{
	"id": "bfc1ff9e-a96a-4f8f-a7fd-2d975dc973f8",
	"created_at": "2026-04-06T00:07:03.219135Z",
	"updated_at": "2026-04-10T03:23:51.109595Z",
	"deleted_at": null,
	"sha1_hash": "5766e6aea95e738684d5cc26568bf7cd3abc67d9",
	"title": "Emotet back in action after short break | Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1840726,
	"plain_text": "Emotet back in action after short break | Blog\r\nBy Atinderpal Singh, Abhay Kant Yadav\r\nPublished: 2019-10-30 · Archived: 2026-04-05 19:35:07 UTC\r\nIt’s common for cybercriminals to launch an attack, then shortly thereafter stop the campaign before they are detected. These breaks also give these bad actors a chance to change tactics to, once again, attempt to avoid detection. That’s what operators using the Emotet malware did, taking a short break before bringing Emotet back in a new, more dangerous form.\r\nEmotet operators took about a two-month break as command and control (C\u0026C) servers went down in late May and came back online around the end of August. Then, we began observing a new version of this malware around mid-September.\r\nEmotet started as a banking trojan in 2014. However, it has morphed into a very prominent threat. Now, it is mostly used for spamming and downloading additional malware threats on a target system. Based on the unique sample count of malware threats seen by the Zscaler Cloud Sandbox, Emotet and its downloaders appear to be among the most prevalent threats in 2019, followed by banking trojans and loaders, such as TrickBot and Ursnif, remote-access trojans (RATs), and off-the-shelf password stealers, such as LokiBot and AZORult.\r\nEmotet is modular by design, as it supports multiple modules for different tasks, such as stealing information, spamming, and more. It is also known to download and to be downloaded by other malware families, such as TrickBot and Ursnif. It has also been associated with the Ryuk ransomware.\r\nEmail conversation hijacking\r\nThis year, Emotet employed a new tactic of using stolen email content in spam campaigns. The hijacking of existing email threads can be very effective as recipients are tricked into believing that the email was sent by the other person in the email thread. This trust factor can lead to the victim opening the email (and attachment) and getting infected with Emotet, effectively making the infected system part of an Emotet botnet.\r\nFigure 1: Emotet activity from the beginning of June 2019 to mid-September 2019.\r\nFigure 2: The new Emotet campaign after the break.\r\nNew campaign, new document templates, and new botnets?\r\nWe observed the following new templates in spammed malicious documents (maldocs) during this new campaign.\r\nFigures 3 and 4: New macro templates (Product Notice and Protected View)\r\nEarlier, there were two Emotet botnets, known as Epoch 1 (E1) and Epoch 2 (E2), that were using unique RSA keys to communicate with their C\u0026C. After the break, we noticed three new RSA keys being used, which suggests the possibility of a botnet splitting into multiple botnets. Earlier keys were no longer seen in use and the latest three keys are now being used, which means operators are reorganizing their botnet infrastructure.\r\nAlready existing RSA keys\r\nNew RSA keys\r\nFigure 5: Emotet RSA keys used before and after the break.\r\nRSA1 and RSA2 were used before the break. In this new campaign, we saw Emotet using RSA3, RSA4, and RSA5. (1, 2, 3, 4, and 5 are assigned based on their first observation sequence in the wild.)\r\nBefore the break, the two RSA keys didn't share any C\u0026C infrastructure. In this new campaign, two sub-botnets are sharing some infrastructure (as shown in the following screenshots).\r\nFigure 6: Emotet RSA keys and C\u0026C infrastructure before the break.\r\nFigure 7: RSA keys and C\u0026C infrastructure of the new Emotet campaign.\r\nIf we check the overall C\u0026C infrastructure and RSA key relationships before and after the break, we can clearly see a reorganization of the C\u0026C infrastructure, which is now divided among three new Epochs. One Epoch is divided into two while the other one is used to create a single botnet with some new C\u0026Cs.\r\nFigure 8: The Emotet RSA key and C\u0026C infrastructure relationships before and after the break.\r\nEmotet Downloader payload - Technical analysis\r\nThe Emotet infection cycle generally starts with spam emails containing malicious macro documents that drop a JavaScript file. This JavaScript file further downloads the Emotet payload from a compromised WordPress website. Almost all the samples we observed were served from compromised WordPress websites (mostly version 5.2.3).