{
	"id": "c34f2ecb-2f3f-4685-a022-8afada88cbb6",
	"created_at": "2026-04-06T00:14:09.106999Z",
	"updated_at": "2026-04-10T03:22:00.679777Z",
	"deleted_at": null,
	"sha1_hash": "17e71595e4b13aeac9c91af29d57572f0bc8a36b",
	"title": "Emotet Malware Returns in 2022 | Deep Instinct",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43628,
	"plain_text": "Emotet Malware Returns in 2022 | Deep Instinct\r\nBy Chuck Everette, Director, Cybersecurity Advocacy\r\nPublished: 2022-06-09 · Archived: 2026-04-05 13:30:31 UTC\r\nEmotet malware started from humble beginnings as a banking Trojan in 2014. The threat actors behind Emotet\r\nhave been credited as one of the first criminal groups to provide Malware-as-a-Service (MaaS). They successfully\r\nutilized their MaaS to create a massive botnet of infected systems and sold access to third parties, an enterprise\r\nthat proved so effective it was soon being used by criminal entities such as the Ryuk and Conti ransomware gangs.\r\nEmotet also has a history of collaborating with TrickBot, famous for their info-stealing trojan, and Qakbot, another\r\nwell-known banking trojan.\r\nEmotet Malware: Phishing for victims throughout the pandemic\r\nThe Emotet group was prolific throughout the pandemic. They wreaked chaos throughout 2019 and 2020, taking\r\nadvantage of hot topics as a ruse to convince unsuspecting victims to open malicious phishing emails. Topics\r\nincluded coronavirus information, political news, controversial issues, and supposed state and federal updates\r\naround mask mandates.\r\nThis all changed for Emotet in January 2021 when a joint task force took down the Emotet botnet infrastructure in\r\na global operation involving eight countries led by Europol, the Netherlands, and the U.S.\r\nIs Emotet malware back from the dead? New Emotet variants emerge\r\nRansomware gangs with millions in incentives to stay active are difficult to tamp down for long. As we’ve seen\r\nmultiple times in the past, ransomware gangs — or at a minimum their source code — never seem to expire\r\ncompletely.\r\nHistorically, members of gangs that have been shut down or disbanded tend to flock to other criminal\r\norganizations. Ransomware gangs are criminals at the core, and as such their sole purpose is to make money. The\r\nEmotet group is no different. 
Initial reports show that Emotet had reemerged in Q4 of 2021 and really started\r\nmaking waves with reports of massive phishing campaigns targeting Japanese businesses in February and March\r\nof 2022. We’ve now seen several massive new malicious phishing campaigns in April and May targeting new\r\nregions.\r\nIn an interesting development, the TrickBot gang has been observed helping its longtime partner Emotet deploy to\r\nalready infected machines in order to download the new Emotet variants. It has been reported that Emotet detections have\r\nspiked upwards of 2700% in Q1 of 2022 compared to Q4 of 2021.\r\nEmotet 2022: New tricks and threats\r\nLooking at the new threats coming from Emotet in 2022 we can see that there has been an almost 900% increase\r\nin the use of Microsoft Excel macros compared to what we observed in Q4 2021. The attacks we have seen hitting\r\nJapanese victims are using hijacked email threads and then using those accounts as a launch point to trick victims\r\ninto enabling macros of attached malicious Office documents. 
One of the more troubling behaviors of this “new\r\nand improved” Emotet is its effectiveness in collecting and utilizing stolen credentials, which are then being\r\nweaponized to further distribute the Emotet binaries.\r\nKey Findings of Emotet’s Return in 2022\r\nThreat research teams, including Deep Instinct’s leading threat intel team, and HP’s Wolf Security, have identified\r\nthe following key findings:\r\n9% of threats are unknown, never-before-seen threats\r\n14% of the email malware has bypassed at least one email gateway security scanner before it was captured\r\n45% of the malware detected were utilizing some type of office attachment\r\nThe most common attachments used to deliver malware were spreadsheets (33%), executables and scripts\r\n(29%), archives (22%), and documents (11%)\r\nEmotet is now utilizing 64-bit shellcode, as well as more advanced PowerShell and active scripts\r\nAlmost 20% of all malicious samples were exploiting a 2017 Microsoft vulnerability (CVE-2017-11882)\r\nDeep Instinct’s Solution for Combatting Emotet Malware\r\nWhile Emotet has reemerged and is gaining strength, it still utilizes many of the same attack vectors it has\r\nexploited in the past. The issue is that these attacks are getting more sophisticated and are bypassing today’s\r\nstandard security tools for detecting and filtering out these types of attacks.\r\nBut here’s the news you’ve been waiting for: here at Deep Instinct, we have a long history of predicting and\r\npreventing these types of attacks. 
While some of the latest attack vectors are new and never-before-seen threats,\r\nDeep Instinct has a proven track record of preventing even the newest attacks from Emotet as well as other\r\nsophisticated threat groups with technology that was developed and deployed months (and in some cases even\r\nyears) before the threats were developed and deployed into the wild.\r\nDeep Instinct takes a prevention-first approach to stopping ransomware and other malware using the world’s first\r\npurpose-built, deep learning cybersecurity framework. We predict and prevent known, unknown, and zero-day\r\nthreats in \u003c20 milliseconds, 750X faster than the fastest ransomware can encrypt.\r\nFor more information, Contact Us or Request a Demo.\r\nSource: https://www.deepinstinct.com/blog/emotet-malware-returns-in-2022",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.deepinstinct.com/blog/emotet-malware-returns-in-2022"
	],
	"report_names": [
		"emotet-malware-returns-in-2022"
	],
	"threat_actors": [],
	"ts_created_at": 1775434449,
	"ts_updated_at": 1775791320,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/17e71595e4b13aeac9c91af29d57572f0bc8a36b.pdf",
		"text": "https://archive.orkl.eu/17e71595e4b13aeac9c91af29d57572f0bc8a36b.txt",
		"img": "https://archive.orkl.eu/17e71595e4b13aeac9c91af29d57572f0bc8a36b.jpg"
	}
}