{
	"id": "3142e5b3-1159-408c-b949-779d22c9698c",
	"created_at": "2026-04-06T00:21:41.024954Z",
	"updated_at": "2026-04-10T03:24:23.791689Z",
	"deleted_at": null,
	"sha1_hash": "1d1787f0e05bb6ef3a5cf5151728f12add1d0d3d",
	"title": "Emotet Analysis: New LNKs in the Infection Chain- The Monitor, Issue 20",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2743431,
	"plain_text": "Emotet Analysis: New LNKs in the Infection Chain- The Monitor,\r\nIssue 20\r\nBy George Glass, Elio Biasiotto\r\nPublished: 2022-05-27 · Archived: 2026-04-05 15:44:24 UTC\r\nKroll has been tracking Emotet since it was first identified in 2014, especially during its transition from a banking\r\nTrojan designed to primarily steal credentials and sensitive information to a multi-threat polymorphic\r\ndownloader for more destructive malware. Today, Emotet operators stand as one of the most prominent initial\r\naccess brokers, providing cybercriminals with access to organizations for a fee. For example, the partnership\r\nbetween the Emotet group and Conti ransomware operators is well known in the cybersecurity community.\r\nKroll frequently encounters Emotet in our incident response work and monitors Emotet activity closely in order to\r\nmaintain robust detection and mitigation guidance for clients. In recent weeks, Kroll has observed three significant\r\nchanges in the way that Emotet is delivered, architected and operated once an initial infection is successful:\r\nEmotet binary switched from 32-bit to 64-bit architecture\r\nEmotet developers experimenting with new delivery method using .LNK files\r\nEmotet dropping Cobalt Strike beacons immediately after infection\r\nKroll is pleased to share the research we have conducted with the greater information security community. Our\r\ngoal is to encourage further investigation that can better equip security professionals in preventing, detecting,\r\nmitigating and responding to cyberattacks.\r\nEmotet Malware Analysis\r\nEmotet operates as a botnet, with each infected device able to coordinate new malspam campaigns to continue the\r\nspread of the malware to more victims in different organizations. 
Kroll observed that as of April 22, 2022, the\r\nEmotet operators deployed a change to one of their most active botnet subgroups (tracked as Epoch4), affecting\r\nthe delivery mechanism of the loader part of the malware.\r\nHistorically, Emotet has commonly been introduced into a network through a malicious document (maldoc), such as a\r\nWord or Excel file, that contains a malicious payload within it. Recently, Kroll has observed a shift in Emotet’s\r\nmethod of distribution. The malware now leverages emails with password-protected .zip archive attachments that\r\ncontain .LNK files instead of malicious documents.\r\nLNK files are shortcut files that link to an application or file commonly found on a user’s desktop or throughout a\r\nsystem and end with an .LNK extension. LNK files can be created by the user or automatically by the Windows\r\noperating system. The .LNK files delivered by Emotet act as shortcuts that run embedded scripts when executed,\r\nas detailed below.\r\nhttps://www.kroll.com/en/insights/publications/cyber/monitor/emotet-analysis-new-lnk-in-the-infection-chain\r\nPage 1 of 13\n\nWhile packaging malicious PowerShell or VBScript in a .LNK file is not a new technique, it is the first time\r\nEmotet has been observed doing so. This could indicate that the developers are exploring other avenues of\r\ninfection to bypass current security controls and training, which tend to focus on detection and interception of\r\nmalicious documents.\r\n.LNK delivery keeps documents out of the attack chain:\r\nMethod 1: .ZIP -\u003e .LNK -\u003e CMD findstr -\u003e VBS -\u003e WScript -\u003e regsvr32\r\nMethod 2: .ZIP -\u003e .LNK -\u003e PowerShell -\u003e regsvr32\r\nComponent Breakdown\r\nEmotet Dropper\r\nThe latest initial infection vector used by Emotet comes in the form of a .zip file attached to an email. The .zip\r\narchive contains a shortcut (.LNK), which has the same name as the original .zip file. 
