{
	"id": "e0107a23-2e1c-4402-8669-9d1e2331997f",
	"created_at": "2026-04-06T00:13:41.818004Z",
	"updated_at": "2026-04-10T03:35:43.388255Z",
	"deleted_at": null,
	"sha1_hash": "55bd586adb0adaf1cd72dba31ae4ca70388c6686",
	"title": "A Comprehensive Look at Emotet’s Summer 2020 Return | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1271583,
	"plain_text": "A Comprehensive Look at Emotet’s Summer 2020 Return |\r\nProofpoint US\r\nBy August 28, 2020 Axel F. and the Proofpoint Threat Research Team\r\nPublished: 2020-08-27 · Archived: 2026-04-05 14:30:52 UTC\r\nTA542, an actor that distributes Emotet malware, took an extensive break from delivering malicious emails in\r\n2020. They were absent from the landscape for over five months, last seen on February 7 before returning on July\r\n17, 2020. While Emotet usually takes breaks throughout the year, this was the longest known vacation for the\r\ngroup. Despite this break, Emotet continues to be a dangerous threat and below we’ve detailed their delivery\r\nmethods, regional targeting, and an analysis into their use of Qbot.\r\nNow that they are back, TA542 email campaigns are once again the most prevalent by message volume by a large\r\nmargin, with only a few other actors coming close. Proofpoint has blocked hundreds of thousands of messages\r\n(sometimes coming close to one million) each day. There is no clear industry targeting among TA542 campaigns.\r\nWhile there are some innovations and incremental changes, Proofpoint researchers have noted surprisingly\r\nminimal change in TA542’s tactics or tooling, considering the long break. 
Many trends observed previously still remain relevant.\r\nSignificant new changes and innovations include:\r\n- Distribution of Qbot affiliate “partner01” as the primary payload delivered by Emotet instead of The Trick. However, Emotet has previously delivered Qbot affiliate “hhhXX” on a few occasions, such as in March 2019.\r\n- A change in the Emotet mail sending module that can now attach benign attachments along with malicious ones.\r\nOnly small incremental changes were observed in:\r\n- Emails: We continue to see a significant volume of thread hijacking and language localization in emails. The actor continues to use generic as well as currently newsworthy lures such as COVID-19.\r\n- Attachments / URLs: Similar to activity observed before their break, TA542 continues to use Word attachments with macros, PDF attachments, and URLs linking to Word files.\r\n- Country targeting: The actor continues to target a core set of countries including (listed by message volume) Germany, Austria, Switzerland, United States, United Kingdom, and Canada, while at the same time experimenting with targeting new geographies such as Indonesia, the Philippines, Sweden, and India.\r\nhttps://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-summer-2020-return\r\nPage 1 of 23\n\nFigure 1: Indexed volume of email messages containing Emotet (from April 19, 2017 to August 18, 2020)\r\nPrecursor Campaign\r\nBefore diving into the analysis, it’s important to mention that Proofpoint and other researchers were able to see warnings that Emotet was about to return. Those watching active Emotet infections took notice that new email sending modules were received. It's also possible to watch for unusual (old) Emotet email in inboxes.\r\nOn July 14, 2020 Proofpoint researchers spotted emails with old Emotet URLs, specifically those that were previously seen in the last known Emotet campaign on February 7, 2020. 
These emails came from many sender IPs, as if multiple Emotet bots had reactivated.\r\nDelivery\r\nEmotet malspam is very different from other malware email campaigns in that it starts early and lasts throughout the whole day, making it hard to determine the end of one campaign and the beginning of the next. However, in general, campaigns start at night between 1:00am EST and 5:00am EST. There are exceptions to this, as some campaigns start much later in the day, for example at 3:00pm EST on August 5, 2020.\r\nEmotet campaigns can typically be seen Monday through Friday, and there is no significant sending on weekends. There are some exceptions to this: within the period of July 17, 2020 to August 18, 2020, the actor did not send malicious email on Friday, July 24, Monday, August 3, or Tuesday, August 4.\r\nTA542 continues to leverage social engineering mechanisms to increase infection rates. They compose emails in the appropriate language for the targeted country. They use simple “call to action” emails.\r\nEmails\r\nA large percentage of Emotet emails use thread hijacking (replies to previous conversations), and the subjects begin with “Re: ” or “RE: ”, such as:\r\nRe: [subject from stolen email]\r\nRE: [subject from stolen email]\r\nAnother noticeable trend is using the recipient’s name, job function, company name, or company domain in the subject. The Friendly-From name of the sender address often contains the company name or domain. 
