{
	"id": "8bf59d8b-fb39-44bf-9444-85f2a8405ab7",
	"created_at": "2026-04-06T00:09:07.987297Z",
	"updated_at": "2026-04-10T03:30:11.91946Z",
	"deleted_at": null,
	"sha1_hash": "79e7623dd1455f31921463c582e5e96e7aebe0c1",
	"title": "Emotet Disruption and Outreach to Affected Users - JPCERT/CC Eyes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 551432,
	"plain_text": "Emotet Disruption and Outreach to Affected Users - JPCERT/CC Eyes\r\nBy 佐條 研(Ken Sajo)\r\nPublished: 2021-02-24 · Archived: 2026-04-05 14:28:12 UTC\r\nEmotet\r\nSince October 2019, many cases of Emotet infection have been reported. JPCERT/CC has published a security alert and a blog article detailing detection and security measures, and has been providing notification and support to affected users.\r\nIn January 2021, Europol announced that the Emotet infrastructure had been disrupted by a joint operation with several foreign authorities and that information on affected users would be distributed via the CERT network. In Japan, there are still many infected devices, and JPCERT/CC has been notifying those affected with the support of local and international partners.\r\nThis article explains the global operation for Emotet disruption and the changes in the number of infected devices in Japan since then, followed by the notification activity by JPCERT/CC and guidance on how to respond to the infection.\r\nContents\r\n1. Emotet overview\r\n2. Emotet disruption\r\n3. Emotet infection in Japan\r\n4. Notification to affected users\r\n5. Response to infection\r\n6. Updates on our notification activities\r\n1. Emotet overview\r\nA device is infected with Emotet when a user opens a malicious Word file and selects “Enable content”. The malware may perform the following on the infected device:\r\nSteal credentials stored in the device or browsers\r\nUse the stolen credentials to spread infection in the network via SMB\r\nSteal email accounts and passwords\r\nSteal email contents and contact information\r\nSend emails to spread infection using the stolen email accounts, contents, etc.\r\nInfect the device with other kinds of malware\r\n2. Emotet disruption\r\nhttps://blogs.jpcert.or.jp/en/2021/02/emotet-notice.html\r\nPage 1 of 7\r\nEmotet’s infrastructure was disrupted on 27 January 2021 as a result of “Operation LadyBird”, a joint effort by the authorities of the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, coordinated by Europol and Eurojust. The operation achieved the following:\r\nC2 servers connected to Emotet are now under the control of the authorities\r\nSome members operating Emotet have been arrested\r\nInfected devices are now redirected to servers controlled by the authorities\r\nThanks to this operation, it is safe to say that Emotet is no longer harmful. Nonetheless, infected devices are still likely at risk.\r\n3. Emotet infection in Japan\r\nFollowing the joint operation, foreign partner organisations started providing JPCERT/CC with information about infected hosts in Japan, specifically details of the devices connecting to the servers under the foreign authorities’ control. Figure 1 shows the number of infected devices in Japan based on the data provided.\r\nFigure 1：Emotet Infected devices in Japan\r\nAs of 27 January, when the joint operation took place, there were connections to the infrastructure from about 900 IP addresses in Japan. Starting on 5 February, we have also been receiving the computer names of the infected devices. The number of unique computer names is assumed to be a more accurate count of infected devices, since the IP address associated with a device may change.\r\nWith the disruption of the infrastructure, Emotet’s anti-detection function will no longer work, and it will instead be detected and/or removed by antivirus software. However, based on the number of computer names, it is assumed that there are still about 500 infected devices as of February 2021.\r\n4. Notification to affected users\r\nBased on the information provided by the relevant parties, JPCERT/CC has been notifying the users of the infected devices in Japan with the support of ISPs and other partners.\r\nOn 19 February, Japan’s Ministry of Internal Affairs and Communications, together with the National Police Agency, ICT-ISAC and ISPs, announced a joint effort to notify users of infected devices based on the information from foreign authorities. While cooperating in this initiative, JPCERT/CC will also continue the aforementioned outreach activities based on the information from partners.