{
	"id": "3c95bdeb-c839-4e03-98a8-d8a168e930f5",
	"created_at": "2026-04-06T00:21:50.999333Z",
	"updated_at": "2026-04-10T13:12:59.594109Z",
	"deleted_at": null,
	"sha1_hash": "88bc5c4c414e3484c0dd56b410f0b59e05c357c9",
	"title": "International Action Targets Emotet Crimeware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1077972,
	"plain_text": "International Action Targets Emotet Crimeware\r\nPublished: 2021-01-27 · Archived: 2026-04-05 22:46:22 UTC\r\nAuthorities across Europe on Tuesday said they’d seized control over Emotet, a prolific malware strain and cybercrime-as-service operation. Investigators say the action could help quarantine more than a million Microsoft Windows systems currently compromised with malware tied to Emotet infections.\r\nFirst surfacing in 2014, Emotet began as a banking trojan, but over the years it has evolved into one of the more aggressive platforms for spreading malware that lays the groundwork for ransomware attacks.\r\nIn a statement published Wednesday morning on an action dubbed “Operation Ladybird,” the European police agency Europol said the investigation involved authorities in the Netherlands, Germany, United States, the United Kingdom, France, Lithuania, Canada and Ukraine.\r\n“The EMOTET infrastructure essentially acted as a primary door opener for computer systems on a global scale,” Europol said. “Once this unauthorised access was established, these were sold to other top-level criminal groups to deploy further illicit activities such as data theft and extortion through ransomware.”\r\nExperts say Emotet is a pay-per-install botnet that is used by several distinct cybercrime groups to deploy secondary malware — most notably the ransomware strain Ryuk and Trickbot, a powerful banking trojan. It propagates mainly via malicious links and attachments sent through compromised email accounts, blasting out tens of thousands of malware-laced missives daily.\r\nhttps://krebsonsecurity.com/2021/01/international-action-targets-emotet-crimeware\r\nPage 1 of 4\r\nEmotet relies on several hierarchical tiers of control servers that communicate with infected systems. Those controllers coordinate the dissemination of second-stage malware and the theft of passwords and other data, and their distributed nature is designed to make the crimeware infrastructure more difficult to dismantle or commandeer.\r\nIn a separate statement on the malware takeover, the Dutch National police said two of the three primary servers were located in the Netherlands.\r\n“A software update is placed on the Dutch central servers for all infected computer systems,” the Dutch authorities wrote. “All infected computer systems will automatically retrieve the update there, after which the Emotet infection will be quarantined. Simultaneous action in all the countries concerned was necessary to be able to effectively dismantle the network and thwart any reconstruction.”\r\nA statement from the German Federal Criminal Police Office about their participation in Operation Ladybird said prosecutors seized 17 servers in Germany that acted as Emotet controllers.\r\n“As part of this investigation, various servers were initially identified in Germany with which the malicious software is distributed and the victim systems are monitored and controlled using encrypted communication,” the German police said.\r\nSources close to the investigation told KrebsOnSecurity the law enforcement action included the arrest of several suspects in Europe thought to be connected to the crimeware gang. The core group of criminals behind Emotet are widely considered to be operating out of Russia.\r\nA statement by the National Police of Ukraine says two citizens of Ukraine were identified “who ensured the proper functioning of the infrastructure for the spread of the virus and maintained its smooth operation.”\r\nA video released to YouTube by the NPU this morning shows authorities there raiding a residence, seizing cash and computer equipment, and what appear to be numerous large bars made of gold or perhaps silver. The Ukrainian policeman speaking in that video said the crooks behind Emotet have caused more than $2 billion in losses globally. That is almost certainly a very conservative number.\r\nPolice in the Netherlands seized huge volumes of data stolen by Emotet infections, including email addresses, usernames and passwords. A tool on the Dutch police website lets users learn if their email address has been compromised by Emotet.\r\nBut because Emotet is typically used to install additional malware that gets its hooks deeply into infected systems, cleaning up after it is going to be far more complicated and may require a complete rebuild of compromised computers.\r\nThe U.S. Cybersecurity \u0026 Infrastructure Security Agency has labeled Emotet “one of the most prevalent ongoing threats” that is difficult to combat because of its ‘worm-like’ features that enable network-wide infections. Hence, a single Emotet infection can often lead to multiple systems on the same network getting compromised.\r\nIt is too soon to say how effective this operation has been in fully wresting control over Emotet, but a takedown of this size is a significant action.\r\nIn October, Microsoft used trademark law to disrupt the Trickbot botnet. Around the same time, the U.S. Cyber Command also took aim at Trickbot. However, neither of those actions completely dismantled the crimeware network, which remains in operation today.\r\nRoman Hüssy, a Swiss information technology expert who maintains Feodotracker — a site that lists the location of major botnet controllers — told KrebsOnSecurity that prior to January 25, some 98 Emotet control servers were active. The site now lists 20 Emotet controllers online, although it is unclear if any of those remaining servers have been commandeered as part of the quarantine effort.\r\nA current list of Emotet control servers online. Source: Feodotracker.abuse.ch\r\nFurther reading: Team Cymru on taking down Emotet\r\nSource: https://krebsonsecurity.com/2021/01/international-action-targets-emotet-crimeware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://krebsonsecurity.com/2021/01/international-action-targets-emotet-crimeware"
	],
	"report_names": [
		"international-action-targets-emotet-crimeware"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434910,
	"ts_updated_at": 1775826779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/88bc5c4c414e3484c0dd56b410f0b59e05c357c9.pdf",
		"text": "https://archive.orkl.eu/88bc5c4c414e3484c0dd56b410f0b59e05c357c9.txt",
		"img": "https://archive.orkl.eu/88bc5c4c414e3484c0dd56b410f0b59e05c357c9.jpg"
	}
}