{
	"id": "0ffcd5a0-0983-45f4-9c4d-51fb595f7a6e",
	"created_at": "2026-04-06T00:11:12.100795Z",
	"updated_at": "2026-04-10T03:35:43.376259Z",
	"deleted_at": null,
	"sha1_hash": "0d773d76268cb60539d1e9b290fdbef4af1eed71",
	"title": "What’s up with Emotet?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 790062,
	"plain_text": "What’s up with Emotet?\r\nBy Jakub Kaloč\r\nArchived: 2026-04-05 20:48:47 UTC\r\nEmotet is a malware family active since 2014, operated by a cybercrime group known as Mealybug or TA542.\r\nAlthough it started as a banking trojan, it later evolved into a botnet that became one of the most prevalent threats\r\nworldwide. Emotet spreads via spam emails; it can exfiltrate information from, and deliver third-party malware to,\r\ncompromised computers. Emotet operators are not very picky about their targets, installing their malware on\r\nsystems belonging to individuals as well as companies and bigger organizations.\r\nIn January 2021, Emotet was the target of a takedown as a result of an international, collaborative effort of eight\r\ncountries coordinated by Eurojust and Europol. However, despite this operation, Emotet came back to life in\r\nNovember 2021.\r\nKey points of this blogpost:\r\nEmotet launched multiple spam campaigns since it re-appeared after its takedown.\r\nSince then, Mealybug created multiple new modules and multiple times updated and improved\r\nall existing modules.\r\nEmotet operators subsequently have put a lot of effort into avoiding monitoring and tracking of\r\nthe botnet since it came back.\r\nCurrently Emotet is silent and inactive, most probably due to failing to find an effective, new\r\nattack vector.\r\nhttps://www.welivesecurity.com/2023/07/06/whats-up-with-emotet/\r\nPage 1 of 18\n\nFigure 1. Timeline of interesting Emotet events since its return\r\nhttps://www.welivesecurity.com/2023/07/06/whats-up-with-emotet/\r\nPage 2 of 18\n\nSpam campaigns\r\nAfter the comeback followed by multiple spam campaigns at the end of 2021, the beginning of 2022 continued\r\nwith these trends and we registered multiple spam campaigns launched by Emotet operators. 
During this time Emotet was spreading mainly via malicious Microsoft Word and Microsoft Excel documents with embedded VBA macros.\r\nIn July 2022, Microsoft changed the game for all the malware families like Emotet and Qbot – which had used phishing emails with malicious documents as their method of spreading – by disabling VBA macros in documents obtained from the Internet. This change was announced by Microsoft at the beginning of the year and deployed originally in early April, but the update was rolled back due to user feedback. The final rollout came at the end of July 2022 and, as can be seen in Figure 2, the update resulted in a significant drop in Emotet compromises; we did not observe any significant activity during the summer of 2022.\r\nFigure 2. Emotet detection trend, seven-day moving average\r\nDisabling Emotet’s main attack vector made its operators look for new ways to compromise their targets. Mealybug started experimenting with malicious LNK and XLL files, but as 2022 was ending, Emotet operators struggled to find a new attack vector that would be as effective as VBA macros had been. In 2023, they ran three distinct malspam campaigns, each testing a slightly different intrusion avenue and social engineering technique. However, the shrinking size of the attacks and the constant changes in approach may suggest dissatisfaction with the outcomes.\r\nThe first of those three campaigns happened around March 8th, 2023, when the Emotet botnet started distributing Word documents, masked as invoices, with embedded malicious VBA macros. 
This was quite odd because VBA macros were disabled by Microsoft by default, so victims couldn’t run the embedded malicious code.\r\nIn their second campaign, between March 13th and March 18th, the attackers seemingly acknowledged these flaws, and apart from using the reply chain approach, they also switched from VBA macros to OneNote files (ONE) with embedded VBScripts. If the victims opened the file, they were greeted by what looked like a protected OneNote page, asking them to click a View button to see the content. Behind this graphic element was a hidden VBScript, set to download the Emotet DLL.\r\nDespite a OneNote warning that this action might lead to malicious content, people tend to click on similar prompts by habit and thus can potentially allow the attackers to compromise their devices.\r\nThe last campaign observed in ESET telemetry was launched on March 20th, taking advantage of the upcoming income tax due date in the United States. The malicious emails sent by the botnet pretended to come from the US tax office, the Internal Revenue Service (IRS), and carried an attached archive file named W-9 form.zip. The included ZIP file contained a Word document with an embedded malicious VBA macro that the intended victim probably had to enable. Apart from this campaign, targeted specifically at the USA, we also observed another campaign using the embedded VBScript and OneNote approach that was underway at the same time.\r\nAs can be seen in Figure 3, most of the attacks detected by ESET were aimed at Japan (43%) and Italy (13%), although these numbers may be biased by the strong ESET user base in these regions. After removing those top two countries (in order to focus on the rest of the world), in Figure 4 it can be seen that the rest of the world was also hit, with Spain (5%) in third place, followed by Mexico (5%) and South Africa (4%).\r\nFigure 3. 
