{
	"id": "506643b8-4c7c-4999-86bb-661e0f2cdeb9",
	"created_at": "2026-04-06T00:20:10.935739Z",
	"updated_at": "2026-04-10T03:21:20.227794Z",
	"deleted_at": null,
	"sha1_hash": "37ad33b60e132a3ca0fa09e9288f32c998d6c503",
	"title": "Emotet Activity Identified",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 276090,
	"plain_text": "Emotet Activity Identified\r\nArchived: 2026-04-05 17:18:34 UTC\r\nTHE THREAT\r\nAs of November 15th, 2021, multiple sources [1] [2] have observed activity associated with the Emotet malware. This activity includes malware delivery through email and existing infections.\r\nSuccessful Emotet payload execution has not been observed across customers at this time. The Threat Intelligence team assesses with medium confidence that current campaigns are focused on re-establishing botnet infrastructure following law enforcement's action to take down the botnet in January 2021 [3]. Email delivery techniques and payload execution remain consistent with or similar to past Emotet infections. The eSentire Threat Intelligence team assesses, with medium confidence, that Emotet’s email campaigns will continue.\r\nWhat we’re doing about it\r\neSentire MDR for Network and Endpoint have rules in place to detect Emotet.\r\nIP addresses associated with Emotet have been blocked via MDR for Network.\r\nThreat hunting has been performed for all eSentire MDR for Endpoint customers.\r\neSentire security teams are tracking this threat for additional detection and prevention opportunities.\r\nWhat you should do about it\r\nEmploy email filtering and protection measures\r\nBlock or quarantine email attachments such as EXEs, password-protected Zip archives, JavaScript, and Visual Basic scripts.\r\nImplement anti-spoofing measures such as DMARC and SPF.\r\nEmploy an MFA solution to reduce the impact of compromised credentials.\r\nTrain users to identify and report suspicious emails, including those from trusted contacts.\r\nProtect endpoints against malware\r\nEnsure antivirus signatures are up to date.\r\nUse a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) product to detect and contain threats.\r\nLimit or disable macros across the organization. See the UK's National Cyber Centre guidance on Macro Security.\r\nAdditional information\r\nhttps://www.esentire.com/security-advisories/emotet-activity-identified\r\nPage 1 of 3\r\nEmotet is an information stealer malware that is also used for initial access by multiple threats such as Qakbot and Trickbot. Emotet has previously been observed leading to Ryuk, Conti, ProLock, and Egregor ransomware threats. As of this writing, follow-on malware has not been observed in these latest campaigns. Emotet activity halted in early 2021, after law enforcement acted against the Emotet threat and seized malicious infrastructure. Recent activity is believed to be focused on re-establishing botnet hosts.\r\nOverview of November 15th to 17th 2021 Emotet Activity\r\nDistribution\r\nExisting Trickbot infections.\r\nMass email delivery.\r\nEmotet Email Content\r\nSpoofed replies to stolen email threads (email thread hijacking).\r\nExcel (.xlsm) attachments.\r\nWord (.docm) attachments.\r\nPassword-protected Zip archives containing malicious Office documents.\r\nLinks to malicious Office documents.\r\nMalicious Office Documents\r\nUse of standard lures to entice recipients to enable macros (see images below).\r\nSuccessful macro execution results in PowerShell commands that retrieve and execute payloads via rundll32.exe.\r\nNo secondary payloads have been observed as of the time of writing.\r\nFigure 1: Malicious Word Document\r\nFigure 2: Malicious Excel Document\r\nA detailed breakdown of the current infection scheme can be found here:\r\nhttps://isc.sans.edu/forums/diary/Emotet+Returns/28044/\r\nReferences:\r\n[1] https://isc.sans.edu/forums/diary/Emotet+Returns/28044/\r\n[2] https://twitter.com/Cryptolaemus1/status/1460302706954981385\r\n[3] https://www.europol.europa.eu/newsroom/news/world%E2%80%99s-most-dangerous-malware-emotet-disrupted-through-global-action\r\nSource: https://www.esentire.com/security-advisories/emotet-activity-identified",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.esentire.com/security-advisories/emotet-activity-identified"
	],
	"report_names": [
		"emotet-activity-identified"
	],
	"threat_actors": [],
	"ts_created_at": 1775434810,
	"ts_updated_at": 1775791280,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/37ad33b60e132a3ca0fa09e9288f32c998d6c503.pdf",
		"text": "https://archive.orkl.eu/37ad33b60e132a3ca0fa09e9288f32c998d6c503.txt",
		"img": "https://archive.orkl.eu/37ad33b60e132a3ca0fa09e9288f32c998d6c503.jpg"
	}
}