{
	"id": "0409fc0d-5d76-4316-9118-b3a51b42b8c2",
	"created_at": "2026-04-06T00:13:07.196098Z",
	"updated_at": "2026-04-10T13:11:44.419034Z",
	"deleted_at": null,
	"sha1_hash": "59378899238ff927f193794670b471341106e640",
	"title": "Bruised but Not Broken: The Resurgence of the Emotet Botnet Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2174172,
	"plain_text": "Bruised but Not Broken: The Resurgence of the Emotet Botnet Malware\r\nBy Adolph Christian Silverio, Jeric Miguel Abordo, Khristian Joseph Morales, Maria Emreen Viray\r\nPublished: 2022-05-19 · Archived: 2026-04-05 20:35:37 UTC\r\nThe Emotet botnet malware is well known in the cybersecurity industry for its success in using spam emails to compromise machines and then selling access to these machines as part of its infamous malware-as-a-service (MaaS) scheme. Operators behind notorious threats such as the Trickbot trojan and the Ryuk or Conti ransomware are among the malicious actors who have used the botnet malware in their attacks.\r\nBut in January 2021 came news of Emotet’s dismantling, dubbed Operation Ladybird, during which law enforcement agencies from Canada, France, Germany, Lithuania, the Netherlands, Ukraine, the UK, and the US worked in concert to seize control of Emotet’s infrastructure. In spite of this, the botnet malware proved quite resilient, and it resurfaced in November 2021. According to researchers at AdvIntel, its return was greatly influenced by Conti’s operators, who sought to continue their partnership with the operators of Emotet, as the botnet malware had played an integral role in the ransomware’s initial access phase.\r\nDuring the first quarter of 2022, we discovered a significant number of infections in various regions (Figure 1) and across different industries (Figure 2) using multiple new Emotet variants. Based on our telemetry, a large percentage of the infected customers were in Japan, followed by countries in the Asia-Pacific and EMEA (Europe, the Middle East, and Africa) regions. It is possible that the operators behind Emotet targeted profitable industries like manufacturing and education to attract the attention of other malicious actors as potential customers for their MaaS offering.\r\nFigure 1. Emotet infections by region during the first quarter of 2022\r\nhttps://www.trendmicro.com/en_us/research/22/e/bruised-but-not-broken--the-resurgence-of-the-emotet-botnet-malw.html\r\nPage 1 of 13\r\nFigure 2. Emotet infections by industry during the first quarter of 2022\r\nIn with the new\r\nWe observed that this surge in Emotet spam campaigns used both old and new techniques to trick their intended victims into accessing malicious links and enabling macro content. The newer Emotet samples we analyzed retained the same initial downloader as the one found in previous campaigns. However, these more recent samples used Excel 4.0 macros, an old Excel feature, to execute their download routines (Figure 3), as opposed to Emotet’s previous use of Visual Basic for Applications (VBA).\r\nFigure 3. Emotet’s Excel lures\r\nEmotet employs various obfuscation techniques to evade detection of the malicious Excel file. One such technique is its use of the .ocx file name extension (Figure 4) and carets (Figures 12 and 13) in URLs, which allow Emotet to sidestep detection methods that look for specific command-line keywords or extensions.\r\nFigure 4. Emotet using Excel 4.0 macros and the .ocx file name extension for its payload\r\nWe also observed that some of the recent Emotet samples drop BAT (batch) files (Figures 5 and 6) and VBScript files (Figures 7 and 8) to execute their download routines.\r\nFigure 5. An obfuscated BAT file\r\nFigure 6. A deobfuscated BAT file (Figure 5) that downloads Emotet’s payload via PowerShell\r\nFigure 7. An obfuscated VBScript file\r\nFigure 8. A deobfuscated VBScript file (Figure 7) that downloads Emotet’s payload via PowerShell\r\nUnlike past variants, the recent Emotet samples behave in a more straightforward way, directly downloading and executing their payloads. These samples use regsvr32.exe under the SysWow64 folder to execute their payloads, which ensures that the malware runs in a 64-bit environment using the 32-bit binary. This suggests that Emotet now targets only 64-bit machines, which is in line with the recent news of Emotet’s switch to 64-bit loaders.