{
	"id": "c9d7bdcf-d9f8-4a56-b586-df8e22ee0c67",
	"created_at": "2026-04-06T00:19:26.075033Z",
	"updated_at": "2026-04-10T03:21:32.592103Z",
	"deleted_at": null,
	"sha1_hash": "91aff21663c4fee11ac9257e67e50c44b084dbd5",
	"title": "Emotet is back after a summer break",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 239030,
	"plain_text": "Emotet is back after a summer break\r\nBy Colin Grady\r\nPublished: 2019-09-17 · Archived: 2026-04-05 16:29:54 UTC\r\nTuesday, September 17, 2019 16:00\r\nEmotet is still evolving, five years after its debut as a banking trojan. It is one of the world's most dangerous\r\nbotnets and malware droppers-for-hire. The malware payloads dropped by Emotet serve to more fully monetize\r\ntheir attacks, and often include additional banking trojans, information stealers, email harvesters, self-propagation\r\nmechanisms and even ransomware.\r\nAt the beginning of June 2019, Emotet's operators decided to take an extended summer vacation. Even the\r\ncommand and control (C2) activities saw a major pause in activity. However, as summer begins drawing to a\r\nclose, Talos and other researchers started to see increased activity in Emotet's C2 infrastructure. And as of Sept.\r\n16, 2019, the Emotet botnet has fully reawakened, and has resumed spamming operations once again. While this\r\nreemergence may have many users scared, Talos' traditional Emotet coverage and protection remains the same. We\r\nhave a slew of new IOCs to help protect users from this latest push, but past Snort coverage will still block this\r\nmalware, as will traditional best security practices such as avoiding opening suspicious email attachments and\r\nusing strong passwords.\r\nEmotet's email propagation\r\nOne of Emotet's most devious methods of self-propagation centers around its use of socially engineered spam\r\nemails. Emotet's reuse of stolen email content is extremely effective. Once they have swiped a victim's email,\r\nEmotet constructs new attack messages in reply to some of that victim's unread email messages, quoting the\r\nbodies of real messages in the threads.\r\nhttps://blog.talosintelligence.com/2019/09/emotet-is-back-after-summer-break.html\r\nPage 1 of 7\n\nThe email above illustrates Emotet's social engineering.
In this example, we have a malicious email from Emotet,\r\nand contained inside the body of the email we can see a previous conversation between two aides to the mayor of\r\na U.S. city.\r\n1. Initially, Lisa sent an email to Erin about placing advertisements to promote an upcoming ceremony where\r\nthe mayor would be in attendance.\r\n2. Erin replied to Lisa inquiring about some of the specifics of the request.\r\n3. Lisa became infected with Emotet. Emotet then stole the contents of Lisa's email inbox, including this\r\nmessage from Erin.\r\n4. Emotet composed an attack message in reply to Erin, posing as Lisa. An infected Word document is\r\nattached at the bottom. It's easy to see how someone expecting an email as part of an ongoing conversation\r\ncould fall for something like this, and it is part of the reason that Emotet has been so effective at spreading\r\nitself via email. By taking over existing email conversations, and including real Subject headers and email\r\ncontents, the messages become that much more randomized, and more difficult for anti-spam systems to\r\nfilter.\r\nEmotet's email-sending infrastructure\r\nThis message wasn't sent from Lisa's own Emotet-infected computer through her configured outbound mail\r\nserver. Instead, this email was transmitted from an Emotet infection in a completely different location, utilizing a\r\ncompletely unrelated outbound SMTP server.\r\nIt turns out that in addition to stealing the contents of victims' inboxes, Emotet also swipes victims' credentials for\r\nsending outbound email. Emotet then distributes these stolen email credentials to other bots in its network, which\r\nthen use these stolen credentials to transmit Emotet attack messages.\r\nIn the process of analyzing Emotet, Cisco Talos has detonated hundreds of thousands of copies of the Emotet\r\nmalware inside of our malware sandbox, Threat Grid.
