{
	"id": "6eddf004-3a26-46bb-9202-f7e880bfb5e4",
	"created_at": "2026-04-06T00:11:45.96177Z",
	"updated_at": "2026-04-10T03:35:52.865656Z",
	"deleted_at": null,
	"sha1_hash": "93e4ce0d8a68200769cb07c054f532f5ab7a7688",
	"title": "Emotet’s Takedown: Have We Seen the Last of the Malware?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 71538,
	"plain_text": "Emotet’s Takedown: Have We Seen the Last of the Malware?\r\nBy Lindsey O'Donnell\r\nPublished: 2021-02-03 · Archived: 2026-04-05 17:59:44 UTC\r\nA week after law enforcement agencies said they took down Emotet, there has been no sign of the prolific\r\nmalware.\r\nSherrod DeGrippo, senior director of threat research and detection with Proofpoint, shares insights on the global\r\nlaw enforcement and private-sector takedown of major cybercrime tools such as Emotet.\r\nLast fall, agencies targeted TrickBot’s infrastructure to disrupt the prolific malware, and last week, they took down\r\nservers supporting the Emotet malware.\r\nThreatpost asked DeGrippo how effective these law enforcement operations are when it comes to fully\r\nwiping out malware. TrickBot returned just months after the disruption effort, for instance. DeGrippo said that no\r\nactivity involving Emotet has been detected since the takedown effort occurred last week.\r\n“I think that it was so splashy and such big news and had video and had all of this collaborative action across\r\nworking groups, the community law enforcement, it seems to have been much more effective,” she told\r\nThreatpost.\r\n“And I am hopeful that we will continue to see Emotet off the threat landscape,” she said. “I honestly think at this\r\npoint, it’s going to take so much work and will be so much risk to get Emotet back up… I don’t know that it even\r\nwill be worth it to them at this point, because it’s so dangerous, and it has so much visibility on it.”\r\nIn this week’s Threatpost podcast, DeGrippo talks about how these law enforcement operations are carried out –\r\nand what makes a malware takedown successful versus a flop.\r\nDownload the podcast direct here, or listen below.\r\nBelow is a lightly edited transcript of this week’s Threatpost podcast.\r\nLindsey Welch: This is Lindsey Welch with Threatpost and I am here today with Sherrod DeGrippo. 
Sherrod is\r\nthe senior director of threat research and detection with Proofpoint. Sherrod, thanks so much for joining me today.\r\nSherrod DeGrippo: Thanks for having me, Lindsey. It’s great to talk with you again.\r\nLW: You too. We’ve talked in the past about malware families and kind of what you’re looking out for, from your\r\nperspective, in terms of threat intel. Today, we’re talking about some of the biggest malware takedowns over the\r\npast few months. And this is pretty timely, because just last week, the Emotet malware, which we’ve talked about\r\na ton in the past, and which is one of the most prolific malware strains out there globally, it was dealt a blow,\r\nthanks to a takedown by an international law enforcement consortium. So Sherrod, I know from your perspective\r\nhttps://threatpost.com/emotets-takedown-have-we-seen-the-last-of-the-malware/163636/\r\nPage 1 of 5\n\nthat you’ve been tracking Emotet for a while now. And the malware itself has been around since 2014. So this is a pretty big deal, right?\r\nSD: It is a very, very big deal. And it’s something that I think that if most threat researchers, especially on my\r\nteam, if they had a wish list, Emotet getting taken down would probably be number one on a lot of people’s\r\nwishlists. So the fact that this has actually happened, and here we are, a week later, still having seen zero activity\r\nin terms of actually sending that threat, trying to deliver that threat through email vectors, certainly; we don’t see\r\nit. So you know, congratulations to the groups that worked on getting this done and everyone that contributed\r\nbecause we’ve gone a week, and there’s been nothing. So we’re all sort of holding our breath. 
But this is looking\r\npretty good so far.\r\nLW: Yeah, yeah, I think that is very true that this was kind of on the top wish list of many security researchers but\r\nalso defense teams, and reading about the takedown by law enforcement agencies, was there anything that\r\nreally stuck out to you beyond the fact that we have now not seen Emotet in the past week since it’s occurred?\r\nSD: Sure, I think that most people that work on malware, certainly the majority of my team, you know, this is\r\nsomething that they’re very interested in. This is something they want to know about, whether it’s part of the\r\nlandscape that we work on at that moment or not. So this was huge news across the industry, certainly in threat\r\nresearch communities. The things that stood out to me about the actual law enforcement actions, to be honest, I\r\nmean, there was a lot of spectator excitement watching some of the videos that were, you know, shocking,\r\nfascinating – seeing inside of what is purported to be the actual law enforcement action against operators of the\r\nbotnet, potentially looking at video of the back ends, seeing lots of PCs with no case on them, which brought back\r\na lot of memories. So I think that it’s really fascinating. This is something you know, we hear about law\r\nenforcement action in the past against TrickBot and others. And this really seems different. First of all, we see\r\nthese videos, we’ve gotten quite a bit of information and fascinating looks inside with those videos. And then on\r\ntop of that, the difference here is that this really seems to have worked. And so it just has a feeling that’s a little bit\r\ndifferent. I hope that I’m not jinxing anything. I hope this doesn’t come back to bite me. But this seems very real\r\nand very effective. So it’s reverberating throughout the industry. 
