{
	"id": "5d117c41-c915-415c-a2fc-1e2181c2e50b",
	"created_at": "2026-04-06T00:06:20.869195Z",
	"updated_at": "2026-04-10T03:22:06.241796Z",
	"deleted_at": null,
	"sha1_hash": "717f6a8493ee03fd359fd302f5d4d7a0a701dbb1",
	"title": "Malware | Emotet adds a further layer of camouflage | Spamhaus",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 169205,
	"plain_text": "Malware | Emotet adds a further layer of camouflage | Spamhaus\r\nArchived: 2026-04-02 11:58:27 UTC\r\nIntroduction\r\nMost professionals within enterprise security have come across ‘Emotet’. As its history illustrates, the criminals behind Emotet malware are cunning and quick to maximize its ‘potential’. From a basic banking Trojan to a threat distribution service, it is constantly being re-invented. This ‘constant malware improvement’ isn’t showing any sign of abating. Recently the Spamhaus Malware Labs team have identified further unsettling changes in Emotet.\r\nEmotet - what is it?\r\nAs previously mentioned, this malware came to the fore as a basic self-propagating banking Trojan in 2014. However, over the past 5 years the creators of this malware have taken the most successful facets of other disruptive software and created a modular malware family that can evade detection, spread like wildfire across a network and deliver multiple payloads.\r\nOnly a year ago Allentown, USA, hit the news headlines after becoming infected with Emotet. The remediation costs were reported to be in the region of US $1 million.\r\nEmotet - the data\r\nIn the last two months alone, the researchers at Spamhaus Malware Labs have tracked approximately 47,000 Emotet-infected machines emitting around 6,000 distinct URLs to compromised websites serving as infection vectors. This makes Emotet the most actively distributed malware at the moment, accounting for almost 45% of the total number of URLs used for this purpose.\r\nThere is no sign that the numbers associated with Emotet will decline over the forthcoming months, particularly given a recent discovery that will make Emotet even more difficult to detect.\r\nEmotet HTTP advancement\r\nHTTP Headers - Previously, Emotet built moderately primitive HTTP packets. The fact they were primitive was a good thing: these HTTP packets didn’t follow the standard protocol for either the type of data or how the data was sent. This made them easy to detect using a static signature on network traffic.\r\nUnfortunately, these HTTP packets have become increasingly sophisticated: now they predominantly follow the RFC (Request for Comments) specifications of the HTTP protocol. These additional details in Emotet’s HTTP headers give the appearance of coming from a legitimate request, e.g., a browser or other application. As a result, a static signature on network traffic won’t detect them, which is far from ideal.\r\nUniform Resource Identifier inclusion - Not only do we have the addition of these extra headers (as illustrated above), but Emotet has also started to include a Uniform Resource Identifier (URI). In the past, a URI was missing, but now it is randomized between two different words. The URI is randomly generated from a list of hardcoded comma-separated words, as you can see in the example below.\r\nIt is worth noting that while Emotet’s HTTP headers have changed, the layer below, i.e., the custom protocol, remains unchanged, as this image illustrates.\r\nProtect yourself\r\nThe creators of Emotet have been savvy, and while nothing they have done is rocket science, there is clear evidence that they have a strong desire to make this malware more evasive and bulletproof, which in turn means that you need to have bulletproof security.\r\nSource: https://www.spamhaus.org/news/article/783/emotet-adds-a-further-layer-of-camouflage",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.spamhaus.org/news/article/783/emotet-adds-a-further-layer-of-camouflage"
	],
	"report_names": [
		"emotet-adds-a-further-layer-of-camouflage"
	],
	"threat_actors": [],
	"ts_created_at": 1775433980,
	"ts_updated_at": 1775791326,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/717f6a8493ee03fd359fd302f5d4d7a0a701dbb1.pdf",
		"text": "https://archive.orkl.eu/717f6a8493ee03fd359fd302f5d4d7a0a701dbb1.txt",
		"img": "https://archive.orkl.eu/717f6a8493ee03fd359fd302f5d4d7a0a701dbb1.jpg"
	}
}