The email body also often contains the company name, domain or recipient name in the greeting and signature.\r\nFormat | Example\r\n[Firstname Lastname] | John Doe\r\n[Firstname, Lastname] | John, Doe\r\n[Companyname] | Widgetsmaker\r\n[Companyname Recipientfunction] | Widgetsmaker Payroll\r\nAgreement for [Companyname] | Agreement for Widgetsmaker\r\nFiles for [Companyname] | Files for John Doe\r\nINVOICE 1067935 from [Personname] | INVOICE 1067935 from John Doe\r\nTable 1: Example subjects that use specific information related to the recipient or their company\r\nBesides those notable trends, there is a large and varying number of subjects. Below are a few examples of other subjects, though this list is not exhaustive:\r\nEstimate [Digits]\r\nFatura [Date]\r\nFinancement pour\r\nFind attached invoice INV-Y-35852\r\nINVOICE [Digits]\r\nNota fiscal\r\nNovos dados 20/07/2020\r\nOpen Past Due Orders\r\nOpen invoices\r\nOrder Processing\r\nOur stay at the Weekend\r\nOutstanding Invoices\r\nPO 54203\r\nPaid Invoice \u0026 Credit Card Receipt\r\nPast Due Invoice\r\nPayroll 80606\r\nQuestion\r\nQuote 862639\r\nQuote RFQ-00012679\r\nQuote Request\r\nRenewals\r\nReno Update\r\nSales Invoice\r\nYour statement is available online\r\ndemande\r\nGeographical Targeting\r\nTA542 continues the trend of consistently targeting certain regions, while also adding new countries periodically. The core regions that Emotet still targets include (listed by message volume): Germany, Austria, Switzerland, United States, United Kingdom, Japan, and Latin American countries. Other regions targeted recently but less consistently include Indonesia, the Philippines, Sweden, and India. Each country is typically targeted with appropriate language in email bodies, subjects, filenames, and branding. 
Known targeted countries are listed below (Table 2).\r\nCountry | Language | Note\r\nGermany | German | Consistent targeting\r\nAustria | German | Consistent targeting\r\nSwitzerland | German | Consistent targeting\r\nUnited Kingdom | English | Consistent targeting\r\nUnited States | English | Consistent targeting\r\nCanada | English, French | Consistent targeting\r\nUnited Arab Emirates | English | Consistent targeting\r\nJapan | Japanese | Consistent targeting\r\nLatin America | Spanish and Portuguese | Consistent targeting of countries such as Brazil, Chile, Mexico, Colombia, Ecuador\r\nIndia | Hindi | Occasional\r\nIndonesia | Indonesian | Occasional\r\nPhilippines | Filipino | Occasional\r\nSweden | Swedish | Occasional\r\nItaly | Italian | Occasional\r\nSpain | Spanish | Occasional\r\nNorway | Norwegian | Occasional\r\nNetherlands | Dutch | Occasional\r\nVietnam | Vietnamese | Occasional\r\nTable 2: Description of the countries with observed Emotet email campaigns since July 17, 2020. Note that this list is not considered exhaustive.\r\nMistakes\r\nThere are often mistakes in the way that Emotet malicious emails are created, where placeholders or macros are not filled in. These may be due to bugs in the code of the Emotet mail sending capability that generates these emails. For example, we have seen attachments with names such as those listed below. 