\r\nWe will take a look at one such malicious document for the purpose of analysis here:\r\nMD5 – 359696113a2156617c28d4f79cc7d44b (“file 20190924 LTR6051.doc”)\r\nThe macro in the documents is quite simple and straightforward but contains lots of junk.\r\nFigure 9: Macro code containing junk instructions.\r\nAfter removing the junk, this is how the macro code looks.\r\nFigure 10: Cleaned macro code.\r\nIt gets its text from TextBox1 in UserForm2, then saves that in a \"JS\" file before executing that file.\r\nFigure 11: A user form containing JavaScript code.\r\nThis JavaScript file is heavily obfuscated, and more obfuscation is being added to the \"JS\" code incrementally: in earlier versions of this downloader, some of the strings and function names were readable, whereas now almost every string is obfuscated.\r\nFigure 12: Heavily obfuscated script\r\nThis script contains an array of strings in variable “a.” First, the elements of the array are shuffled using an anonymous function just after the array definition. Then there is function “b,” which is used to decrypt strings and is extensively used throughout the script. Using this function, we can log the decrypted strings just before they return. Some of the interesting strings include:\r\n\\+\\+ *(?:_0x(?:[a-f0-9]){4,6}|(?:\\b|\\d)[a-z0-9]{1,4}(?:\\b|\\d))\r\nwhile (true) {}\r\nreturn (function()\r\n{}.constructor(\"return this\")( )\r\n4|0|7|5|3|1|8|2|6\r\n2|1|0|6|3|5|4\r\nsplit\r\ndebug\r\nerror\r\nexception\r\ntrace\r\nhttp://thewomentour.com/wp-includes/f8yezb9/\r\nWScript.Shell\r\nResponseBody\r\nActiveXObject\r\nhttps://www.marquedafrique.com/k9c5qh/eb1wiw8192/\r\nScripting.FileSystemObject\r\nCreateObject\r\nhttps://thecrystaltrees.com/nofij3ksa/o5523/\r\nhttp://4excellent.com/wp-includes/ii950106/\r\nWScript.Shell\r\nPopup\r\nMSXML2.XMLHTTP\r\nGET\r\nopen\r\nsend\r\nhttp://www.davidleighlaw.com/wp-content/wlfsj15707/\r\nPosition\r\nOpen\r\nType\r\nSaveToFile\r\nrandom\r\ntoString\r\nsubstr\r\n0|1|3|4|2\r\n11|15|13|4|6|9|8|7|5|0|2|3|1|10|16|14|12\r\nreturn (function()\r\n{}.constructor(\"return this\")( )\r\n7|2|8|0|5|1|4|6|3\r\n2|0|3|4|1\r\n0|14|11|8|3|6|13|9|5|2|1|12|4|10|7\r\nNot Supported File Format\r\nThere was an error opening this document. The file is damaged and could not be repaired (for example, it was sent as an email attachment and wasn't correctly decoded).\r\nThe script's functionality can be clearly determined from the decrypted strings. It downloads, saves, and runs its payload from a list of URLs and shows the following message box to trick a user into believing the file is corrupt:\r\nFigure 13: An error message to trick a user into believing the file is corrupt.\r\nThere are multiple URLs embedded in the script files. The following URLs were extracted from this script:\r\nhttp://thewomentour[.]com/wp-includes/f8yezb9/\r\nhttps://www[.]marquedafrique[.]com/k9c5qh/eb1wiw8192/\r\nhttps://thecrystaltrees[.]com/nofij3ksa/o5523/\r\nhttp://4excellent[.]com/wp-includes/ii950106/\r\nhttp://www[.]davidleighlaw[.]com/wp-content/wlfsj15707/\r\nIn this case, the Emotet loader is downloaded from “http://thecrystaltrees[.]com/nofij3ksa/o5523/” (MD5 – 402b20268d64acded1c48ce760c76c47).\r\nThe Emotet loader has already been extensively analyzed and blogged about, so we won't be getting into technical details of the loader here. Below are artifacts extracted from this sample:\r\nRSA key extracted from this sample:\r\n-----BEGIN PUBLIC KEY-----\r\n\\nMHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOzoTryw1r9RxRJPFKalO4+q7JaDZWSB\\nKZlEc22H6ITuE06tvJspue42TF1yk8xN+1bqW++QeV\r\n----END PUBLIC KEY-----\r\nC\u0026C server addresses from the sample:\r\nConclusion\r\nEmotet is an ever-evolving threat, employing new tricks and tactics. Although it started as a banking trojan, Emotet is now associated with several different malware campaigns, including ransomware and infostealers. The Zscaler ThreatLabZ team proactively tracks and ensures coverage to block downloaders, payloads, and C\u0026C activity from Emotet and other threats.\r\nThreatLabZ is the research division of Zscaler. To learn more about ThreatLabZ and Zscaler cloud activity, visit https://www.zscaler.com/threatlabz/cloud-activity-dashboard\r\nSource: https://www.zscaler.com/blogs/research/emotet-back-action-after-short-break",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/research/emotet-back-action-after-short-break"
	],
	"report_names": [
		"emotet-back-action-after-short-break"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434023,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5766e6aea95e738684d5cc26568bf7cd3abc67d9.pdf",
		"text": "https://archive.orkl.eu/5766e6aea95e738684d5cc26568bf7cd3abc67d9.txt",
		"img": "https://archive.orkl.eu/5766e6aea95e738684d5cc26568bf7cd3abc67d9.jpg"
	}
}