{
	"id": "2967ffa9-5c0c-487e-a388-b078e3bb77a0",
	"created_at": "2026-04-06T00:07:55.788988Z",
	"updated_at": "2026-04-10T13:11:50.488385Z",
	"deleted_at": null,
	"sha1_hash": "179ff4ef33425dd3c88f811d0841824a56d11294",
	"title": "Emotet now spreads via fake Adobe Windows App Installer packages",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1995176,
	"plain_text": "Emotet now spreads via fake Adobe Windows App Installer packages\r\nBy Lawrence Abrams\r\nPublished: 2021-12-01 · Archived: 2026-04-05 16:52:12 UTC\r\nThe Emotet malware is now distributed through malicious Windows App Installer packages that pretend to be Adobe PDF software.\r\nEmotet is a notorious malware infection that spreads through phishing emails and malicious attachments. Once installed, it steals victims' emails for use in further spam campaigns and deploys other malware, such as TrickBot and Qbot, which commonly leads to ransomware attacks.\r\nThe threat actors behind Emotet are now infecting systems by installing malicious packages through a built-in feature of Windows 10 and Windows 11 called App Installer.\r\nhttps://www.bleepingcomputer.com/news/security/emotet-now-spreads-via-fake-adobe-windows-app-installer-packages/\r\nPage 1 of 7\r\nResearchers previously saw the same method used to distribute the BazarLoader malware, which installed malicious packages hosted on Microsoft Azure.\r\nAbusing Windows App Installer\r\nUsing URLs and email samples shared by the Emotet tracking group Cryptolaemus, BleepingComputer demonstrates below the attack flow of the new phishing email campaign.\r\nThe new Emotet campaign starts with stolen reply-chain emails that appear to be replies to an existing conversation. These replies simply tell the recipient to \"Please see attached\" and contain a link to an alleged PDF related to the email conversation.\r\nWhen the link is clicked, the user is brought to a fake Google Drive page that prompts them to click a button to preview the PDF document.\r\nPhishing landing page prompting you to preview the PDF\r\nSource: BleepingComputer\r\nThis 'Preview PDF' button is an ms-appinstaller URL that attempts to open an 
appinstaller file hosted on Microsoft Azure, using URLs under *.web.core.windows.net.\r\nFor example, the above link would open an appinstaller package at a URL like the following: ms-appinstaller:?source=https://xxx.z13.web.core.windows.net/abcdefghi.appinstaller\r\nAn appinstaller file is simply an XML file containing the signed package's publisher information and the URL of the appxbundle that will be installed.\r\nAn Emotet appinstaller XML file\r\nSource: BleepingComputer\r\nWhen an .appinstaller file is opened, the browser prompts whether you want to open the Windows App Installer program to proceed.\r\nOnce you agree, an App Installer window prompts you to install the 'Adobe PDF Component.'\r\nApp Installer prompting to install the fake Adobe PDF Component\r\nSource: BleepingComputer\r\nThe malicious package looks like a legitimate Adobe application: it has a genuine Adobe PDF icon, a valid code-signing certificate that makes App Installer label it a 'Trusted App', and fake publisher information. The certificate is valid only in the sense that it chains to a trusted root; it does not belong to Adobe. This kind of validation from Windows is more than enough for many users to trust the application and install it.\r\nOnce the user clicks the 'Install' button, App Installer downloads and installs the malicious appxbundle hosted on Microsoft Azure. 
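As an added example (not code from the BleepingComputer article, and nothing taken from the Emotet package), the following Python parses the two artifacts described above: the ms-appinstaller: link and the .appinstaller XML it points to. The link, hostnames, package name and Publisher string are constructed placeholders in the shape of the article's example; the element and attribute names follow Microsoft's .appinstaller schema. The triage step goes slightly beyond the article: the Publisher attribute has to match the subject of the signing certificate, so a 'Trusted App' badge only proves that some certificate validated, and an OnLaunch update setting makes App Installer re-fetch the package from the attacker's URL on every start.

```python
# Added example, not code from the BleepingComputer article or from Emotet:
# triage helpers for the ms-appinstaller lure and the .appinstaller XML it
# points to. All URLs, names and the Publisher string are constructed placeholders.
from urllib.parse import urlsplit, parse_qs
import xml.etree.ElementTree as ET

# Namespaces of the .appinstaller schema (2017 and 2018 revisions both exist).
APPINSTALLER_NS = {'http://schemas.microsoft.com/appx/appinstaller/2017',
                   'http://schemas.microsoft.com/appx/appinstaller/2018'}
# Azure Storage static-website hosting, where the article says the files lived.
AZURE_STATIC_SUFFIX = '.web.core.windows.net'

# Constructed lure link, shaped like the article's example.
SAMPLE_LINK = 'ms-appinstaller:?source=https://xxx.z13.web.core.windows.net/abcdefghi.appinstaller'

# Constructed .appinstaller body: one MainBundle entry plus an update policy.
SAMPLE_APPINSTALLER = '''<?xml version="1.0" encoding="utf-8"?>
<AppInstaller Uri="https://xxx.z13.web.core.windows.net/abcdefghi.appinstaller"
              Version="1.0.0.0"
              xmlns="http://schemas.microsoft.com/appx/appinstaller/2018">
  <MainBundle Name="AdobePDFComponent" Version="1.0.0.0"
              Publisher="CN=Example Signer Ltd, O=Example Signer Ltd, C=US"
              Uri="https://xxx.z13.web.core.windows.net/abcdefghi.appxbundle" />
  <UpdateSettings>
    <OnLaunch HoursBetweenUpdateChecks="0" />
  </UpdateSettings>
</AppInstaller>'''


def source_from_link(link):
    '''Return the URL an ms-appinstaller: link hands to App Installer, or None.'''
    parts = urlsplit(link)
    if parts.scheme != 'ms-appinstaller':
        return None
    sources = parse_qs(parts.query).get('source')
    return sources[0] if sources else None


def _local(tag):
    '''Strip the {namespace} prefix ElementTree puts on tag names.'''
    return tag.rsplit('}', 1)[-1]


def parse_appinstaller(xml_text):
    '''Pull the fields a responder cares about out of an .appinstaller file.'''
    root = ET.fromstring(xml_text)
    ns = root.tag[1:].split('}', 1)[0] if root.tag.startswith('{') else ''
    if _local(root.tag) != 'AppInstaller' or ns not in APPINSTALLER_NS:
        raise ValueError('not an .appinstaller document: ' + root.tag)
    package = None
    for child in root:
        if _local(child.tag) in ('MainBundle', 'MainPackage'):
            package = child
            break
    if package is None:
        raise ValueError('no MainBundle/MainPackage element')
    on_launch = any(_local(el.tag) == 'OnLaunch' for el in root.iter())
    return {
        'installer_uri': root.get('Uri'),
        'name': package.get('Name'),
        'publisher': package.get('Publisher'),
        'package_uri': package.get('Uri'),
        'updates_on_launch': on_launch,
    }


def host_of(url):
    return (urlsplit(url).hostname or '').lower()


def triage(link, xml_text):
    '''Return the list of reasons this lure chain looks suspicious.'''
    findings = []
    source = source_from_link(link)
    if source is None:
        return ['link is not an ms-appinstaller: URL']
    info = parse_appinstaller(xml_text)
    if host_of(source).endswith(AZURE_STATIC_SUFFIX):
        findings.append('installer served from Azure static-website storage')
    if host_of(info['package_uri']) != host_of(source):
        findings.append('package bundle hosted on a different host than the installer')
    name = (info['name'] or '').lower()
    publisher = (info['publisher'] or '').lower()
    # App Installer shows the Name; the Publisher must match the signing cert
    # subject, so a valid certificate that is not Adobe's still passes.
    if 'adobe' in name and 'adobe' not in publisher:
        findings.append('name claims Adobe but signer is ' + info['publisher'])
    if info['updates_on_launch']:
        findings.append('package re-checks the attacker URL for updates at every launch')
    return findings


if __name__ == '__main__':
    for finding in triage(SAMPLE_LINK, SAMPLE_APPINSTALLER):
        print(finding)
```

The script stays offline on purpose: a responder feeds it the link from the phishing page and the .appinstaller body pulled from the hosting URL, and gets back what App Installer will show the user and where it will fetch the bundle from, without touching the attacker's infrastructure.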
This appxbundle drops a DLL in the %Temp% folder and executes it with rundll32.exe, as shown below.\r\nInstalling the Emotet infection\r\nSource: BleepingComputer\r\nThe process also copies the DLL to a randomly named file inside a randomly named folder under %LocalAppData%, as shown below.\r\nEmotet saved under a random file name\r\nSource: BleepingComputer\r\nFinally, an autorun entry is created under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run to launch the DLL automatically whenever the user logs into Windows.\r\nRegistry autorun to start Emotet when Windows starts\r\nSource: BleepingComputer\r\nEmotet was once the most widely distributed malware, until a law enforcement operation in January 2021 shut down and seized the botnet's infrastructure. Ten months later, Emotet was resurrected, rebuilding with the help of the TrickBot trojan. A day later, Emotet spam campaigns began, hitting users' mailboxes with various lures and malicious documents that installed the malware.\r\nThese campaigns have allowed Emotet to rebuild its presence rapidly and once again run large-scale phishing campaigns that install TrickBot and Qbot.\r\nEmotet campaigns commonly lead to ransomware attacks. Windows admins must stay on top of the malware's distribution methods and train employees to spot Emotet campaigns.
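The three post-install artifacts described above (rundll32.exe running a DLL out of %Temp%, the copy under a random folder in %LocalAppData%, and the HKCU Run value) map onto Sysmon event IDs 1, 11 and 13. The following Python is an added detection example, not the article's or any vendor's code; the events are constructed to mirror the article's screenshots, and the username, SID, folder names and the ',EntryPoint' export are placeholders. Each rule alone is noisy, so the last function only calls the chain complete when all three fire for the same user.

```python
# Added example, not code from the BleepingComputer article: detection rules for
# the three post-install artifacts, run over constructed Sysmon-style events
# (event IDs 1 = process create, 11 = file create, 13 = registry value set).
# Usernames, SID, folder names and the ',EntryPoint' export are placeholders.
import re

# Constructed events. Real data would come from the Sysmon operational log.
SAMPLE_EVENTS = [
    {'EventID': 1, 'User': r'LAB\alice',
     'Image': r'C:\Windows\System32\rundll32.exe',
     'CommandLine': r'rundll32.exe C:\Users\alice\AppData\Local\Temp\abcdef.dll,EntryPoint'},
    {'EventID': 11, 'User': r'LAB\alice',
     'TargetFilename': r'C:\Users\alice\AppData\Local\Qwerty\Zxcvbn.dll'},
    {'EventID': 13, 'User': r'LAB\alice',
     'TargetObject': r'HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Zxcvbn',
     'Details': r'"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\alice\AppData\Local\Qwerty\Zxcvbn.dll",EntryPoint'},
    # Benign noise: a vendor updater in Run, and rundll32 with a system DLL.
    {'EventID': 13, 'User': r'LAB\alice',
     'TargetObject': r'HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive',
     'Details': r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {'EventID': 1, 'User': r'LAB\alice',
     'Image': r'C:\Windows\System32\rundll32.exe',
     'CommandLine': r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL'},
]

RUN_KEY = '\\software\\microsoft\\windows\\currentversion\\run\\'


def dll_paths(text):
    '''Lower-cased DLL paths mentioned in a command line or registry value.'''
    return [m.lower() for m in re.findall(r'[a-z]:\\[^",]+?\.dll', text, re.I)]


def in_temp(path):
    p = path.lower()
    return '\\appdata\\local\\temp\\' in p or '\\windows\\temp\\' in p


def in_localappdata_subdir(path):
    '''True for <profile>\\AppData\\Local\\<one folder>\\<file>, the layout the article shows.'''
    parts = path.lower().split('\\')
    try:
        i = parts.index('appdata')
    except ValueError:
        return False
    return len(parts) == i + 4 and parts[i + 1] == 'local' and parts[i + 2] != 'temp'


def rule_rundll32_temp(ev):
    if ev.get('EventID') != 1 or 'rundll32' not in ev.get('Image', '').lower():
        return None
    hits = [p for p in dll_paths(ev.get('CommandLine', '')) if in_temp(p)]
    return ('rundll32 loading DLL from Temp', hits[0]) if hits else None


def rule_dll_staged(ev):
    if ev.get('EventID') != 11:
        return None
    path = ev.get('TargetFilename', '')
    if path.lower().endswith('.dll') and in_localappdata_subdir(path):
        return ('DLL dropped in a folder directly under %LocalAppData%', path)
    return None


def rule_run_key_rundll32(ev):
    if ev.get('EventID') != 13 or RUN_KEY not in ev.get('TargetObject', '').lower():
        return None
    details = ev.get('Details', '')
    if 'rundll32' not in details.lower():
        return None
    hits = [p for p in dll_paths(details) if in_localappdata_subdir(p)]
    return ('Run key starts rundll32 with a DLL under %LocalAppData%', hits[0]) if hits else None


RULES = (rule_rundll32_temp, rule_dll_staged, rule_run_key_rundll32)


def detect(events):
    '''Run every rule over every event; return (user, rule name, evidence) tuples.'''
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append((ev.get('User', ''), hit[0], hit[1]))
    return alerts


def chain_complete(alerts):
    '''True when all three stages fired for the same user.'''
    by_user = {}
    for user, rule, _ in alerts:
        by_user.setdefault(user, set()).add(rule)
    return any(len(rules) == len(RULES) for rules in by_user.values())


if __name__ == '__main__':
    found = detect(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print('full App Installer chain:', chain_complete(found))
```

The Run-key rule is the one worth alerting on by itself: a persistence value that launches rundll32.exe against a DLL in a random folder under the user's profile is rarely legitimate, which is why the sample's OneDrive entry is left alone even though it also lives under %LocalAppData%.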
",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/emotet-now-spreads-via-fake-adobe-windows-app-installer-packages/"
	],
	"report_names": [
		"emotet-now-spreads-via-fake-adobe-windows-app-installer-packages"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434075,
	"ts_updated_at": 1775826710,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/179ff4ef33425dd3c88f811d0841824a56d11294.pdf",
		"text": "https://archive.orkl.eu/179ff4ef33425dd3c88f811d0841824a56d11294.txt",
		"img": "https://archive.orkl.eu/179ff4ef33425dd3c88f811d0841824a56d11294.jpg"
	}
}