\r\nWe also discovered that the recent Emotet samples employ LNK (link) files to download 64-bit loaders (Figure 9). These allow Emotet to directly execute PowerShell commands for payload execution. For each infection, the LNK file creates a PS1 file via PowerShell, which is then used to download and run Emotet’s payload (Figures 10 and 11).\r\nFigure 9. Emotet’s malicious LNK file\r\nFigure 10. The executed command from Emotet’s malicious LNK file\r\nFigure 11. The deobfuscated command from Emotet’s malicious LNK file (Figure 10)\r\nAnother notable behavior we observed in the samples of these new Emotet variants was their use of hexadecimal (Figure 12) and octal (Figure 13) representations of the IP addresses they connected to, as we reported in a previous blog entry. Using these formats to obscure the URLs enables these new variants to circumvent pattern-matching detection methods, thereby allowing the execution of their download routines.\r\nFigure 12. A hex representation of the Emotet URL (with carets)\r\nFigure 13. An octal representation of the Emotet URL (with carets)\r\nEmotet’s payload\r\nEmotet’s older 32-bit variants use seven core commands. But the recent Emotet samples are of 32-bit variants that use only six core commands and 64-bit variants that use only five, as shown in Table 1.\r\nCommand | Execution method of 32-bit variants | Execution method of 64-bit variants\r\n1 | Download and execute DLL with regsvr32.exe with parameter: %Windows%\\regsvr32.exe /s {Installation folder}\\{random}.dll {Base64-encoded string of (randomly created installation folder)}\\(file name of dropped copy) | Download and execute DLL with regsvr32.exe: %Windows%\\regsvr32.exe {Installation folder}\\{random}.dll {Base64-encoded string of (randomly created installation folder)}\\(file name of dropped copy)\r\n2 | Execute shellcode via CreateThread | Execute shellcode via CreateThread\r\n3 | Download EXE file and execute it using CreateProcessW (non-admin): {Installation folder}\\{random}.exe | Download EXE file and execute it using CreateProcessW (non-admin): {Installation folder}\\{random}.exe\r\n4 | Download EXE file and execute it using CreateProcessAsUserW (admin): {Installation folder}\\{random}.exe | Download EXE file and execute it using CreateProcessAsUserW (admin): {Installation folder}\\{random}.exe\r\n5 | Execute shellcode via CreateThread | Load module in memory and execute exported function (via LoadLibraryA and GetProcAddress)\r\n6 | Download and execute DLL with regsvr32.exe: %Windows%\\regsvr32.exe /s {Installation folder}\\{random}.dll | (not present in 64-bit variants)\r\nNote: {Installation folder} could be %AppDataLocal%\\{random} (non-admin) or %System%\\{random} (admin), depending on the mode of execution.\r\nTable 1. A list of core commands used by the newer Emotet samples\r\nOur analysis of the recent samples showed that Emotet’s use of rundll32.exe for execution between November 2021 and January 2022 had been phased out, replaced by the “regsvr32.exe /s” command as of February 2022. Nonetheless, Emotet employs a modular architecture for its other payloads. Based on this, we can still infer that the samples have the same infection chain as in previous Emotet-related campaigns, with some variants opting to include the gathering of running processes as part of their modules instead of their main routine (Figure 14).\r\nFigure 14. Emotet’s infection chain\r\nThe reappearance of Emotet is also notable because its operators have since added Cobalt Strike, a well-known penetration-testing tool, to its arsenal. This poses a bigger risk for target enterprises, as the integration of Cobalt Strike provides more flexibility for Emotet’s MaaS partners to gain a foothold in an intended victim’s systems. With these new features, we expect to see in the coming months a continuous stream of Emotet cases and the delivery of other malware used in Emotet’s MaaS scheme.\r\nSimilarities with QakBot\r\nSince January, we have received and analyzed 300 submissions of the QakBot loader (Figure 15), and our investigation has revealed that its attack chain shares many similarities with that of Emotet (Figure 16).\r\nFigure 15. Emotet and QakBot submissions from January to April 2022\r\nFigure 16. A comparison of QakBot and Emotet’s attack chains\r\nQakBot spam messages attempt to deceive their intended victim into clicking a download link, which is usually a OneDrive URL (Figure 17). An Emotet spam message, on the other hand, poses as a forwarded email that has a password-protected archive attachment (Figure 18).