{
	"id": "bc246f4f-511c-46ba-b795-d5d32e206608",
	"created_at": "2026-04-06T00:17:26.458847Z",
	"updated_at": "2026-04-10T03:23:51.861753Z",
	"deleted_at": null,
	"sha1_hash": "6508083a25289a2f48f383ac2f62810f7b8651cb",
	"title": "Emotet strikes Quebec’s Department of Justice: An ESET Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 194059,
	"plain_text": "Emotet strikes Quebec’s Department of Justice: An ESET Analysis\r\nBy Gabrielle Ladouceur Despins\r\nArchived: 2026-04-05 19:19:34 UTC\r\nCybercrime\r\nThe cyberattack, which affected 14 inboxes belonging to the Department of Justice, was confirmed by ESET researchers\r\n16 Sep 2020 • 6 min. read\r\nESET's team of malware researchers in Montreal, in collaboration with journalist Hugo Joncas, helped shed light on a cyberattack that affected the Quebec Department of Justice. \r\nIndeed, on August 11 and 12, the Department of Justice suffered a cyberattack in which threat actors used malicious software to compromise 14 inboxes under the Department's jurisdiction. The attackers were thus able to access the emails addressed to these mailboxes. Alexis Dorais-Joncas (no relation), director of ESET's R\u0026D office in Montreal, reported that the hackers used a version of the Emotet malware, whose malicious campaigns have been running for several years. \r\nhttps://www.welivesecurity.com/2020/09/16/emotet-quebec-department-justice-eset/\r\nPage 1 of 5\n\nIn the case of this latest attack, the hackers used the stolen information to spread their malware in a particularly insidious manner. Cybercriminals sent seemingly legitimate messages to those who had contacted the afflicted mailboxes, apparently originating from the Department, and included malicious attachments. \"We have to assume that all messages sent to these accounts were stolen,\" says Dorais-Joncas. \r\nIn addition to the data of citizens who contacted the department, the union Syndicat de professionnelles et professionnels du gouvernement du Québec points out that \"the hackers allegedly stole the personal information of approximately 300 active and inactive employees (retired or now working elsewhere). 
\" \r\nESET telemetry shows a significant peak in Emotet detections in Canada during August 2020, the period in which the Department of Justice was targeted. Given the modus operandi of Emotet's campaigns, it is likely that other companies and organizations were also targeted. \r\nA strategy in case of security incidents, an asset for your organization \r\nThis is a good time, as always, to develop or review your organization's strategy in the event of a security incident. Whatever the type of emergency, planning is your ally. Just like your fire plan, your security incident strategy will ensure a more effective and coordinated response when needed. And unlike your fire escape plan, when it comes to cyberattacks, the question is not whether you will use your plan, but when.\r\nYou may not think your organization would be a potential target for bad actors, but think again. If you have electronic data, it has value to cybercriminals, regardless of your organization's size, industry or revenue. \r\nAccording to Dorais-Joncas: \"The incident at the Department of Justice is a reminder to all organizations dealing with personal data. An information leak is not always the result of a targeted and sophisticated attack. Indeed, the simple act of opening a malicious attachment can lead to the theft of the entire contents of the email inbox. A prepared organization can quickly circumscribe the breach, identify the extent of the damage and go into notification mode to warn people whose personal data has been compromised.\" \r\nRELATED READING: Now is the best time to craft your breach response \r\nYour security breach strategy should contain several important elements. Here are some key elements to include: \r\nThe first step in your action plan should be to assess the extent of the attack. 
