{
	"id": "c582244f-b46b-417d-b2a7-d1c64839be72",
	"created_at": "2026-04-06T00:14:17.617172Z",
	"updated_at": "2026-04-10T13:11:30.177123Z",
	"deleted_at": null,
	"sha1_hash": "6285c7aac3860661f90bbc3caf6c859a68ce5dc9",
	"title": "Emotet Sending Malicious Emails After Three-Month Hiatus",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 170096,
	"plain_text": "Emotet Sending Malicious Emails After Three-Month Hiatus\r\nArchived: 2026-04-05 13:24:43 UTC\r\nThe Cofense Intelligence team continues to see the Emotet malware family being leveraged across the threat\r\nlandscape. To protect against the many threats out there, it’s important to know about the various types of malware\r\nthat exist and how they have evolved over time. One of the most serious malware families is Emotet, a type of\r\nbanking trojan that has been around since 2014. We will cover the history of Emotet at the end of our findings.\r\nWhat is Emotet?\r\nEmotet was first discovered in 2014 by security researchers who were tracking a malicious network traffic pattern.\r\nIt was quickly identified as a Trojan virus that could gain access to computers through email attachments or\r\nmalicious links sent via email campaigns or social media messages. In worm-like fashion, it spread from one\r\ncomputer to another, stealing confidential information and personal data from unsuspecting users.\r\nAt first, Emotet was primarily used for financial fraud, stealing bank account numbers and credit card details from\r\nunsuspecting victims. But as its capabilities grew, so did its scope—from financial fraud to espionage and political\r\nsabotage. As other malicious actors became aware of the power of Emotet, they began using it to launch larger-scale attacks on businesses, government agencies, and even healthcare providers.\r\nRecent Key Findings:\r\nEmotet malicious email activity resumed Tuesday, March 7, 2023 at 8:00am EST.\r\nMalicious emails contain attached .zip files that are not password protected.\r\nThe attached .zip files deliver Office documents with malicious macros, which in turn download and\r\nexecute the Emotet .dll.\r\nIt is unclear how long this round of email activity will last, as periods of activity in 2022 varied widely.\r\nAfter several months of inactivity, the Emotet botnet resumed email activity this morning at 8:00am EST. The\r\nmalicious emails seem to be replying to already existing email chains, with the addition of an attached .zip file\r\n(Figure 1). The .zip files are not password protected. The themes of the attached files include finances and\r\ninvoices.\r\nhttps://cofense.com/blog/emotet-sending-malicious-emails-after-three-month-hiatus/\r\nPage 1 of 3\n\nFigure 1: Sample Emotet email with attached .zip file.\r\nThe .zip files attached to these recent Emotet emails contain an Office Document with macros (Figure 2). Once\r\nopened, the user is prompted to “Enable Content”, which will allow the malicious macros to run. The macros will\r\ndownload an Emotet .dll from an external site and execute it locally on the machine.\r\nFigure 2: Office document with macros to download and execute Emotet.\r\nIt is unclear how long this round of email activity will last. While an earlier round of activity in 2022 extended\r\nacross multiple weeks, the last round occurred over less than two weeks in November 2022, with more than three\r\nmonths of inactivity on either side.\r\nModern Emotet Attacks\r\nToday’s version of Emotet is even more sophisticated than its predecessors. It can now be used for ransomware\r\nattacks—where attackers encrypt files on computers until victims pay a ransom—and distributed denial-of-service\r\n(DDoS) attacks—where attackers overwhelm websites with traffic until they crash or become inaccessible for\r\nlegitimate visitors. Additionally, modern versions of Emotet are now able to steal passwords from web browsers\r\nand spread itself across networks without user interaction.\r\nCybersecurity professionals must stay up-to-date on the latest threats like Emotet so they can protect their\r\nnetworks against these dangerous forms of malware. While it is impossible to predict when and where new forms\r\nof malware will appear next, vigilance is key in mitigating any damage caused by these malicious actors before\r\nit’s too late.\r\nWith Cofense, you can take security to the next level by providing simulations that teach users about Emotet and\r\nhow to spot it. Current customers can log into PhishMe and simply search for “emotet” when creating a new\r\nscenario. There are multiple scenarios to choose from so you can create a bespoke playbook for training end users\r\non this threat and how to spot it. Cofense can take it a step further by removing malicious emails that contain\r\nEmotet malware automatically and before users even see them. If you are interested in learning more about\r\nEmotet and how Cofense can better train end users, please reach out to sales@cofense.com.\r\nSource: https://cofense.com/blog/emotet-sending-malicious-emails-after-three-month-hiatus/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cofense.com/blog/emotet-sending-malicious-emails-after-three-month-hiatus/"
	],
	"report_names": [
		"emotet-sending-malicious-emails-after-three-month-hiatus"
	],
	"threat_actors": [],
	"ts_created_at": 1775434457,
	"ts_updated_at": 1775826690,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6285c7aac3860661f90bbc3caf6c859a68ce5dc9.pdf",
		"text": "https://archive.orkl.eu/6285c7aac3860661f90bbc3caf6c859a68ce5dc9.txt",
		"img": "https://archive.orkl.eu/6285c7aac3860661f90bbc3caf6c859a68ce5dc9.jpg"
	}
}