{
	"id": "ad6ee20b-ea3a-441e-a05d-787d72f722e7",
	"created_at": "2026-04-06T00:11:33.617343Z",
	"updated_at": "2026-04-10T03:24:24.108406Z",
	"deleted_at": null,
	"sha1_hash": "63831bb429530b2e5d4f3f1415b73ef148ceca95",
	"title": "Emotet botnet switches to 64-bit modules, increases activity",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1994657,
	"plain_text": "Emotet botnet switches to 64-bit modules, increases activity\r\nBy Bill Toulas\r\nPublished: 2022-04-19 · Archived: 2026-04-05 21:16:26 UTC\r\nThe Emotet malware is seeing a burst in distribution and is likely to soon switch to new payloads that are currently detected by fewer antivirus engines.\r\nSecurity researchers monitoring the botnet observed that emails carrying malicious payloads increased tenfold last month.\r\nEmotet is a self-propagating modular trojan that can maintain persistence on the host. It is used for stealing user data, performing network reconnaissance, moving laterally, and dropping additional payloads, in particular Cobalt Strike and ransomware.\r\nhttps://www.bleepingcomputer.com/news/security/emotet-botnet-switches-to-64-bit-modules-increases-activity/\r\nIt has been spotted growing slowly but steadily since the beginning of the year, but its operators may be shifting up a gear now.\r\nSpike in distribution\r\nAccording to a report Kaspersky released today, Emotet activity saw a sharp rise from February to March, going from 3,000 to 30,000 emails.\r\nThe languages used in these messages include English, French, Hungarian, Italian, Norwegian, Polish, Russian, Slovenian, Spanish, and Chinese.\r\nAs for the themes, Emotet distributors are known for changing their topics regularly to take advantage of seasonal shifts in interest. This time it’s the Easter celebration they're taking advantage of.\r\nCheck Point also released a report, which ranked Emotet as the most prevalent and active malware in March 2022.\r\nEmotet email using Easter lures in many languages\r\n(Check Point)\r\nKaspersky mentions that the ongoing Emotet email distribution campaigns also employ discussion thread hijacking tricks, seen in Qbot campaigns linked to the same operators.\r\n“Cybercriminals intercept already existing correspondence and send the recipients an email containing a file or link, which often leads to a legitimate popular cloud-hosting service,” Kaspersky\r\n“The aim of the email is to convince users to either (i) follow the link and download an archived document and open it – sometimes using a password mentioned in the email, or (ii) simply open an email attachment,” the researchers note.\r\nBecause the threat actors have access to previous correspondence, it is reasonably easy for them to present the attachment as something the recipient would expect as a continuation of the discussion with colleagues.\r\nSwitch to 64-bit\r\nThe Cryptolaemus security research group, which keeps a sharp eye on Emotet botnet activity, said that the malware operators have also switched to 64-bit loaders and stealer modules on Epoch 4, one of the botnet's subgroups, which run on separate infrastructure. Previously, it relied on 32-bit code.\r\n#Emotet Update - Looks like Ivan laid an egg for easter and has been busy. As of about 14:00UTC today 2022/04/18 - Emotet on Epoch 4 has switched over to using 64-bit loaders and stealer modules. Previously everything was 32-bit except for occasional loader shenanigans. 1/x\r\n— Cryptolaemus (@Cryptolaemus1) April 19, 2022\r\nThe switch is not visible on Epoch 5, but the delay is expected, since Epoch 4 typically serves as a development test-bed for the Emotet operators, researchers from Cryptolaemus say.\r\nAlready, the detection rate for Epoch 4 has dropped by 60%, which is believed to be a direct result of this change.\r\nSource: https://www.bleepingcomputer.com/news/security/emotet-botnet-switches-to-64-bit-modules-increases-activity/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/emotet-botnet-switches-to-64-bit-modules-increases-activity/"
	],
	"report_names": [
		"emotet-botnet-switches-to-64-bit-modules-increases-activity"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434293,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/63831bb429530b2e5d4f3f1415b73ef148ceca95.pdf",
		"text": "https://archive.orkl.eu/63831bb429530b2e5d4f3f1415b73ef148ceca95.txt",
		"img": "https://archive.orkl.eu/63831bb429530b2e5d4f3f1415b73ef148ceca95.jpg"
	}
}