{
	"id": "875608de-5388-45b6-b7cb-b995acd9f1b0",
	"created_at": "2026-04-06T00:07:58.841477Z",
	"updated_at": "2026-04-10T03:35:28.903002Z",
	"deleted_at": null,
	"sha1_hash": "7e258d6b0d59b0e638dce4c147cab1ac6bc56c96",
	"title": "Emotet Is Not Dead (Yet)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 564314,
	"plain_text": "Emotet Is Not Dead (Yet)\r\nBy Jason Zhang\r\nPublished: 2022-01-21 · Archived: 2026-04-05 22:00:58 UTC\r\nThe state of cyber security is a typical example of a cat-and-mouse game between hackers and defenders. Sometimes, a threat that appears to be under control, if not completely mitigated, comes back with a vengeance. This is exactly what happened to Emotet.\r\nIt has been just about a year since the Emotet botnet was taken down, thanks to the international efforts of multiple law enforcement agencies. But the silence from the Emotet attackers did not last long. Late last year, we saw a report on the resurfacing of Emotet, distributed by Trickbot. Recently, VMware’s Threat Analysis Unit saw another Emotet campaign—where the attacks leveraged the increasingly abused Excel 4.0 (XL4) macros to spread Emotet payloads.\r\nIn this blog post, we investigate the first stage of the recent Emotet attacks by analyzing one of the samples from the recent campaign and reveal novel tactics, techniques, and procedures (TTPs) that were not used by Emotet in the past.\r\nThe Recent Emotet Campaign\r\nFigure 1 shows the detection timeline of a recent Emotet campaign that affected some of our customers—mostly in the EMEA region. The campaign started on January 11 and peaked the next day before fading away.\r\nFigure 1: Detection timeline of Emotet affecting some of VMware’s customers, mainly in the EMEA region.\r\nThe samples we checked from this campaign are all Microsoft (MS) Office 97-2003 Excel documents, with a relatively small file size (between 110KB and 120KB). Figure 2 highlights the file magic number (D0 CF 11 E0 A1 B1 1A E1) associated with the MS Office 97-2003 file format. This is an old version of the Office document format, as compared to more recent versions, such as the MS Office 2007 file format (50 4B 03 04 14 00 06 00).\r\nhttps://blogs.vmware.com/networkvirtualization/2022/01/emotet-is-not-dead-yet.html/\r\nPage 1 of 7\n\nFigure 2: File magic number of one of the samples from the campaign.\r\nTable 1: A typical XL4 macro weaponized Excel file from the campaign.\r\nMD5: 6fd5c84001462a92330a0c3d26db2088\r\nSHA1: 7c0d0a80e7ebb3af7ce549df78a5a68cbd5debb5\r\nSHA256: 6bbe67b5f91f49ff1cce69808d819d7a6f44672bc88d38f1abbf1c2fe582d3b4\r\nFile name: 0019991760.xlsm\r\nSize: 115712 bytes\r\nType: application/msoffice-xls\r\nThe Emotet Downloader\r\nTo investigate the attacks, we analyzed one of the samples from the campaign (see Table 1). The document contains common social engineering text (see Figure 3), with detailed instructions, to entice the victim into enabling execution of the malicious macro.\r\nFigure 3: The opening page from the sample listed in Table 1.\r\nThis is a typical weaponized document with embedded malicious macros, as seen in the past in attacks based on the commonly used Visual Basic for Applications (VBA) macros and in campaigns leveraging the increasingly abused XL4 macros. To find out whether the malware leverages VBA macros or XL4 macros, we need to examine the hidden macros. Figure 4 shows a snippet of the macros extracted using oletools. As seen from the figure, if macros are enabled, the embedded macro script starts by calling an auto_open method to execute the actual malicious payload stored on a macro worksheet called GTTT. This implies the script is a collection of XL4 macros. For more information on XL4 macros and how XL4 macro weaponization has evolved over time, please refer to our earlier report.\r\nFigure 4: Highly obfuscated XL4 macros.\r\nTo better understand the human-unreadable macros, one can de-obfuscate them using off-the-shelf tools such as XLMMacroDeobfuscator. Figure 5 shows the de-obfuscated XL4 macros.\r\nThe functionality of the macro is threefold:\r\n1. Download the next-stage payload from one of the payload hosts. The attackers chose to use multiple hosts to increase their chances of downloading the payload in case one or more hosts were taken down.\r\n2. Execute the downloaded payload by running rundll32.exe.\r\n3. Gain registry persistence by running DllRegisterServer (the de-obfuscated version of D”\u0026”l”\u0026”lR”\u0026”egister”\u0026”Serve”\u0026”r from the EXEC command line is shown in Figure 5).\r\nFigure 5: De-obfuscated XL4 macros.\r\nAll DLL payloads from this campaign have the same initial file name, sun.ocx, which is saved to the C:\\Users\\ directory upon successful download, as confirmed by analyzing the document with VMware Advanced Threat Analyzer (see Figure 6).