Emotet detections Jan 2022 – Jun 2023\r\nFigure 4. Emotet detections Jan 2022 – Jun 2023 (JP and IT excluded)\r\nEnhanced protection and obfuscations\r\nAfter its reappearance, Emotet got multiple upgrades. The first notable feature is that the botnet switched its cryptographic scheme. Before the takedown, Emotet used RSA as its primary asymmetric scheme; after the reappearance, the botnet started to use elliptic curve cryptography. Currently every Downloader module (also called Main module) comes with two embedded public keys. One is used for the Elliptic Curve Diffie-Hellman key exchange protocol and the other is used for signature verification with the Digital Signature Algorithm.\r\nApart from updating the Emotet malware to the 64-bit architecture, Mealybug has also implemented multiple new obfuscations to protect their modules. The first notable obfuscation is control flow flattening, which can significantly slow down analysis and locating interesting parts of code in Emotet’s modules.\r\nMealybug also implemented and improved its implementation of many randomization techniques, of which the most notable are the randomization of the order of structure members and the randomization of the instructions that calculate constants (constants are masked).\r\nOne more update that is worth mentioning happened during the last quarter of 2022, when modules started using timer queues. 
With those, the main function of the modules and their communication part were set as a callback function, which is invoked by multiple threads, and all of this is combined with the control flow flattening, where the state value that determines which block of code is to be invoked is shared among the threads. This obfuscation adds another obstacle to analysis and makes following the execution flow even more difficult.\r\nNew modules\r\nTo remain profitable and prevalent malware, Mealybug implemented multiple new modules, shown in yellow in Figure 5. Some of them were created as a defensive mechanism for the botnet, others for more efficient spreading of the malware, and last but not least, a module that steals information that can be used to steal the victim’s money.\r\nFigure 5. Emotet’s most frequently used modules. Red existed before the takedown; yellow appeared after the comeback\r\nThunderbird Email Stealer and Thunderbird Contact Stealer\r\nEmotet is spread via spam emails and people often trust those emails, because Emotet successfully uses an email thread hijacking technique. Before the takedown, Emotet used modules we call Outlook Contact Stealer and Outlook Email Stealer, which were capable of stealing emails and contact information from Outlook. But because not everyone uses Outlook, after the takedown Emotet also focused on a free alternative email application – Thunderbird.\r\nEmotet may deploy a Thunderbird Email Stealer module to the compromised computer, which (as the name suggests) is capable of stealing emails. The module searches through the Thunderbird files containing received messages (in MBOX format) and steals data from multiple fields including sender, recipients, subject, date, and contents of the message. 
All stolen information is then sent to a C\u0026C server for further processing.\r\nTogether with Thunderbird Email Stealer, Emotet also deploys a Thunderbird Contact Stealer, which is capable of stealing contact information from Thunderbird. This module also searches through the Thunderbird files, this time looking for both received and sent messages. The difference is that this module just extracts information from the From:, To:, CC: and Cc: fields and creates an internal graph of who communicated with whom, where the nodes are people and there is an edge between two people if they communicated with each other. In the next step, the module orders the stolen contacts – starting with the most interconnected people – and sends this information to a C\u0026C server.\r\nAll this effort is complemented by two additional modules (that already existed before the takedown) - the MailPassView Stealer module and the Spammer module. MailPassView Stealer abuses a legitimate NirSoft tool for password recovery and steals credentials from email applications. When the stolen emails, credentials, and information about who is in contact with whom get processed, Mealybug creates malicious emails that look like a reply to previously stolen conversations and sends those emails together with the stolen credentials to a Spammer module that uses those credentials to send malicious replies to previous email conversations via SMTP.\r\nGoogle Chrome Credit Card Stealer\r\nAs the name suggests, Google Chrome Credit Card Stealer steals information about credit cards stored in the Google Chrome browser. 