Over the past 10 months, Emotet has attempted to use\r\nThreat Grid infections as outbound spam emitters nearly 19,000 times.\r\nWhen Emotet's C2 designates one of its infections as a spam emitter, the bot will receive a list of outbound email\r\ncredentials containing usernames, passwords and mail server IP addresses. Over the past 10 months, Cisco Talos\r\ncollected 349,636 unique username/password/IP combos. Of course, many larger networks deploy multiple mail\r\nserver IP addresses, and in the data we saw a fair amount of repeat usernames and passwords using different, but\r\nrelated mail server IPs. Eliminating the server IP data, and looking strictly at usernames and passwords, Talos\r\nfound 202,675 unique username-password combinations.\r\nSince Talos was observing infections over a monthslong timeframe, we were able to make an assessment\r\nregarding the average lifespan of the credentials we saw Emotet distributing. In all, the average lifespan of a single\r\nset of stolen outbound email credentials was 6.91 days. However, when we looked more closely at the distribution,\r\n75 percent of the credentials stolen and used by Emotet lasted under one day. Ninety-two percent of the\r\ncredentials stolen by Emotet disappeared within one week. The remaining 8 percent of Emotet's outbound email\r\ninfrastructure had a much longer lifespan.\r\nIn fact, we found some outbound credentials that were utilized by Emotet for the entire duration of our sample\r\ndata. Below is a graph illustrating the volume of credentials having a longer lifespan with days along the X-axis\r\nvs. the number of stolen SMTP credentials along the Y-axis. There are quite a few stolen outbound email\r\ncredentials that Emotet has been using over a period of many months. 
Talos is reaching out to the affected\r\nnetworks in an attempt to remediate some of the current worst offenders.\r\nEmotet's recipients\r\nAs opposed to simply drafting new attack messages, stealing old email messages and jumping into the middle of\r\nan existing email conversation is a fairly expensive thing to do. Looking at all the email Emotet attempted to send\r\nduring the month of April 2019, we found Emotet included stolen email conversations only approximately 8.5\r\npercent of the time. Since Emotet has reemerged, however, we have seen an increase in this tactic, with stolen\r\nemail threads appearing in almost one quarter of Emotet's outbound emails.\r\nEmotet also apparently has a considerable database of potential recipients to draw from. Looking at all of the\r\nintended recipients of Emotet's attack messages in April 2019, we found that 97.5 percent of Emotet's recipients\r\nreceived only a single message. There was, however, one victim who managed to receive ten Emotet attack\r\nmessages during that same period. Either Emotet has something against that guy in particular, or, more likely, it is\r\nsimply an artifact of the method Emotet uses to distribute victim email addresses to its outbound spam\r\nemitters.\r\nA word about passwords\r\nEmotet's stolen outbound email credentials contained over 176,000 unique passwords, so we decided to have a\r\nlook at the passwords by themselves, without regard to the username or mail server IP.
Below is a list of the most\r\ncommon passwords, and on the left-hand side is the number of unique outbound SMTP credentials found utilizing\r\nthat particular password.\r\nIt comes as no surprise that perennially problematic passwords such as \"123456\" and \"password\" (along with\r\nnumerous variations of those) appear with a significant degree of prominence. However, there are other passwords\r\nin the set that are much more unusual, in the sense of \"Why would so many different accounts use that same strange\r\npassword?\" Most likely these are victims of Emotet who themselves controlled a large number of distinct email\r\nboxes while also committing the cybersecurity cardinal sin of reusing the same password across many different\r\naccounts.\r\nConclusion\r\nEmotet has been around for years, so this reemergence comes as no surprise. The good news is, the same advice for\r\nstaying protected from Emotet remains. To avoid Emotet taking advantage of your email account, be sure to use\r\nstrong passwords and opt in to multi-factor authentication, if your email provider offers that as an option. Be wary\r\nof emails that seem to be unexpected replies to old threads, emails that seem suspiciously out of context, or those\r\nmessages that come from familiar names but unfamiliar email addresses. As always, you can rely on Snort rules to\r\nkeep your system and network protected, as well. Previous Snort rules Talos has released will still protect from\r\nthis wave of Emotet, and there is always the opportunity for new coverage in the future.\r\nThis is also a good opportunity to recognize that security researchers and practitioners can never take their foot off\r\nthe gas. When a threat group goes silent, it's unlikely they'll be gone forever.
Rather, this opens up the opportunity\r\nfor a threat group to return with new IOCs, tactics, techniques and procedures or new malware variants that can\r\navoid existing detection. Just as we saw earlier this year with the alleged breakup of the threat actors behind\r\nGandCrab, it's never safe to assume a threat is gone for good.\r\nIoCs\r\nIndicators of compromise related to Emotet's latest activity can be found here.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention\r\nSystem (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nSource: https://blog.talosintelligence.com/2019/09/emotet-is-back-after-summer-break.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/2019/09/emotet-is-back-after-summer-break.html"
	],
	"report_names": [
		"emotet-is-back-after-summer-break.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434766,
	"ts_updated_at": 1775791292,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/91aff21663c4fee11ac9257e67e50c44b084dbd5.pdf",
		"text": "https://archive.orkl.eu/91aff21663c4fee11ac9257e67e50c44b084dbd5.txt",
		"img": "https://archive.orkl.eu/91aff21663c4fee11ac9257e67e50c44b084dbd5.jpg"
	}
}