{
	"id": "b3599614-1eca-4973-aad2-148b720bd747",
	"created_at": "2026-04-06T00:08:20.870874Z",
	"updated_at": "2026-04-10T03:21:14.71864Z",
	"deleted_at": null,
	"sha1_hash": "2be26aa392f1443e6f65f2bd3bccb31669461a70",
	"title": "Emotet coming in hot",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 711730,
	"plain_text": "Emotet coming in hot\r\nBy Cisco Talos\r\nPublished: 2022-11-08 · Archived: 2026-04-05 18:24:16 UTC\r\nTuesday, November 8, 2022 11:38\r\nEmotet is a ubiquitous and well-known banking trojan that has evolved over the years to become a very successful\r\nmodular botnet capable of dropping a variety of other threats. Even after a global takedown campaign in early\r\n2021 disrupted the botnet, it reemerged later that year, rebuilding its infrastructure and becoming highly active in a\r\nshort time.\r\nEmotet is back again with a new campaign displaying many characteristics of older runs, including the use of\r\nAuto_Open macros inside XLS documents. Cisco Talos has observed an increased activity of spam distributing\r\nthis new strain beginning in early November 2022, and the volume of spam and Emotet infrastructure has been\r\nincreasing since then to target multiple geographies around the world.\r\nTechnical details\r\nFollowing Microsoft’s recent announcement that it would begin disabling macros by default in Office documents\r\ndownloaded from the internet, many malware families have begun migrating away from Office macros to other\r\ndelivery mechanisms like ISO and LNK files. Therefore, it is interesting to note that this new campaign of Emotet\r\nis using its old method of distributing malicious MS Office documents (maldocs) via email-based phishing.\r\nThe malware is delivered via email spam messages that contain a zip file with a XLS file inside, or the XLS\r\nattached directly to the email. Based on the samples Talos observed, the messages have minimal content in the\r\nemail body, typically only consisting of a filename and password. 
These emails might either be new emails arriving in a victim’s inbox or can even pose as responses to an existing, hijacked thread:\r\nhttps://blog.talosintelligence.com/emotet-coming-in-hot/\r\nPage 1 of 7\r\nIn order to bypass Microsoft’s protection for macros downloaded from the internet, Emotet is using social engineering to convince victims to copy the maldoc to a trusted location, a whitelisted folder where the macro protection is not applied:\r\nUpon opening the maldoc, a message is displayed asking the victim to copy the maldoc to a folder that does not have macro protections activated. If the victim believes the fake security policy message and does as it asks, the document is opened without any restriction on executing the macro. Once the file is in the right place, there is no message about macros being blocked anymore:\r\nThe documents might look empty, but they contain hidden sheets with text in them, which the VBA macro uses to assemble the URL from which the Emotet malware is downloaded. By simply un-hiding the sheets and copying the text to a text editor, we can see the content of these sheets:\r\nA request is made to one of the URLs recovered from the hidden sheets. Other malware has used this method in the past; Qakbot, for example, used XLSB files to perform a similar trick. The content of the remote page is then dropped in the C:\\Windows\\System32 folder under one of the file names also stored in the hidden sheets.\r\nBased on their timestamps, most of these documents were created in early November. 
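The hidden-sheet trick described above, as an added example that is neither Talos code nor the malware’s own: a stdlib-only script that builds a constructed workbook with one visible, empty sheet and one veryHidden sheet holding URL fragments, then does programmatically what the analyst does by hand after un-hiding the sheets: it reads xl/workbook.xml for sheet states, follows the relationships to each hidden sheet, resolves shared and inline strings, and joins each column top to bottom to recover URL candidates. Two assumptions are labelled in the code: the OOXML (.xlsx) container stands in for the BIFF .xls the campaign actually used, because a BIFF parser is out of scope here (olevba from oletools or xlrd handle the real files), and column-wise concatenation is only one plausible reassembly order, the real order being whatever the macro implements. All URLs and file names are placeholders.

```python
# Added example, not Cisco Talos code. Assumption: an OOXML (.xlsx) package is
# used here instead of the BIFF .xls the campaign shipped, so the parser stays
# stdlib-only; the workbook, its URLs and file names are constructed placeholders.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = '{http://schemas.openxmlformats.org/spreadsheetml/2006/main}'
NS_R = '{http://schemas.openxmlformats.org/officeDocument/2006/relationships}'
NS_PKG = '{http://schemas.openxmlformats.org/package/2006/relationships}'
URL_RE = re.compile(r'https?://[!-~]+', re.IGNORECASE)
WS_TYPE = 'http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet'


def build_sample_xlsx() -> bytes:
    '''Constructed workbook: Sheet1 is visible and empty, Data is veryHidden and
    holds URL fragments spread over cells (shared strings plus one inline string).'''
    workbook = '''<workbook xmlns='http://schemas.openxmlformats.org/spreadsheetml/2006/main'
 xmlns:r='http://schemas.openxmlformats.org/officeDocument/2006/relationships'>
 <sheets>
  <sheet name='Sheet1' sheetId='1' r:id='rId1'/>
  <sheet name='Data' sheetId='2' state='veryHidden' r:id='rId2'/>
 </sheets>
</workbook>'''
    rels = '''<Relationships xmlns='http://schemas.openxmlformats.org/package/2006/relationships'>
 <Relationship Id='rId1' Target='worksheets/sheet1.xml' Type='%s'/>
 <Relationship Id='rId2' Target='worksheets/sheet2.xml' Type='%s'/>
</Relationships>''' % (WS_TYPE, WS_TYPE)
    shared = '''<sst xmlns='http://schemas.openxmlformats.org/spreadsheetml/2006/main'>
 <si><t>http://</t></si><si><t>example.invalid/wp-admin/</t></si><si><t>a.dll</t></si>
 <si><t>https://</t></si><si><t>b.dll</t></si>
</sst>'''
    sheet1 = '''<worksheet xmlns='http://schemas.openxmlformats.org/spreadsheetml/2006/main'>
 <sheetData/></worksheet>'''
    sheet2 = '''<worksheet xmlns='http://schemas.openxmlformats.org/spreadsheetml/2006/main'>
 <sheetData>
  <row r='1'><c r='A1' t='s'><v>0</v></c><c r='B1' t='s'><v>3</v></c></row>
  <row r='2'><c r='A2' t='s'><v>1</v></c>
   <c r='B2' t='inlineStr'><is><t>example.invalid/data/</t></is></c></row>
  <row r='3'><c r='A3' t='s'><v>2</v></c><c r='B3' t='s'><v>4</v></c></row>
 </sheetData>
</worksheet>'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:   # minimal package; Excel itself would want more parts
        zf.writestr('xl/workbook.xml', workbook)
        zf.writestr('xl/_rels/workbook.xml.rels', rels)
        zf.writestr('xl/sharedStrings.xml', shared)
        zf.writestr('xl/worksheets/sheet1.xml', sheet1)
        zf.writestr('xl/worksheets/sheet2.xml', sheet2)
    return buf.getvalue()


def cell_text(cell, shared: list) -> str:
    '''Resolve one <c> element: shared-string index, inline string, or raw value.'''
    kind = cell.get('t')
    if kind == 'inlineStr':
        return ''.join(t.text or '' for t in cell.iter(NS_MAIN + 't'))
    value = cell.find(NS_MAIN + 'v')
    if value is None or value.text is None:
        return ''
    return shared[int(value.text)] if kind == 's' else value.text


def hidden_sheet_columns(xlsx: bytes) -> dict:
    '''Map each hidden/veryHidden sheet name to {column letter: [cell strings in row order]}.'''
    with zipfile.ZipFile(io.BytesIO(xlsx)) as zf:
        shared = []
        if 'xl/sharedStrings.xml' in zf.namelist():
            sst = ET.fromstring(zf.read('xl/sharedStrings.xml'))
            shared = [''.join(t.text or '' for t in si.iter(NS_MAIN + 't'))
                      for si in sst.iter(NS_MAIN + 'si')]
        rels_root = ET.fromstring(zf.read('xl/_rels/workbook.xml.rels'))
        rels = {r.get('Id'): r.get('Target') for r in rels_root.iter(NS_PKG + 'Relationship')}
        result = {}
        for sheet in ET.fromstring(zf.read('xl/workbook.xml')).iter(NS_MAIN + 'sheet'):
            if sheet.get('state', 'visible') == 'visible':
                continue        # only hidden and veryHidden sheets are of interest
            target = rels[sheet.get(NS_R + 'id')]
            part = target.lstrip('/') if target.startswith('/') else 'xl/' + target
            columns = {}
            for cell in ET.fromstring(zf.read(part)).iter(NS_MAIN + 'c'):
                text = cell_text(cell, shared)
                if text:
                    col = cell.get('r', '').rstrip('0123456789')
                    columns.setdefault(col, []).append(text)
            result[sheet.get('name')] = columns
    return result


def candidate_urls(sheets: dict) -> list:
    '''Assumption: fragments are joined per column, top to bottom; the true order
    is whatever the macro implements. Keep whatever then looks like a URL.'''
    urls = []
    for columns in sheets.values():
        for fragments in columns.values():
            urls.extend(URL_RE.findall(''.join(fragments)))
    return urls


if __name__ == '__main__':
    found = hidden_sheet_columns(build_sample_xlsx())
    for name, columns in found.items():
        print(name, columns)
    print(candidate_urls(found))
```

Pointing hidden_sheet_columns at a real .xlsx dropper shows the fragment layout directly; the join order in candidate_urls is the part to adjust once the macro has been read, since families differ in whether they walk rows, columns or scattered cell references.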
Sample subset of maldocs clustered by creation date/time stamps:\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall Management Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 
Snort SIDs for this threat are: 43890-43892, 44559, 44560, 47616, 47617, 48402, 49888, 49889, 51967-51971, 52029, 53108, 53353-53360, 53770, 53771, 54804, 54805, 54900, 54901, 54924, 54925, 55253, 55254, 55591, 55592, 55781, 55782, 55787, 55788, 55869, 55870, 55873, 55874, 55929-55931, 56003, 56046, 56047, 56170, 56171, 56713, 56528, 56529, 56535, 56536, 56620, 56621, 56656, 56657, 56714, 56906, 56907, 56924, 56925, 56969, 56970, 56983, 56984, 57901, 58943\r\nThe following ClamAV detections are also available for this threat:\r\nXls.Downloader.Emotet-b649c93692b4c9d9-9976616-0\r\nWin.Trojan.Botx-9976975-0\r\nWin.Trojan.Botx-9976976-0\r\nIndicators of Compromise\r\nThe IOC list is available in Talos' Github repo here.\r\nSource: https://blog.talosintelligence.com/emotet-coming-in-hot/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/emotet-coming-in-hot/"
	],
	"report_names": [
		"emotet-coming-in-hot"
	],
	"threat_actors": [],
	"ts_created_at": 1775434100,
	"ts_updated_at": 1775791274,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2be26aa392f1443e6f65f2bd3bccb31669461a70.pdf",
		"text": "https://archive.orkl.eu/2be26aa392f1443e6f65f2bd3bccb31669461a70.txt",
		"img": "https://archive.orkl.eu/2be26aa392f1443e6f65f2bd3bccb31669461a70.jpg"
	}
}