{
	"id": "56e25914-95ec-40b4-a87b-9b3891efd1e3",
	"created_at": "2026-04-06T00:12:58.821883Z",
	"updated_at": "2026-04-10T03:23:52.316327Z",
	"deleted_at": null,
	"sha1_hash": "91d81501b9e9287c19c673845eec7e3a733d9311",
	"title": "The Evolution of Emotet: From Banking Trojan to Threat Distributor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 65408,
	"plain_text": "The Evolution of Emotet: From Banking Trojan to Threat Distributor\r\nArchived: 2026-04-05 16:06:35 UTC\r\nMealybug is a cyber crime actor that has been active since at least 2014. It is identified by its use of its custom malware, Trojan.Emotet. It appears to have changed its business model in recent times, evolving from targeting banking customers in Europe to using its infrastructure to act as a global packing and delivery service for other threat actors.\r\nBecause it can self-propagate, Emotet presents a particular challenge for organizations. Network worms have been experiencing a kind of renaissance, with notable examples like WannaCry (Ransom.Wannacry) and Petya/NotPetya (Ransom.Petya). Network spreading also means that victims can become infected without ever clicking on a malicious link or downloading a malicious attachment. Once on a computer, Emotet downloads and executes a spreader module that contains a password list that it uses to attempt to brute force access to other machines on the same network.\r\nEmotet’s method of self-propagation—brute forcing passwords—has additional potential to cause major headaches for organizations as it may result in multiple failed login attempts, which can lead to users becoming locked out of their network accounts. This has the knock-on effect of increased calls to IT helpdesks and general loss of productivity. This was a hallmark of the notorious Conficker (W32.Downadup) threat and, 10 years later, threats continue to cause similar problems.\r\nAs well as brute forcing passwords, Emotet can also spread to additional computers using a spam module that it installs on infected victim machines. This module generates emails that use standard social engineering techniques and typically contain subject lines including words such as “Invoice”. 
Some subject lines include the name of the person whose email account has been compromised, to make it seem less like a spam email. The emails typically contain a malicious link or attachment which, if launched, will result in the recipient becoming infected with Trojan.Emotet.\r\nMost recently, Mealybug appears to have expanded its operations to primarily become a distributor of threats for other attack groups.\r\nEmotet becomes a global threat\r\nWhen Mealybug was first identified in 2014 it was using Emotet to spread banking Trojans, and was focused on targeting banking customers in Germany. At the time, Mealybug was using Trojan.Emotet as the loader portion of W32.Cridex.B, a rewritten version of the Cridex banking Trojan. In 2015, Mealybug started targeting Swiss banking customers as well and evolved Emotet into more modular malware. The new version of Emotet had separate modules for its loader, banking data theft, email login theft, distributed denial of service (DDoS) attacks, and malicious spam.\r\nMealybug has primarily been engaged in using Emotet for the delivery of banking Trojans, and in 2017 it was the first group to deliver the IcedID (Trojan.IcedID) banking Trojan. However, also in 2017, it was observed delivering the Trojan.Trickybot and Ransom.UmbreCrypt ransomware. Mealybug has developed its capabilities over the years and now appears to offer an “end-to-end” service for delivery of threats. It delivers the threats, obfuscates them to reduce the chances of detection, and provides a spreader module that allows the threats to self-propagate.\r\nEmotet gets an initial foothold on a victim machine or network by sending an email containing either a malicious link that leads to a downloader document or that has a malicious document attached. 
