the screenshot above, you can see that the script is configured with multiple URLs that can be used to download\r\nthe PE32 executable associated with Emotet. This provides resiliency, as the downloader can iterate through the\r\nlist in the case that some of the URLs are no longer available due to takedown or compromised site cleanup.\r\nThe malware is overwhelmingly hosted on compromised websites. These sites are then leveraged as random\r\nhosting locations for the campaigns to leverage. One unusual thing we have observed recently is the use of HTTP\r\n301 redirects. The initial URL is requested with a connection keep-alive in the header. This initial HTTP request is\r\nmet with a 301 pointing back to the same URL. This second request results in the malware being delivered and the\r\nheader no longer includes the keep-alive. The reason for the 301 redirection and second request is currently\r\nunknown since browsing directly to the URL results in the malware being returned. Below is an example of the\r\nbehavior.\r\nAfter initial installation, the C2 capabilities begin. Emotet connects to C2 servers on various ports including, but\r\nnot limited to: 20, 80, 443, 7080, 8443, and 50000. Typically, this all occurs using HTTP traffic to hard-coded IP\r\naddresses similar to what is shown below:\r\nThe above example demonstrates HTTP running on port 20 to one of those hard-coded IP addresses. There have\r\nbeen some more recent behavior changes, specifically around the spamming module of Emotet. Talos has\r\nobserved recent runs of Emotet checking if the compromised system's IP address is currently found on many\r\nspam-related blocklists including those hosted by SpamCop, Spamhaus, and SORBS, among others. Below is a\r\nsnippet from a ThreatGrid report that demonstrates the email blocklist queries.\r\nThis is just the latest in a long line of near-constant improvements made to Emotet. It is still under constant\r\ndevelopment with new features being tested and rolled out on a continual basis. This development is one of the\r\nreasons why we see it being distributed so widely.\r\nConclusion\r\nThese modular malware families like Emotet are going to continue to increase in\r\npopularity as time goes on. Monetization is the name of the game when it comes to\r\ncrimeware and having a malware family that can deliver multiple, disparate\r\npayloads is going to be increasingly attractive for those looking for nefarious\r\nmonetary gain. As shown by the recent blocklist checking for the spamming\r\nmodule, Emotet is looking to maximize that financial gain whenever possible, and\r\nat the same time, minimize payloads that will have little return on investment. It's\r\nthese types of changes that will continue to keep Emotet near the top of the\r\ncrimeware landscape.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention\r\nSystem (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nIndicators of Compromise\r\nA list of Indicators of Compromise (IOCs) associated with these campaigns can be\r\nobtained here.\r\nSource: https://blog.talosintelligence.com/2019/01/return-of-emotet.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.talosintelligence.com/2019/01/return-of-emotet.html"
	],
	"report_names": [
		"return-of-emotet.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434746,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0c2329365178a2d4bd62d41d2018ab3e10d484dd.pdf",
		"text": "https://archive.orkl.eu/0c2329365178a2d4bd62d41d2018ab3e10d484dd.txt",
		"img": "https://archive.orkl.eu/0c2329365178a2d4bd62d41d2018ab3e10d484dd.jpg"
	}
}