Don't just rely on intuition - or worse, magical thinking! - when it comes to determining this. There is no substitute for an analysis of the problem. Points to check include:\r\nWhich systems were affected and how?\r\nWere any data stolen? What types of data? Does it affect clients, staff, partners?\r\nIs the incident limited to certain devices only, or does it also affect sub-networks?\r\nDetermine which key teams and individuals within the organization will be involved in this analysis.\r\nThen you will want to do business continuity planning. This is where transparent communication becomes essential. It's never easy to notify customers and employees of a data breach that threatens their data. Creating a response template now can help you focus your team's efforts on providing timely and accurate information. Your plan should include contacting potential victims regularly to keep them informed of the situation, rather than waiting until the investigation is complete.\r\nIf the cyberattack is still ongoing, you will then need a containment plan. This begins by isolating the equipment that you know has been compromised, following the first step in your strategy. Isolate the subnets, devices and systems affected by the incident to prevent the problem from spreading throughout the organization. You will then be able to eradicate the attack; make sure to remove the vulnerability(ies) that made the cyberattack possible. Your plan should also cover resetting passwords and any other credentials the attackers might have had access to, since, as Dorais-Joncas notes above, every message sent to a compromised mailbox has to be assumed stolen.\r\nAfter a data breach, companies often offer their customers enhanced security measures to help mitigate any damage that may have been caused. In the case of credit monitoring, it makes sense to offer it only after an attack. 
Plan for the steps your organization can take, both before and after an incident, to protect the security and privacy of customers in the event of an attack.\r\nTest your plan regularly and prepare your analysis and response feedback. For example, Emotet's campaigns usually start with an employee opening a message containing malicious content, so a test of the plan can start from that scenario. Once the malware has been completely removed from the organization's systems, more in-depth cybersecurity training for all staff can prevent further compromise. \r\nWhat if my personal information has been breached?\r\nThere is always concern if you suspect that you may have been the victim of a data breach like this. However, users who have contacted the Department by email do not have to wait to receive notification from the Department, if one is forthcoming. Simple security measures, and increased attention, are your best allies.\r\nAlexis Dorais-Joncas explains: \"If you have exchanged emails with the Registries and Certification Branch of the Department of Justice in the past, you need to be even more vigilant than usual. If you receive an email that appears to be from the Department and contains an attachment, do not open it. Instead, contact the Department by telephone to confirm whether or not the communication is legitimate.\" These tips echo the Department’s press release, which invites the public to contact their Client Contact Centre at 1-866-536-5140 (option 4) for any inquiries regarding this incident. \r\nRELATED READING: Would you get hooked by a phishing scam? Test yourself \r\nIf you are concerned that your personal information may have been stolen as part of this Emotet campaign, or as a result of another security incident, here are some tips to follow. \r\nSpam campaigns such as Emotet's are transmitted through malicious attachments. 
Never open an attachment or hyperlink from a source you do not know. Even if the message seems urgent or legitimate at first glance, pay attention to details such as the sender's address, spelling mistakes, or demands for quick action. Note that in this campaign the malicious messages appeared to come from the Department itself and were addressed to people who had written to the compromised mailboxes, so a familiar-looking sender is not proof of legitimacy.\r\nVisit Have I Been Pwned. This service lets you check whether an email address appears in email and password lists that have been leaked online. The database is regularly updated and includes recently stolen emails and passwords. Keep in mind, however, that the absence of your address or passwords does not imply that your data has not been affected: they could appear on a list that the site has not yet indexed.\r\nSpeaking of passwords, be sure to use strong and separate passwords - or passphrases - for each of your accounts. Also change any passwords that may have been compromised. If you are concerned that you may have opened a malicious attachment, change the password associated with your email account.\r\nPay attention to any suspicious activity on all of your accounts, and especially to transactions made in your name. Following a major security breach, many organizations will offer you a credit monitoring service. This is what the Department decided, as they committed to offering this service to the victims of this breach.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/2020/09/16/emotet-quebec-department-justice-eset/"
	],
	"report_names": [
		"emotet-quebec-department-justice-eset"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434646,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6508083a25289a2f48f383ac2f62810f7b8651cb.pdf",
		"text": "https://archive.orkl.eu/6508083a25289a2f48f383ac2f62810f7b8651cb.txt",
		"img": "https://archive.orkl.eu/6508083a25289a2f48f383ac2f62810f7b8651cb.jpg"
	}
}