{
	"id": "005e76ae-ebf9-4a1c-910e-f4a12bca9610",
	"created_at": "2026-04-06T00:09:01.620591Z",
	"updated_at": "2026-04-10T13:11:48.289338Z",
	"deleted_at": null,
	"sha1_hash": "562ccfe770b228f27ae5f6bfa41faa192e3a43b6",
	"title": "Mummy Spider's Emotet Malware is Back After a Year Hiatus; Wizard Spider's TrickBot Observed in Its Return",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 504768,
	"plain_text": "Mummy Spider's Emotet Malware is Back After a Year Hiatus;\r\nWizard Spider's TrickBot Observed in Its Return\r\nBy Anomali Threat Research\r\nPublished: 2025-12-18 · Archived: 2026-04-05 13:07:58 UTC\n\nMummy Spider (TA542, Emotet) recently resumed their malicious activity with the notorious information-stealing\r\nmalware, Emotet, after a year-long hiatus.[1] As part of this return, the Emotet malware has been observed being delivered via\r\nthe TrickBot malware, which is organized by the Wizard Spider (TrickBot, UNC1878) group.[2]\r\nEmotet and TrickBot are dangerous families that have undergone numerous changes and upgrades over the years, with\r\nEmotet being first discovered in 2014 and TrickBot in 2016.[3] The longevity of these malware families, even with\r\ninternational law enforcement taking down Emotet infrastructure as of January 2021, showcases the relentless nature of\r\nthe threat actors behind them.\n\nTo help the community, especially with the online shopping season upon us, Anomali Threat Research has\r\nmade available two threat actor focused dashboards: Mummy Spider and Wizard Spider, for Anomali ThreatStream\r\ncustomers. The dashboards are preconfigured to provide immediate access and visibility into all known Mummy\r\nSpider and Wizard Spider indicators of compromise (IOCs) made available through commercial and open-source threat\r\nfeeds that users manage on ThreatStream.\r\nCustomers using ThreatStream, Anomali Match, and Anomali Lens are able to immediately detect any IOCs present in\r\ntheir environments and quickly consume threat bulletins containing machine-readable IOCs. This enables analysts to\r\nquickly operationalize threat intelligence across their security infrastructures, as well as communicate to all\r\nstakeholders if/how they have been impacted.\r\nAnomali recently added thematic dashboards that respond to significant global events as part of ongoing product\r\nenhancements that further automate and speed essential tasks performed by threat intelligence and security operations\r\nanalysts. In addition to Mummy Spider and Wizard Spider, ThreatStream customers currently have access to multiple\r\ndashboards announced as part of our November quarterly product release.\r\nCustomers can integrate the Mummy Spider and Wizard Spider dashboards, among others, in the “+ Add Dashboard”\r\ntab in the ThreatStream console:\r\nEndnotes\r\n[1] “#Emotet has almost doubled its botnet C2 infrastructure in the past 24 hours from 8 active C2s yesterday to 14\r\nactive C2s today…,” abuse.ch, accessed November 22, 2021, published November 16, 2021,\r\nhttps://twitter.com/abuse_ch/status/1460649241454563341; “Another Update on #Emotet E4 distro - We are now\r\nseeing URL based lures for the document downloads…,” Cryptolaemus, accessed November 22, 2021, published\r\nNovember 17, 2021, https://twitter.com/Cryptolaemus1/status/1460870766518484993.\r\n[2] Luca Ebach, “Guess who’s back,” cyber.wtf, accessed November 22, 2021, published November 15, 2021,\r\nhttps://cyber.wtf/2021/11/15/guess-whos-back/; “Emotet is back. Here’s what we know.,” Intel471 Blog, accessed\r\nNovember 22, published November 16, 2021, https://intel471.com/blog/emotet-is-back-2021.