{
	"id": "22abfea6-d078-4767-97d4-1fde99bbc303",
	"created_at": "2026-04-06T00:15:43.320612Z",
	"updated_at": "2026-04-10T03:24:24.41432Z",
	"deleted_at": null,
	"sha1_hash": "690d1c187ea6ab6e649ec8ea7d52ee666454b8aa",
	"title": "Emotet now drops Cobalt Strike, fast forwards ransomware attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1060658,
	"plain_text": "Emotet now drops Cobalt Strike, fast forwards ransomware attacks\r\nBy Lawrence Abrams\r\nPublished: 2021-12-07 · Archived: 2026-04-05 23:49:57 UTC\r\nIn a concerning development, the notorious Emotet malware now installs Cobalt Strike beacons directly, giving threat actors immediate network access and making ransomware attacks imminent.\r\nEmotet is a malware infection that spreads through spam emails containing malicious Word or Excel documents. These documents use macros to download and install the Emotet Trojan on a victim's computer, which is then used to steal email and deploy further malware on the device.\r\nHistorically, Emotet would install the TrickBot or Qbot Trojans on infected devices. These Trojans would eventually deploy Cobalt Strike on an infected device or perform other malicious behavior.\r\nhttps://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks/\r\nPage 1 of 4\r\nCobalt Strike is a legitimate penetration testing toolkit that allows attackers to deploy \"beacons\" on compromised devices to perform remote network surveillance or execute further commands.\r\nHowever, Cobalt Strike is very popular among threat actors, who use cracked versions as part of their network breaches, and it is commonly used in ransomware attacks.\r\nEmotet changes its tactics\r\nToday, Emotet research group Cryptolaemus warned that Emotet is now skipping its primary malware payload of TrickBot or Qbot and directly installing Cobalt Strike beacons on infected devices.\r\nA Flash Alert shared with BleepingComputer by email security firm Cofense explained that a limited number of Emotet infections installed Cobalt Strike, which attempted to contact a remote domain and was then uninstalled.\r\n\"Today, some infected computers received a command to install Cobalt Strike, a popular post-exploitation tool,\" warns the Cofense Flash Alert.\r\n\"Emotet itself gathers a limited amount of information about an infected machine, but Cobalt Strike can be used to evaluate a broader network or domain, potentially looking for suitable victims for further infection such as ransomware.\"\r\n\"While the Cobalt Strike sample was running, it attempted to contact the domain lartmana[.]com. Shortly afterward, Emotet uninstalled the Cobalt Strike executable.\"\r\nThis is a significant change in tactics: after Emotet installed its primary payload of TrickBot or Qbot, victims typically had some time to detect the infection before Cobalt Strike was deployed.\r\nNow that these initial malware payloads are skipped, threat actors will have immediate access to a network to spread laterally, steal data, and quickly deploy ransomware.\r\n\"This is a big deal. Typically Emotet dropped TrickBot or QakBot, which in turn dropped CobaltStrike. You'd usually have about a month between first infection and ransomware. With Emotet dropping CS directly, there's likely to be a much much shorter delay,\" security researcher Marcus Hutchins tweeted about the development.\r\nThis rapid deployment of Cobalt Strike will likely speed up ransomware deployment on compromised networks. This is especially true for the Conti ransomware gang, which convinced the Emotet operators to relaunch after they were shut down by law enforcement in January.\r\nCofense says that it is unclear whether this is a test, is being used by Emotet for its own network surveillance, or is part of an attack chain for other malware families that partner with the botnet.\r\n\"We don’t know yet whether the Emotet operators intend to gather data for their own use, or if this is part of an attack chain belonging to one of the other malware families. Considering the quick removal, it might have been a test, or even unintentional.\" - Cofense.\r\nResearchers will closely monitor this new development, and as further information becomes available, we will update this article.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks/"
	],
	"report_names": [
		"emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434543,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/690d1c187ea6ab6e649ec8ea7d52ee666454b8aa.pdf",
		"text": "https://archive.orkl.eu/690d1c187ea6ab6e649ec8ea7d52ee666454b8aa.txt",
		"img": "https://archive.orkl.eu/690d1c187ea6ab6e649ec8ea7d52ee666454b8aa.jpg"
	}
}