{
	"id": "aa15a975-8d7c-4fb9-9b7f-a14328b0a597",
	"created_at": "2026-04-06T00:10:34.377378Z",
	"updated_at": "2026-04-10T03:36:48.029538Z",
	"deleted_at": null,
	"sha1_hash": "3943cc4ef4fac2cda4620a4a393b9c1d4c3dc683",
	"title": "MS Office Files Involved Again in Recent Emotet Trojan Campaign – Part II | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 903037,
	"plain_text": "MS Office Files Involved Again in Recent Emotet Trojan\r\nCampaign – Part II | FortiGuard Labs\r\nBy Xiaopeng Zhang\r\nPublished: 2022-03-23 · Archived: 2026-04-05 13:42:10 UTC\r\nFortinet’s FortiGuard Labs recently captured more than 500 Microsoft Excel files involved in a campaign to\r\ndeliver a fresh Emotet Trojan onto the victim’s device.\r\nEmotet, known as a modular Trojan, was first discovered in the middle of 2014. Since then, it has become very\r\nactive, continually updating itself. It has also been highlighted in cybersecurity news from time to time. Emotet\r\nuses social engineering, like email, to lure recipients into opening attached document files (including Word, Excel,\r\nPDF, etc.) or to click links within the content of the email that downloads the latest Emotet variant onto the\r\nvictim’s device and then executes it.\r\nIn Part I of this post, I explained how this variant of Emotet is spread by malicious VBA code in Excel documents,\r\nhow the downloaded Emotet malware runs within a Rundll32 program, what kind of anti-analysis techniques this\r\nvariant uses, how it encrypts and submits its victim’s data to its C2 server, what Emotet does when it receives\r\nresponse data from the C2 server, and what Emotet does to enable persistence on the victim’s device.\r\nIn this post, you will learn what the data in response packets with malicious modules look like, what modules have\r\nbeen received from the C2 server for the current Emotet campaign, and how they are deployed in the victim’s\r\ndevice. 
You will also discover what sensitive data those modules steal from a victim’s device.\r\nAffected platforms: Microsoft Windows\r\nImpacted parties: 64-bit Windows Users\r\nImpact: Controls a victim’s device and collects sensitive information\r\nSeverity level: Critical\r\nWhen X.dll Receives a Response with a Module\r\nOnce the C2 server has processed and detected the first submitted packet that includes critical data—such as the\r\nvictim’s device system version, Windows architecture, etc.—it replies with malicious modules for Emotet to\r\nexecute in the victim’s device. All the received modules are fileless. That is, they only exist in memory and are\r\nprocessed by the X.dll (the core of Emotet) running in Rundll32.exe.\r\nhttps://www.fortinet.com/blog/threat-research/ms-office-files-involved-again-in-recent-emotet-trojan-campaign-part-ii\r\nPage 1 of 11\n\nFigure 1.1 – A decrypted module in the packet\r\nFigure 1.1 is a screenshot of X.dll’s code and memory. The bottom is a C2’s response packet, just decrypted in\r\nmemory by calling a function at 10012371. Referring to Figure 5.3 in part I of this series will help you understand\r\nthe structure of the packet.\r\nThe box marked in red is the verification data (99 DE … DD A5), a signed hash of the rest of the packet’s data. The\r\nfollowing dword, 0x00000000, marked in yellow, is a flag that tells Emotet how to run the replied module. 0x00\r\ntells it to execute the module in a newly-created thread. The binary block in blue is the module. It starts with the\r\nmodule size, 0x79400 in this example, and the rest is the module binary data (4D 5A 90 00 …).\r\nEmotet has to verify the decrypted data, as shown in Figure 1.1, using the 40H verification data.\r\nIt then deploys the received module into memory and prepares to execute it. It then calls its entry point in a newly\r\ncreated thread. 
