{
	"id": "110b25c2-6794-4b7f-9f03-7d942e99f0f2",
	"created_at": "2026-04-06T00:16:50.958205Z",
	"updated_at": "2026-04-10T13:12:35.164521Z",
	"deleted_at": null,
	"sha1_hash": "877e23dd1b203498558291fe12ce85c206ec4135",
	"title": "[Updated] Alert Regarding Emotet Malware Infection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 383535,
	"plain_text": "[Updated] Alert Regarding Emotet Malware Infection\r\nArchived: 2026-04-05 18:06:41 UTC\r\nJPCERT-AT-2019-0044\r\nJPCERT/CC\r\n2019-11-27(Initial)\r\n2019-12-10(Update)\r\nI. Overview\r\nSince the second half of October 2019, JPCERT/CC has been receiving reports regarding Emotet malware\r\ninfection. Many of the reports were from victims who had received emails with a malicious Word format file\r\nattachment, impersonating a legitimate organization or person.\r\nFollowing this situation, in order to prevent further impact caused by Emotet malware, JPCERT/CC decided to\r\npublish this alert to share the primary infection vector of Emotet and its impact, as well as some tips on how to\r\ndetect and defend against Emotet infection, and how to respond once the infection is confirmed.\r\nUpdate: December 2, 2019 Update\r\nII. Attack Vector\r\nCases of Emotet infection that JPCERT/CC is aware of are mostly triggered by executing a malicious Word format\r\nfile and then\"enabling content\" of the document. Following is an example image of emails which may lead to\r\nEmotet malware infection.\r\nhttps://www.jpcert.or.jp/english/at/2019/at190044.html\r\nPage 1 of 7\n\nhttps://www.jpcert.or.jp/english/at/2019/at190044.html\r\nPage 2 of 7\n\n[Image 1: Email Example]\r\nSome emails attached with a Word format file that lead to Emotet infection are created based on information\r\nstolen by Emotet. 
Other lures quote emails exchanged in the past in the message body, so that the message appears to be a reply to an existing email thread. It is therefore necessary to be careful with these emails: although they appear to come from personnel at an existing business partner, they may have been sent from the attacker's side using information stolen by Emotet.\r\nThe attached file contains a lure that prompts you to enable the content, and Emotet is downloaded once it is enabled. Depending on the Microsoft Word macro settings, Emotet may be downloaded without any warning.\r\n[Image 2: Attachment File Example]\r\nUpdate: December 10, 2019\r\nSince around December 6, 2019, JPCERT/CC has observed emails with a URL link in the body of the message which lead to Emotet infection. Once the recipient clicks the URL link in the email body, a Word format file is downloaded. Emotet is then downloaded if the recipient enables the content after opening the file.\r\n[Image 4: Email Example]\r\nIt is recommended to stay alert for emails with URL links in the message body such as the one above, and not to click the URL link. The attack vectors of Emotet have changed and may change again in the future. Therefore, regardless of previous Emotet attack vectors, we recommend not executing attachments or clicking URL links in suspicious emails. It is also important to keep the emergency point of contact and the reporting structure in your organization up to date.\r\nIII. 
Impact\r\nWhen a device is infected with Emotet, the following may occur:\r\n- Authentication information such as passwords stored on the device or in the browser may be stolen\r\n- The infection may spread within the network by exploiting SMB vulnerabilities or by using the stolen passwords\r\n- The email account and its password may be stolen\r\n- Email text and address book information may be stolen\r\n- The stolen email account and message bodies may be used to send malicious emails\r\nUpon Emotet infection, information is stolen from the infected device, and emails that spread the infection to customers and business partners may then be sent from the attackers' infrastructure. In addition, if the infected device remains in the organization, attackers can use it as a bot to send large volumes of suspicious emails to external networks.\r\nIV. Countermeasures\r\nPlease consider the following actions to prevent Emotet infection and to minimize the damage caused by an infection.\r\n- Raise awareness in your organization through alerts and advisories\r\n- Disable automatic execution of Word macros *\r\n- Detect emails carrying malware by introducing email security products\r\n- Enable email audit logging\r\n- Apply OS patches regularly (a measure against the spread of infection through SMB vulnerabilities)\r\n- Take periodic offline backups (a measure against targeted ransomware attacks)\r\n* Select \"Disable all macros with notification\" in the Microsoft Office Trust Center Macro Settings.\r\n[Image 3: Microsoft Office Trust Center Macro Settings]\r\nV. 
Post infection\r\nIn addition to the case where the anti-virus software used in your organization detects an Emotet infection, one or more devices in the organization may be infected with Emotet if either of the following situations is confirmed:\r\n- You are informed by an external organization that they received an email, with a Word format file attached, that appears to come from your organization's email address\r\n- You check your organization's mail server, etc. and confirm that a large number of emails with Word format attachments, or spoofed emails, have been sent\r\nIf an Emotet infection is confirmed on a device or system in your organization, it is recommended to take the following actions as an initial response in order to prevent further damage:\r\n- Isolate the infected device from the network\r\n- Change the password of the email account used on the infected device\r\nThe following investigations and actions should then be considered, consulting a security vendor as necessary:\r\n- Scan all devices in the organization with anti-virus software\r\n- Change the passwords of the accounts used on the infected device\r\n- Monitor network traffic logs\r\n- Reinitialize the infected device after the investigation\r\nVI. References\r\nUS-CERT\r\nAlert (TA18-201A) Emotet Malware\r\nhttps://www.us-cert.gov/ncas/alerts/TA18-201A\r\nAustralian Cyber Security Centre (ACSC)\r\nAdvisory 2019-131a: Emotet malware campaign\r\nhttps://www.cyber.gov.au/threats/advisory-2019-131a-emotet-malware-campaign\r\nIf you have any information regarding this alert, please contact JPCERT/CC.\r\nUpdate: December 6, 2019\r\nWe corrected the TEL number below as it was incorrect. We apologize for any inconvenience caused.\r\nRevision History\r\n2019-11-27 First edition\r\n2019-12-02 Updated \"I. 
Overview\"\r\n2019-12-06 Updated TEL number at the bottom\r\n2019-12-10 Updated \"II. Attack Vector\"\r\nJPCERT Coordination Center (JPCERT/CC)\r\nMAIL: ew-info@jpcert.or.jp\r\nTEL: +81-3-6811-0610 FAX: +81-3-6271-8908\r\nhttps://www.jpcert.or.jp/english/\r\nSource: https://www.jpcert.or.jp/english/at/2019/at190044.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.jpcert.or.jp/english/at/2019/at190044.html"
	],
	"report_names": [
		"at190044.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434610,
	"ts_updated_at": 1775826755,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/877e23dd1b203498558291fe12ce85c206ec4135.pdf",
		"text": "https://archive.orkl.eu/877e23dd1b203498558291fe12ce85c206ec4135.txt",
		"img": "https://archive.orkl.eu/877e23dd1b203498558291fe12ce85c206ec4135.jpg"
	}
}