To achieve this, the module uses a statically linked SQLite3 library for accessing the Web Data database file, usually located in %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Web Data. The module queries the table credit_cards for name_of_card, expiration_month, expiration_year, and card_number_encrypted, containing information about credit cards saved in the default Google Chrome profile. In the last step, the card_number_encrypted value is decrypted using the key stored in the %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Local State file and all information is sent to a C\u0026C server.\r\nSysteminfo and Hardwareinfo modules\r\nShortly after the return of Emotet, in November 2021, a new module we call Systeminfo appeared. This module collects information about a compromised system and sends it to the C\u0026C server. The information collected consists of:\r\nOutput of the systeminfo command\r\nOutput of the ipconfig /all command\r\nOutput of the nltest /dclist: command (removed in Oct. 2022)\r\nProcess list\r\nUptime (obtained via GetTickCount) in seconds (removed in Oct 2022)\r\nIn October 2022 Emotet’s operators released another new module we call Hardwareinfo. Even though it doesn’t steal exclusively information about the hardware of a compromised machine, it serves as a complementary source of information to the Systeminfo module. This module collects the following data from the compromised machine:\r\nComputer name\r\nUsername\r\nOS version information, including major and minor version numbers\r\nSession ID\r\nCPU brand string\r\nInformation about RAM size and usage\r\nBoth modules have one primary purpose – to verify whether the communication comes from a legitimately compromised victim or not. 
Emotet was, especially after its comeback, a really hot topic in the computer security industry and among researchers, so Mealybug went to great lengths to protect themselves from tracking and monitoring of their activities. Thanks to the information collected by these two modules, which not only collect data but also contain anti-tracking and anti-analysis tricks, Mealybug’s capability to tell real victims apart from malware researchers’ activities or sandboxes was significantly improved.\r\nWhat’s next?\r\nAccording to ESET research and telemetry, both Epochs of the botnet have been quiet since the beginning of April 2023. Currently it remains unclear if this is yet another vacation for the authors, if they are struggling to find a new effective infection vector, or if there is someone new operating the botnet.\r\nEven though we cannot confirm the rumors that one or both Epochs of the botnet were sold to somebody in January 2023, we noticed unusual activity on one of the Epochs. The newest update of the downloader module contained new functionality, which logs the inner states of the module and tracks its execution to the file C:\\JSmith\\Loader (Figure 6, Figure 7). Because this file has to exist already for anything to be logged, this functionality looks like debugging output for someone who doesn’t completely understand what the module does and how it works. Furthermore, at that time the botnet was also widely spreading Spammer modules, which are considered to be more precious to Mealybug because historically they used these modules only on machines that they considered to be safe.\r\nFigure 6. Logging of behavior of the downloader module\r\nFigure 7. 
Logging of behavior of the downloader module\r\nWhichever explanation of why the botnet is quiet now is true, Emotet has been known for its effectiveness, and its operators made an effort to rebuild and maintain the botnet and even add some improvements, so keep track of our blog to see what the future will bring us.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\r\nESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.\r\nIoCs\r\nFiles\r\nSHA-1 | Filename | ESET detection name | Description\r\nD5FDE4A0DF9E416DE02AE51D07EFA8D7B99B11F2 | N/A | Win64/Emotet.AL | Emotet Systeminfo module.\r\n1B6CFE35EF42EB9C6E19BCBD5A3829458C856DBC | N/A | Win64/Emotet.AL | Emotet Hardwareinfo module.\r\nD938849F4C9D7892CD1558C8EDA634DADFAD2F5A | N/A | Win64/Emotet.AO | Emotet Google Chrome Credit Card Stealer module.\r\n1DF4561C73BD35E30B31EEE62554DD7157AA26F2 | N/A | Win64/Emotet.AL | Emotet Thunderbird Email Stealer module.\r\n05EEB597B3A0F0C7A9E2E24867A797DF053AD860 | N/A | Win64/Emotet.AL | Emotet Thunderbird Contact Stealer module.\r\n0CEB10940CE40D1C26FC117BC2D599C491657AEB | N/A | Win64/Emotet.AQ | Emotet Downloader module, version with timer queue obfuscation.\r\n8852B81566E8331ED43AB3C5648F8D13012C8A3B | N/A | Win64/Emotet.AL | Emotet Downloader module, x64 version.\r\nF2E79EC201160912AB48849A5B5558343000042E | N/A | Win64/Emotet.AQ | Emotet Downloader module, version with debug strings.\r\nCECC5BBA6193D744837E689E68BC25C43EDA7235 | N/A | Win32/Emotet.DG | Emotet Downloader module, x86 version.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 12 of the MITRE ATT\u0026CK enterprise techniques.