Placeholders like “{rcpt.domain}” are meant to be replaced with the recipient’s domain.\r\nestimate ui00071 from {rcpt.domain-1-up}.doc\r\ninvoice-e00889 from {rcpt.domain}.rtf.doc\r\ng1:regex:(invoice|profile|document|doc|doc|document|payment advice note|invoice|attn|invoice|verification letter|status update|invoice status update|invoice id|invoice for service|08_2020 invoice for service|your invoice|past due invoice|order confir.doc\r\nThere are also placeholders in the email body such as those shown below. A Spanish language email screenshot in Figure 3 illustrates this.\r\n{FROM.NAME}\r\n{MSG.MESSAGE}\r\nExample Emails\r\nThis section highlights email lures from some of the more notable TA542 campaigns.\r\nThe figure below shows the following emails:\r\n- Indonesian language email targeting Indonesia. The subject “faktur dari” translates to “invoice from”. (top left)\r\n- Hindi language email targeting India and utilizing thread hijacking. The “कृपया संलग्न फॉर्म देखें।” text in the body of the email translates to “Please see the attached form.” (top right)\r\n- Filipino language email targeting the Philippines. The attachment name “impormasyon ng contact.doc” translates to “contact information.doc”. Note that this email contains both a Word attachment and a URL linking to a malicious Word file. (bottom right)\r\n- Swedish language email targeting Sweden. The subject “Dagordning för det kommande mötet på fredagen” translates to “Agenda for the upcoming meeting on Friday”. (bottom left)\r\nFigure 2: Clockwise, starting from the top left corner: Indonesian, Hindi, Filipino, Swedish language emails.\r\nThe figure below shows the following emails:\r\n- German language email targeting Germany. (top left)\r\n- Spanish language email targeting Spain. 
Note that this email still contains the {FROM.NAME} placeholder that should have been filled in with a name before the actor sent it. (top right)\r\n- Italian language email targeting Italy. (bottom right)\r\n- French language email targeting Canada. (bottom left)\r\nFigure 3: Clockwise, starting from the top left corner: German, Spanish, Italian, French language emails.\r\nThe figure below shows the following emails:\r\n- COVID-19 lure: On August 7, 2020 we began to see emails with attachment filenames that included “COVID-19” strings, such as “cd-8423 medical report covid-19.doc” and “covid-19 report 08 11 2020.doc”.\r\n- Japanese Bitcoin extortion: Extortion emails in Japan are back. We saw them before Emotet took a break, with an almost identical message.\r\nFigure 4: COVID-19 email example, Japanese Bitcoin extortion email.\r\nWe confirmed open source reports that there are examples of Emotet emails that include benign attachments along with malicious ones. These make up a minor portion of Emotet email. The examples below show benign PDF attachments along with malicious Word attachments.\r\nFigure 5: Benign PDF attachments in the same email as malicious Word attachments.\r\nAttachments/URLs\r\nThe malicious content included in the emails sent by this threat actor is either a URL or an attachment, and sometimes, but rarely, both a URL and an attachment in the same email. Word attachments are seen every day, URLs linking to Word files are also seen every day, and PDF attachments are seen occasionally. 
As observed for the period of July 17, 2020 to August 18, 2020:\r\n2020-07-17: Word attachments, URLs\r\n2020-07-20: Word attachments, PDF attachments, URLs\r\n2020-07-21: Word attachments, PDF attachments, URLs\r\n2020-07-22: Word attachments, URLs\r\n2020-07-23: Word attachments, PDF attachments, URLs\r\n2020-07-27: Word attachments, PDF attachments, URLs\r\n2020-07-28: Word attachments, PDF attachments, URLs\r\n2020-07-29: Word attachments, URLs\r\n2020-07-30: Word attachments, URLs\r\n2020-07-31: Word attachments, URLs\r\n2020-08-05: Word attachments, URLs\r\n2020-08-06: Word attachments, URLs\r\n2020-08-07: Word attachments, URLs\r\n2020-08-10: Word attachments, URLs\r\n2020-08-11: Word attachments, URLs\r\n2020-08-12: Word attachments, URLs\r\n2020-08-13: Word attachments, URLs\r\n2020-08-14: Word attachments, URLs\r\n2020-08-17: Word attachments, URLs\r\n2020-08-18: Word attachments, URLs\r\nAttachments\r\nMost often an attachment is a Word document with macros, and less commonly a PDF. Other attachment types that the actor is known to use, specifically JScript or Zips, have not been observed since Emotet returned.\r\nThe Word attachments are first-stage downloaders that attempt to download the Emotet payload using macros from one of several (typically 5) hardcoded payload URLs. A new set of five payload URLs is seen periodically, as frequently as every 1 to 2 hours. Different documents may use the same set of 5 URLs. 
