{
	"id": "8f9eeaec-3835-4f5e-beb1-f84dc5e57bfb",
	"created_at": "2026-04-06T01:30:48.075755Z",
	"updated_at": "2026-04-10T03:22:01.003158Z",
	"deleted_at": null,
	"sha1_hash": "434c91a3e08e87f95639d68dcec1c63df603ecc4",
	"title": "Emotet Malware | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 127680,
	"plain_text": "Emotet Malware | CISA\r\nPublished: 2020-10-24 · Archived: 2026-04-06 01:08:10 UTC\r\nSummary\r\nThis Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT\u0026CK®) framework. See the ATT\u0026CK for Enterprise framework for all referenced threat actor techniques.\r\nThis product was written by the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing \u0026 Analysis Center (MS-ISAC).\r\nEmotet—a sophisticated Trojan commonly functioning as a downloader or dropper of other malware—resurged in July 2020, after a dormant period that began in February. Since August, CISA and MS-ISAC have seen a significant increase in malicious cyber actors targeting state and local governments with Emotet phishing emails. This increase has rendered Emotet one of the most prevalent ongoing threats.\r\nTo secure against Emotet, CISA and MS-ISAC recommend implementing the mitigation measures described in this Alert, which include applying protocols that block suspicious attachments, using antivirus software, and blocking suspicious IPs.\r\nTechnical Details\r\nEmotet is an advanced Trojan primarily spread via phishing email attachments and links that, once clicked, launch the payload (Phishing: Spearphishing Attachment [T1566.001], Phishing: Spearphishing Link [T1566.002]). The malware then attempts to proliferate within a network by brute forcing user credentials and writing to shared drives (Brute Force: Password Guessing [T1110.001], Valid Accounts: Local Accounts [T1078.003], Remote Services: SMB/Windows Admin Shares [T1021.002]).\r\nEmotet is difficult to combat because of its “worm-like” features that enable network-wide infections. Additionally, Emotet uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities.\r\nSince July 2020, CISA has seen increased activity involving Emotet-associated indicators. 
During that time, CISA’s EINSTEIN Intrusion Detection System, which protects federal civilian executive branch networks, has detected roughly 16,000 alerts related to Emotet activity. CISA observed Emotet being executed in phases during possible targeted campaigns. Emotet used compromised Word documents (.doc) attached to phishing emails as initial insertion vectors. Possible command and control network traffic involved HTTP POST requests to Uniform Resource Identifiers consisting of nonsensical, random-length alphabetical directories on known Emotet-related domains or IPs, with the following user agent string (Application Layer Protocol: Web Protocols [T1071.001]).\r\nMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa20-280a\r\nPage 1 of 8\n\nTraffic to known Emotet-related domains or IPs occurred most commonly over ports 80, 8080, and 443. In one instance, traffic from an Emotet-related IP attempted to connect to a suspected compromised site over port 445, possibly indicating the use of Server Message Block (SMB) exploitation frameworks along with Emotet (Exploitation of Remote Services [T1210]). Figure 1 lays out Emotet’s use of enterprise techniques.\r\nFigure 1: MITRE ATT\u0026CK enterprise techniques used by Emotet\r\nTimeline of Activity\r\nThe following timeline identifies key Emotet activity observed in 2020.\r\nFebruary: Cybercriminals targeted non-U.S. countries using COVID-19-themed phishing emails to lure victims to download Emotet.[1]\r\nJuly: Researchers spotted emails with previously used Emotet URLs, particularly those used in the February campaign, targeting U.S. 
businesses with COVID-19-themed lures.[2]\r\nAugust:\r\nSecurity researchers observed a 1,000 percent increase in downloads of the Emotet loader. Following this change, antivirus software firms adjusted their detection heuristics to compensate, leading to decreases in observed loader downloads.[3]\r\nProofpoint researchers noted mostly minimal changes in most tactics and tools previously used with Emotet. Significant changes included:\r\nEmotet delivering Qbot affiliate partner01 as the primary payload, and\r\nthe Emotet mail sending module’s ability to deliver benign and malicious attachments.[4]\r\nCISA and MS-ISAC observed increased attacks in the United States, particularly cyber actors using Emotet to target state and local governments.\r\nSeptember:\r\nCyber agencies and researchers alerted the public of surges of Emotet, including compromises in Canada, France, Japan, New Zealand, Italy, and the Netherlands. Emotet botnets were observed dropping Trickbot to deliver ransomware payloads against some victims and Qakbot Trojans to steal banking credentials and data from other targets.[5],[6],[7],[8]\r\nSecurity researchers from Microsoft identified a pivot in tactics from the Emotet campaign. The new tactics include attaching password-protected archive files (e.g., Zip files) to emails to bypass email security gateways. These email messages purport to deliver documents created on mobile devices to lure targeted users into enabling macros to “view” the documents—an action which actually enables the delivery of malware.[9]\r\nPalo Alto Networks reported cyber actors using thread hijacking to spread Emotet. 
This attack technique involves stealing an existing email chain from an infected host to reply to the chain—using a spoofed identity—and attaching a malicious document to trick recipients into opening the file.[10]\r\nMITRE ATT\u0026CK Techniques\r\nAccording to MITRE, Emotet uses the ATT\u0026CK techniques listed in table 1.\r\nTable 1: Common exploit tools\r\nTechnique | Use\r\nOS Credential Dumping: LSASS Memory [T1003.001] | Emotet has been observed dropping password grabber modules including Mimikatz.\r\nRemote Services: SMB/Windows Admin Shares [T1021.002] | Emotet leverages the Admin$ share for lateral movement once the local admin password has been brute forced.\r\nObfuscated Files or Information [T1027] | Emotet has obfuscated macros within malicious documents to hide the URLs hosting the malware, cmd.exe arguments, and PowerShell scripts.\r\nObfuscated Files or Information: Software Packing [T1027.002] | Emotet has used custom packers to protect its payloads.\r\nNetwork Sniffing [T1040] | Emotet has been observed to hook network APIs to monitor network traffic.\r\nExfiltration Over C2 Channel [T1041] | Emotet has been seen exfiltrating system information stored within cookies sent within an HTTP GET request back to its command and control (C2) servers.\r\nWindows Management Instrumentation [T1047] | Emotet has used WMI to execute powershell.exe.\r\nProcess Injection: Dynamic-link Library Injection [T1055.001] | Emotet has been observed injecting into Explorer.exe and other processes.\r\nProcess Discovery [T1057] | Emotet has been observed enumerating local processes.\r\nCommand and Scripting Interpreter: PowerShell [T1059.001] | Emotet has used PowerShell to retrieve the malicious payload and download additional resources like 
Mimikatz.\r\nCommand and Scripting Interpreter: Windows Command Shell [T1059.003] | Emotet has used cmd.exe to run a PowerShell script.\r\nCommand and Scripting Interpreter: Visual Basic [T1059.005] | Emotet has sent Microsoft Word documents with embedded macros that will invoke scripts to download additional payloads.\r\nValid Accounts: Local Accounts [T1078.003] | Emotet can brute force a local admin password, then use it to facilitate lateral movement.\r\nAccount Discovery: Email Account [T1087.003] | Emotet has been observed leveraging a module that can scrape email addresses from Outlook.\r\nBrute Force: Password Guessing [T1110.001] | Emotet has been observed using a hard-coded list of passwords to brute force user accounts.\r\nEmail Collection: Local Email Collection [T1114.001] | Emotet has been observed leveraging a module that scrapes email data from Outlook.\r\nUser Execution: Malicious Link [T1204.001] | Emotet has relied upon users clicking on a malicious link delivered through spearphishing.\r\nUser Execution: Malicious File [T1204.002] | Emotet has relied upon users clicking on a malicious attachment delivered through spearphishing.\r\nExploitation of Remote Services [T1210] | Emotet has been seen exploiting SMB via a vulnerability exploit like ETERNALBLUE (MS17-010) to achieve lateral movement and propagation.\r\nCreate or Modify System Process: Windows Service [T1543.003] | Emotet has been observed creating new services to maintain persistence.\r\nBoot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001] | Emotet has been observed adding the downloaded payload to the HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run key 
to maintain persistence.\r\nScheduled Task/Job: Scheduled Task [T1053.005] | Emotet has maintained persistence through a scheduled task.\r\nUnsecured Credentials: Credentials In Files [T1552.001] | Emotet has been observed leveraging a module that retrieves passwords stored on a system for the current logged-on user.\r\nCredentials from Password Stores: Credentials from Web Browsers [T1555.003] | Emotet has been observed dropping browser password grabber modules.\r\nArchive Collected Data [T1560] | Emotet has been observed encrypting the data it collects before sending it to the C2 server.\r\nPhishing: Spearphishing Attachment [T1566.001] | Emotet has been delivered by phishing emails containing attachments.\r\nPhishing: Spearphishing Link [T1566.002] | Emotet has been delivered by phishing emails containing links.\r\nNon-Standard Port [T1571] | Emotet has used HTTP over ports such as 20, 22, 7080, and 50000, in addition to using ports commonly associated with HTTP/HTTPS.\r\nEncrypted Channel: Asymmetric Cryptography [T1573.002] | Emotet is known to use RSA keys for encrypting C2 traffic.\r\nDetection\r\nSignatures\r\nMS-ISAC developed the following Snort signature for use in detecting network activity associated with Emotet activity.\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET 443 (msg:\"[CIS] Emotet C2 Traffic Using Form Data to Send Passwords\"; content:\"POST\"; http_method; content:\"Content-Type|3a 20|multipart/form-data|3b 20|boundary=\"; http_header; fast_pattern; content:\"Content-Disposition|3a 20|form-data|3b 20|name=|22|\"; http_client_body; content:!\"------WebKitFormBoundary\"; http_client_body; content:!\"Cookie|3a|\"; pcre:\"/:?(chrome|firefox|safari|opera|ie|edge) 
passwords/i\"; reference:url,cofense.com/flash-bulletin-emotet-epoch-1-changes-c2-communication/; sid:1; rev:2;)\r\nCISA developed the following Snort signatures for use in detecting network activity associated with Emotet activity. Note: Uniform Resource Identifiers should contain a random-length alphabetical multiple-directory string, and activity will likely be over ports 80, 8080, or 443. The sid values below are placeholders (00000000) and should be replaced with locally assigned IDs before deployment.\r\nalert tcp any any -\u003e any $HTTP_PORTS (msg:\"EMOTET:HTTP URI GET contains '/wp-content/###/'\"; sid:00000000; rev:1; flow:established,to_server; content:\"/wp-content/\"; http_uri; content:\"/\"; http_uri; distance:0; within:4; content:\"GET\"; nocase; http_method; urilen:\u003c17; classtype:http-uri; content:\"Connection|3a 20|Keep-Alive|0d 0a|\"; http_header; metadata:service http;)\r\nalert tcp any any -\u003e any $HTTP_PORTS (msg:\"EMOTET:HTTP URI GET contains '/wp-admin/###/'\"; sid:00000000; rev:1; flow:established,to_server; content:\"/wp-admin/\"; http_uri; content:\"/\"; http_uri; distance:0; within:4; content:\"GET\"; nocase; http_method; urilen:\u003c15; content:\"Connection|3a 20|Keep-Alive|0d 0a|\"; http_header; classtype:http-uri; metadata:service http;)\r\nMitigations\r\nCISA and MS-ISAC recommend that network defenders—in federal, state, local, tribal, territorial governments, and the private sector—consider applying the following best practices to strengthen the security posture of their organization's systems. 
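Before the mitigation list, the following Python script is an added example, not code from the CISA/MS-ISAC alert: it re-implements the matching logic of the three Snort signatures in the Detection section, plus the POST-to-random-alphabetical-directories pattern from Technical Details, as plain functions that can be run offline over parsed proxy or IDS logs. The Request class, the sample records and the indicator labels are constructed for this example; the user agent is matched only on the prefix quoted in the alert, because the full string is cut off in the source.

```python
import re
from dataclasses import dataclass, field

# Prefix of the user agent string quoted in the alert. The full value is cut off in
# the source text, so only this prefix is matched (an assumption of this example).
EMOTET_UA_PREFIX = 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2;'
C2_PORTS = {80, 8080, 443}

# URI made of two or more purely alphabetical directories of any length, e.g. /ngbqa/xkwertz/ab/
ALPHA_DIRS = re.compile('^(/[A-Za-z]+){2,}/?$')
# Snort: content /wp-content/ then content / with distance:0; within:4 -> at most 3 bytes between them
WP_CONTENT = re.compile('/wp-content/[^/]{0,3}/')
WP_ADMIN = re.compile('/wp-admin/[^/]{0,3}/')
# The pcre from the MS-ISAC rule, applied to the request body
BROWSER_PASSWORDS = re.compile(':?(chrome|firefox|safari|opera|ie|edge) passwords', re.IGNORECASE)
DQUOTE = chr(34)  # the |22| byte in the Snort content match
CRLF = chr(13) + chr(10)


@dataclass
class Request:
    # One client request as a proxy or IDS would log it (header names stored in lower case)
    method: str
    port: int
    uri: str
    headers: dict = field(default_factory=dict)
    body: str = ''

    def header(self, name):
        return self.headers.get(name.lower(), '')


def is_c2_post(req):
    # Technical Details: POST over 80/8080/443 to nonsense alphabetical directories with the Emotet UA
    return (req.method == 'POST' and req.port in C2_PORTS
            and req.header('User-Agent').startswith(EMOTET_UA_PREFIX)
            and ALPHA_DIRS.match(req.uri) is not None)


def is_password_upload(req):
    # MS-ISAC rule: multipart form POST to port 443 whose body names a browser password dump,
    # without the boundary a real WebKit browser would send and without any Cookie header
    return (req.method == 'POST' and req.port == 443
            and req.header('Content-Type').startswith('multipart/form-data; boundary=')
            and 'Content-Disposition: form-data; name=' + DQUOTE in req.body
            and '------WebKitFormBoundary' not in req.body
            and 'cookie' not in req.headers
            and BROWSER_PASSWORDS.search(req.body) is not None)


def is_wp_get(req):
    # CISA rules: short Keep-Alive GET to /wp-content/###/ (urilen < 17) or /wp-admin/###/ (urilen < 15)
    if req.method != 'GET' or req.port not in C2_PORTS or req.header('Connection') != 'Keep-Alive':
        return False
    return ((WP_CONTENT.search(req.uri) is not None and len(req.uri) < 17)
            or (WP_ADMIN.search(req.uri) is not None and len(req.uri) < 15))


def classify(req):
    # List of indicator labels a request matches (empty for traffic none of the checks fires on)
    checks = [('emotet-c2-post', is_c2_post),
              ('emotet-password-upload', is_password_upload),
              ('emotet-wp-uri-get', is_wp_get)]
    return [label for label, check in checks if check(req)]


def scan(requests):
    # (index, labels) for every request that matched at least one check
    hits = []
    for index, req in enumerate(requests):
        labels = classify(req)
        if labels:
            hits.append((index, labels))
    return hits


# Constructed sample traffic for this example (not captures from the alert)
SAMPLE_REQUESTS = [
    Request('POST', 8080, '/ngbqa/xkwertz/ab/', {'user-agent': EMOTET_UA_PREFIX + ' .NET CLR 2.0.50727)'}),
    Request('POST', 443, '/upload', {'content-type': 'multipart/form-data; boundary=----7e3a1b'},
            body='------7e3a1b' + CRLF + 'Content-Disposition: form-data; name=' + DQUOTE + 'file'
                 + DQUOTE + '; filename=' + DQUOTE + 'Chrome Passwords.txt' + DQUOTE + CRLF),
    Request('GET', 80, '/wp-content/abc/', {'connection': 'Keep-Alive'}),
    Request('GET', 80, '/wp-content/uploads/2020/10/logo.png', {'connection': 'Keep-Alive'}),  # benign
    Request('POST', 443, '/api/v1/items', {'user-agent': 'Mozilla/5.0', 'cookie': 'session=1'}),  # benign
]

if __name__ == '__main__':
    for index, labels in scan(SAMPLE_REQUESTS):
        print(index, SAMPLE_REQUESTS[index].uri, labels)
```

Run it as a script to print the three flagged sample requests; in practice, feed it records parsed from proxy or IDS HTTP logs. As with the Snort rules themselves, the URI checks are cheap but will also fire on legitimate short WordPress paths, so treat a hit as a lead to pivot on the destination and user agent rather than as a verdict.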
System owners and administrators should review any configuration changes prior to implementation to avoid unwanted impacts.\r\nBlock email attachments commonly associated with malware (e.g., .dll and .exe).\r\nBlock email attachments that cannot be scanned by antivirus software (e.g., .zip files, including the password-protected archives used in the September 2020 campaign).\r\nImplement Group Policy Object and firewall rules.\r\nImplement an antivirus program and a formalized patch management process.\r\nImplement filters at the email gateway, and block suspicious IP addresses at the firewall.\r\nAdhere to the principle of least privilege.\r\nImplement a Domain-based Message Authentication, Reporting \u0026 Conformance (DMARC) validation system.\r\nSegment and segregate networks and functions.\r\nLimit unnecessary lateral communications.\r\nDisable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.\r\nEnforce multi-factor authentication.\r\nExercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. 
See Using Caution with Email Attachments.\r\nEnable a firewall on agency workstations, configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious email attachments; ensure the scanned attachment is its \"true file type\" (i.e., the extension matches the file header).\r\nMonitor users' web browsing habits; restrict access to suspicious or risky sites.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).\r\nScan all software downloaded from the internet prior to executing.\r\nMaintain situational awareness of the latest threats and implement appropriate access control lists.\r\nVisit the MITRE ATT\u0026CK Techniques pages (linked in table 1 above) for additional mitigation and detection strategies.\r\nSee CISA’s Alert on Technical Approaches to Uncovering and Remediating Malicious Activity for more information on addressing potential incidents and applying best practice incident response procedures.\r\nSee the joint CISA and MS-ISAC Ransomware Guide on how to be proactive and prevent ransomware attacks from happening and for a detailed approach on how to respond to an attack and best resolve the cyber incident.\r\nFor additional information on malware incident prevention and handling, see the National Institute of Standards and Technology Special Publication 800-83, Guide to Malware Incident Prevention and Handling for Desktops and Laptops.\r\nResources\r\nMS-ISAC Security Event Primer – Emotet\r\nCISA Alert TA18-201A – Emotet Malware\r\nMITRE ATT\u0026CK – Emotet\r\nMITRE ATT\u0026CK for Enterprise\r\nReferences\r\n[1] Bleeping Computer: Emotet Malware Strikes U.S. 
Businesses with COVID-19 Spam\r\n[2] Ibid.\r\n[3] Security Lab: Emotet Update Increases Downloads\r\n[4] Proofpoint: A Comprehensive Look at Emotet’s Summer 2020 Return\r\n[5] ZDNet: France, Japan, New Zealand Warn of Sudden Strike in Emotet Attacks\r\n[6] Bleeping Computer: France Warns of Emotet Attacking Companies, Administration\r\n[7] ESET: Emotet Strikes Quebec’s Department of Justice: An ESET Analysis\r\n[8] ZDNet: Microsoft, Italy, and the Netherlands Warn of Increased Emotet Activity\r\n[9] Bleeping Computer: Emotet Double Blunder: Fake ‘Windows 10 Mobile’ and Outdated Messages\r\n[10] Palo Alto Networks: Case Study: Emotet Thread Hijacking, an Email Attack Technique\r\nRevisions\r\nOctober 6, 2020: Initial Version\r\nSource: https://us-cert.cisa.gov/ncas/alerts/aa20-280a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/alerts/aa20-280a"
	],
	"report_names": [
		"aa20-280a"
	],
	"threat_actors": [],
	"ts_created_at": 1775439048,
	"ts_updated_at": 1775791321,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/434c91a3e08e87f95639d68dcec1c63df603ecc4.pdf",
		"text": "https://archive.orkl.eu/434c91a3e08e87f95639d68dcec1c63df603ecc4.txt",
		"img": "https://archive.orkl.eu/434c91a3e08e87f95639d68dcec1c63df603ecc4.jpg"
	}
}