This post will refer to this module as a “thread-module.” Its primary purposes are to extract and\r\nexecute the final functional module that steals sensitive data from the victim’s device and to submit the stolen data\r\nto its C2 server, which will be discussed later in this analysis. Figure 1.2 shows where the thread function ASM\r\ncode calls the entry point of the deployed thread-module.\r\nFigure 1.2 – Emotet thread function to call the thread-module’s entry point\r\nThread-Module — Performs Process Hollowing\r\nThe thread-module proceeds to decrypt a PE file, the final functional module, from its .text section into memory.\r\nTo execute this module, it performs process hollowing. It does this by copying a Windows file, “certutil.exe”,\r\nfrom either “%Windir%\\SysWOW64\\certutil.exe” or “%Windir%\\system32\\certutil.exe” into the “%temp%”\r\nfolder. It then renames it to a random file name, like “uvbubqj.exe”. Next, the thread-module creates a suspended\r\nprocess with this file.\r\nFigure 2.1 – Call API CreateProcessW() to create a suspended process\r\nAs you may see in the command line string in Figure 2.1, “uvbubqj.exe” is the copied “certutil.exe”, “/scomma”\r\nand the subsequent temporary file —“C:\\Users\\Bobs\\AppData\\Local\\Temp\\60B2.tmp” — are the parameters for\r\nthe process. The temporary file name is generated by calling the API GetTempFileNameW(). The path of the\r\ntemporary file “60B2.tmp” is read by the functional module and used to save stolen information. 
The sixth\r\nargument to CreateProcessW() is 0x00000004, which is a creation flag indicating “CREATE_SUSPENDED” with\r\nwhich CreateProcessW() creates a process and enters suspended status.\r\nIt then calls a group of APIs, like GetThreadContext(), VirtualAllocEx(), ReadProcessMemory(),\r\nWriteProcessMemory(), and so on, to inject the final functional module into the new process’ memory. The API\r\nSetThreadContext() is called later to set the new process’s EIP register pointing to the entry point of the functional\r\nmodule, which is invoked after calling the API ResumeThread().\r\nAfterward, the thread-module starts to monitor the temporary file in a loop until it is created with the stolen\r\ninformation from the victim’s device.\r\nLooking at the Functional Modules\r\nIn the above analysis, I explained how a C2 module is loaded and executed in the victim’s device.\r\nThe C2 server can return many modules, each going through the same process as described above. They will have\r\na thread-module, run in their thread, and perform their own process hollowing.\r\nI received three C2 modules. I will elaborate on how they work on the victim’s device in the following sections.\r\nModule1 - Stealing Credentials from a Victim’s Browsers\r\nA Self-Extracting packer protects this module. It decrypts a PE file when it runs, overrides the existing code of\r\n“certutil.exe”, and then gets it executed.\r\nThe unpacked PE file is a freeware called “WebBrowserPassView” developed by NirSoft. It was designed as a\r\npassword recovery tool but has been abused by malicious actors to steal the victim’s credentials. A user interface\r\ndisplays the saved credentials stored within several web browsers.\r\nFigure 3.1 – Open the WebBrowserPassView module\r\nFigure 3.1 shows what this module looks like when I open it in my test environment. 
This Emotet variant uses\r\nWebBrowserPassView v2.06.\r\nIts thread-module passes command line parameters like “/scomma\r\nC:\\Users\\Bobs\\AppData\\Local\\Temp\\7B3C.tmp” to the process, which can switch WebBrowserPassView to a No-Window mode and save the retrieved credentials to a given temporary file.\r\nFrom its code, I learned it could collect the credentials from a variety of web browsers:\r\nMicrosoft IE, Microsoft Edge, Google Chrome, Mozilla Firefox, Opera, Apple Safari, SeaMonkey, Yandex,\r\nVivaldi, Waterfox, and all other Chromium-based browsers.\r\nThe stolen credentials contain the following information:\r\n• URL: The URLs that credentials are saved for\r\n• Web Browser: The browser name that holds the credentials\r\n• User Name, Password: The credentials\r\n• Password Strength: Strong or weak\r\n• User Name Field: The control name of the user name field\r\n• Password Field: The string entered in the password field\r\n• Created Time: When it was saved\r\n• Modified Time: Time when credentials were updated\r\n• Filename: What file it has stolen the credentials from\r\nAll the credentials are saved in a temporary file.\r\nModule2 - Stealing Email Contact Information\r\nThis module steals its victim’s email contacts from their email folders inside Microsoft Outlook by going through\r\nthe victim’s emails one by one. It keeps the gathered contact information in a doubly-linked chain structure.\r\nFigure 4.1 shows one email contact obtained from an email within my test Outlook account that was then added\r\ninto the doubly-linked chain, as shown at the bottom. The collected data shows the Person name and Email\r\naddress of the email sender. 