On any given day we observe up to 100 total payload URLs.\r\nNote: On August 18, 2020 we started observing Word files with 6 or 7 payload URLs.\r\nThe PDF attachments contain an embedded URL linking to a site hosting a similar macro Word document.\r\nFigure 6: TA542 most commonly uses Microsoft Word documents with macros. The actor periodically updates the visual lure used in the document. This collage shows two of the observed lures.\r\nFigure 7: Examples of PDF attachments observed.\r\nEmotet has a small library of templates for their PDF file names:\r\nFormat | Example\r\nreport.pdf | report.pdf\r\n[2 letters]-[4 digits] report p[1 number].pdf | qx-6971 report p2.pdf\r\nsoc report [date].pdf | soc report 07 21 2020.pdf\r\n[date]- balance \u0026 payment report.pdf | 2020_07- balance \u0026 payment report.pdf\r\nTable 3: PDF file names and format\r\nConversely, they have a large and varying library of file name templates that they use for the Word documents; the examples below represent a small fraction of the possibilities. 
Word attachment names are not always English; they may be in a language appropriate to the targeted geography.\r\nFormat | Example\r\n#[5 digits].doc | #04216.doc\r\n[5 digits] logistics rate con.doc | 00089 logistics rate con.doc\r\n[11 digits]_jul2020.doc | 10068100718_jul2020.doc\r\n[4 digits]-[5 digits]_county_report.doc | 1660-63745_county_report.doc\r\n[4 digits]-[5 digits]_city_report.doc | 1850-91171_city_report.doc\r\n[date]- balance \u0026 payment report.doc | 2020_07- balance \u0026 payment report.doc\r\n[date]- balance.doc | 2020_07- balance.doc\r\n[date]- report.doc | 2020_07- report.doc\r\n[date]- statement.doc | 2020_07- statement.doc\r\n[16 digits]_[date].doc | 2873890348491143_07202020.doc\r\n[4 digits]-[5 digits]_data sheet.doc | 4087-60384_data sheet.doc\r\nanexo.doc\r\narquivo.doc\r\nbank details and invoice.doc\r\nbiz_[11 digits].doc | biz_10039266887.doc\r\naugust invoice.doc\r\nform - [date].doc | form - aug 11, 2020.doc\r\nzahlungsschreiben_[date]_[10 digits].doc | zahlungsschreiben_2020_08_1147364050.doc\r\nswift_[date]_[10 digits].doc | swift_11_08_2020_6296415287.doc\r\nsepa_[date].doc | sepa_2020_08.doc\r\nreport [7 digits].doc | report 5557308.doc\r\npo#[6 digits] [date].doc | po#046325 110820.doc\r\npayment summary - ref id- d[5 digits].doc | payment summary - ref id- d28114.doc\r\nसंपर्क जानकारी.doc\r\nTable 4: Examples of Word document file names\r\nFile names that stood out: On August 7, Proofpoint saw attachment filenames that included “COVID-19” strings, such as “cd-8423 medical report covid-19.doc” and “covid-19 report 08 11 2020.doc”. These names are still in use at the time of writing.\r\nExtension mismatches: Some emails have attachment file names with a .docm, .rtf, or .zip extension, where they should be .doc extensions. This may be accidental or a deliberate attempt to evade detection. 
