{
	"id": "633030de-4d9b-4651-9b99-3d0312af3f04",
	"created_at": "2026-04-06T00:09:20.352024Z",
	"updated_at": "2026-04-10T13:11:59.357092Z",
	"deleted_at": null,
	"sha1_hash": "7ce9edb88d219f69acabbefa715d083e3f81c071",
	"title": "Emotet Campaign Restarts After Seven-Week Hiatus",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 89668,
	"plain_text": "Emotet Campaign Restarts After Seven-Week Hiatus\r\nBy Robert Lemos\r\nPublished: 2020-12-22 · Archived: 2026-04-05 23:12:33 UTC\r\n4 Min Read\r\nIn October, three surges of spam laden with the Emotet downloader worked to spread the malware to vulnerable\r\nusers' systems, starting a sequence that often results in a Ryuk ransomware infection or attempts to steal bank\r\naccount credentials via the Trickbot banking Trojan.\r\nOn Oct. 30, with the completion of the third campaign, the group's spamming died down and almost no\r\nsubsequent traffic appeared. Until now.\r\nSeven weeks after the last major Emotet campaign, the cybercriminals behind the downloader have started up\r\ntheir attempts to compromise more systems, according to multiple cybersecurity organizations. Anti-spam\r\ncrusader Abuse.ch noted on Dec. 22 that the cybercrime group had ramped up activity right before Christmas. The\r\nday before, messaging security provider Proofpoint noted that its systems were seeing more than 100,000\r\nmessages in various languages and with a variety of attachments or links.\r\nThe latest campaign could lead to compromised systems and threats to business networks, as most employees\r\ncontinue to work from home.\r\n\"What makes Emotet particularly dangerous for organizations is that it has been the primary foothold for the\r\nfuture deployment of other banking Trojans,\" says Sherrod DeGrippo, senior director of threat research and\r\ndetection at Proofpoint. \"At this point, any mainstream banking Trojan may lead to devastating ransomware\r\nattacks.\"\r\nWhile the company is still analyzing the latest Emotet variant, the US Department of Homeland Security's\r\nCybersecurity \u0026 Infrastructure Security Agency (CISA) called the malware campaigns \"one of the most prevalent\r\nongoing threats\" in an advisory published in early October. 
The US government had seen an increase in Emotet-associated indicators since July, which specifically targeted state and local governments, the advisory stated.\r\n\"Emotet is an advanced Trojan primarily spread via phishing email attachments and links that, once clicked,\r\nlaunch the payload,\" the advisory stated. \"The malware then attempts to proliferate within a network by brute\r\nforcing user credentials and writing to shared drives.\"\r\nWhile the latest Emotet campaign started around mid-December, the activity became most apparent in the last few\r\ndays. Proofpoint issued a short statement on Twitter on Dec. 21 that also displayed a screenshot of the social\r\nengineering used to attempt to get victims to turn off features of Microsoft 365 that block malicious documents.\r\n\"#Emotet returns after a short break just in time for the holidays,\" Proofpoint tweeted as part of the statement.\r\n\"We're seeing 100k+ messages in English, German, Spanish, Italian, and more. Lures use thread hijacking with\r\nWord attachments, pw-protected zips, and URLs.\"\r\nhttps://www.darkreading.com/threat-intelligence/emotet-campaign-restarts-after-seven-week-hiatus/d/d-id/1339792\r\nPage 1 of 3\n\nEmotet has often been the initial attack of a triad of malware: the Emotet downloader, the Ryuk ransomware, and\r\nthe Trickbot banking Trojan. The triple threat of malware has had enormous success. In June, the Cisco Talos\r\nIncident Response team stated that the majority of its engagements over the last year had been to clean up Ryuk\r\nransomware. In early December, security services firm CrowdStrike stated that, of the more than 200 incidents the\r\ncompany investigated, 63% were financially motivated, and 81% of those incidents were ransomware attacks or\r\nan early-stage attack that typically leads to ransomware.\r\nCybersecurity companies continue to attempt to disrupt the profitable cybercriminal attacks. 
In October,\r\nMicrosoft, the Financial Services Information Sharing and Analysis Center (FS-ISAC), and other cybersecurity\r\nfirms banded together to attempt to disrupt the Trickbot botnet.\r\nThe latest data from the URLhaus database, which tracks malicious and suspicious domains, shows that Emotet\r\nspam activity has quickly increased in the past week.\r\nThis is not the first time that the Emotet group has taken a break. Spam volumes dropped in February 2020 and\r\ndid not return until July, according to data from Cisco Talos.\r\n\"Emotet occasionally takes periodic breaks from sending malicious spam emails, as seen earlier this year,\" the\r\ncompany stated in a blog post.\r\nWhile this version of Emotet could be similar to past versions, the developer of the malware chose to use dynamic\r\nlibraries to allow for its functions to be easily updated, CISA noted in its advisory.\r\n\"Emotet is difficult to combat because of its 'worm-like' features that enable network-wide infections,\" the agency\r\nstated. \"Additionally, Emotet uses modular Dynamic Link Libraries to continuously evolve and update its\r\ncapabilities.\"\r\nAbout the Author\r\nContributing Writer\r\nVeteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen\r\npublications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired\r\nNews. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the\r\nBlaster worm. Crunches numbers on various trends using Python and R. 
Recent reports include analyses of the\r\nshortage in cybersecurity workers and annual vulnerability trends.\r\nSource: https://www.darkreading.com/threat-intelligence/emotet-campaign-restarts-after-seven-week-hiatus/d/d-id/1339792",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.darkreading.com/threat-intelligence/emotet-campaign-restarts-after-seven-week-hiatus/d/d-id/1339792"
	],
	"report_names": [
		"1339792"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434160,
	"ts_updated_at": 1775826719,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7ce9edb88d219f69acabbefa715d083e3f81c071.pdf",
		"text": "https://archive.orkl.eu/7ce9edb88d219f69acabbefa715d083e3f81c071.txt",
		"img": "https://archive.orkl.eu/7ce9edb88d219f69acabbefa715d083e3f81c071.jpg"
	}
}