In this example, it collected “Outlook” and “outlook@email2.office.com” from the\r\ndisplayed email message.\r\nFigure 4.1 – One stolen contact in a doubly-linked chain\r\nThis module enumerates all collected emails and puts the unique email contact information into the doubly linked\r\nchain. To collect Outlook’s data, it has to call several APIs, including MAPIInitialize(), MAPILogonEx(), and\r\nMAPIFreeBuffer(), as well as create some COM objects by calling the API CoCreateInstance(), such as\r\nOlkAccountManager and OlkMail.\r\nFinally, it retrieves those email contacts from the linked chain one by one and saves them into the temporary file\r\nthat comes from the command line parameter. Figure 4.2 shows a screenshot of the temporary file,\r\n“%temp%\\6827.tmp” in this example, along with the collected email contacts.\r\nFigure 4.2 – The temporary file with stolen email contact information\r\nModule3 - Stealing Account Settings of Victim’s Email Clients\r\nThis functional module focuses on stealing its victim’s email account settings and the credentials from their email\r\nclients. It is also a packer-protected module, so it does the same thing as Module1 when its entry point is called.\r\nAccording to my analysis, the unpacked PE file is an EXE file that is another freeware from NirSoft called “Mail\r\nPassView”. It was originally designed as a small password recovery tool for email clients. Emotet is using the\r\nlatest version—v1.92. 
Figure 5.1 is a screenshot of this software running on my test environment.\r\nFigure 5.1 – Open Mail PassView in my test environment\r\nGoing through its code and constant strings, we learned it could obtain email account settings and credentials from\r\nthe following email clients or other clients that could save email credentials:\r\nMozilla Thunderbird, Eudora, Microsoft Outlook, Microsoft Outlook Express, Windows Mail,\r\nMSNMessenger, Windows Live Mail, Group Mail, IncrediMail, Yahoo! Mail, Yahoo! Messenger, Hotmail,\r\nGoogle Desktop, and Google Talk.\r\nIt collects the settings and credentials from both the system registry and the local configuration files of these email\r\nclients. Figure 5.2 is a segment of the ASM code from a common function that has predefined many value names.\r\nThe software repeatedly reads User Name, Server Address, Server Port, and similar information from the system\r\nregistry through these value-names under the subkeys \"HKCU\\Software\\Microsoft\\Internet Account\r\nManager\\Accounts\" and \"HKCU\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts\", which\r\nare the places to save the settings and credentials for Microsoft Outlook and Microsoft Outlook Express.\r\nFigure 5.2 – Defined value-names for reading from the system registry\r\nThis time, the command line parameter string to this software is \"/scomma\r\nC:\\Users\\Bobs\\AppData\\Local\\Temp\\8042.tmp\", where \"/scomma\" allows the process to run without a window\r\nand save the retrieved information to the temporary file that follows it.\r\nThread-Module – Submit Stolen Data\r\nWith the functional modules working to steal sensitive data, the thread-module keeps monitoring the temporary\r\nfile until it is created with the stolen information.\r\nIt then loads the stolen data from the temporary file to memory and then 
deletes the file. Before submitting the\r\nstolen data to the C2 server, it compresses the data and encrypts it.\r\nFigure 6.1 – Call BCryptEncrypt() to encrypt the stolen data\r\nThis example, shown in Figure 6.1, is where it was about to call the API BCryptEncrypt() to encrypt the packet,\r\nwhich begins from 4790E0. The section outlined in red is like the packet header. It contains the packet type\r\n(0x3EA) that tells the C2 server what kind of data is in the packet, a sha256 hash code (69 35 … 3C 4A) of the\r\ndata, a module ID (0x14), as well as the Victim’s ID. The subsequent data, marked in blue, starts with a data size\r\n(0x398) of the following data (from 10 55 52 4C … to the end), which are the compressed web browser\r\ncredentials.\r\nThis thread-module uses eleven C2 servers to receive data stolen from the victim’s device. The IP and Ports of\r\nthese C2 servers are encrypted in memory and get decrypted before submitting the stolen data. The three\r\ndownloaded modules have the same C2 server list, which can be found in the “IOC” section at the end of this\r\nanalysis.\r\nFigure 6.2 – Display of a captured packet to C2 server with encrypted data\r\nFigure 6.2 is a screenshot of a proxy tool showing how the packet with the stolen victim’s sensitive data is sent to\r\nits C2 server.\r\nIt uses the HTTP Post method with a randomized URL to submit the stolen data in the body, which consists of a\r\n40H-long exported key at the beginning with the encrypted data following, as shown in Figure 6.2. 
