{
	"id": "bbf52f63-f1c0-4e61-8cc0-49aa367c9afb",
	"created_at": "2026-04-06T00:22:16.951954Z",
	"updated_at": "2026-04-10T03:24:29.71945Z",
	"deleted_at": null,
	"sha1_hash": "186b144386a331f520ebaa91736ab93a8690ec68",
	"title": "Emotet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64773,
	"plain_text": "Emotet\r\nPublished: 2026-04-02 · Archived: 2026-04-05 20:46:02 UTC\r\nhttps://www.malwarebytes.com/emotet/\r\nPage 1 of 5\r\n\r\nKey takeaways\r\nEmotet is a Trojan malware first identified in 2014 that was originally designed to steal financial and banking information from infected systems.\r\nOver time, Emotet evolved from a banking Trojan into a malware delivery platform used to spread other malicious software, including additional banking Trojans and ransomware.\r\nEmotet is primarily distributed through spam emails containing malicious attachments or links, often disguised as legitimate messages such as invoices, payment details, or shipping notifications.\r\nThe malware uses advanced evasion techniques, including detecting virtual machines and sandbox environments, allowing it to remain dormant to avoid analysis and detection.\r\nEmotet has worm-like capabilities that allow it to spread across networks and communicate with command-and-control servers to receive updates, install additional malware, and exfiltrate stolen data.\r\nWhat is Emotet?\r\nThe Emotet banking Trojan was first identified by security researchers in 2014. Emotet was originally designed as banking malware that attempted to sneak onto your computer and steal sensitive and private information. Later versions of the software saw the addition of spamming and malware delivery services—including other banking Trojans.\r\nEmotet uses functionality that helps the software evade detection by some anti-malware products. Emotet uses worm-like capabilities to help it spread to other connected computers, which aids distribution of the malware. This functionality has led the Department of Homeland Security to conclude that Emotet is among the most costly and destructive malware, affecting government and private sectors, individuals and organizations, and costing upwards of $1M per incident to clean up.\r\nEmotet is a Trojan that is primarily spread through spam emails (malspam). The infection may arrive via a malicious script, a macro-enabled document file, or a malicious link. Emotet emails may contain familiar branding designed to look like a legitimate email. Emotet may try to persuade users to click the malicious files by using tempting language about “Your Invoice,” “Payment Details,” or possibly an upcoming shipment from well-known parcel companies.\r\nEmotet has gone through a few iterations. Early versions arrived as a malicious JavaScript file. Later versions evolved to use macro-enabled documents to retrieve the virus payload from command and control (C\u0026C) servers run by the attackers.\r\nEmotet uses a number of tricks to try to prevent detection and analysis. Notably, Emotet knows if it’s running inside a virtual machine (VM) and will lie dormant if it detects a sandbox environment, which is a tool cybersecurity researchers use to observe malware within a safe, controlled space.\r\nEmotet also uses C\u0026C servers to receive updates. This works in the same way as the operating system updates on your PC and can happen seamlessly and without any outward signs. This allows the attackers to install updated versions of the software, install additional malware such as other banking Trojans, or use the C\u0026C servers as a dumping ground for stolen information such as financial credentials, usernames and passwords, and email addresses.\r\nHow does Emotet spread?\r\nThe primary distribution method for Emotet is through malspam. Emotet ransacks your contacts list and sends itself to your friends, family, coworkers and clients. Since these emails are coming from your hijacked email account, the emails look less like spam and the recipients, feeling safe, are more inclined to click bad URLs and download infected files.\r\nIf a connected network is present, Emotet spreads using a list of common passwords, guessing its way onto other connected systems in a brute-force attack. If the password to the all-important human resources server is simply “password” then it’s likely Emotet will find its way there.\r\nResearchers initially thought Emotet also spread using the EternalBlue/DoublePulsar vulnerabilities, which were responsible for the WannaCry and NotPetya attacks. We know now that this isn’t the case. What led researchers to this conclusion was the fact that TrickBot, a Trojan often spread by Emotet, makes use of the EternalBlue exploit to spread itself across a given network. It was TrickBot, not Emotet, taking advantage of the EternalBlue/DoublePulsar vulnerabilities.\r\nWhat is the history of Emotet?