Anti-analysis tactics have been present in Emotet since at least 2015 and, in 2018, Emotet’s payload consists of a packed file containing the main component and an anti-analysis module. The anti-analysis module performs multiple checks to ensure it is not being run on a malware research machine, then loads the main component. Either PowerShell or JavaScript is used to download the Trojan, which delivers a packed payload file to the victim machine. Once on a machine, the latest version of Emotet:\r\n1. Moves itself to its preferred directory\r\n2. Creates a LNK file pointing to itself in the start-up folder\r\n3. Collects victim machine information and sends it to the C\u0026C server\r\nIt can then download any new payloads from the C\u0026C server, and execute them. Emotet can download an updated version of itself, or any other threat. Existing versions of Emotet download modules from the C\u0026C server that include:\r\nBanking module: This module intercepts network traffic from the browser to steal banking details entered by the user. This is what gave Trojan.Emotet its reputation as a banking Trojan.\r\nEmail client infostealer module: This module steals email credentials from email client software.\r\nBrowser infostealer module: This module steals information such as browsing history and saved passwords.\r\nPST infostealer module: This module reads through Outlook’s message archives and extracts the sender names and email addresses of the messages, presumably to use for spamming.\r\nAll information stolen by these modules is sent to the C\u0026C server. Emotet also has a DDoS module that can add the infected machine to a botnet to carry out DDoS attacks.\r\nFigure 1. Trojan.Emotet primarily focusing on targets in the U.S.\r\n
Emotet’s geographic targets have also increased significantly over the years. After a relatively quiet period since 2015, detections of Emotet surged in the second half of 2017, and in that year Mealybug’s targets included victims in Canada, China, the UK, and Mexico. However, according to Symantec telemetry for the first half of 2018, its focus now is mainly on targets in the U.S.\r\nFigure 2. Trojan.Emotet detections by geographical region\r\nQakbot\r\nSince February 2018, Emotet has been used to spread W32.Qakbot, a family of banking Trojans known for behaving like network worms.\r\nLike Emotet, Qakbot can self-propagate. Qakbot attempts brute force access to spread across networks and also uses “living-off-the-land” tools to propagate. It uses PowerShell to download and run Mimikatz (Hacktool.Mimikatz), an open-source credential stealing tool that allows attackers to move rapidly across a network once they have established an initial foothold.\r\nThe fact that both Emotet and Qakbot have self-spreading capabilities means that once these threats get onto your network they can spread aggressively. The fact that both attempt brute force access to spread across networks also increases the risk of users being locked out of their devices. A spike in Qakbot detections in February 2018 indicates that “double-spreading” of the threat was taking place, meaning that Mealybug was using Emotet to spread Qakbot across networks, while Qakbot was simultaneously using its own self-spreading capabilities. The account lockout scenario is a very real danger, and a potential major headache for organizations.\r\nFigure 3. W32.Qakbot detections January 1 to May 28, 2018\r\n
Symantec analysis shows that Emotet and Qakbot are packed with the same packer, but there are multiple factors that suggest Mealybug is only providing Emotet as a delivery service for the actors behind Qakbot, and is not controlling the Trojan. There does not appear to be any overlap between the C\u0026C infrastructure of the two Trojans, and analysis also revealed differences in the code of their main components and in their anti-debugging techniques.\r\nMealybug using two different spreading mechanisms is also surprising because, as mentioned above, both Trojans attempting to brute force passwords could trigger account lockouts and stop the Trojans from spreading. It is unlikely Mealybug would use the two different spreading techniques if it was controlling both Trojans. For these reasons we believe Emotet and Qakbot are controlled by two separate groups, and that Mealybug is offering Emotet as a delivery mechanism for other threats.\r\nTalking ‘bout an evolution\r\nMealybug seems to have found its niche as a provider of delivery services for other threats. The main component of Trojan.Emotet functions as a loader, and can theoretically support any payload. While it is still primarily known for distributing banking Trojans, it can in theory spread any threat, and there have been reports of it distributing the Ransom.UmbreCrypt ransomware. Mealybug presumably makes its money by taking a cut of the profits made by the threat actors who use its services. From what we can see, Mealybug appears to be operating for more than one attack group at a time, so we have no evidence that it offers itself as an “exclusive” distributor. 