To date, the observed LNK\r\nfiles are consistently around 4KB in size. Since the early stages of this campaign, Kroll has already seen changes\r\nand updates to the malware delivery mechanics. At the beginning of the campaign, the LNK files initiated an\r\nembedded VBScript to download and execute the final Emotet payload. For example, the malware authors\r\nembedded the following command-line to run when the LNK file was clicked to find and execute the VBScript\r\ninside the LNK file:\r\ncmd.exe /v:on /c findstr \"rSIPPswjwCtKoZy.*\" Password2.doc.lnk \u003e \"%tmp%\\VEuIqlISMa.vbs\" \u0026 \"%tmp%\\VEuIqlISMa.vbs\"\r\nDue to an error in the LNK name contained in the command-line (Password2.doc.lnk), these did not work and\r\nwere quickly updated by Emotet’s operators.\r\nThis rapid release of an updated version in the wild indicates the operators are closely tracking the campaign for\r\ncourse correction. The new, working LNKs reference the PowerShell executable with malicious arguments, as\r\nshown in Kroll’s analysis of one of the malicious samples. Figure 1 shows the arguments contained in the output\r\nof Eric Zimmerman’s LECmd tool, used to analyze Emotet’s LNKs.\r\nFigure 1 – LECmd.exe output for Emotet’s malicious LNK\r\nThrough the use of LECmd.exe, Kroll identified a piece of metadata left by the creation of the file. Figure 2 shows\r\na SID (S-1-5-21-1499925678-132529631-3571256938-1001) contained in the LNK extra blocks.\r\nFigure 2 – SID contained in the metadata of the malicious LNK\r\nUsing this as a correlating data point, an open-source intelligence search for files containing this string yielded\r\ndozens of .zip and LNK files associated with this campaign. 
Kroll assesses with high confidence that any\r\nattachment containing this string is associated with this most recent Emotet campaign.\r\nThe successful LNK execution will result in the download of a file from one of six URLs, which will be saved to a\r\ntemp folder on the victim’s system and executed via regsvr32.exe. Figure 3 shows the decoded PowerShell script.\r\nFigure 3 – Decoded PowerShell downloader used by Emotet\r\nThe LNK execution will temporarily write the decoded script to the temp folder and execute it from there. The\r\nsame technique is used with the execution of the file downloaded from Emotet’s URLs, which has a random name\r\nand extension and is saved in the temp folder.\r\nLoader\r\nIn reviewing one of the downloaded files, Kroll noted it is a Visual C++, 64-bit DLL compiled on April 25, 2022,\r\nat 22:02:11 (UTC) (0x62670C53). Embedded within this DLL is the Emotet loader, whose purpose is to extract,\r\ndecrypt, and execute the final payload. Interestingly, Kroll parsed out a rich header from the executable that\r\nindicates it was compiled with Visual Studio 2005 8.0.\r\nThe first notable activity performed by the DLL is to allocate an area of memory with\r\nPAGE_EXECUTE_READWRITE protection, where the contents of another region of memory are decrypted and\r\ncopied. Figure 4 shows the decryption routine from the debugger which, in this case, used the key\r\nsfdvkc9(akuGGHIoLP. Finally, execution is passed to this area.\r\nFigure 4 – Decryption routine for the data written in the first VirtualAlloc\r\nDumping this area of memory revealed executable code that can be disassembled and statically analyzed.\r\nIts function is to load a specific resource of the DLL, decrypt it and pass the execution to it. 
This decrypted data is\r\nEmotet’s final DLL.\r\nFigures 5 and 6 show parts of the decompiled dumped code, where the names of Windows APIs are being passed\r\nas arguments to a function. This behavior is typically associated with API hashing, a technique used by Emotet to\r\nobfuscate the imported libraries.\r\nFigures 5 and 6 – API hashing used by the executable code in the first VirtualAlloc\r\nThe code will allocate a second region of memory with PAGE_EXECUTE_READWRITE permissions, where the\r\ncontents of a DLL’s resource are copied after being decrypted. Figure 7 shows some of the DLL’s\r\nresources. Highlighted is the resource used by the code, which stands out for two reasons: first, its size is\r\nunusually high (amounting to almost one-third of the total file size), and second, its high entropy (7.76) suggests\r\nthat it may be encrypted.\r\nFigure 7 – DLL’s resources: highlighted is the encrypted resource copied by the loader\r\nThe decryption routine of the last stage DLL is shown in Figure 8, along with a view of the memory dump where\r\nthe MZ header is being written.\r\nFigure 8 – Emotet’s final stage being decrypted and written in memory\r\nThis memory area is Emotet’s final payload, a DLL. Through a third call to VirtualAlloc, its sections will be\r\nmapped to another region of memory to fix relocations, and then executed.\r\nEmotet’s payload is a 64-bit DLL compiled on April 19, 2022, at 15:25:49 (UTC) (0x625ED47E). The original\r\nfilename, as is typical with the recent Emotet version, is Y.dll. It contains many encrypted strings, which will be\r\ndecrypted at runtime. 
