{
	"id": "264ec752-e650-4594-9ff3-e9533f5bfa49",
	"created_at": "2026-04-06T00:13:11.877442Z",
	"updated_at": "2026-04-10T03:21:45.035189Z",
	"deleted_at": null,
	"sha1_hash": "7610fb3fcc0bb4d8e1ffa8f386b5e9b333a84a74",
	"title": "Emotet Botnet Rises Again | Bitsight",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 797867,
	"plain_text": "Emotet Botnet Rises Again | Bitsight\r\nBy Written by Pedro Umbelino Principal Research Scientist\r\nArchived: 2026-04-05 13:57:37 UTC\r\nIf you work in cybersecurity, you’ve probably heard of the Emotet botnet. Once considered the world’s largest\r\nmalware botnet more than one year ago, Emotet was composed of hundreds of command and control servers and\r\nalmost two million victims. Emotet was so large that it took a joint effort between law enforcement agencies and\r\nauthorities from Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada, and\r\nUkraine to allow investigators to take control of the botnet's servers, disrupt the malware's operation, and arrest\r\ntwo operators.\r\nUnfortunately, law enforcement was not able to deliver a fatal blow to Emotet. In November 2021, a new version\r\nof Emotet emerged. How did this happen? What is the botnet doing today? And how can organizations avoid\r\nbecoming victims?\r\nFirst discovered as a banking trojan in 2014, Emotet malware evolved into the go-to solution for cybercriminals\r\nover the years. One of the main reasons for Emotet’s popularity is its functionality. Emotet is a self-propagating\r\nand “modular loader” malware, which means that while it is running on an infected system, botnet operators can\r\nsend different modules that are capable of executing different jobs.\r\nThe Emotet infrastructure essentially acted as a primary door opener for computer systems on a global scale. It\r\nwas then rented by cyber criminals to install their own malware: info stealers, ransomware, banking trojans, and\r\nother types of malware. In many respects, Emotet worked like a SaaS solution, only in this case, it was MaaS\r\n(malware-as-a-service).\r\nObserving millions of infected machines, law enforcement tried to move against Emotet. In January 2021, law\r\nenforcement shut down Emotet and seized the infrastructure behind it. 
After gaining control of the infrastructure, on April 25, 2021, law enforcement effectively killed the botnets by issuing a final update that removed the remaining infections. But before the takedown, a partnership between the Emotet operators and the Trickbot group had allowed Trickbot operators to leverage the Emotet infrastructure to distribute Trickbot, a banking trojan. On November 14, 2021, Trickbot command and control servers began issuing tasks to their infected machines, instructing them to download a new Emotet version.\r\nEmotet began spreading rapidly once again. The malware that law enforcement hoped to kill was back in business.\r\nEmotet spreads itself via email phishing campaigns, using the infected computers to send the malicious emails. The emails come in multiple formats, from simple emails without any context to replies to stolen email threads. Typically, the emails carry either an attached Excel/Word document, a password-protected zip file, or a link to download the document. More recently, on April 22, our team spotted Emotet using LNK files instead of the usual Excel files, showing that the threat actors are adjusting their tactics to increase their infection success rate.\r\nhttps://www.bitsight.com/blog/emotet-botnet-rises-again\r\nBelow is an example of a hijacked email thread with an attached Excel XLS file:\r\nFigure 1. Hijacked email thread (observed by Bitsight)\r\nWhen opened, the attached Excel file asks the user to enable macros:\r\nFigure 2. Emotet XLS file (observed by Bitsight)\r\nOnce the user clicks “Enable Content,” Excel runs a macro that tries to download and execute the Emotet payload. Below, we can see what a complete process tree looks like when the macros are enabled:\r\nFigure 3. 
Emotet infection process tree (https://tria.ge/220517-g92l5sgac3/)\r\nAs seen above, the process tree ends with Emotet being launched via regsvr32.exe.\r\nIf the compromised user has administrator privileges, Emotet sets up persistence by creating a Windows service that runs automatically. If the user has regular permissions, a new value is added under the Windows registry key \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\".\r\nOnce installed, Emotet starts polling tasks from the command and control servers. These tasks can instruct the bot to execute either an Emotet module or a third-party malware.\r\nTypically, we see Emotet trying to steal information (email client passwords, email contacts, email threads, and saved browser credentials) and turn the victim's computer into a spam bot capable of sending emails using the stolen credentials.\r\nIn some cases, we see Emotet trying to install third-party malware, which means that the botnet operators are providing access to other threat actors that operate a different type of malware. Since the re-emergence of Emotet, we have seen it delivering malware such as Cobalt Strike, Qbot, and SystemBC.\r\nSince March 2022, Bitsight has observed Emotet targeting more than 3 million unique email addresses with spam.\r\nFigure 4. Total targets (observed by Bitsight)\r\nOne interesting thing to note about Emotet is that there are occasionally periods in which no emails are sent at all. This is typical of Emotet’s behavior, and usually means the operators are working on an update to the malware.\r\n
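As an added example, not code from the original post or from Bitsight, here is the host-side detection logic a SOC could derive from the chain described above: an Office process that ends up launching regsvr32.exe, followed by persistence through an HKCU Run value or an auto-start service. The event records are constructed, Sysmon-style dicts with hypothetical field names, paths are written with forward slashes and normalised before comparison, and the service heuristic in rule 3 is my own assumption rather than a published signature.

```python
BS = chr(92)  # a single backslash, built with chr() so the sample contains no escape sequences
OFFICE_APPS = {'excel.exe', 'winword.exe'}
LOADER = 'regsvr32.exe'
# The HKCU .../CurrentVersion/Run key named in the post, joined with real backslashes.
RUN_KEY = BS.join(['HKEY_CURRENT_USER', 'Software', 'Microsoft',
                   'Windows', 'CurrentVersion', 'Run']).lower()
WINDOWS_DIR = 'c:' + BS + 'windows' + BS

def norm(path):
    # Normalise slashes and case so paths written either way compare equal.
    return path.replace('/', BS).lower()

def basename(path):
    return norm(path).rsplit(BS, 1)[-1]

# Constructed sample telemetry (hypothetical field names): an Excel tree that launches
# regsvr32.exe and persists both ways, plus a benign explorer/chrome tree for contrast.
SAMPLE_EVENTS = [
    {'kind': 'process', 'pid': 100, 'ppid': 1, 'image': 'C:/Program Files/Microsoft Office/root/Office16/EXCEL.EXE'},
    {'kind': 'process', 'pid': 120, 'ppid': 100, 'image': 'C:/Windows/System32/regsvr32.exe'},
    {'kind': 'registry', 'pid': 120, 'target': 'HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Run/payload'},
    {'kind': 'service', 'name': 'payload', 'start': 'auto',
     'image': 'C:/Windows/System32/regsvr32.exe /s C:/Users/alice/AppData/Local/Temp/payload.ocx'},
    {'kind': 'process', 'pid': 200, 'ppid': 1, 'image': 'C:/Windows/explorer.exe'},
    {'kind': 'process', 'pid': 220, 'ppid': 200, 'image': 'C:/Program Files/Google/Chrome/Application/chrome.exe'},
    {'kind': 'registry', 'pid': 220, 'target': 'HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Run/GoogleUpdate'},
    {'kind': 'service', 'name': 'wuauserv', 'start': 'auto', 'image': 'C:/Windows/System32/svchost.exe -k netsvcs'},
]

def ancestry(pid, procs):
    # Image basenames from the process itself up to the root, nearest first.
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid]['image']))
        pid = procs[pid]['ppid']
    return chain

def detect(events):
    procs = {e['pid']: e for e in events if e['kind'] == 'process'}
    alerts = []
    for e in events:
        if e['kind'] == 'process':
            chain = ancestry(e['pid'], procs)
            # Rule 1: regsvr32.exe anywhere below an Office process (macro -> loader).
            if chain and chain[0] == LOADER and OFFICE_APPS & set(chain[1:]):
                alerts.append(('office_to_regsvr32', e['pid']))
        elif e['kind'] == 'registry':
            chain = ancestry(e['pid'], procs)
            # Rule 2: HKCU Run value written by regsvr32.exe or by a descendant of Office.
            if norm(e['target']).startswith(RUN_KEY + BS) and (LOADER in chain or OFFICE_APPS & set(chain)):
                alerts.append(('hkcu_run_persistence', e['pid']))
        elif e['kind'] == 'service':
            # Rule 3 (heuristic, my assumption rather than a published signature): an auto-start
            # service that runs through regsvr32.exe or whose binary lives outside the Windows directory.
            binary = norm(e['image']).split(' ')[0]
            if e['start'] == 'auto' and (basename(binary) == LOADER or not binary.startswith(WINDOWS_DIR)):
                alerts.append(('suspicious_autostart_service', e['name']))
    return alerts

if __name__ == '__main__':
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run directly, it prints the three alerts raised by the sample. In a real deployment the records would come from Sysmon event ID 1 (process creation) and 13 (registry value set) and from System log event 7045 (new service installed); rule 3 in particular needs tuning against the environment's own inventory of legitimate services.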
Time periods of no activity are typically followed by periods of heightened activity when a new wave of spam emails is sent.\r\nSince March 2022, Bitsight has observed more than 300,000 unique stolen email credentials, suggesting that Emotet is again becoming a significant malware threat.\r\nFigure 5. Total stolen credentials (observed by Bitsight)\r\nJapan and Italy in the Crosshairs\r\nWhile Bitsight observes a significant number of top-level domains being targeted, Japan stands out as one of the most targeted. Our observations are consistent with previous reports from Japan’s CERT, JPCERT/CC, describing the rise in Emotet infections affecting Japanese email addresses. Besides the interest in Japan, Emotet regularly targets Italy with malicious email campaigns.\r\nSince the beginning of March, we have seen .COM, .IT (Italy), and .JP (Japan) as the three most targeted top-level domains among the spam targets. The remaining top-level domains that complete the top 10 list of most targeted TLDs are: .BR, .MX, .NET, .CA, .FR, .ID, and .DE.\r\nFigure 6. Spam targets top 10 TLD (observed by Bitsight)\r\nDuring the same period, we have observed that .COM, .JP, and .MX (Mexico) are the top-level domains with the highest number of stolen email credentials. The remaining top-level domains that complete the top 10 list of TLDs within the stolen credentials are: .IT, .BR, .NET, .ZA, .IN, .ID, and .AR.\r\nFigure 7. Stolen SMTP accounts top 10 TLD (observed by Bitsight)\r\nGlobal Distribution of Command and Control Systems\r\nBefore the takedown, Emotet had three distinct botnets (Epoch1, Epoch2, and Epoch3). 
Since its return, Emotet operates two botnets, known as Epoch4 and Epoch5.\r\nThe botnets have a tiered infrastructure in which the command and control (Tier-1 C2) server IP addresses are hard-coded within the malware samples. These servers are reverse proxies that forward bot requests to upstream servers (Tier-2 C2), which in turn forward requests to another tier of upstream servers (Tier-3 C2), and so on.\r\nBitsight has identified a total of 339 Tier-1 C2s. These servers were most prevalent in the US, Germany, and France. Other countries observed hosting a high number of Tier-1 C2s include: Singapore, Brazil, Indonesia, Thailand, South Korea, Canada, and the UK. These 10 countries hosted roughly 70% of the identified Tier-1 C2s. In all, Bitsight observed a total of 47 countries hosting Tier-1 C2s. The map below highlights the distribution of these servers by country (red indicates the highest number of servers).\r\nNetwork telemetry of the communications with the Tier-1 C2s since the beginning of March allowed us to estimate the distribution of Emotet-infected systems around this time. There are now infected systems, or bots, all over the world. Based on that telemetry, the most affected countries are Brazil, Thailand, and Indonesia; these three countries account for roughly 33% of all infected systems. The remaining countries in the top 10 by number of infections are: India, Italy, Mexico, United States, Saudi Arabia, Philippines, and Vietnam. The top 10 account for 69% of all infected systems.\r\nResponding to Emotet: Best Practices and IOCs\r\nEmotet is a notorious malware family that has resurfaced after suffering a takedown.\r\n
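Because the Tier-1 C2 addresses are hard-coded in the samples, a published list of them is directly actionable. As an added example (not Bitsight's code), this is how a network team would operationalize the Tier-1 C2 IOC list shared at the end of this section: load the CSV, match destinations in connection logs to find the internal hosts that are already talking to a C2, and emit egress drop rules. The IOC file and flow records below are constructed; the real CSV's column layout is an assumption, so the loader accepts any cell that parses as an address or ip:port, the addresses come from the RFC 5737 documentation ranges, and the iptables chain name is a placeholder.

```python
import csv
import io
import ipaddress

# Constructed IOC file standing in for the Bitsight CSV linked below. Its real column
# layout is an assumption: the loader therefore accepts any CSV and treats every cell that
# parses as an IP address (or ip:port) as an indicator. Addresses come from the RFC 5737
# documentation ranges and are not real C2 servers.
SAMPLE_IOC_CSV = '''ip,port,note
203.0.113.10,8080,constructed tier-1 c2
198.51.100.25,443,constructed tier-1 c2
198.51.100.25:7080,,same constructed host on a second port
not-an-ip,,malformed row that must be ignored
'''

# Constructed flow records (timestamp, src, dst, dport), as a firewall or Zeek conn log would yield.
SAMPLE_FLOWS = [
    ('2022-05-17T10:00:01Z', '10.0.0.12', '203.0.113.10', 8080),
    ('2022-05-17T10:00:05Z', '10.0.0.12', '192.0.2.7', 443),
    ('2022-05-17T10:02:10Z', '10.0.0.40', '198.51.100.25', 7080),
    ('2022-05-17T10:03:00Z', '10.0.0.40', '10.0.0.1', 53),
]

def parse_ip(cell):
    # Accept a bare address or ip:port (IPv6 with a port would need brackets); anything else is not an indicator.
    cell = cell.strip()
    for candidate in (cell, cell.rsplit(':', 1)[0]):
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            continue
    return None

def load_iocs(text):
    iocs = set()
    for row in csv.reader(io.StringIO(text)):
        for cell in row:
            ip = parse_ip(cell)
            if ip is not None:
                iocs.add(ip)
    return iocs

def find_c2_contacts(flows, iocs):
    # Every flow whose destination is a known Tier-1 C2; the source is the bot to isolate.
    return [flow for flow in flows if flow[2] in iocs]

def infected_hosts(flows, iocs):
    return sorted({flow[1] for flow in find_c2_contacts(flows, iocs)})

def block_rules(iocs, chain='FORWARD'):
    # Egress drop rules, one per indicator; the chain name is a placeholder for this example.
    key = lambda ip: (ipaddress.ip_address(ip).version, int(ipaddress.ip_address(ip)))
    rules = []
    for ip in sorted(iocs, key=key):
        tool = 'iptables' if ipaddress.ip_address(ip).version == 4 else 'ip6tables'
        rules.append(tool + ' -A ' + chain + ' -d ' + ip + ' -j DROP')
    return rules

if __name__ == '__main__':
    iocs = load_iocs(SAMPLE_IOC_CSV)
    print('infected hosts:', infected_hosts(SAMPLE_FLOWS, iocs))
    for rule in block_rules(iocs):
        print(rule)
```

The matching step matters as much as the blocking step: a drop rule stops the beacon but leaves the bot in place, so the hosts it names should go to incident response, and the list should be refreshed as Bitsight updates it, since Tier-1 proxies are rotated.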
Organizations should treat it as a significant adversary to their infrastructure, since it can cause a lot of damage and enable access for other criminals, such as ransomware operators. Emotet is most likely still in a growing/testing phase, recovering from the effects of the takedown. Nevertheless, organizations should know that this threat is back and, once again, targeting companies worldwide.\r\nThe main spread method for Emotet is malicious email attachments or links, so following cyber risk best practices and preventing the opening of suspicious emails is the best preemptive measure to avoid infection. Bitsight has published a short list of cyber risk best practices.\r\nNetwork administrators should consider adding Bitsight’s IOC IP list to their traffic filtering solutions to prevent compromised systems from communicating with their C2 servers and downloading and installing further malware. Bitsight is sharing the Tier-1 C2 IOC list here: https://github.com/bitsight-research/threat_research/blob/main/emotet/emotet.csv\r\nSource: https://www.bitsight.com/blog/emotet-botnet-rises-again",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bitsight.com/blog/emotet-botnet-rises-again"
	],
	"report_names": [
		"emotet-botnet-rises-again"
	],
	"threat_actors": [],
	"ts_created_at": 1775434391,
	"ts_updated_at": 1775791305,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7610fb3fcc0bb4d8e1ffa8f386b5e9b333a84a74.pdf",
		"text": "https://archive.orkl.eu/7610fb3fcc0bb4d8e1ffa8f386b5e9b333a84a74.txt",
		"img": "https://archive.orkl.eu/7610fb3fcc0bb4d8e1ffa8f386b5e9b333a84a74.jpg"
	}
}