{
	"id": "5b12c5e4-0d7b-46c9-881c-4d5f8d9a17e2",
	"created_at": "2026-04-06T00:10:35.086069Z",
	"updated_at": "2026-04-10T03:23:52.042042Z",
	"deleted_at": null,
	"sha1_hash": "7ba92e8c163b58d974f58e34111acf8c632c10cd",
	"title": "United Nations Targeted With Emotet Malware Phishing Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1229873,
	"plain_text": "United Nations Targeted With Emotet Malware Phishing Attack\r\nBy Lawrence Abrams\r\nPublished: 2020-01-14 · Archived: 2026-04-05 16:21:43 UTC\r\nPretending to be the Permanent Mission of Norway, the Emotet operators performed a targeted phishing attack against email\r\naddresses associated with users at the United Nations.\r\nYesterday, the Emotet trojan roared back to life after a 3-week vacation with strong spam campaigns that targeted countries\r\nthroughout the world.\r\nWhile Emotet's normal spam campaigns pretended to be fake accounting reports, delivery notices, and invoices, the malware\r\noperators had something special in mind for the United Nations.\r\nhttps://www.bleepingcomputer.com/news/security/united-nations-targeted-with-emotet-malware-phishing-attack/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/united-nations-targeted-with-emotet-malware-phishing-attack/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nImpersonating the \"Permanent Mission of Norway\"\r\nIn a sample of a phishing email shared with BleepingComputer by email security firm Cofense, the Emotet operators\r\npretend to be representatives of Norway at the United Nations in New York, who state that there is a problem with an\r\nattached signed agreement.\r\nAccording to Cofense, this phishing campaign had \"highly specific targeting\" and was seen being sent to 600 unique email\r\naddresses at the United Nations.\r\nThe email states that the representatives of Norway found a problem with a signed agreement and that the recipient should\r\nreview it to learn the issue.\r\nEmotet spam targeting the United Nations\r\nThe full text of this targeted phishing email can be read below:\r\nHi,\r\nPlease be advised that the new problem has been appeared today.\r\nSee below our info for this question.\r\nPlease let me know if you need anything else.\r\nRegards\r\nPermanent Mission of Norway to the United Nations in New York\r\nAttached to these emails is a Microsoft Word document that starts with \"Doc_01_13\" that pretends to be the signed\r\nagreement being sent by the Permanent Mission of Norway.\r\nWhile there was room for Emotet to send a more convincing Word document template, they instead sent the same one that is\r\nused for all of the malspam campaigns.\r\nhttps://www.bleepingcomputer.com/news/security/united-nations-targeted-with-emotet-malware-phishing-attack/\r\nPage 3 of 5\n\nThis template pretends to be a warning that the \"document only available for desktop or laptop versions of Microsoft Office\r\nWord.\" It then prompts the user to click on 'Enable editing' or 'Enable Content' to view the document.\r\nMalicious Email Attachment\r\nIf a user opens the document and enables its content, malicious Word macros will be executed that downloads and installs\r\nEmotet on the computer.\r\nEmotet will now run in the background while sending out spam emails to other victims.\r\nEventually, Emotet will also install other payloads such as Trickbot, which would be when things get really bad for the\r\ncompromised UN workstation.\r\nEmotet can lead to a full network compromise\r\nWhen Emotet is installed on a machine, one of the malware payloads that is invariably installed is the TrickBot trojan.\r\nThe TrickBot trojan will attempt to harvest data from the computer such as cookies, login credentials, files from the\r\ncomputer, and possibly spread to other computers on the network.\r\nAfter the harvesting of information is finished, TrickBot is known to open a reverse shell back to the operators of Ryuk\r\nRansomware.\r\nThese operators will proceed to infiltrate the network, gain administrator credentials, and ultimately deploy Ryuk so that it\r\nencrypts every device on the network.\r\nThis is particularly worrisome for a UN network as ransomware operators are known to steal data before encrypting files,\r\nwhich could expose extremely sensitive diplomatic or government information.\r\nWhile there are no known victims of this phishing attack, this targeted attack illustrates that bad actors are constantly trying\r\nto get access to the networks of organizations and government networks.\r\nThis is why it is imperative for all employees regardless of what sector they work in to be properly trained on how to\r\nrecognize phishing emails.\r\nFurthermore, before opening any attachments and enabling macros, users should notify their network administrator and\r\ncontact the alleged user who sent the email to confirm its authenticity.\r\nBleepingComputer has contacted the Permanent Mission of Norway about this attack but has not heard back at this time.\r\nhttps://www.bleepingcomputer.com/news/security/united-nations-targeted-with-emotet-malware-phishing-attack/\r\nPage 4 of 5\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/united-nations-targeted-with-emotet-malware-phishing-attack/\r\nhttps://www.bleepingcomputer.com/news/security/united-nations-targeted-with-emotet-malware-phishing-attack/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/united-nations-targeted-with-emotet-malware-phishing-attack/"
	],
	"report_names": [
		"united-nations-targeted-with-emotet-malware-phishing-attack"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434235,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7ba92e8c163b58d974f58e34111acf8c632c10cd.pdf",
		"text": "https://archive.orkl.eu/7ba92e8c163b58d974f58e34111acf8c632c10cd.txt",
		"img": "https://archive.orkl.eu/7ba92e8c163b58d974f58e34111acf8c632c10cd.jpg"
	}
}