{
	"id": "daadb46d-922a-491d-8d83-1e227981ccb9",
	"created_at": "2026-04-06T00:17:38.770404Z",
	"updated_at": "2026-04-10T03:35:43.338253Z",
	"deleted_at": null,
	"sha1_hash": "0fe8afc8e224af5db9477edef35a20656faa1976",
	"title": "Emotet malware hits Lithuania's National Public Health Center",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1816818,
	"plain_text": "Emotet malware hits Lithuania's National Public Health Center\r\nBy Sergiu Gatlan\r\nPublished: 2020-12-30 · Archived: 2026-04-05 12:35:10 UTC\r\nThe internal networks of Lithuania's National Center for Public Health (NVSC) and several municipalities have been\r\ninfected with Emotet malware following a large campaign targeting the country's state institutions.\r\n\"When infected recipients opened infected messages, the virus entered the internal networks of the institutions,\" NVSC\r\nofficials said in a statement published today.\r\n\"Infected computers, after downloading additional files, began sending fake emails or engaging in other types of malicious\r\nactivity.\"\r\nhttps://www.bleepingcomputer.com/news/security/emotet-malware-hits-lithuanias-national-public-health-center/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/emotet-malware-hits-lithuanias-national-public-health-center/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nLithuanian government officials, ministry representatives, and epidemiological diagnostics experts that have previously been\r\ncontacted by NVSC specialists via email have all received Emotet-infected emails from infected systems.\r\nThe NVSC e-mail systems have been temporarily shut down on Tuesday to stop the further spread of the virus.\r\nNVSC information technology specialists, together with experts from the Central State Telecommunications Center and the\r\nNational Cyber Security Center currently working on cleaning affected systems of the Emotet infection, as well as on\r\nrecovering NVSC e-mails and restoring email access.\r\nEmails sent as replies to previous conversations\r\nRytis Rainys, Director of the Lithuanian National Cyber Security Center (NKSC), warned that the Emotet emails sent as\r\nreplies to previous conversations distributed malicious code using password-protected archives as attachments, with the\r\npassword shared in the email body.\r\nThis prevented anti-malware solutions from detecting the malicious emails which made it possible for the targeted\r\nindividuals to open the attachment and infect themselves.\r\nStealing reply-chain emails is a known Emotet tactic used to camouflage malicious emails as parts of existing conversations\r\nfor higher credibility and better infection rates in future spam campaigns.\r\nThe tactic is also being used by the Qbot trojan, and it was previously by the Gozi ISFB banking trojan and the URSNIF\r\ninformation-stealing trojan.\r\nThis is the second large Emotet campaign that has targeted Lithuania this year, with a previous one detected by the NKSC in\r\nOctober.\r\nThe NKSC published an advisory at the time recommending potential targets (including but not limited to state institutions\r\nand companies) to enable and properly configure Sender Policy Framework (SPF) email authentication.\r\nEmotet is back in business\r\nAfter a break of a month and a half, the Emotet botnet was revived on December 21st [1, 2], and Microsoft spotted an\r\nongoing campaign delivering \"a wide range of lures in massive volumes of emails, the use of fake replies or forwarded\r\nemails, password-protected archive attachments.\"\r\n\"The new Emotet campaign still uses documents that contain malicious macro that, when enabled, connects to seven\r\nmalicious domains to download the Emotet payload,\" Microsoft Security Intelligence tweeted.\r\nEmotet was first spotted in 2014 as a banking Trojan and has now evolved into a botnet used by the TA542 threat group (aka\r\nMummy Spider) to deploy second-stage malware payloads on infected systems.\r\nThe payloads Emotet drops on compromised computers include the QakBot and Trickbot (which also deploys both Ryuk\r\nand Conti ransomware) trojans.\r\nBefore going on a break, Emotet has targeted multiple US state and local governments in potentially targeted campaigns\r\naccording to an advisory published by DHS-CISA in October.\r\nhttps://www.bleepingcomputer.com/news/security/emotet-malware-hits-lithuanias-national-public-health-center/\r\nPage 3 of 4\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/emotet-malware-hits-lithuanias-national-public-health-center/\r\nhttps://www.bleepingcomputer.com/news/security/emotet-malware-hits-lithuanias-national-public-health-center/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/emotet-malware-hits-lithuanias-national-public-health-center/"
	],
	"report_names": [
		"emotet-malware-hits-lithuanias-national-public-health-center"
	],
	"threat_actors": [
		{
			"id": "e8e18067-f64b-4e54-9493-6d450b7d40df",
			"created_at": "2022-10-25T16:07:24.515213Z",
			"updated_at": "2026-04-10T02:00:05.018868Z",
			"deleted_at": null,
			"main_name": "Mummy Spider",
			"aliases": [
				"ATK 104",
				"Gold Crestwood",
				"Mummy Spider",
				"TA542"
			],
			"source_name": "ETDA:Mummy Spider",
			"tools": [
				"Emotet",
				"Geodo",
				"Heodo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "506404b2-82fb-4b7e-b40d-57c2e9b59f40",
			"created_at": "2023-01-06T13:46:38.870883Z",
			"updated_at": "2026-04-10T02:00:03.128317Z",
			"deleted_at": null,
			"main_name": "MUMMY SPIDER",
			"aliases": [
				"TA542",
				"GOLD CRESTWOOD"
			],
			"source_name": "MISPGALAXY:MUMMY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ac83159-1d9d-4db4-a176-97be6b7b07c9",
			"created_at": "2024-06-19T02:03:08.024653Z",
			"updated_at": "2026-04-10T02:00:03.672512Z",
			"deleted_at": null,
			"main_name": "GOLD CRESTWOOD",
			"aliases": [
				"Mummy Spider ",
				"TA542 "
			],
			"source_name": "Secureworks:GOLD CRESTWOOD",
			"tools": [
				"Emotet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434658,
	"ts_updated_at": 1775792143,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0fe8afc8e224af5db9477edef35a20656faa1976.pdf",
		"text": "https://archive.orkl.eu/0fe8afc8e224af5db9477edef35a20656faa1976.txt",
		"img": "https://archive.orkl.eu/0fe8afc8e224af5db9477edef35a20656faa1976.jpg"
	}
}