{
	"id": "717325c3-121b-4645-8f46-2e9fddbf6566",
	"created_at": "2026-04-06T00:17:59.475315Z",
	"updated_at": "2026-04-10T13:12:56.21521Z",
	"deleted_at": null,
	"sha1_hash": "7a74f93fea0e288ac9fd2e55d06dc184fcff51b4",
	"title": "Emotet Malware Is Back - Virus Analysis | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2623405,
	"plain_text": "Emotet Malware Is Back - Virus Analysis | Proofpoint US\r\nBy Pim Trouerbach and Axel F, November 16, 2022\r\nPublished: 2022-11-15 · Archived: 2026-04-05 19:58:10 UTC\r\nKey Takeaways\r\nEmotet returned to the email threat landscape in early November for the first time since July 2022. It is once again one of the most high-volume actors observed by Proofpoint, distributing hundreds of thousands of emails per day.\r\nProofpoint observed multiple changes to Emotet and its payloads, including the lures used, and changes to the Emotet modules, loader, and packer.\r\nEmotet was observed dropping IcedID.\r\nThe new activity suggests Emotet is returning to its full functionality, acting as a delivery network for major malware families.\r\nNew operators or management might be involved, as the botnet has some key differences from previous deployments.\r\nOverview\r\nTA542, an actor that distributes Emotet malware, has once again returned from an extensive break from delivering malicious emails. The actor was absent from the landscape for nearly four months, last seen on July 13, 2022 before returning on November 2, 2022. Proofpoint has tracked the delivery methods and regional targeting, and analyzed the Emotet malware and the IcedID loader payload.\r\nOverall, this activity is similar to the July campaigns and many previously observed tactics remain the same; however, new changes and improvements include:\r\nNew Excel attachment visual lures\r\nChanges to the Emotet binary\r\nIcedID loader dropped by Emotet is a light new version of the loader\r\nReports of Bumblebee dropped in addition to IcedID\r\nNow that they are back, TA542’s email campaigns are once again among the leaders by email volume. Proofpoint has already blocked hundreds of thousands of messages each day.\r\nProofpoint expects that the actor will continue to evolve, with potential for higher email volumes, more geographies targeted, and new variants or techniques of attached or linked threats. Additionally, given the observed changes to the Emotet binary, it is likely to continue adapting as well.\r\nCampaigns\r\nhttps://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-fall-2022-return\r\nPage 1 of 20\r\nThe volume of emails that Emotet sending bots attempt to deliver each day is in the hundreds of thousands. These numbers are comparable to historic averages. Hence, it does not appear that the Emotet botnet lost any significant spamming capability during the inactive period. For additional context, historic highs observed by Proofpoint were millions of emails, with the last such spike in April 2022. The chart below shows an indexed volume of emails over the last 5 years. The spike at the bottom right of the chart represents November 2022 activity.\r\nFigure 1: Indexed volume of email messages containing Emotet, TA542’s signature payload (from April 19, 2017 – November 10, 2022)\r\nDelivery\r\nProofpoint continues to see a significant volume of thread hijacking and language localization in emails. The actor continues to use generic lures. Emotet used an IRS-themed lure briefly on November 8, which may correspond with US-based businesses' quarterly tax requirements. While no other current events or holiday-based lures have been observed yet, it is likely they will be used soon.\r\nAt the time of writing Proofpoint observed campaigns on nearly every weekday since November 2, more specifically on the following dates: November 2, November 3, November 4, November 7, November 8, November 9, November 10, and November 11, 2022. However, after being active daily for over a week, Emotet activity stopped. Proofpoint anticipates TA542 will return again soon.\r\nGeographies Targeted\r\nThe actor continues to target a similar set of countries to those targeted before the break. Proofpoint consistently observed targeting of the following countries with high volumes of emails: United States, United Kingdom, Japan, Germany, Italy, France, Spain, Mexico, Brazil (this is not a complete list). For these listed examples Proofpoint confirmed the targeting not only by location of recipients but additionally via appropriate local language use in email bodies, subjects, and filenames.\r\nHonorable mention: Proofpoint observed Greece targeting with attachment names such as τιμολόγιο.xls, έγγραφο.xls and τραπεζικούς λογαριασμούς.xls. Greece is not commonly targeted by TA542.\r\nFigure 2: English language email targeting United States and German language email targeting Germany\r\nFigure 3: Italian language email targeting Italy \u0026 Spanish language email targeting Mexico\r\nFigure 4: French language email targeting France and Portuguese language email targeting Brazil\r\nFigure 5: Japanese language email targeting Japan\r\nAttachments\r\nThe malicious content included in the emails sent by TA542 since the return on November 2 is typically an Excel attachment or a password-protected zip attachment with an Excel file inside. The Excel files contain XL4 macros that download the Emotet payload from several (typically four) built-in URLs.