In November 2017, Mealybug was observed delivering the Trojan.Trickybot and W32.Qakbot threats simultaneously onto the same machine in a few instances, and in one case within a few minutes.\r\nMealybug’s shift from distributing its own banking Trojan to a relatively small number of targets, to acting primarily as a global distributor of other groups’ threats is interesting, and backs up an observation we made in the ISTR that threat actors are evolving and refining their techniques and business model to maximize profits. In the ISTR we outlined how some threat actors appeared to be turning to coin mining as it became hugely profitable due to the rise in the value of cryptocurrencies. It appears Mealybug has decided that it can best maximize its returns through taking a role as distributor.\r\nIt may be that Mealybug was finding it harder to make money exclusively from banking Trojans so it had to change its approach. The growth in popularity and use by banks of two-factor authentication (2FA) has made it more difficult to compromise accounts by stealing credentials, and awareness and protection have improved as online banking has matured.\r\nChallenges for organizations\r\nMealybug activity presents a number of challenges for organizations, including:\r\nIts worm-like capabilities mean it can spread rapidly across organizations.\r\nEmotet’s network-spreading capabilities mean that computers can become infected without any user interaction.\r\nBrute forcing passwords increases the chances of users being locked out of their machines in victim organizations, causing headaches for IT teams and affecting productivity.\r\nBest practices\r\nEmphasize multiple, overlapping, and mutually supportive defensive systems to guard against single point failures in any specific technology or protection method. 
This includes deployment of endpoint, email, and web gateway protection technologies as well as firewalls and vulnerability assessment solutions. Always keep these security solutions up-to-date with the latest protection capabilities.\r\nEmploy two-factor authentication (such as Symantec VIP) to provide an additional layer of security and prevent any stolen or cracked credentials from being used by attackers.\r\nEducate employees and urge them to exercise caution around emails from unfamiliar sources and around opening attachments that haven’t been solicited.\r\nRequire everyone in your organization to have long, complex passwords that are changed frequently.\r\nEncourage users to avoid reusing the same passwords on multiple websites, and sharing passwords with others should be forbidden.\r\nProtection\r\nSymantec has had protection for Mealybug attacks since the initial identification of the group’s activities in 2014 and blocks such activities at every level of Mealybug’s attack chain.\r\nDetections by stage\r\nEmail:\r\nSymantec Email Security products block malicious emails associated with Emotet.\r\nEmbedded link stage:\r\nWeb Attack: Emotet Download 2\r\nMacro downloader stage:\r\nW97M.Downloader!g20\r\nMain module file stage:\r\nW32.Emotet.B\r\nTrojan.Emotet\r\nTrojan.Emotet!g1\r\nTrojan.Emotet!g2\r\nTrojan.Emotet!g3\r\nTrojan.Emotet!gen4\r\nTrojan.Emotet!g5\r\nMain module loaded stage:\r\nTrojan.Emotet!gm\r\nC\u0026C communication stage:\r\nSystem Infected: Trojan.Emotet Activity 3\r\nSystem Infected: Emotet Activity 2\r\nSystem Infected: Trojan.Emotet Activity 4\r\nSpam and stealer and spreader module stage:\r\nRansom.Crypto!im\r\nEmotet spreader infection stage:\r\nSONAR.SuspPE!gen39\r\nSONAR.Heur.RGC!g571\r\nTargeted Attack Analytics\r\nSymantec’s new Targeted Attack Analytics (TAA), available in our ATP Product, can detect 
attacks where an executable spreads to multiple machines across a network via credential theft, brute forcing, or an exploit. TAA detects Emotet’s malicious activity due to patterns in its spreading behavior. In particular, TAA will detect when files are dropped by Emotet’s spreader module on multiple machines in an organization.\r\nThreat intelligence\r\nCustomers of the DeepSight Intelligence Managed Adversary and Threat Intelligence (MATI) service have received multiple reports on Emotet. These reports detail methods of detecting and thwarting activities of the group that leverages this Trojan.\r\nSource: https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor"
	],
	"report_names": [
		"evolution-emotet-trojan-distributor"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434378,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/91d81501b9e9287c19c673845eec7e3a733d9311.pdf",
		"text": "https://archive.orkl.eu/91d81501b9e9287c19c673845eec7e3a733d9311.txt",
		"img": "https://archive.orkl.eu/91d81501b9e9287c19c673845eec7e3a733d9311.jpg"
	}
}