People are kind of shocked.\r\nLW: Yeah, I really, I thought it was really interesting that there was kind of that video footage accompanying this\r\ntakedown. And it was kind of cool to see officers seize computer equipment and the gold bars and kind of foreign\r\ncurrency.\r\nSD: Looking inside, it was really interesting. One of the things that caught my attention that I’ve mentioned to\r\nsome people is, if you go back and watch the videos, there’s a lot of prescription medicine boxes; silver bars or\r\ngold bars; lots and lots of currency, U.S. currency, euros. The thing that we’re thinking too, essentially part of\r\nwhat enabled this is that they were located in Ukraine, which, when an actor is located physically in Russia\r\nor the infrastructure is heavily located in Russia, typically we kind of say, “Look, they’re never getting caught\r\nthere, there will be no law enforcement action, and Russia just doesn’t allow it.” You just kind of have to say,\r\n“look, if you’re in Russia, you’re protected.” The joke is, you know, among my team is sort of the biggest mistake\r\nthey made was being located in Ukraine. So the fact that we went that far is really impressive.\r\nLW: Right. Yeah, that’s, that’s a good point. And I mean, to your point, too, about takedown efforts in general and\r\nwhy they’re so interesting, at least for me as a reporter to cover and for you as a security researcher to kind of look\r\ninto how they play out. I feel like there’s a lot of you know, news and research out there about the campaigns\r\nthemselves and the malware and the hacks and exploits. But there’s not a lot of follow up like this about actual\r\naction being taken. And I’m very curious if you think that will be different, or, if this will change at all.\r\nSD: I hope so. I hope that we continue to get a better and better look into these. 
I’ve mentioned before on Twitter\r\nthat I am fascinated by indictment documents, when those come out, they are absolutely brimming with really\r\nhelpful information, specifically victim information. FIN7, a really well known financial threat actor, very\r\nsophisticated threat actor has multiple indictments and multiple court filings that allow you to see who those\r\nvictims were that allow you to see IP addresses, infrastructure, that allow you to understand the actual daily work\r\nprocesses, the tools that are being used. And those can be really, really helpful in understanding the landscape, the\r\nculture, the entire crimeware system. And so I’m hoping that as this Emotet investigation is processed, that we\r\nwill start seeing more of that information released, and that we’ll start to see the court filings – whatever court\r\nthose end up happening in if it’s multiple, if it’s one – so that we can see inside even more, and then also possibly\r\nuse that for further detection.\r\nLW: Right, right. Yeah, I imagine those resources would be kind of invaluable to the security research community\r\nand defense teams – not just for particular cybercrime groups, but also, you know, for the TTPs that could be\r\nadopted or are being used by other similar cybercrime groups as well.\r\nSD: Absolutely, you can definitely pick up a lot of that. And in my role at Proofpoint, I’m responsible for\r\ndetection. Emotet, over the years, as long as I’ve been in this role, because Emotet has been around, even longer\r\nthan I’ve been at my current job. It has been something that literally has kept me up at night. Literally, I see the\r\ncampaigns coming in. I see my team working on that detection. They’re amazing. We have an amazing team\r\nfocused, previously focused on Emotet. And I would go to bed at night sometimes thinking when I wake up in the\r\nmorning, are we going to have new Emotet, are they going to change their techniques? Are they going to try to\r\nevade us? 
What are they going to do? And I quite literally am able to sleep a little better.\r\nLW: Yeah, it’s definitely like, I’m sure it’s some peace of mind for you and for others as well. I guess one question\r\nI have, and this also points to law enforcement takedown efforts, overall. But you mentioned the TrickBot\r\ntakedown operation last fall and TrickBot returned after I think it was one or two months after that. Do you see\r\nthis being the end of Emotet as we know it? Or what’s kind of the course of action here? For attackers in terms of\r\ngetting their infrastructure set up? Or, you know, kind of making some sort of comeback?\r\nSD: Sure. I think that TrickBot – I hope I don’t regret saying this in the future – but I feel like the TrickBot and\r\nEmotet takedowns, while they were just a few months apart are very, very different. TrickBot came back very\r\nquickly. We were seeing it as soon as three weeks after that action, continuing to ramp up the efforts from being\r\nout of commission for a couple of weeks. So we track them as TA547, one of the main TrickBot actors and\r\nTrickBot is one of those pieces of malware that is distributed amongst multiple actors. The takedown action was\r\nagainst the botnet. It was not against the authors, the back end, it was a really different focus. And I think that that\r\nis what allowed it to come back up so quickly is that it was really dispersed. It was really distributed, and multiple\r\nactors had been using it and still continue to use it to this day. We see a TrickBot campaign once or twice a week\r\nnow. So we saw eight in January, I would imagine that we’ll continue to see one or two a week for the next several\r\nmonths.\r\nEmotet, we haven’t seen any sending since this action happened approximately a week ago. 