\r\nThese are the same type of macro-laden Excel sheets that the actor used before the period of inactivity, in July 2022. However, what's new is that the Excel file now contains instructions for potential victims to copy the file to a Microsoft Office Template location and run it from there instead. This is a trusted location, and opening a document located in this folder will cause immediate execution of the macros without any warnings or interactions from the user needed. However, while moving a file to a template location, the operating system asks users to confirm the move and notes that administrator permissions are required to do so.\r\nIt remains unclear how effective this technique is. While there is no longer a need for users to enable macros with an extra click, there is instead a need to perform a file move, acknowledge the dialog, and the user must have Administrator privileges.\r\nFigure 6: Dialog displayed to the users when moving files to Template folders\r\nFigure 7: Screenshot of the typical Excel attachment observed since November 2\r\nFigure 8: Since November 9, the actor switched to a slight variation of the Excel lure, with a green background instead of yellow used on the “Relaunch Required” rectangle\r\nMalware Analysis\r\nXMRig\r\nAs previously mentioned, TA542 was absent from the landscape for nearly four months, last seen sending malicious emails on July 13. However, during the period of inactivity, there were still a couple of major events indicating that someone, or some group, was working on the botnet. On September 16, XMRig, the most common Monero (XMR) miner, was installed by Emotet using command 2, which is used only for loading modules. This sample was packed in the same way that other Emotet modules are packed. Therefore, it effectively worked just like the other Emotet modules but dropped and executed XMRig. Generally, this is only done when the development team commits to delivering the module long term (like the credit card stealer). XMRig contains a configuration that specifies the mining pool and the wallet address. From the botnet there were two specific wallet IDs that were used. These can be seen below:\r\nFigure 9: XMRig config 1\r\nFigure 10: XMRig config 2\r\nHardware Module\r\nAround this time, in September 2022, there was still no spam from the botnet, but modules were being sent to the botnet every 24 hours. These modules were the standard information stealers and email stealers. Then, on October 10, module ID 2381 was delivered to all E4 bots. This new module showed some new features that eventually would make their way into the actual Emotet loader. This module gathers hardware information from the host and sends it to a dedicated list of command and control (C2) servers. The following fields are sent in the packet in the given order:\r\nHostname\r\nUsername\r\nProcess name\r\nOS (Operating System) information\r\nSession ID\r\nCPU identifier\r\nTotal size of memory\r\nUsed memory\r\nAt the end of this packet there is a value that is used to weed out the real bots from the fake bots. There is a table within the main function of this module that corresponds to 64 different functions that each return a 4-byte integer. When the module is sent to the bot, a job ID is sent along with it that is a unique ID to that module and bot. This job ID is then used to compute a value between 0-63 and select one of these functions that returns an integer. That integer needs to be placed at the end of the packet. If this value is left out or is not the expected result, the operators know the bot is fake and it will be banned. To date this has been the most challenging evasion technique the botnet has implemented to stop researchers from analyzing it.\r\nFigure 11: Function table containing the 64 callbacks\r\nTo make these values even more difficult to extract, the integer values are calculated dynamically rather than just returning a hardcoded value. In the screenshot below, the final value returned is going to be 0x523EC8.\r\nFigure 12: Obfuscated arithmetic to return a constant value\r\nEmotet Loader Updates\r\nNo loader update had been seen since mid-July, so when Emotet returned there were quite a few differences in the botnet:\r\nNew commands\r\nNew implementation of the communication loop\r\nNew check-in packet format\r\nNew packer used\r\nEmotet supports a variety of commands. When it first returned in November 2021, there were seven total commands that were denoted by values 1-7. Eventually commands 4 and upwards were removed until the return in November 2022. Currently there are 5 commands that Emotet supports:\r\n1 - Update bot\r\n2 - Load module\r\n3 - Load executable\r\n4 - Load executable via regsvr32.exe\r\n16343 - Invoke rundll32.exe with a randomly named DLL and the export PluginInit\r\nCommands 4 and 16343 were added with this latest version of the botnet. 