\r\nTactic | ID | Name | Description\r\nReconnaissance | T1592.001 | Gather Victim Host Information: Hardware | Emotet gathers information about the hardware of the compromised machine, such as the CPU brand string.\r\nReconnaissance | T1592.004 | Gather Victim Host Information: Client Configurations | Emotet gathers information about system configuration, such as the output of the ipconfig /all and systeminfo commands.\r\nReconnaissance | T1592.002 | Gather Victim Host Information: Software | Emotet exfiltrates a list of running processes.\r\nReconnaissance | T1589.001 | Gather Victim Identity Information: Credentials | Emotet deploys modules that are able to steal credentials from browsers and email applications.\r\nReconnaissance | T1589.002 | Gather Victim Identity Information: Email Addresses | Emotet deploys modules that can extract email addresses from email applications.\r\nResource Development | T1586.002 | Compromise Accounts: Email Accounts | Emotet compromises email accounts and uses them for spreading malspam emails.\r\nResource Development | T1584.005 | Compromise Infrastructure: Botnet | Emotet compromises numerous third-party systems to form a botnet.\r\nResource Development | T1587.001 | Develop Capabilities: Malware | Emotet consists of multiple unique malware modules and components.\r\nResource Development | T1588.002 | Obtain Capabilities: Tool | Emotet uses NirSoft tools to steal credentials from infected machines.\r\nInitial Access | T1566 | Phishing | Emotet sends phishing emails with malicious attachments.\r\nInitial Access | T1566.001 | Phishing: Spearphishing Attachment | Emotet sends spearphishing emails with malicious attachments.\r\nExecution | T1059.005 | Command and Scripting Interpreter: Visual Basic | Emotet has been seen using Microsoft Word documents containing malicious VBA macros.\r\nExecution | T1204.002 | User Execution: Malicious File | Emotet has been relying on users opening malicious email attachments and executing embedded scripts.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | Emotet modules use encrypted strings and masked checksums of API function names.\r\nDefense Evasion | T1027.002 | Obfuscated Files or Information: Software Packing | Emotet uses custom packers to protect its payloads.\r\nDefense Evasion | T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | Emotet resolves API calls at runtime.\r\nCredential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Emotet acquires credentials saved in web browsers by abusing NirSoft’s WebBrowserPassView application.\r\nCredential Access | T1555 | Credentials from Password Stores | Emotet is capable of stealing passwords from email applications by abusing NirSoft’s MailPassView application.\r\nCollection | T1114.001 | Email Collection: Local Email Collection | Emotet steals emails from the Outlook and Thunderbird applications.\r\nCommand and Control | T1071.003 | Application Layer Protocol: Mail Protocols | Emotet can send malicious emails via SMTP.\r\nCommand and Control | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Emotet uses ECDH keys to encrypt C\u0026C traffic.\r\nCommand and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | Emotet uses AES to encrypt C\u0026C traffic.\r\nCommand and Control | T1571 | Non-Standard Port | Emotet is known to communicate on nonstandard ports such as 7080.\r\nSource: https://www.welivesecurity.com/2023/07/06/whats-up-with-emotet/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/2023/07/06/whats-up-with-emotet/"
	],
	"report_names": [
		"whats-up-with-emotet"
	],
	"threat_actors": [
		{
			"id": "e8e18067-f64b-4e54-9493-6d450b7d40df",
			"created_at": "2022-10-25T16:07:24.515213Z",
			"updated_at": "2026-04-10T02:00:05.018868Z",
			"deleted_at": null,
			"main_name": "Mummy Spider",
			"aliases": [
				"ATK 104",
				"Gold Crestwood",
				"Mummy Spider",
				"TA542"
			],
			"source_name": "ETDA:Mummy Spider",
			"tools": [
				"Emotet",
				"Geodo",
				"Heodo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "506404b2-82fb-4b7e-b40d-57c2e9b59f40",
			"created_at": "2023-01-06T13:46:38.870883Z",
			"updated_at": "2026-04-10T02:00:03.128317Z",
			"deleted_at": null,
			"main_name": "MUMMY SPIDER",
			"aliases": [
				"TA542",
				"GOLD CRESTWOOD"
			],
			"source_name": "MISPGALAXY:MUMMY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ac83159-1d9d-4db4-a176-97be6b7b07c9",
			"created_at": "2024-06-19T02:03:08.024653Z",
			"updated_at": "2026-04-10T02:00:03.672512Z",
			"deleted_at": null,
			"main_name": "GOLD CRESTWOOD",
			"aliases": [
				"Mummy Spider ",
				"TA542 "
			],
			"source_name": "Secureworks:GOLD CRESTWOOD",
			"tools": [
				"Emotet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434272,
	"ts_updated_at": 1775792143,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0d773d76268cb60539d1e9b290fdbef4af1eed71.pdf",
		"text": "https://archive.orkl.eu/0d773d76268cb60539d1e9b290fdbef4af1eed71.txt",
		"img": "https://archive.orkl.eu/0d773d76268cb60539d1e9b290fdbef4af1eed71.jpg"
	}
}