The C2 server\r\ncan decrypt the submitted data using the 40H exported key.\r\nConclusion\r\nIn Part II of this analysis, I started with a received module packet from a C2 server and explained the structure of\r\nthe packet. Next, I showed how the module (thread-module) is executed in a newly created thread. We then\r\nwalked through how the thread-module performs process hollowing to execute the functional modules.\r\nIn discussing the three received modules, I elaborated on what kind of data Emotet can steal from the victim’s\r\ndevice, such as email contact information from the victim’s email account, the email account’s settings, credentials\r\nfrom the victim’s email client, and credentials saved in a wide range of web browsers.\r\nFinally, going back to the thread-module, Emotet reads the stolen information from the given temporary files. It\r\nthen compresses and encrypts the data, which is ultimately submitted using the HTTP Post method to the C2\r\nserver.\r\nFortinet Protections\r\nFortinet customers are already protected from this malware by FortiGuard’s Web Filtering, AntiVirus, FortiMail,\r\nFortiClient, FortiEDR, and CDR (content disarm and reconstruction) services, as follows:\r\nThe malicious Macro inside the Excel sample mentioned in Part I of the post can be disarmed by the FortiGuard\r\nCDR (content disarm and reconstruction) service.\r\nAll relevant URLs have been rated as \"Malicious Websites\" by the FortiGuard Web Filtering service.\r\nThe captured Excel sample and the downloaded Emotet dll file are detected as \"VBA/Emotet.2826!tr.dldr\" and\r\n\"W32/Emotet.B185!tr\" and are blocked by the FortiGuard AntiVirus service.\r\nFortiEDR detects both the Excel file and Emotet dll file as malicious based on its behavior.\r\nIn addition to these protections, Fortinet also provides multiple solutions designed to 
help train users in detecting\r\nand understanding phishing threats:\r\nWe encourage organizations to have their end users take our FREE NSE Training: NSE 1 – Information Security\r\nAwareness. It includes a module on Internet threats designed to help end-users learn how to identify and protect\r\nthemselves from various types of phishing attacks.\r\nThis training can then be reinforced using our FortiPhish phishing simulation service. It uses real-world attack\r\nscenarios to train users, test awareness and vigilance, and reinforce proper practices for handling phishing\r\nincidents.\r\nIOCs\r\nC2 Server List in the three thread-modules:\r\n144[.]217[.]88[.]125:443\r\n67[.]205[.]162[.]68:8080\r\n54[.]36[.]98[.]59:7080\r\n45[.]184[.]36[.]10:8080\r\n47[.]110[.]149[.]223:8080\r\n159[.]65[.]1[.]71:8080\r\n51[.]178[.]186[.]134:443\r\n131[.]100[.]24[.]199:8080\r\n51[.]91[.]142[.]158:80\r\n51[.]79[.]205[.]117:8080\r\n176[.]31[.]163[.]17:8080\r\nLearn more about FortiGuard Labs global threat intelligence and research and the FortiGuard Security\r\nSubscriptions and Services portfolio.\r\nSource: https://www.fortinet.com/blog/threat-research/ms-office-files-involved-again-in-recent-emotet-trojan-campaign-part-ii",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/ms-office-files-involved-again-in-recent-emotet-trojan-campaign-part-ii"
	],
	"report_names": [
		"ms-office-files-involved-again-in-recent-emotet-trojan-campaign-part-ii"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434234,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3943cc4ef4fac2cda4620a4a393b9c1d4c3dc683.pdf",
		"text": "https://archive.orkl.eu/3943cc4ef4fac2cda4620a4a393b9c1d4c3dc683.txt",
		"img": "https://archive.orkl.eu/3943cc4ef4fac2cda4620a4a393b9c1d4c3dc683.jpg"
	}
}