{
	"id": "8eccd98e-210f-4c27-8177-ddfef445af8e",
	"created_at": "2026-04-06T00:12:19.899873Z",
	"updated_at": "2026-04-10T03:21:01.677909Z",
	"deleted_at": null,
	"sha1_hash": "7c7c2477f21506f2bc24a42b69de0954680a4204",
	"title": "Emotet Changes TTPs and Arrives in United States",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 366877,
	"plain_text": "Emotet Changes TTPs and Arrives in United States\r\nPublished: 2017-04-28 · Archived: 2026-04-05 23:21:46 UTC\r\nThe MS-ISAC recently observed a malicious email campaign delivering the Emotet banking Trojan via a malicious PDF in the United States. This appears to be the first time Emotet has targeted the United States and the first time it has used a PDF attachment. The campaign targeted federal, state, local, tribal, and territorial (FSLTT) government employees, among others, with fake invoices and documents purporting to come from nationally branded businesses and organizations. Emotet is a variant of the Feodo Trojan family, a family of banking Trojans that includes Emotet, Bugat, and Dridex.\r\nGeographic History\r\nEmotet was first reported by the cybersecurity community in June 2014. Its first two versions targeted German and Austrian banking customers from June 2014 until it went silent in December 2014. At the end of January 2015, reporting indicated that a third version had emerged with upgraded evasion techniques; this version expanded beyond Germany and Austria to target Swiss banks. No significant campaigns were publicly documented during the rest of 2015 or in 2016. Feodo Tracker, a site that tracks the Feodo Trojan family, showed the botnet infrastructure to be almost completely offline in 2016 and completely offline as of April 27, 2017.\r\nHowever, around mid-April 2017, Forcepoint analyzed samples from a large-scale UK spam campaign and noted that it delivered Geodo malware; rather than the newer Dridex derivative, the campaign used the older Emotet variant.\r\nThe April campaign used a fake invoice as the attachment and focused on the .uk country-code top-level domain (ccTLD). According to Forcepoint, the campaign peaked on April 18, 2017.\r\nOn April 24, 2017, the MS-ISAC observed a spam campaign against FSLTT government employees in the United States, which has since expanded to target the financial sector. 
We confirmed that the malicious PDF attachments directed recipients to URLs that downloaded the Emotet malware.\r\nCurrent Delivery Methodology\r\nThe U.S. campaign displays many similarities with the UK campaign from mid-April, although there are some notable differences.\r\nEmotet, like most malware, has continuously evolved its delivery method. Proofpoint documented the mid-April 2017 UK campaign as first using an attachment with fake phone bills and then switching to links to malicious files embedded in the email body. In the U.S. variant, the MS-ISAC has noted malicious PDF attachments containing a link to a JavaScript (JS) file, which the recipient is directed to download. Subject lines varied from fake billing notifications to reports that supposedly needed to be read.\r\nhttps://www.cisecurity.org/blog/emotet-changes-ttp-and-arrives-in-united-states/\r\nPage 1 of 4\n\nInside the PDF, there is an overt reference to the link’s target being a JS file. The MS-ISAC believes this is done to prepare the recipient for the unusual invoice format.\r\nThe link returns a .JS file that is heavily obfuscated and padded with large amounts of ‘junk’ code. Once de-obfuscated, it contains around 2,000 lines of junk, of which only one function is actually used.\r\nWhen run, the .JS file displays an error message to the victim (reproduced as an image in the original post).\r\nOnce the .JS file is run, it makes HTTP GET requests over port 8080 to the command and control (C2) IP address, carrying what the MS-ISAC believes is identification data encrypted within an encoded cookie string.\r\nWhen the malware ran successfully, the remote IP address responded with a 404 error header and encrypted data. 
The MS-ISAC observed that resending requests with the same cookie string produced responses of differing content length, so the server’s reply varies even when a static cookie value is replayed.\r\nAssociation Between U.S. and UK Spam Campaign\r\nThough there are some notable differences, the U.S. campaign displays many similarities with the mid-April UK campaign observed by Forcepoint. The UK emails took the form of fake billing notifications, and around half of the emails the MS-ISAC observed used fake billing as the lure.\r\nThough the TTPs for delivering the .JS file changed between campaigns, with the U.S. campaign placing the malicious link inside a malicious attachment and the UK campaign placing it in the email body, the .JS files from both campaigns were similar. Both the MS-ISAC and Forcepoint noted that the .JS file downloaded from the malicious link was heavily obfuscated and contained a large amount of junk data.\r\nWhen the .JS runs, Forcepoint observed an error message that matched verbatim the error message in the .JS file analyzed by the MS-ISAC (both are reproduced as images in the original post).\r\nThe MS-ISAC also observed differences between the C2 servers involved in previous Emotet versions and those in the latest iteration of the malware. The communication request was an HTTP GET request with an encoded cookie string. 
The C2 server responded to the request with a “404 Not Found” message containing an encrypted response.\r\nIndicators of Compromise (IOC)\r\nAttachments\r\nDocument attachments with names similar to “Document_11861097_NI_NSO__11861097.pdf” or “11861097_11861097.pdf”: the same number is repeated twice with either “_” or “_NI_NSO__” between the two copies.\r\nA PDF with no other indicators, such as “KZSY284404.PDF”: 7 or 9 characters long, using only letters and numbers, mostly following the format “LLLNNNNNN.pdf”.\r\nThe invoice PDF variant, “Invoice.PDF”.\r\nSource: https://www.cisecurity.org/blog/emotet-changes-ttp-and-arrives-in-united-states/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.cisecurity.org/blog/emotet-changes-ttp-and-arrives-in-united-states/"
	],
	"report_names": [
		"emotet-changes-ttp-and-arrives-in-united-states"
	],
	"threat_actors": [],
	"ts_created_at": 1775434339,
	"ts_updated_at": 1775791261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7c7c2477f21506f2bc24a42b69de0954680a4204.pdf",
		"text": "https://archive.orkl.eu/7c7c2477f21506f2bc24a42b69de0954680a4204.txt",
		"img": "https://archive.orkl.eu/7c7c2477f21506f2bc24a42b69de0954680a4204.jpg"
	}
}