{
	"id": "59e8bc2c-4823-4bcb-b70b-d1017e05c362",
	"created_at": "2026-04-06T00:09:46.079973Z",
	"updated_at": "2026-04-10T13:11:41.066558Z",
	"deleted_at": null,
	"sha1_hash": "7c781cc1fcf26b77606e1233b0a79bf578b6e73b",
	"title": "Emotet Returns After Holiday Break with Major Campaigns | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 136526,
	"plain_text": "Emotet Returns After Holiday Break with Major Campaigns |\r\nProofpoint US\r\nPublished: 2020-01-16 · Archived: 2026-04-05 18:45:07 UTC\r\nJanuary 16, 2020\r\nThreat actor group TA542, the group that’s behind Emotet, is back from their Christmas holiday. Based on past\r\nactivity and what we’re seeing in just three days, one of the world’s most disruptive threats is back to work and\r\neveryone around the world should take note and implement steps to protect themselves.\r\nTo understand how serious the potential threat of Emotet’s latest return can be, it’s helpful to look at the last break\r\nthey took: May 2019 until late September 2019. Even though Emotet was on vacation for all but the last two\r\nweeks of Q3 (July – September), it still accounted for over 11% of all malicious payloads we saw for that entire\r\nquarter. That statistic alone tells the story of what TA542 is capable of with Emotet. TA542 has massive sending\r\ninfrastructure: nobody generates volumes like they do these days. Campaigns that TA542 unleashes have big\r\nvolumes and are widespread across verticals, languages and people. Even if they take 150 days off in a year, like\r\nthey did in 2019, they can do lots of damage.\r\nOn Monday, we saw Emotet get back to work with a new campaign. In this campaign Proofpoint observed TA542\r\npursuing potential victims in the western hemisphere (U.S., Canada, and Mexico) in the pharmaceutical industry\r\nin particular. You can see an example from the latest Emotet campaign in Figure 1 below.\r\nFigure 1 Sample from Latest Emotet Campaign\r\nThen, on Tuesday, we saw the geographic scope expand significantly as they added over a dozen countries\r\naround the world. Countries being targeted now include:\r\n1. Australia\r\n2. Austria\r\n3. Canada\r\n4. Germany\r\n5. Hong Kong\r\n6. Italy\r\n7. Japan\r\n8. 
Mexico\r\n9. Singapore\r\n10. South Korea\r\n11. Spain\r\n12. Switzerland\r\n13. Taiwan\r\n14. United Arab Emirates\r\n15. United States\r\nAt the same time, they expanded the languages used in their email lures from just English on Monday to English\r\nplus Chinese, German, Italian, Japanese and Spanish. As usual for this group, they’ve expanded to target a variety\r\nof industries.\r\nWe’ve mentioned that TA542 is capable of incredible volumes in a short period of time; that’s one of the things\r\nthat makes them such a significant threat. On Monday alone we saw nearly three quarters of a million messages\r\nand they’re already fast approaching one million messages total. To give this context, this isn’t the highest volume\r\nwe’ve ever seen from this actor: that was over one million messages in one day. But Monday was the biggest\r\nvolume since April 2019.\r\nBased on past activity and what our researchers are seeing, organizations around the globe should take Emotet’s\r\nreturn seriously. Throughout their career, TA542 has used widespread email campaigns on a huge, international\r\nscale that have affected North America, Central America, South America, Europe, Asia, and Australia. TA542’s\r\ncontinued use of Emotet should cause concern as well: Emotet is a modular, robust botnet capable of\r\ndownloading and installing a range of additional malware that often steals information and sends malicious email.\r\nEmotet can also spread across networks and use infected devices to launch further attacks. Emotet is a highly\r\neffective malware being used by a highly effective and sophisticated threat group with a large global\r\ninfrastructure.\r\nWe recommend organizations take necessary steps to ensure email traffic is secure and warn users to be wary of\r\nemails that encourage urgent action, such as clicking on links or opening attachments. 
Layered defenses with\r\nprotection at the email gateway will help prevent delivery of these messages and customized user training\r\nprograms will help potential victims recognize malicious emails.\r\nSource: https://www.proofpoint.com/us/corporate-blog/post/emotet-returns-after-holiday-break-major-campaigns",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/corporate-blog/post/emotet-returns-after-holiday-break-major-campaigns"
	],
	"report_names": [
		"emotet-returns-after-holiday-break-major-campaigns"
	],
	"threat_actors": [
		{
			"id": "e8e18067-f64b-4e54-9493-6d450b7d40df",
			"created_at": "2022-10-25T16:07:24.515213Z",
			"updated_at": "2026-04-10T02:00:05.018868Z",
			"deleted_at": null,
			"main_name": "Mummy Spider",
			"aliases": [
				"ATK 104",
				"Gold Crestwood",
				"Mummy Spider",
				"TA542"
			],
			"source_name": "ETDA:Mummy Spider",
			"tools": [
				"Emotet",
				"Geodo",
				"Heodo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "506404b2-82fb-4b7e-b40d-57c2e9b59f40",
			"created_at": "2023-01-06T13:46:38.870883Z",
			"updated_at": "2026-04-10T02:00:03.128317Z",
			"deleted_at": null,
			"main_name": "MUMMY SPIDER",
			"aliases": [
				"TA542",
				"GOLD CRESTWOOD"
			],
			"source_name": "MISPGALAXY:MUMMY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ac83159-1d9d-4db4-a176-97be6b7b07c9",
			"created_at": "2024-06-19T02:03:08.024653Z",
			"updated_at": "2026-04-10T02:00:03.672512Z",
			"deleted_at": null,
			"main_name": "GOLD CRESTWOOD",
			"aliases": [
				"Mummy Spider ",
				"TA542 "
			],
			"source_name": "Secureworks:GOLD CRESTWOOD",
			"tools": [
				"Emotet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434186,
	"ts_updated_at": 1775826701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7c781cc1fcf26b77606e1233b0a79bf578b6e73b.pdf",
		"text": "https://archive.orkl.eu/7c781cc1fcf26b77606e1233b0a79bf578b6e73b.txt",
		"img": "https://archive.orkl.eu/7c781cc1fcf26b77606e1233b0a79bf578b6e73b.jpg"
	}
}