\r\n[3] Alina Georgiana Petcu, “Emotet Malware Over the Years: The History of an Infamous Cyber-Threat,” Heimdal\r\nSecurity Blog, accessed November 22, 2021, published April 29, 2021, https://heimdalsecurity.com/blog/emotet-malware-history/; Hugh Aver, “New tricks of the Trickbot Trojan,” Kaspersky Blog, accessed November 22, 2021,\r\npublished October 19, 2021, https://www.kaspersky.com/blog/trickbot-new-tricks/42622/#:~:text=Exactly%20five%20years%20ago%2C%20in,credentials%20for%20online%20banking%20services.\r\nSource: https://www.anomali.com/blog/mummy-spiders-emotet-malware-is-back-after-a-year-hiatus-wizard-spiders-trickbot-observed-in-its-return",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.anomali.com/blog/mummy-spiders-emotet-malware-is-back-after-a-year-hiatus-wizard-spiders-trickbot-observed-in-its-return"
	],
	"report_names": [
		"mummy-spiders-emotet-malware-is-back-after-a-year-hiatus-wizard-spiders-trickbot-observed-in-its-return"
	],
	"threat_actors": [
		{
			"id": "12211366-1f14-4eed-9d91-46b6a2ede618",
			"created_at": "2025-08-07T02:03:25.014713Z",
			"updated_at": "2026-04-10T02:00:03.624097Z",
			"deleted_at": null,
			"main_name": "GOLD ULRICK",
			"aliases": [
				"Grim Spider ",
				"UNC1878 "
			],
			"source_name": "Secureworks:GOLD ULRICK",
			"tools": [
				"Bloodhound",
				"Buer Loader",
				"Cobalt Strike",
				"Conti",
				"Diavol",
				"PowerShell Empire",
				"Ryuk",
				"SystemBC",
				"Team9 (aka BazarLoader)",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e8e18067-f64b-4e54-9493-6d450b7d40df",
			"created_at": "2022-10-25T16:07:24.515213Z",
			"updated_at": "2026-04-10T02:00:05.018868Z",
			"deleted_at": null,
			"main_name": "Mummy Spider",
			"aliases": [
				"ATK 104",
				"Gold Crestwood",
				"Mummy Spider",
				"TA542"
			],
			"source_name": "ETDA:Mummy Spider",
			"tools": [
				"Emotet",
				"Geodo",
				"Heodo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ab9d6b30-7c60-4d0b-8f49-e2e913c28508",
			"created_at": "2022-10-25T16:07:24.584775Z",
			"updated_at": "2026-04-10T02:00:05.042135Z",
			"deleted_at": null,
			"main_name": "UNC1878",
			"aliases": [],
			"source_name": "ETDA:UNC1878",
			"tools": [
				"Agentemis",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"KEGTAP",
				"Ryuk",
				"Team9Backdoor",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "506404b2-82fb-4b7e-b40d-57c2e9b59f40",
			"created_at": "2023-01-06T13:46:38.870883Z",
			"updated_at": "2026-04-10T02:00:03.128317Z",
			"deleted_at": null,
			"main_name": "MUMMY SPIDER",
			"aliases": [
				"TA542",
				"GOLD CRESTWOOD"
			],
			"source_name": "MISPGALAXY:MUMMY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0a4f4edc-ea8c-4a30-8ded-35394e29de01",
			"created_at": "2023-01-06T13:46:39.178183Z",
			"updated_at": "2026-04-10T02:00:03.23716Z",
			"deleted_at": null,
			"main_name": "UNC1878",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC1878",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ac83159-1d9d-4db4-a176-97be6b7b07c9",
			"created_at": "2024-06-19T02:03:08.024653Z",
			"updated_at": "2026-04-10T02:00:03.672512Z",
			"deleted_at": null,
			"main_name": "GOLD CRESTWOOD",
			"aliases": [
				"Mummy Spider ",
				"TA542 "
			],
			"source_name": "Secureworks:GOLD CRESTWOOD",
			"tools": [
				"Emotet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434141,
	"ts_updated_at": 1775826708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/562ccfe770b228f27ae5f6bfa41faa192e3a43b6.pdf",
		"text": "https://archive.orkl.eu/562ccfe770b228f27ae5f6bfa41faa192e3a43b6.txt",
		"img": "https://archive.orkl.eu/562ccfe770b228f27ae5f6bfa41faa192e3a43b6.jpg"
	}
}