We did not do thorough testing, but we know that Microsoft Word can open some of these attachments without errors despite the mismatch. For example, Word 2010 can open the files with the .rtf extension.\r\nFigure 8: Example emails showing the extension mismatch\r\nURLs\r\nWe have not observed changes in the way that this actor embeds URLs in emails. The URLs are still frequently hosted on compromised sites, including vulnerable WordPress installations. The URLs hosted on compromised WordPress CMS sites are obvious to spot, as they are often hosted under “wp-content”, “wp-admin”, “wp-includes” and other similar folder structures. For other URLs it is not immediately obvious how the actor compromised the sites, since there is a range of servers (e.g. Apache, nginx, IIS), databases (e.g. MySQL), languages (e.g. PHP), libraries, plugins, eCommerce frameworks, etc.\r\nThe actor typically adds a nested structure of one or more folders on the compromised site and hosts a malicious PHP script that initiates the download of the payload. Currently we only observe URLs leading to Microsoft Word documents with macros.\r\nMalware: Emotet\r\nWe have not done extensive comparative reverse engineering and review of Emotet and its modules, but the components that we analyzed had very little change. Emotet still uses the same way to store configuration and the same network command and control protocol.\r\nWe confirmed open source reports of a change in the Emotet mail sending module, which now attaches benign attachments along with malicious attachments.\r\nEmotet Payload: Qbot\r\nQbot affiliate id “partner01” is the primary payload dropped by Emotet, seen almost daily. 
However, Emotet has previously delivered Qbot affiliate “hhhXX” on a few occasions, such as in March 2019, January 2019, May 2017, and April 2017. Before Emotet disappeared from the landscape, it primarily delivered The Trick affiliate “morXX” in January and February 2020.\r\nExample Qbot “partner01” sha256 hashes were observed between July 17 and August 18.\r\nExample Qbot configuration for the “7ca48480ca645ee2b83bf707893e84115f87ea6e327f369e40c4ab0afc8abe7a” sample:\r\nID: partner01\r\nTimestamp: 1597332272\r\n
Conclusion\r\nSince returning from an extended vacation, TA542 email campaigns are once again the most prevalent by message volume by a large margin, with only a few other actors coming close. They have introduced code changes to their malware, such as updates to the email sending module, and picked up a new affiliate payload to distribute (Qbot). They continue to experiment with delivery to new countries. 
Despite these changes, we also noted that many of their other methods and tooling have remained relatively unchanged from previous activity since their return. Current lures, delivery mechanisms, and widespread geographic targeting are all similar to what we have observed in the past. Whether they iterate and change their tactics or continue in the same manner, Emotet remains a highly dangerous threat.\r\nEmerging Threats + Emerging Threats Pro Signature\r\n2842317 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M9\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-summer-2020-return",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-summer-2020-return"
	],
	"report_names": [
		"comprehensive-look-emotets-summer-2020-return"
	],
	"threat_actors": [
		{
			"id": "e8e18067-f64b-4e54-9493-6d450b7d40df",
			"created_at": "2022-10-25T16:07:24.515213Z",
			"updated_at": "2026-04-10T02:00:05.018868Z",
			"deleted_at": null,
			"main_name": "Mummy Spider",
			"aliases": [
				"ATK 104",
				"Gold Crestwood",
				"Mummy Spider",
				"TA542"
			],
			"source_name": "ETDA:Mummy Spider",
			"tools": [
				"Emotet",
				"Geodo",
				"Heodo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "506404b2-82fb-4b7e-b40d-57c2e9b59f40",
			"created_at": "2023-01-06T13:46:38.870883Z",
			"updated_at": "2026-04-10T02:00:03.128317Z",
			"deleted_at": null,
			"main_name": "MUMMY SPIDER",
			"aliases": [
				"TA542",
				"GOLD CRESTWOOD"
			],
			"source_name": "MISPGALAXY:MUMMY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ac83159-1d9d-4db4-a176-97be6b7b07c9",
			"created_at": "2024-06-19T02:03:08.024653Z",
			"updated_at": "2026-04-10T02:00:03.672512Z",
			"deleted_at": null,
			"main_name": "GOLD CRESTWOOD",
			"aliases": [
				"Mummy Spider ",
				"TA542 "
			],
			"source_name": "Secureworks:GOLD CRESTWOOD",
			"tools": [
				"Emotet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434421,
	"ts_updated_at": 1775792143,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/55bd586adb0adaf1cd72dba31ae4ca70388c6686.pdf",
		"text": "https://archive.orkl.eu/55bd586adb0adaf1cd72dba31ae4ca70388c6686.txt",
		"img": "https://archive.orkl.eu/55bd586adb0adaf1cd72dba31ae4ca70388c6686.jpg"
	}
}