Some of them are Emotet’s configuration (mainly, the network encryption keys) and a list of\r\ncommand-and-control (C2) IP addresses and ports, usually stored in the .data section.\r\nTo further hinder static analysis, the malware authors used control flow obfuscation techniques. Figure 9 shows an\r\nexample of this in the disassembler.\r\nFigure 9 – Example of control flow obfuscation used by the loader\r\nEmotet establishes and maintains persistence on the compromised system by creating a key in\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run. It instructs the system on startup to run a\r\nrandomly named copy of the loader that it has placed in the temp folder (Figure 10).\r\nFigure 10 – Registry key created for persistence\r\nIf the loader is executed with administrative privileges, it creates a new service that executes a copy of the\r\nmalware (Figure 11).\r\nFigure 11 – Service created when Emotet is run with administrative privileges\r\nEmotet’s successful installation will register the compromised host to a C2 server. An initial AES-encrypted HTTP\r\nPOST request containing information about the host is made to the C2 which, in turn, will respond with a\r\ncommand to execute. Commands can be divided into four main categories (Table 1).\r\nCommand\r\nDo nothing (sleep)\r\nUpdate or remove the binary\r\nLoad a module\r\nDownload and execute an EXE or a DLL\r\nTable 1 – Command execution categories from C2 server\r\nModules are one of the key aspects of Emotet’s core functionality. They allow for greater control of the\r\ncompromised host without the need to add malicious functionality to the loader. 
In fact, they are received by the\r\nC2 and are executed in-memory, leaving no trace on disk. Modules evolve continuously, with new ones being\r\nadded regularly by the authors, and more notorious ones being used more often (Table 2).\r\nFeature\r\nCredential stealing for various email clients and browsers\r\nSpam and reply-chain malspam\r\nNetwork traffic proxying\r\nMoving laterally through SMB\r\nTable 2 – Representative Features of Modules\r\nCountermeasures\r\nBelow is some guidance on the detection and prevention of Emotet infections. It is important to note that Emotet\r\nis an endpoint threat spread via email; therefore, endpoint detection and response (EDR) and antivirus tooling are\r\nimperative to disrupting this threat. Many of these recommendations can also be applied to other forms of email-borne malware.\r\nDetection\r\nUnderstanding the initial infection vector is critical to detecting Emotet infections at the earliest opportunity.\r\nEmotet developers continue to experiment with methods of infection, and as such, it is important to test and\r\ndevelop detection methods as the threat changes. 
For example, consider using MITRE ATT\u0026CK mapping for\r\nEmotet malware (Table 3).\r\nMITRE Techniques\r\nT1552.001 – Credentials In Files\r\nT1021.002 – SMB/Windows Admin Shares\r\nT1555.003 – Credentials from Web Browsers\r\nT1547.001 – Registry Run Keys / Startup Folder\r\nT1065 – Uncommonly Used Port\r\nT1114.001 – Local Email Collection\r\nT1560 – Archive Collected Data\r\nT1210 – Exploitation of Remote Services\r\nT1003.001 – LSASS Memory\r\nT1059.001 – PowerShell\r\nT1087.003 – Email Account\r\nT1566.002 – Spearphishing Link\r\nT1566.001 – Spearphishing Attachment\r\nT1055.001 – Dynamic-link Library Injection\r\nT1053.005 – Scheduled Task\r\nT1204.002 – Malicious File\r\nT1057 – Process Discovery\r\nT1027 – Obfuscated Files or Information\r\nT1059.003 – Windows Command Shell\r\nT1110.001 – Password Guessing\r\nT1573.002 – Asymmetric Cryptography\r\nT1047 – Windows Management Instrumentation\r\nT1059.005 – Visual Basic\r\nT1204.001 – Malicious Link\r\nT1078.003 – Local Accounts\r\nT1571 – Non-Standard Port\r\nT1094 – Custom Command and Control Protocol\r\nT1027.002 – Software Packing\r\nT1041 – Exfiltration Over C2 Channel\r\nT1043 – Commonly Used Port\r\nT1040 – Network Sniffing\r\nTable 3 – MITRE ATT\u0026CK mapping\r\nEndpoint Detection\r\nSince malicious email delivery may not always be preventable, detection of Emotet at the earliest opportunity is\r\nkey for rapid containment and remediation. 
