{
	"id": "42269c80-8752-4adf-82df-33e54fec4b1d",
	"created_at": "2026-04-06T00:15:15.207255Z",
	"updated_at": "2026-04-10T03:22:00.959517Z",
	"deleted_at": null,
	"sha1_hash": "7c4a6454e3eb3c6012316b31b38551f187d9dc86",
	"title": "Emotet malware attacks return after three-month break",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2288444,
	"plain_text": "Emotet malware attacks return after three-month break\r\nBy Lawrence Abrams\r\nPublished: 2023-03-07 · Archived: 2026-04-05 20:41:48 UTC\r\nThe Emotet malware operation is again spamming malicious emails as of Tuesday morning after a three-month break, rebuilding its network and infecting devices worldwide.\r\nEmotet is a notorious malware distributed through email containing malicious Microsoft Word and Excel document attachments. When users open these documents and macros are enabled, the Emotet DLL will be downloaded and loaded into memory.\r\nOnce Emotet is loaded, the malware will sit quietly, waiting for instructions from a remote command and control server.\r\nhttps://www.bleepingcomputer.com/news/security/emotet-malware-attacks-return-after-three-month-break/\r\nPage 1 of 7\r\nEventually, the malware will steal victims' emails and contacts for use in future Emotet campaigns or download additional payloads such as Cobalt Strike or other malware that commonly leads to ransomware attacks.\r\nWhile Emotet has been considered the most distributed malware in the past, it has gradually slowed down, with its last spam operation seen in November 2022. However, even then, the spamming only lasted two weeks.\r\nEmotet returns in 2023\r\nToday, cybersecurity firm Cofense and the Emotet-tracking group Cryptolaemus warned that the Emotet botnet had once again resumed sending emails.\r\n\"As of 1200UTC Ivan finally got E4 to send spam. We are seeing Red Dawn templates that are very large coming in at over 500MB. Currently seeing a decent flow of spam. Septet of payload URLs and ugly macros,\" tweeted Cryptolaemus.\r\nCofense also confirmed to BleepingComputer that the spam campaign began at 7:00 AM ET, with current volumes remaining low.\r\n\"The first email we saw was around 7am EST. Volume remains low at this time as they continue to rebuild and gather new credentials to leverage and address books to target,\" Cofense told BleepingComputer.\r\nInstead of using reply-chain emails like in the previous campaign, the threat actors are utilizing emails that pretend to be invoices, as shown below.\r\nEmotet phishing email\r\nSource: Cofense\r\nAttached to these emails are ZIP archives containing inflated Word documents that are over 500 MB in size. They are padded with unused data to make the files larger and harder for antivirus solutions to scan and detect as malicious.\r\nThese Microsoft Word documents use Emotet's 'Red Dawn' document template, prompting users to enable content on the document to see it correctly.\r\nMalicious Microsoft Word document using the Red Dawn template\r\nSource: BleepingComputer\r\nThese documents contain a mess of macros that will download the Emotet loader as a DLL from compromised sites, many of which are hacked WordPress blogs.\r\nA mess of malicious macros in an Emotet Word document\r\nSource: BleepingComputer\r\nWhen downloaded, Emotet will be saved to a random-named folder under %LocalAppData% and launched using regsvr32.exe.\r\nEmotet loader launched by Regsvr32.exe\r\nSource: BleepingComputer\r\nLike the Word document, the Emotet DLL has also been padded to 526MB to hinder the ability of antivirus software to detect it as malicious.\r\nThis evasion technique shows success, as illustrated in a VirusTotal scan where the malware is only detected by one security vendor out of 64 engines, with that vendor only detecting it as 'Malware.SwollenFile'.\r\nLarge Emotet DLL to evade detection\r\nSource: BleepingComputer\r\nOnce running, the malware will run in the background, awaiting commands, which will likely install further payloads on the device.\r\nThe payloads allow other threat actors to remotely access the device, which is then used to spread further in the compromised network.\r\nThese attacks commonly lead to data theft and full-blown ransomware attacks on breached networks.\r\nCofense says that they have not seen any additional payloads being dropped now, and the malware is just collecting data for future spam campaigns.\r\nRecent Microsoft changes save the day\r\nWhile Emotet is rebuilding its network, the current method may not have much success after recent changes by Microsoft.\r\nIn July 2022, Microsoft finally disabled macros by default in Microsoft Office documents downloaded from the Internet.\r\nDue to this change, users who open an Emotet document will be greeted with a message stating that the macros are disabled because the source of the file is not trusted.\r\nMacros disabled by default in Microsoft Office\r\nSource: BleepingComputer\r\nANALYGENCE senior vulnerability analyst, Will Dormann, told BleepingComputer that this change also affects attachments saved from emails.\r\nFor most users receiving Emotet emails, this feature will likely protect them from mistakenly enabling macros unless they make a concerted effort to enable them.\r\nThis change has led other threat actors to move away from Word and Excel documents and abuse other file formats, such as Microsoft OneNote, ISO images, and JS files.\r\nIt would not be surprising to see Emotet also move to different attachment types after this initial campaign does not go as intended.\r\nSource: https://www.bleepingcomputer.com/news/security/emotet-malware-attacks-return-after-three-month-break/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/emotet-malware-attacks-return-after-three-month-break/"
	],
	"report_names": [
		"emotet-malware-attacks-return-after-three-month-break"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434515,
	"ts_updated_at": 1775791320,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7c4a6454e3eb3c6012316b31b38551f187d9dc86.pdf",
		"text": "https://archive.orkl.eu/7c4a6454e3eb3c6012316b31b38551f187d9dc86.txt",
		"img": "https://archive.orkl.eu/7c4a6454e3eb3c6012316b31b38551f187d9dc86.jpg"
	}
}