\r\nFigure 17. A QakBot spam message containing a malicious download link\r\nFigure 18. An Emotet spam message containing a password-protected archive attachment\r\nQakBot infections start with the intended victim downloading a malicious Excel file with an .xlsb file name extension (Figure 19). Emotet infections also involve an Excel file, but with an .xlsm file name extension (Figure 20).\r\nFigure 19. The malicious Excel file in a QakBot attack\r\nFigure 20. The malicious Excel file in an Emotet attack\r\nAnother key difference between the two pieces of malware is that the macro sheets embedded in QakBot’s downloader samples contain links with the .png file name extension in the URLs (Figure 21), while Emotet links do not (Figure 22). This is a means for QakBot to evade detection, as using a common file name extension like .png makes QakBot URLs less suspicious.\r\nFigure 21. The URLs in a QakBot macro sheet\r\nFigure 22. The URLs in an Emotet macro sheet\r\nAlthough the Excel files in both QakBot (Figure 23) and Emotet (Figure 24) infections employ regsvr32.exe to execute their payloads, only QakBot drops its payload in a folder with a random five-character name that is located in the C:\\ drive (Figure 25). Emotet, on the other hand, drops its payload in the parent directory of its downloader (Figure 26).\r\nFigure 23. QakBot’s use of regsvr32.exe to execute its payload\r\nFigure 24. Emotet’s use of regsvr32.exe to execute its payload\r\nFigure 25. QakBot dropping its malicious payload in a folder in C:\\\r\nFigure 26. Emotet dropping its malicious payload in a folder\r\nSecurity recommendations\r\nFor enterprises to avoid falling victim to spam emails used in Emotet and QakBot campaigns, user awareness training for employees should be expanded to address email reply chain attacks. Security practices that can mitigate the risk of infection include:\r\nEnsuring that macros are disabled in Microsoft Office applications\r\nHovering over embedded links to check the URLs before opening them\r\nBeing wary of unfamiliar email addresses, mismatched email addresses and sender names, and spoofed company emails, all of which are telltale signs that the sender has malicious intent\r\nRefraining from downloading any email attachments without verifying the sender’s identity\r\nEnabling advanced detection capabilities, such as predictive machine learning\r\nUsers and businesses can defend themselves against threats like Emotet using endpoint solutions such as Trend Micro’s Smart Protection Suites and Worry-Free Business Security solutions, which have behavior-monitoring capabilities that can detect malicious files, scripts, and messages, and block all related malicious URLs. The Trend Micro™ Deep Discovery™ solution also has a layer for email inspection that can protect enterprises by detecting malicious attachments and URLs.\r\nAdditional insights by Jett Paulo Bernardo, Arianne Dela Cruz, Dexter Esteves, Gerald Fernandez, Mark Marti, Ryan Pagaduan, and Louella Darlene Sevilla\r\nIndicators of compromise (IOCs)\r\nSHA-256 | Description | Detection name\r\n48426fd5c5be7a8efdbbf2d9f0070626aa9bfe9734aab9278ddd293e889a19cc | Emotet sample using Excel 4.0 macros | Trojan.XF.EMOTET.YJCCXB\r\ne9bf38414636c6cef4cc35fad5523de205eca815b979ed36e96a7e6166a58370 | Emotet payload | TrojanSpy.Win32.EMOTET.YJCC\r\n5c4f33e22f9def7f7fea863e08c38f6a8b4ea9fcc78911c23bb54c4fdf4590e1 | Hexadecimal IP address sample | Trojan.XF.EMOTET.SMYXBLAA\r\ne961e46fe0000505f4534e036a9d1d2a59823cf644438a2733ab659e9c22988b | Octal IP address sample | Trojan.XF.EMOTET.SMYXBLAA\r\nSource: https://www.trendmicro.com/en_us/research/22/e/bruised-but-not-broken--the-resurgence-of-the-emotet-botnet-malw.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/e/bruised-but-not-broken--the-resurgence-of-the-emotet-botnet-malw.html"
	],
	"report_names": [
		"bruised-but-not-broken--the-resurgence-of-the-emotet-botnet-malw.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434387,
	"ts_updated_at": 1775826704,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/59378899238ff927f193794670b471341106e640.pdf",
		"text": "https://archive.orkl.eu/59378899238ff927f193794670b471341106e640.txt",
		"img": "https://archive.orkl.eu/59378899238ff927f193794670b471341106e640.jpg"
	}
}