\r\nFirst identified in 2014, Emotet continues to infect systems and hurt users to this day, which is why we’re still talking about it, unlike other trends from 2014 (Ice Bucket Challenge anyone?).\r\nVersion one of Emotet was designed to steal bank account details by intercepting internet traffic. A short time after, a new version of the software was detected. This version, dubbed Emotet version two, came packaged with several modules, including a money transfer system, a malspam module, and a banking module that targeted German and Austrian banks.\r\n“Current versions of the Emotet Trojan include the ability to install other malware to infected machines. This malware may include other banking Trojans or malspam delivery services.”\r\nBy January of 2015, a new version of Emotet appeared on the scene. Version three contained stealth modifications designed to keep the malware flying under the radar and added new Swiss banking targets.\r\nFast forward to 2018—new versions of the Emotet Trojan include the ability to install other malware to infected machines. This malware may include other Trojans and ransomware. Case in point, a July 2019 Emotet strike on Lake City, Florida cost the town $460,000 in ransomware payouts, according to Gizmodo. An analysis of the strike found Emotet served only as the initial infection vector. Once infected, Emotet downloaded another banking Trojan known as TrickBot and the Ryuk ransomware.\r\nAfter going relatively quiet for most of 2019, Emotet came back strong. In September of 2019, Malwarebytes Labs reported on a botnet-driven spam campaign targeting German, Polish, Italian, and English victims with craftily worded subject lines like “Payment Remittance Advice” and “Overdue invoice.” Opening the infected Microsoft Word document initiates a macro, which in turn downloads Emotet from compromised WordPress sites.\r\nWho does Emotet target?\r\nEveryone is a target for Emotet. To date, Emotet has hit individuals, companies, and government entities across the United States and Europe, stealing banking logins, financial data, and even Bitcoin wallets.\r\nOne noteworthy Emotet attack on the City of Allentown, PA, required direct help from Microsoft’s incident response team to clean up and reportedly cost the city upwards of $1M to fix.\r\nNow that Emotet is being used to download and deliver other banking Trojans, the list of targets is potentially even broader. Early versions of Emotet were used to attack banking customers in Germany. Later versions of Emotet targeted organizations in Canada, the United Kingdom, and the United States.\r\nHow can I protect myself from Emotet?\r\nYou’re already taking the first step towards protecting yourself and your users from Emotet by learning how Emotet works. Here are a few additional steps you can take:\r\n1. Keep your computer/endpoints up to date with the latest patches for Microsoft Windows. TrickBot is often delivered as a secondary Emotet payload, and we know TrickBot relies on the Windows EternalBlue vulnerability to do its dirty work, so patch that vulnerability before the cybercriminals can take advantage of it.\r\n2. Don’t download suspicious attachments or click a shady-looking link. Emotet can’t get that initial foothold on your system or network if you avoid those suspect emails. Take the time to educate your users on how to spot malspam.\r\n3. Educate yourself and your users on creating a strong password. While you’re at it, start using two-factor authentication.\r\n4. You can protect yourself and your users from Emotet with a robust cybersecurity program that includes multi-layered protection. Malwarebytes business and premium consumer products detect and block Emotet in real time.\r\nHow can I remove Emotet?\r\nIf you suspect you’ve already been infected by Emotet, don’t freak out. If your computer is connected to a network—isolate it immediately. Once isolated, proceed to patch and clean the infected system. But you’re not done yet. Because of the way Emotet spreads across your network, a clean computer can be re-infected when plugged back into an infected network. Clean each computer on your network one by one. It’s a tedious process, but Malwarebytes business solutions can make it easier, isolating and remediating infected endpoints and offering proactive protection against future Emotet infections.\r\nSource: https://www.malwarebytes.com/emotet/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.malwarebytes.com/emotet/"
	],
	"report_names": [
		"emotet"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434936,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/186b144386a331f520ebaa91736ab93a8690ec68.pdf",
		"text": "https://archive.orkl.eu/186b144386a331f520ebaa91736ab93a8690ec68.txt",
		"img": "https://archive.orkl.eu/186b144386a331f520ebaa91736ab93a8690ec68.jpg"
	}
}