Emotet malware's new 'Red Dawn' attachment is just as dangerous
By Lawrence Abrams
Published: 2020-08-29 · Archived: 2026-04-05 17:13:51 UTC
The Emotet botnet has begun to use a new template for their malicious attachments, and it is just as dangerous as ever.
After a five-month "vacation," the Emotet malware returned in July 2020 and began to spew massive amounts of malicious
spam worldwide.
These spam campaigns pretend to be invoices, shipping information, COVID-19 information, resumes, financial documents,
or scanned documents, as shown below.
https://www.bleepingcomputer.com/news/security/emotet-malwares-new-red-dawn-attachment-is-just-as-dangerous/
Page 1 of 5

0:00
https://www.bleepingcomputer.com/news/security/emotet-malwares-new-red-dawn-attachment-is-just-as-dangerous/
Page 2 of 5

Visit Advertiser websiteGO TO PAGE
Example Emotet spam email
Attached to these spam emails are malicious Word (.doc) attachments or link to download one.
When opened, these attachments will prompt a user to 'Enable Content' so that malicious macros will run to install the
Emotet malware on a victim's computer.
To trick a user into enabling the macros, Emotet has been using a document template that tells uses that the document was
created on iOS and cannot be properly viewed unless the 'Enable Content' button is clicked.
Older Emotet iOS template
On August 25th, the botnet switched to a new template that Emotet expert Joseph Roosen has named 'Red Dawn' due to its
red accent colors. 
https://www.bleepingcomputer.com/news/security/emotet-malwares-new-red-dawn-attachment-is-just-as-dangerous/
Page 3 of 5

The Red Dawn template also moves away from its iOS theme and now states that "This document is protected" and that
previewing is not available.
It then prompts the user to click on 'Enable Editing' and 'Enable Content' to view the document.
New 'Red Dawn' Emotet attachment
Like the previous template, once enable content is clicked, malicious macros will be executed that download and install the
Emotet malware on a victim's computer.
Why it's essential to recognize Emotet attachments?
Emotet is considered the most widely spread malware targeting users today. It is also particularly harmful as it will install
other dangerous malware such as Trickbot and QBot onto a victim's computer.
While TrickBot and QBot can perform different malicious activities, they both will attempt to steal stored passwords,
cookies, banking information, and assorted other information from a victim's computer.
To make matters worse, both trojans are known to provide access to threat actors who install ransomware such as Conti
(TrickBot) or ProLock (QBot) throughout the network.
Due to this, it is vital to recognize the malicious document templates used by Emotet so that you do not accidentally become
infected. 
https://www.bleepingcomputer.com/news/security/emotet-malwares-new-red-dawn-attachment-is-just-as-dangerous/
Page 4 of 5

Automated Pentesting Covers Only 1 of 6 Surfaces.
Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the
other.
This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic
questions for any tool evaluation.
Source: https://www.bleepingcomputer.com/news/security/emotet-malwares-new-red-dawn-attachment-is-just-as-dangerous/
https://www.bleepingcomputer.com/news/security/emotet-malwares-new-red-dawn-attachment-is-just-as-dangerous/
Page 5 of 5