{
	"id": "0a6478ec-634e-4345-9362-6510d96b1034",
	"created_at": "2026-04-06T00:13:42.966332Z",
	"updated_at": "2026-04-10T03:35:43.346851Z",
	"deleted_at": null,
	"sha1_hash": "170b4718f4aaf158520bf6cb6e6bec40a5cc2203",
	"title": "Emotet Makes Timely Adoption of Political and Elections Lures | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 122776,
	"plain_text": "Emotet Makes Timely Adoption of Political and Elections Lures |\r\nProofpoint US\r\nBy October 01, 2020 Axel F. and the Proofpoint Threat Research Team\r\nPublished: 2020-10-01 · Archived: 2026-04-05 16:27:38 UTC\r\nDuring the 76 days since Emotet’s return, researchers have observed activity reminiscent of past Emotet\r\ncampaigns, like high message volumes and global distribution. \r\nEmotet uses a variety of lure themes, some of which occasionally leverage current events or news items,\r\nlike COVID-19 or Greta Thunberg. While TA542, the actor behind Emotet, has sent messages to local, state, and\r\nother government recipients, historically they have not directly leveraged political themes in their messaging. \r\nOn October 1, 2020, we observed thousands of Emotet email messages with the subject “Team Blue Take\r\nAction” sent to hundreds of organizations in the US. The message body is taken directly from a page on the\r\nDemocratic National Committee's website, with the addition of a line requesting that the recipient open the\r\nattached document.  \r\nAttached is a malicious Word document, “Team Blue Take Action.” The Word doc contains macros which, if\r\nenabled by the intended recipient, will download and install Emotet. The current second stage payload we’ve\r\nobserved following Emotet is Qbot \"partner01\" and The Trick \"morXXX\" (e.g., \"mor125\").\r\nhttps://www.proofpoint.com/us/blog/threat-insight/emotet-makes-timely-adoption-political-and-elections-lures\r\nPage 1 of 3\n\nFigure 1: ”Team Blue Take Action” lure containing malicious Word doc attachment \r\nSample of additional related subjects observed includes: \r\nValanters 2020 \r\nDetailed information \r\nList of works \r\nVolunteer \r\nInformation \r\nSample of additional related filenames observed includes: \r\nTeam Blue Take Action.doc \r\nList of works.doc \r\nValanters 2020.doc \r\nDetailed information.doc \r\nhttps://www.proofpoint.com/us/blog/threat-insight/emotet-makes-timely-adoption-political-and-elections-lures\r\nPage 2 of 3\n\nVolunteer.doc \r\n \r\nThe shift to using politically themed lures comes days after the first of several 2020 US Presidential debates. The\r\ndebate received widespread media coverage, and as Election Day draws nearer, many voters are likely feeling\r\ncompelled to volunteer for political causes or for the election in some way. However, it’s unlikely that this shift is\r\ndriven by any specific political ideology. Like earlier use of COVID-19 or Greta Thunberg lure themes, TA542 is\r\nattempting to reach as many intended recipients as possible by capitalizing on a popular topic.  \r\n \r\n\"Team Blue Take Action.doc\" document SHA256:\r\n21cda873bff60530ae094d7906219b5c0cc5d98e808f8608962886683fc37504\r\nSubscribe to the Proofpoint Blog\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/emotet-makes-timely-adoption-political-and-elections-lures\r\nhttps://www.proofpoint.com/us/blog/threat-insight/emotet-makes-timely-adoption-political-and-elections-lures\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/emotet-makes-timely-adoption-political-and-elections-lures"
	],
	"report_names": [
		"emotet-makes-timely-adoption-political-and-elections-lures"
	],
	"threat_actors": [
		{
			"id": "e8e18067-f64b-4e54-9493-6d450b7d40df",
			"created_at": "2022-10-25T16:07:24.515213Z",
			"updated_at": "2026-04-10T02:00:05.018868Z",
			"deleted_at": null,
			"main_name": "Mummy Spider",
			"aliases": [
				"ATK 104",
				"Gold Crestwood",
				"Mummy Spider",
				"TA542"
			],
			"source_name": "ETDA:Mummy Spider",
			"tools": [
				"Emotet",
				"Geodo",
				"Heodo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "506404b2-82fb-4b7e-b40d-57c2e9b59f40",
			"created_at": "2023-01-06T13:46:38.870883Z",
			"updated_at": "2026-04-10T02:00:03.128317Z",
			"deleted_at": null,
			"main_name": "MUMMY SPIDER",
			"aliases": [
				"TA542",
				"GOLD CRESTWOOD"
			],
			"source_name": "MISPGALAXY:MUMMY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ac83159-1d9d-4db4-a176-97be6b7b07c9",
			"created_at": "2024-06-19T02:03:08.024653Z",
			"updated_at": "2026-04-10T02:00:03.672512Z",
			"deleted_at": null,
			"main_name": "GOLD CRESTWOOD",
			"aliases": [
				"Mummy Spider ",
				"TA542 "
			],
			"source_name": "Secureworks:GOLD CRESTWOOD",
			"tools": [
				"Emotet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434422,
	"ts_updated_at": 1775792143,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/170b4718f4aaf158520bf6cb6e6bec40a5cc2203.pdf",
		"text": "https://archive.orkl.eu/170b4718f4aaf158520bf6cb6e6bec40a5cc2203.txt",
		"img": "https://archive.orkl.eu/170b4718f4aaf158520bf6cb6e6bec40a5cc2203.jpg"
	}
}