\r\nThanks to the global operation, Emotet will be uninstalled from the devices at 12:00 on 25 April 2021 (according to the local time of each device). However, security measures still need to be implemented on the infected devices, as the malware may already have done the following:\r\nSteal credentials stored in the device or browsers\r\nSteal email accounts and passwords\r\nSteal email contents and contact information\r\nInfect the device with other kinds of malware\r\nUsers still need to take these measures even if antivirus software has detected and/or removed Emotet.\r\n5. Response to Emotet infection\r\n“EmoCheck”, developed by JPCERT/CC, can be used to check whether a device is infected with Emotet. Please download the tool from GitHub and copy it to the devices that need checking. It is recommended to run it with the privileges of the user who normally uses the device.\r\nJPCERTCC/EmoCheck - GitHub https://github.com/JPCERTCC/EmoCheck/releases\r\nIf the message “Emotet was detected” is displayed (as highlighted in red in Figure 2), the device is infected with Emotet.\r\nFigure 2：Sample results (Emotet detected)\r\nFigure 3：Sample image path of Emotet according to EmoCheck result (highlighted in yellow in Figure 2)\r\nWhen infected devices are identified, please take the following security measures:\r\nDelete the Emotet file stored at the image path shown in the EmoCheck result.\r\nChange email account passwords for Outlook, Thunderbird, etc.\r\nChange passwords stored in browsers.\r\nCheck whether the device is infected with other kinds of malware.\r\nIf the device is infected with other kinds of malware, evidence may be left in the following locations:\r\nAutorun registry\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nTask scheduler\r\nIf the above settings refer to suspicious folders such as the following, the device is possibly infected with other kinds of malware:\r\nFolders under C:\\Users(user name)\\AppData\\\r\nC:\\ProgramData\\\r\nMore details on how to check and respond to the infection are also available in our past blog article.\r\n6. Updates on our notification activities (Updated on 25 May 2021)\r\nJPCERT/CC notified affected users in cooperation with ISPs and other organizations from late January, when we received the data, until Emotet was automatically deleted in late April. Through the joint notification effort by the National Police Agency and the Ministry of Internal Affairs and Communications, the information on the affected IP addresses was provided to ICT-ISAC in mid-February and received by each ISP in late March. This accounts for about 90 percent of all affected IP addresses in Japan; JPCERT/CC has notified the administrators of the remaining addresses directly since late January.\r\nAfter the global takedown operation, Emotet was updated so that it automatically stops itself at 12:00 on 25 April (local time of each device). The following figure on the number of Emotet-infected devices in Japan clearly shows that only a few infections have been observed since then.\r\nFigure 4：Emotet Infected devices in Japan\r\nWe appreciate all the support we received from everyone concerned.\r\nIn closing\r\nWe would like to take this opportunity to acknowledge the effort of “Operation LadyBird” in disrupting the Emotet infrastructure.\r\nBesides Emotet, there are many other kinds of malware that spread via email and its attachments. Please pay careful attention when you open attachments. We also recommend that you regularly scan your devices with the latest antivirus definition files, in addition to applying the latest security updates for your OS and software.\r\nJPCERT/CC will continue to work closely with both local and international partners.\r\nKen Sajo\r\n(Translated by Yukako Uchida)\r\n佐條 研(Ken Sajo)\r\nJoined JPCERT/CC in January 2019 after being engaged in security monitoring operations at a financial institution. Currently in charge of threat analysis and incident response for email scams and APT.\r\nSource: https://blogs.jpcert.or.jp/en/2021/02/emotet-notice.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.jpcert.or.jp/en/2021/02/emotet-notice.html"
	],
	"report_names": [
		"emotet-notice.html"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "15b8d5d8-32cf-408b-91b1-5d6ac1de9805",
			"created_at": "2023-07-20T02:00:08.724751Z",
			"updated_at": "2026-04-10T02:00:03.341845Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "MISPGALAXY:APT-C-60",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ab47428c-7a8e-4ee8-9c8e-4e55c94d2854",
			"created_at": "2024-12-28T02:01:54.668462Z",
			"updated_at": "2026-04-10T02:00:04.564201Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "ETDA:APT-C-60",
			"tools": [
				"SpyGlace"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434147,
	"ts_updated_at": 1775791811,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/79e7623dd1455f31921463c582e5e96e7aebe0c1.pdf",
		"text": "https://archive.orkl.eu/79e7623dd1455f31921463c582e5e96e7aebe0c1.txt",
		"img": "https://archive.orkl.eu/79e7623dd1455f31921463c582e5e96e7aebe0c1.jpg"
	}
}