{
	"id": "4aa35806-44e6-419a-8270-fbfc9cac7d50",
	"created_at": "2026-04-06T00:12:29.014214Z",
	"updated_at": "2026-04-10T03:35:43.395039Z",
	"deleted_at": null,
	"sha1_hash": "3fc24212fa546cddebc74311fe12e1b5e31f2f4e",
	"title": "Emotet malware now steals credit cards from Google Chrome users",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1191788,
	"plain_text": "Emotet malware now steals credit cards from Google Chrome users\r\nBy Sergiu Gatlan\r\nPublished: 2022-06-08 · Archived: 2026-04-05 17:26:29 UTC\r\nThe Emotet botnet is now attempting to infect potential victims with a credit card stealer module designed to harvest credit card information stored in Google Chrome user profiles.\r\nAfter stealing the credit card info (i.e., name, expiration month and year, card numbers), the malware sends it to command-and-control (C2) servers different from the ones the Emotet card stealer module uses.\r\n\"On June 6th, Proofpoint observed a new Emotet module being dropped by the E4 botnet,\" the Proofpoint Threat Insights team said.\r\nhttps://www.bleepingcomputer.com/news/security/emotet-malware-now-steals-credit-cards-from-google-chrome-users/\r\nPage 1 of 4\r\n\"To our surprise it was a credit card stealer that was solely targeting the Chrome browser. Once card details were collected they were exfiltrated to different C2 servers than the module loader.\"\r\nThis behavior change comes after increasing activity during April and a switch to 64-bit modules, as the Cryptolaemus security research group spotted.\r\nOne week later, Emotet started using Windows shortcut files (.LNK) to execute PowerShell commands to infect victims' devices, moving away from Microsoft Office macros, which have been disabled by default since early April 2022.\r\nImage: Proofpoint\r\nEmotet's revival\r\nThe Emotet malware was developed and deployed in attacks as a banking trojan in 2014. It has evolved into a botnet that the TA542 threat group (aka Mummy Spider) uses to deliver second-stage payloads.\r\nIt also allows its operators to steal user data, perform reconnaissance on breached networks, and move laterally to vulnerable devices.\r\nEmotet is known for dropping the Qbot and Trickbot trojans on victims' compromised computers, which are then used to deploy additional malware, including Cobalt Strike beacons and ransomware such as Ryuk and Conti.\r\nAt the beginning of 2021, Emotet's infrastructure was taken down in an international law enforcement action that also led to the arrest of two individuals.\r\nGerman law enforcement used Emotet's own infrastructure against the botnet, delivering a module that uninstalled the malware from infected devices on April 25th, 2021.\r\nThe botnet came back in November 2021 using TrickBot's existing infrastructure, when Emotet research group Cryptolaemus, computer security firm GData, and cybersecurity firm Advanced Intel all detected the TrickBot malware being used to push an Emotet loader.\r\nAs ESET revealed on Tuesday, Emotet has seen a massive increase in activity since the start of the year, \"with its activity growing more than 100-fold vs T3 2021.\"\r\nSource: https://www.bleepingcomputer.com/news/security/emotet-malware-now-steals-credit-cards-from-google-chrome-users/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/emotet-malware-now-steals-credit-cards-from-google-chrome-users/"
	],
	"report_names": [
		"emotet-malware-now-steals-credit-cards-from-google-chrome-users"
	],
	"threat_actors": [
		{
			"id": "e8e18067-f64b-4e54-9493-6d450b7d40df",
			"created_at": "2022-10-25T16:07:24.515213Z",
			"updated_at": "2026-04-10T02:00:05.018868Z",
			"deleted_at": null,
			"main_name": "Mummy Spider",
			"aliases": [
				"ATK 104",
				"Gold Crestwood",
				"Mummy Spider",
				"TA542"
			],
			"source_name": "ETDA:Mummy Spider",
			"tools": [
				"Emotet",
				"Geodo",
				"Heodo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "506404b2-82fb-4b7e-b40d-57c2e9b59f40",
			"created_at": "2023-01-06T13:46:38.870883Z",
			"updated_at": "2026-04-10T02:00:03.128317Z",
			"deleted_at": null,
			"main_name": "MUMMY SPIDER",
			"aliases": [
				"TA542",
				"GOLD CRESTWOOD"
			],
			"source_name": "MISPGALAXY:MUMMY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ac83159-1d9d-4db4-a176-97be6b7b07c9",
			"created_at": "2024-06-19T02:03:08.024653Z",
			"updated_at": "2026-04-10T02:00:03.672512Z",
			"deleted_at": null,
			"main_name": "GOLD CRESTWOOD",
			"aliases": [
				"Mummy Spider ",
				"TA542 "
			],
			"source_name": "Secureworks:GOLD CRESTWOOD",
			"tools": [
				"Emotet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434349,
	"ts_updated_at": 1775792143,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3fc24212fa546cddebc74311fe12e1b5e31f2f4e.pdf",
		"text": "https://archive.orkl.eu/3fc24212fa546cddebc74311fe12e1b5e31f2f4e.txt",
		"img": "https://archive.orkl.eu/3fc24212fa546cddebc74311fe12e1b5e31f2f4e.jpg"
	}
}