{
	"id": "1e07ad22-1de4-410c-859e-921471d50cd1",
	"created_at": "2026-04-06T00:15:20.173865Z",
	"updated_at": "2026-04-10T03:20:07.020609Z",
	"deleted_at": null,
	"sha1_hash": "2900b089877d8ce3ad0fd2e4be814ec1a201cc70",
	"title": "Emotet malware is back and rebuilding its botnet via TrickBot",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1043353,
	"plain_text": "Emotet malware is back and rebuilding its botnet via TrickBot\r\nBy Lawrence Abrams\r\nPublished: 2021-11-15 · Archived: 2026-04-05 17:24:05 UTC\r\nThe Emotet malware was considered the most widely spread malware in the past, using spam campaigns and malicious attachments to distribute the malware.\r\nEmotet would then use infected devices to perform other spam campaigns and install other payloads, such as the QakBot (Qbot) and Trickbot malware. These payloads would then be used to provide initial access to threat actors to deploy ransomware, including Ryuk, Conti, ProLock, Egregor, and many others.\r\nAt the beginning of the year, an international law enforcement action coordinated by Europol and Eurojust took over the Emotet infrastructure and arrested two individuals.\r\nhttps://www.bleepingcomputer.com/news/security/emotet-malware-is-back-and-rebuilding-its-botnet-via-trickbot/\r\nPage 1 of 4\r\nGerman law enforcement used the infrastructure to deliver an Emotet module that uninstalled the malware from infected devices on April 25th, 2021.\r\nEmotet returns after law enforcement operation\r\nToday, Emotet research group Cryptolaemus, GData, and Advanced Intel have begun to see the TrickBot malware dropping a loader for Emotet on infected devices.\r\nWhile in the past Emotet installed TrickBot, the threat actors are now using a method that the Cryptolaemus group calls \"Operation Reacharound,\" which rebuilds the botnet using TrickBot's existing infrastructure.\r\nEmotet expert and Cryptolaemus researcher Joseph Roosen told BleepingComputer that they had not seen any signs of the Emotet botnet performing spamming activity or found any malicious documents dropping the malware.\r\nThis lack of spamming activity is likely due to the rebuilding of the Emotet infrastructure from scratch and new reply-chain emails being stolen from victims in future spam campaigns.\r\nCryptolaemus has begun analyzing the new Emotet loader and told BleepingComputer that it includes new changes compared to the previous variants.\r\n\"So far we can definitely confirm that the command buffer has changed. There's now 7 commands instead of 3-4. Seems to be various execution options for downloaded binaries (since it's not just dlls),\" Cryptolaemus researchers told BleepingComputer.\r\nAdvanced Intel's Vitali Kremez has also analyzed the new Emotet dropper and warned that the rebirth of the malware botnet would likely lead to a surge in ransomware infections.\r\n\"It is an early sign of the possible impending Emotet malware activity fueling major ransomware operations globally given the shortage of the commodity loader ecosystem,\" Kremez told BleepingComputer in a conversation.\r\n\"It also tells us that the Emotet takedown did not prevent the adversaries from obtaining the malware builder and setting up the backend system bringing it back to life.\"\r\nSamples of the Emotet loader dropped by TrickBot can be found at Urlhaus.\r\nKremez told BleepingComputer that the current Emotet loader DLL has a compilation timestamp of \"6191769A (Sun Nov 14 20:50:34 2021).\"\r\nDefending against the new Emotet botnet\r\nMalware tracking non-profit organization Abuse.ch has released a list of command and control servers utilized by the new Emotet botnet and strongly suggests network admins block the associated IP addresses.\r\nUnfortunately, the new Emotet infrastructure is growing rapidly, with over 246 infected devices already acting as command and control servers.\r\nNetwork administrators are strongly advised to block all associated IP addresses to prevent their devices from being recruited into the newly reformed Emotet botnet.\r\nUpdate 11/16/21: Updated to include source of Operation RA.\r\nSource: https://www.bleepingcomputer.com/news/security/emotet-malware-is-back-and-rebuilding-its-botnet-via-trickbot/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/emotet-malware-is-back-and-rebuilding-its-botnet-via-trickbot/"
	],
	"report_names": [
		"emotet-malware-is-back-and-rebuilding-its-botnet-via-trickbot"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434520,
	"ts_updated_at": 1775791207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2900b089877d8ce3ad0fd2e4be814ec1a201cc70.pdf",
		"text": "https://archive.orkl.eu/2900b089877d8ce3ad0fd2e4be814ec1a201cc70.txt",
		"img": "https://archive.orkl.eu/2900b089877d8ce3ad0fd2e4be814ec1a201cc70.jpg"
	}
}