{
	"id": "fcd8964a-20df-4bf2-afb5-734c8cd6cd57",
	"created_at": "2026-04-06T03:37:35.537457Z",
	"updated_at": "2026-04-10T13:11:51.75001Z",
	"deleted_at": null,
	"sha1_hash": "542878ef5127e3376a33f9cdad516fe255d0e329",
	"title": "Emotet malware infects users again after fixing broken installer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1475785,
	"plain_text": "Emotet malware infects users again after fixing broken installer\r\nBy Lawrence Abrams\r\nPublished: 2022-04-25 · Archived: 2026-04-06 03:13:02 UTC\r\nThe Emotet malware phishing campaign is up and running again after the threat actors fixed a bug preventing people from\r\nbecoming infected when they opened malicious email attachments.\r\nEmotet is a malware infection distributed through spam campaigns with malicious attachments. If a user opens the\r\nattachment, malicious macros or scripts will download the Emotet DLL and load it into memory.\r\nOnce loaded, the malware will search for and steal emails to use in future spam campaigns and drop additional payloads\r\nsuch as Cobalt Strike or other malware that commonly leads to ransomware attacks.\r\nhttps://www.bleepingcomputer.com/news/security/emotet-malware-infects-users-again-after-fixing-broken-installer/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/emotet-malware-infects-users-again-after-fixing-broken-installer/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nBuggy attachments broke the Emotet campaign\r\nLast Friday, the Emotet malware distributors launched a new email campaign that included password-protected ZIP file\r\nattachments containing Windows LNK (shortcut) files pretending to be Word documents.\r\nCurrent Emotet phishing email example\r\nSource: Cofense\r\nWhen a user double-clicked on the shortcut, it would execute a command that searches the shortcut file for a particular\r\nstring that contains Visual Basic Script code, appends the found code to a new VBS file, and executes that VBS file, as\r\nshown below.\r\nEmotet shortcut commands from Friday's campaign\r\nSource: BleepingComputer\r\nHowever, this command contained a bug as it used a static shortcut name of 'Password2.doc.lnk,' even though the actual\r\nname of the attached shortcut file is different, like 'INVOICE 2022-04-22_1033, USA.doc'.\r\nThis caused the command to fail, as the Password2.doc.lnk file did not exist, and thus the VBS file was not created, as\r\nexplained by the Emotet research group Cryptolaemus.\r\nCryptolaemus researcher Joseph Roosen told BleepingComputer that Emotet shut down the new email campaign at\r\napproximately 00:00 UTC on Friday after discovering that the bug was preventing users from becoming infected.\r\nUnfortunately, Emotet fixed the bug today and, once again, started spamming users with malicious emails containing\r\npassword-protected zip files and shortcut attachments.\r\nThese shortcuts now reference the correct filenames when the command is executed, allowing the VBS files to be created\r\ncorrectly and the Emotet malware to be downloaded and installed on victims' devices.\r\nFixed Emotet attachment command\r\nSource: BleepingComputer\r\nEmail security firm Cofense told BleepingComputer that the used attachment named used in today's Emotet campaigns are:\r\nhttps://www.bleepingcomputer.com/news/security/emotet-malware-infects-users-again-after-fixing-broken-installer/\r\nPage 3 of 4\n\nform.zip\r\nForm.zip\r\nElectronic form.zip\r\nPO 04252022.zip\r\nForm - Apr 25, 2022.zip\r\nPayment Status.zip\r\nBANK TRANSFER COPY.zip\r\nTransaction.zip\r\nACH form.zip\r\nACH payment info.zip\r\nIf you receive an email with similar password-protected attachments, it is strongly advised that you do not open them.\r\nInstead, you should contact your network or security admins and let them examine the attachment to determine if they are\r\nmalicious or not.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/emotet-malware-infects-users-again-after-fixing-broken-installer/\r\nhttps://www.bleepingcomputer.com/news/security/emotet-malware-infects-users-again-after-fixing-broken-installer/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/emotet-malware-infects-users-again-after-fixing-broken-installer/"
	],
	"report_names": [
		"emotet-malware-infects-users-again-after-fixing-broken-installer"
	],
	"threat_actors": [],
	"ts_created_at": 1775446655,
	"ts_updated_at": 1775826711,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/542878ef5127e3376a33f9cdad516fe255d0e329.pdf",
		"text": "https://archive.orkl.eu/542878ef5127e3376a33f9cdad516fe255d0e329.txt",
		"img": "https://archive.orkl.eu/542878ef5127e3376a33f9cdad516fe255d0e329.jpg"
	}
}