16343 stands out due to it being a break in the pattern of commands as well as having a specific export. That export is also commonly used for IcedID infections. Notably, Proofpoint has observed Emotet delivering IcedID as a second stage payload in recent campaigns.\r\nThe original packet format of Emotet contained what we suspect to be two version numbers: one specific to the loader and one specific to the protocol. These values have been replaced in the packet with a single version number that was set to 4000 with the latest return.\r\nOne of the biggest changes made to the unpacked loader itself was the reimplementation of the communications loop. The old version used a sleep to determine how often requests were made to the C2 servers. The new version utilizes the Windows API CreateTimerQueueEx. This API takes a callback function which is called after an initial duration and then after a set period in a loop. This also meant changes were made to the response parsing of the bots. If the bot receives a twelve-byte value back from the C2, it reads the last 4 bytes, converts them to an integer, and multiplies it by 250 to obtain the number of milliseconds to sleep. For long sleeps, Emotet defaults to 150 seconds, and for short sleeps it is either 30 seconds or 7.5 seconds.\r\nFinally, the packer used with the loader itself has been updated. Pre-November 2, the packed sample would contain an encrypted resource that would be XOR decrypted with a randomized plaintext string within the sample. The new packer has the encrypted payload inside the .data section around offset 20. Once the payload is found within the sample it can be decrypted with the same process of finding the random plaintext string and XOR decrypting to get the unpacked sample.\r\nCommand \u0026 Control Mishaps\r\nHistorically, Emotet has had three major pools of C2s per botnet (E4 and E5). These pools are the loader, the generic modules, and finally the spam modules. These pools do not overlap, and generally what is in one module for the generic pool will be an exact match of what is in another. So, if the process list module has six C2s in it, the mail stealer module will have those exact same six C2s in it as well. This is where things start to deviate from previous iterations of Emotet. There are now cases where IPs are missing from some modules and the developers have left localhost as part of the valid C2s. The following graphs show the modules and their IDs as the green nodes and the C2s as the red nodes. For module 1444 they seem to have left localhost within the C2 table.\r\nFigure 13: Generic Emotet modules (green) linked to their C2s\r\nFor the spam C2s, some modules have C2s that do not exist in others, which historically has never been the case. Generally, every module that is part of the group will contain all the C2s in the C2 list.\r\nFigure 14: Spam Emotet modules (green) linked to their C2s\r\nThese mistakes highlight that the botnet might be under new management, or potentially new operators have been hired to set up the infrastructure.\r\nPost-Infection Activity\r\nOne of the first payloads that was delivered to the Emotet bots was a new variant of the IcedID loader. This variant is brand new or still in development, as it contains a legitimate PDB path.\r\nFigure 15: IcedID payload with “anubis” PDB path\r\nFrom analysis of the Conti Leaks of February 2022, in which a researcher with access to Conti's internal operations began leaking data from the cybercriminal organization, researchers have learned that Anubis is the internal name for IcedID and for this new variant of the IcedID loader.\r\nIcedID is a two-stage malware. The first stage is the loader, which makes a request to download the second stage (the bot). Standard IcedID that is delivered via malspam exfiltrates system information through cookies in the request to the loader C2. The C2 then uses that information to determine whether the loader will receive the IcedID bot payload. With the system information generated, the C2 server can easily identify sandboxes, which is the reason most sandboxes don’t see the second stage of IcedID.\r\nThis new loader forgoes all of that system information exfiltration. Proofpoint researchers believe this is because the loader is being delivered to already infected machines and therefore there is no need to do a check on the system profile. The loader starts by resolving the APIs needed to execute properly, then it makes up to two HTTP requests to download the encrypted next stage.\r\nFigure 16: Main function of the loader delivered to Emotet showing the C2 decryption and response parsing\r\nFigure 17: Code showing this new loader trying to download the bot via port 443 over HTTPS then over HTTP on port 80\r\nIn this case, the malware has a hardcoded URI and domain that are concatenated to create the full payload path: bayernbadabum[.]com/botpack.dat. Unlike the standard IcedID loader, this loader tries first on port 443 over HTTPS, and if that fails, tries again on port 80 over standard HTTP. If the response is over 0x400 bytes, the loader tries to decrypt and inject the second stage. The second stage can be decrypted via the following Python code.