\r\nFigure 6: DLL payload downloaded to the C:\\Users\\ directory.\r\nThe DLL file turns out to be an Emotet payload. Exploring both the Excel sample and the DLL payload on VirusTotal reveals similar files and URLs from the same campaign, as shown in Figure 7.\r\nFigure 7: The correlation of indicators of compromise (IoCs) from this attack, created with VirusTotal Graph, visualizes the relationship between similar samples and the contacted hosts. The meaning of each node on the graph can be found here.\r\nIt is not a secret that Emotet attacks typically leverage winmgmts:Win32_Process and PowerShell scripts via VBA macros to download and execute the Emotet payload, as discussed in our report. On the other hand, XL4 macros are known to mainly spread infostealers (e.g., Agent Tesla, Danabot, Trickbot) and banking Trojans (e.g., ZLoader and Gozi). The most recent addition to the infostealer families delivered by XL4 was Qakbot (see our earlier report). Leveraging XL4 macros to spread Emotet payloads is certainly a key differentiator from the TTPs seen in those old Emotet attacks, which were mainly based on VBA macros.\r\nAutomating De-obfuscation with Symbexcel\r\nTo automate the de-obfuscation process for a large number of XL4 macro weaponized files, we used Symbexcel. Symbexcel is a recently developed tool that leverages symbolic execution to de-obfuscate and analyze Excel 4.0 macros automatically. More information on the tool can be found in our blog post and BlackHat 2021 presentation.\r\nFigure 8 shows the output of Symbexcel when scanning the Excel sample (described in Table 1). The output contains multiple states representing the multiple conditional statements found in the original XL4 macros, which demonstrates that Symbexcel successfully de-obfuscated the highly obfuscated XL4 macros at each state.\r\nFigure 8: Symbexcel de-obfuscation output showing key IoCs.\r\nWe then applied Symbexcel to successfully scan all 186 XL4 macro weaponized Excel samples collected from this campaign, and identified 12 unique payload host URLs (see the section Appendix: IoCs).\r\nVMware NSX Detection with MITRE ATT\u0026CK Mapping\r\nVMware NSX customers are well protected against such Emotet attacks. Figure 9 shows the analysis overview from a controlled environment when executing the initial malware. As shown in the figure, VMware’s AI-driven Advanced Threat Analyzer successfully identified the malware as Emotet, along with a few other high-risk characteristics, such as the presence of an XL4 macro sheet containing potentially obfuscated code, the observation of command \u0026 control traffic, and the execution of a dropped file.\r\nFigure 9: VMware NSX advanced threat analysis overview with MITRE ATT\u0026CK mapping.\r\nThe analysis overview also contains MITRE ATT\u0026CK tactic and technique mapping for some of the key malicious behaviors observed during the attack execution. The typical ATT\u0026CK tactics used in this attack include TA0002: Execution and TA0011: Command and Control. A detailed MITRE ATT\u0026CK tactic and technique mapping for Emotet can be found in the MITRE report.\r\nConclusions\r\nThis blog post discussed a recent Emotet attack leveraging weaponized XL4 macros. The resurfacing of Emotet after its takedown a year ago reminds security defenders that the threat landscape is dynamic, and a win in this battle against hackers rarely lasts long. Moreover, in the latest Emotet campaign, we observed that TTPs in cyber-attacks have never been static, and they evolve over time. Leveraging XL4 macros proved to be yet another arrow in malware authors’ quiver. While Microsoft has now announced that it will disable XL4 macros by default for customers using Excel, malware authors will keep exploring new ways of obfuscation and other TTPs to evade detection. This poses great challenges for detection that depends heavily on signatures. Instead, behavior-based approaches such as VMware’s AI-driven Advanced Threat Analyzer showed great effectiveness in defeating attacks leveraging the techniques discussed above.\r\nAppendix: IoCs\r\nIndicators of compromise identified from this report can be found on VMware TAU’s GitHub IoCs repository.\r\nSource: https://blogs.vmware.com/networkvirtualization/2022/01/emotet-is-not-dead-yet.html/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.vmware.com/networkvirtualization/2022/01/emotet-is-not-dead-yet.html/"
	],
	"report_names": [
		"emotet-is-not-dead-yet.html"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434078,
	"ts_updated_at": 1775792128,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7e258d6b0d59b0e638dce4c147cab1ac6bc56c96.pdf",
		"text": "https://archive.orkl.eu/7e258d6b0d59b0e638dce4c147cab1ac6bc56c96.txt",
		"img": "https://archive.orkl.eu/7e258d6b0d59b0e638dce4c147cab1ac6bc56c96.jpg"
	}
}