{
	"id": "57cbad36-7142-478a-85a9-9d7962b16a51",
	"created_at": "2026-04-06T00:09:27.084556Z",
	"updated_at": "2026-04-10T13:12:46.005181Z",
	"deleted_at": null,
	"sha1_hash": "2927b96671b43c44e64d097a49cf3a415e211c55",
	"title": "A vigilante is sabotaging the Emotet botnet by replacing malware payloads with GIFs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1364453,
	"plain_text": "A vigilante is sabotaging the Emotet botnet by replacing malware payloads with GIFs\r\nBy Catalin Cimpanu, Contributor, July 24, 2020 at 9:41 a.m. PT\r\nArchived: 2026-04-05 19:44:42 UTC\r\nImage: Snapshot from Kung Fury movie\r\nAn unknown vigilante hacker has been sabotaging the operations of the recently revived Emotet botnet by replacing Emotet payloads with animated GIFs, effectively preventing victims from getting infected.\r\nThe sabotage, which started three days ago, on July 21, has grown from a simple joke into a serious problem affecting a large portion of the Emotet operation.\r\nAccording to Cryptolaemus, a group of white-hat security researchers tracking the Emotet botnet, the vigilante is now poisoning around a quarter of all Emotet payload downloads.\r\nWhat's actually happening -- the simplified version\r\nEmotet is a complex, multi-component machine. To understand what is really happening here, a quick introduction to Emotet's internal structure and distribution mechanism is needed.\r\nThe botnet works by spamming targets with emails purporting to be business-related communications. These emails either contain a malicious Office document or a link to a malicious Office file that users are told to download to their PCs.\r\nhttps://www.zdnet.com/article/a-vigilante-is-sabotaging-the-emotet-botnet-by-replacing-malware-payloads-with-gifs/\r\nPage 1 of 3\r\nWhen users open one of these files and click links inside the file or use the \"Enable Editing\" feature to allow macros (automated scripts) to execute, those scripts download the Emotet malware and several of its components from the internet.\r\nBy \"the internet\" we actually mean \"hacked WordPress sites\", where the Emotet gang temporarily stores its malware's components (or \"payloads\" in infosec jargon).\r\nThese temporary hosting locations are also Emotet's Achilles' heel.\r\nThe Emotet gang controls these hacked sites via web shells -- a type of malware installed on hacked servers to let intruders manipulate the server.\r\nBut the Emotet gang isn't using the best web shells available. As was pointed out last year, the Emotet gang uses open-source scripts and employs the same password for all of its web shells, exposing its infrastructure to easy hijacking by anyone who can guess that password.\r\nThe Emotet payload distribution method is super insecure, they deploy an open source webshell off GitHub into the WordPress sites they hack, all with the same password, so anybody can change the payloads infected PCs are receiving.\r\n— Kevin Beaumont (@GossiTheDog) December 27, 2019\r\nThe Emotet sabotage\r\nEmotet, considered today's most dangerous malware strain/botnet, was recently silent for more than five months and came back to life last week.\r\nSince Tuesday, an unknown vigilante appears to have discovered this common password and has been abusing the weakness to sabotage Emotet's comeback.\r\nThe unknown intruder has been replacing Emotet payloads on some of the hacked WordPress sites with animated GIFs -- which means that when Emotet victims open the malicious Office files, they won't get infected, as the Emotet malware won't be downloaded and executed on their systems.\r\nOver the past three days, the intruder has replaced the Emotet payloads with several popular GIFs.\r\nThe first, spotted on Tuesday, was this Blink-182 \"WTF\" GIF.\r\nOn the second day, the intruder moved to a James Franco GIF.\r\nAfter that came the Hackerman GIF.\r\nThere is no change in the pattern of #Emotet hosting sites in Japan.\r\nchoiphui[.]com\r\n133.130.109.0\r\n(PTR: v133-130-109-0[.]a038[.]g[.]tyo1[.]static[.]cnode[.]io.)\r\nlinhgiangcorp[.]com\r\n133.130.97.61\r\n(PTR: v133-130-97-61[.]a026[.]g[.]tyo1[.]static[.]cnode[.]io.)\r\nThey have been replaced with the HACKERMAN GIF. pic.twitter.com/efxnbfaGfc\r\n— tike (@tiketiketikeke) July 24, 2020\r\nThe GIFs are taken at random from either Imgur or Giphy, two GIF-hosting services.\r\nDefacements are impacting Emotet activity\r\nThe defacements started slowly, but currently around a quarter of all daily Emotet payload links are being replaced with GIFs, causing serious operational losses for the Emotet gang.\r\nAccording to Cryptolaemus member Joseph Roosen, the Emotet gang is well aware of the issue. In a conversation yesterday, Roosen told ZDNet the Emotet botnet was down on Thursday, as the Emotet gang apparently tried to root the attacker out of its web shell network.\r\nDespite Emotet's efforts, Roosen said that today the vigilante was still present and replacing Emotet payloads with GIF files, although the Emotet gang was quicker than before at spotting the replacement and restoring the original payload.\r\nOverall, the defacements appear to have caused Emotet activity to drop sharply this week.\r\n\"Since Ivan [the Emotet admin] was having technical difficulties today, the hashes are way down and we barely saw much of anything,\" Roosen wrote in a daily Emotet update.\r\nThe security researcher estimates that Emotet is now working at around a quarter of its normal capacity, as Ivan and the rest of the Emotet crew are still wrestling for control of their web shells.\r\nCurrently, the identity of the vigilante is unknown. Based on various theories expressed online, the primary suspects are either a rival malware gang or a member of the cyber-security industry.\r\nSource: https://www.zdnet.com/article/a-vigilante-is-sabotaging-the-emotet-botnet-by-replacing-malware-payloads-with-gifs/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zdnet.com/article/a-vigilante-is-sabotaging-the-emotet-botnet-by-replacing-malware-payloads-with-gifs/"
	],
	"report_names": [
		"a-vigilante-is-sabotaging-the-emotet-botnet-by-replacing-malware-payloads-with-gifs"
	],
	"threat_actors": [
		{
			"id": "f276b8a6-73c9-494a-8ab2-13e2f1da4c53",
			"created_at": "2022-10-25T16:07:24.441133Z",
			"updated_at": "2026-04-10T02:00:04.993411Z",
			"deleted_at": null,
			"main_name": "Achilles",
			"aliases": [],
			"source_name": "ETDA:Achilles",
			"tools": [
				"RDP",
				"Remote Desktop Protocol"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434167,
	"ts_updated_at": 1775826766,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2927b96671b43c44e64d097a49cf3a415e211c55.pdf",
		"text": "https://archive.orkl.eu/2927b96671b43c44e64d097a49cf3a415e211c55.txt",
		"img": "https://archive.orkl.eu/2927b96671b43c44e64d097a49cf3a415e211c55.jpg"
	}
}