Below are some early detection opportunities:\r\nT1566.001 – Spear Phishing Attachment and Child Processes\r\nDetect execution of Excel 4.0 macros\r\nDetect Office spawning subprocesses such as CMD.exe, PowerShell*.exe, wscript.exe, cscript.exe,\r\nmshta.exe, wmic.exe, msbuild.exe\r\nEmotet has previously exploited CVE-2017-11882, a remote code execution flaw in the Microsoft\r\nEquation Editor. Detecting network connections from eqnedt32.exe can be an indicator of exploitation.\r\n \r\nT1059.005 – Visual Basic\r\nEmotet is still delivering malicious documents which use Excel 4.0 and VBA macros.\r\nDetect Visual Basic spawning child processes such as CMD.exe, PowerShell*.exe, wscript.exe,\r\ncscript.exe, mshta.exe, wmic.exe, msbuild.exe, certutil.exe\r\n \r\nT1059.001 – PowerShell Execution\r\nPowerShell executing encoded commands\r\nPowerShell obfuscation methods, detect scripts that include “.value.tostring”\r\nPowerShell connecting to the internet, specifically TCP client connections, and “iex” execution\r\n \r\nT1055.001 – Dynamic-link Library Injection:\r\nEmotet will use “living off the land” binaries (LOLBins) to perform DLL injection.\r\nDetect DLL proxy execution via calls to mavinject.exe and mavinject32.exe processes from\r\nappvclient.exe\r\nDetect DLL proxy execution via calls to rundll32.exe\r\n \r\nPrevention\r\nConsider deploying endpoint detection and response (EDR) and next generation antivirus (NGAV) to all\r\ndevices within your environments to allow for early detection.\r\nReview inbound email policy and consider quarantining attachments from unknown or untrusted senders.\r\nBlock users from opening non-standard files such as the following:\r\n.iso, .dll, .jar, .js, .lib, .mst, .msp, .bat, .cmd, .com, .cpl, .msi, .msix.\r\nRun awareness campaigns for this latest Emotet tactic. 
The download link phishing page may reference the\r\norganization and user by name, increasing the apparent legitimacy.\r\nAdhere to the principle of least privilege, so you can significantly reduce the potential damage an attacker\r\ncan inflict.\r\n \r\nRemediation\r\nTreat any Emotet infection as a potential precursor to a ransomware event. Immediately initiate incident response\r\nplaybooks. Consider including the following steps to contain an Emotet infection:\r\nIsolate the affected endpoint.\r\nConsider all data, including emails, passwords, accounts, and documents on the affected endpoint as being\r\nat risk, until verified with network logs or a DFIR investigation of the endpoint.\r\nIdentify the email which delivered Emotet.\r\nSearch the mail system for matching emails which were sent to other staff members and remove the emails\r\nfrom their inboxes.\r\nBlock the sender.\r\nInspect logs for Emotet spreading via internal emails, SMB, WMIC, or PsExec.\r\n \r\nConclusion\r\nThe ongoing development of Emotet reflects a significant time investment by the developers. Emotet changed\r\nregularly before the takedown by law enforcement on April 25, 2021, but the cadence of updates and spam\r\ncampaigns has rapidly increased since its resurgence in November 2021.\r\nThe latest shift away from its reliance on malicious documents or Excel spreadsheets demonstrates that the\r\noperators believe they will see diminishing returns from using maldocs. This could be because they have seen\r\nreduced effectiveness in malware delivery or installation. 
They may also wish to preempt coming changes that\r\nMicrosoft has announced in the way Windows handles documents with the Mark of the Web (MOTW) by\r\nautomatically disabling execution of macros on files downloaded from the internet.\r\nWe have observed other actors exploring new ways of delivering malware to victims:\r\nUse of .ISO containers to remove MOTW from documents or to bypass inline email defenses, which has\r\nnotably been used by the IcedID malware\r\nContinued use of password-protected .zip attachments, as these are typically unable to be inspected by\r\ninline email security tooling\r\nAlthough undoubtedly bruised by last year’s disruption, Emotet is certainly not dead. We assess that the Emotet\r\ndevelopers will likely keep experimenting with new infection chains at this increased cadence. We also assess that\r\nthe Emotet operators will move forward with large spam campaigns in order to rebuild the botnet, thus allowing\r\nthem to sell the initial access they have gained to realize their return on investment.\r\nThe article above was extracted from The Monitor newsletter, a monthly digest of Kroll’s global cyber risk case\r\nintake. The Monitor also includes an analysis of the month’s most popular threat types investigated by our cyber\r\nexperts. Subscription is available below.\r\nSource: https://www.kroll.com/en/insights/publications/cyber/monitor/emotet-analysis-new-lnk-in-the-infection-chain",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.kroll.com/en/insights/publications/cyber/monitor/emotet-analysis-new-lnk-in-the-infection-chain"
	],
	"report_names": [
		"emotet-analysis-new-lnk-in-the-infection-chain"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434901,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1d1787f0e05bb6ef3a5cf5151728f12add1d0d3d.pdf",
		"text": "https://archive.orkl.eu/1d1787f0e05bb6ef3a5cf5151728f12add1d0d3d.txt",
		"img": "https://archive.orkl.eu/1d1787f0e05bb6ef3a5cf5151728f12add1d0d3d.jpg"
	}
}