\r\nFigure 18: IcedID’s decryption routine used consistently throughout the bot\r\nWith the botpack decrypted, it has a similar format to the GZIP response that the malspam IcedID loader gets. The format is as follows:\r\nFigure 19: The structure definition of the botpack format used by IcedID\r\nThe decrypted data needs to start with a 2, which most likely is a version. Next there is a boolean value which determines if the loader is invoked via the export name or just the ordinal value #1. Following that are two sizes which relate to the cleartext custom bot loader and the encrypted bot. The bot itself is encrypted, so it needs to be decrypted in the same manner that botpack.dat was decrypted.\r\nFigure 20: Decrypting botpack and parsing out the DLL loader and the encrypted bot\r\nCode-wise, the IcedID bot here is the exact same as the standard bot delivered in IcedID malspam campaigns, but there is a slight difference in how the bot is initialized. When standard IcedID gets commands from the C2, they come in a list. These commands differ when looking at the IcedID being delivered to Emotet infected hosts.\r\nFigure 21: Standard IcedID Commands\r\nThe integers in the response correspond to commands within the bot. So, for the above response the bot would execute the following commands in this specific order:\r\n54897577 - update C2 list\r\n36609609 - start beaconing\r\n61593029 - get desktop info\r\n46731293 - get running processes\r\n24258075 - get system information\r\n45055027 - get browser cookies\r\n95350285 - get stored browser credentials\r\nThe bot sent to the Emotet infected machines gets the above commands as well as the following:\r\n58139018 - send internal IcedID log\r\n13707473 - read a file and send contents to C2\r\n72842329 - search for file and send contents to C2\r\nThis could indicate that more priority is being placed on the IcedID bots running on Emotet machines, or that the group managing IcedID bots from malspam is different from the group managing the bots sourced from Emotet.\r\nOutlook/Conclusion\r\nOverall, these modifications made to the client indicate the developers are trying to deter researchers and reduce the number of fake or captive bots that exist within the botnet. The addition of commands related to IcedID and the widespread drop of a new IcedID loader might mean a change of ownership or at least the start of a relationship between IcedID and Emotet.\r\nEmotet dropping IcedID marks Emotet as being in full functionality again, by acting as a delivery network for other malware families. Emotet has not demonstrated full functionality and consistent follow-on payload delivery (that’s not Cobalt Strike) since 2021, when it was observed distributing The Trick and Qbot. TA542’s return coinciding with the delivery of IcedID is concerning. IcedID has previously been observed as a follow-on payload to Emotet infections. In many cases, these infections can lead to ransomware.\r\nIndicator | Description | First Seen\r\n05a3a84096bcdc2a5cf87d07ede96aff7fd5037679f9585fee9a227c0d9cbf51 | IcedID SHA256 observed on Emotet E4 | 3 November 2022\r\nBayernbadabum[.]com | IcedID domain containing the encrypted bot | 3 November 2022\r\n99580385a4fef0ebba70134a3d0cb143ebe0946df148d84f9e43334ec506e301 | XMRig module SHA256 delivered to E4 | 13 September 2022\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-fall-2022-return",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-fall-2022-return"
	],
	"report_names": [
		"comprehensive-look-emotets-fall-2022-return"
	],
	"threat_actors": [
		{
			"id": "e8e18067-f64b-4e54-9493-6d450b7d40df",
			"created_at": "2022-10-25T16:07:24.515213Z",
			"updated_at": "2026-04-10T02:00:05.018868Z",
			"deleted_at": null,
			"main_name": "Mummy Spider",
			"aliases": [
				"ATK 104",
				"Gold Crestwood",
				"Mummy Spider",
				"TA542"
			],
			"source_name": "ETDA:Mummy Spider",
			"tools": [
				"Emotet",
				"Geodo",
				"Heodo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "506404b2-82fb-4b7e-b40d-57c2e9b59f40",
			"created_at": "2023-01-06T13:46:38.870883Z",
			"updated_at": "2026-04-10T02:00:03.128317Z",
			"deleted_at": null,
			"main_name": "MUMMY SPIDER",
			"aliases": [
				"TA542",
				"GOLD CRESTWOOD"
			],
			"source_name": "MISPGALAXY:MUMMY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ac83159-1d9d-4db4-a176-97be6b7b07c9",
			"created_at": "2024-06-19T02:03:08.024653Z",
			"updated_at": "2026-04-10T02:00:03.672512Z",
			"deleted_at": null,
			"main_name": "GOLD CRESTWOOD",
			"aliases": [
				"Mummy Spider ",
				"TA542 "
			],
			"source_name": "Secureworks:GOLD CRESTWOOD",
			"tools": [
				"Emotet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434679,
	"ts_updated_at": 1775826776,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7a74f93fea0e288ac9fd2e55d06dc184fcff51b4.pdf",
		"text": "https://archive.orkl.eu/7a74f93fea0e288ac9fd2e55d06dc184fcff51b4.txt",
		"img": "https://archive.orkl.eu/7a74f93fea0e288ac9fd2e55d06dc184fcff51b4.jpg"
	}
}