I think that it was so\r\nsplashy and such big news and had video and had all of this collaborative action across working groups, the\r\ncommunity law enforcement, it seems to have been much more effective. And I am hopeful that we will continue\r\nto see Emotet off the threat landscape. And I honestly think at this point, it’s going to take so much work and will\r\nbe so much risk to get Emotet back up, if they didn’t get all of those human actors. I don’t know that it even will\r\nbe worth it to them at this point, because it’s so dangerous, and it has so much visibility on it.\r\nLW: Right. And, you know, speaking of these, these takedown operations, and different types of operations, would\r\nlove to know kind of your insight into what goes into the takedown of different malware, infrastructure and\r\nservers or botnets or attackers themselves? What really needs to happen from law enforcement agencies, what do\r\nthey need to know? And what are the specific methods that they need to take to really kind of put the nail in the\r\ncoffin here?\r\nSD: Sure. So it’s been quite a while since I’ve been in a federal position. I’ve been in the private sector for quite a\r\nlong time. But essentially, the things that law enforcement needs to do are really varied. And I think that with\r\ncyber operations, it really comes down to a lot of jurisdictional responsibility, these agents will do their work in\r\none location and then need to get deputized to be able to travel to another location or involve an internationally\r\ndeputized law enforcement agency. So the coordination across those agencies, from my point of view, that actually\r\nis the more difficult piece of this, as opposed to a lot of the technical capabilities. It’s a bit controversial but\r\ninsofar as my one and only hot take that I’ll try to give you today, I really think that law enforcement, when it\r\ncomes to Emotet, when it comes to TrickBot, those are definitely worth it. They’re huge. 
They have millions, if\r\nnot billions, of dollars of victims, in terms of money that has been siphoned out. But unless it’s these really\r\nbig, heavily impactful takedowns, I don’t always see this as the best use of law enforcement. It’s so difficult to\r\nmake this happen. It takes so much energy and effort, Emotet was worth it. But every little crime gang operating\r\nout of Eastern Europe is not going to be worth it for law enforcement to go after, which is why as security\r\nprofessionals, we have to make sure that we’re doing our due diligence.\r\nWe can’t just say, “Oh, you know, well, they’re gonna get arrested.” And that’s our solution, like, law enforcement\r\nis not security. So it’s one of those things where we still have to do the same kind of work differently than law\r\nenforcement is focusing on.\r\nLW: Right. That’s a really good point. I mean, where does the onus lie in terms of preventing these types of\r\nhacks? And you’re absolutely right, in my opinion, that part of it does still rest on kind of the security community\r\nand defense teams to make sure that these don’t, because there will always be cyber criminals, right. I mean,\r\nyou’re right, you can’t really weed out every single one.\r\nSD: Yeah. And I think that’s really important. I think it’s really important to recognize the role of the community\r\nand the various organized groups that worked on this, Emotet was the friends we made along the way, it really is\r\none of those things where it’s one of the nicest communities you could ever find those people participating\r\nin that were fans, they are fantastic people, and I’m sure that they’ll stay together in their friendships.\r\nBut I also think it’s really important to say the real blame here lies with the organized criminals in Ukraine. So I\r\nreally want to make sure that we’re not saying things like, well, you shouldn’t have clicked on that, or you\r\nshouldn’t have downloaded that. You shouldn’t. 
But maybe they shouldn’t do crime either.\r\nLW: Yeah, exactly, that’s a good point. Well, beyond Emotet. What are some other malware families that we\r\nshould really kind of be keeping our eyes on? I know Agent Tesla has been one that’s really been kind of\r\nhammering companies hard over the past year and has come out with various new tactics and whatnot. What are\r\nyou seeing from your standpoint?\r\nSD: Oh, that’s funny that when you started talking, the first thing I was gonna say was Agent Tesla. It’s a\r\nkeylogger that has evolved and evolved to have lots of really cool features and capabilities. We’re seeing an Agent\r\nTesla every day, for the most part in terms of campaign volumes.\r\nAlso, when we’re talking things that are big and bad, like Emotet and TrickBot, you know, Dridex and Ursnif. I\r\nmean, they’re number two and three on my wish list, probably Ursnif is number two and Dridex is number three. I\r\nthink that if we see more law enforcement action, those are the best targets for them to go after those are large\r\nbanking Trojans, they are distributed very well. So Agent Tesla is definitely a threat. Ursnif and Dridex have been\r\naround a lot longer and are up in that sort of legendary air with Emotet. So I would love to see if they’re next on\r\nthe list.\r\nLW: Yeah, and I know with Dridex, at least in the US, law enforcement also seems to be keeping their eyes\r\non that one. I mean, was it 2019 or something where US authorities were offering like $5 million for\r\ninformation on the alleged leader of a company associated with Dridex.\r\nSD: I’ll be interested to see if we end up with law enforcement action against Dridex or Ursnif. If I was running\r\nsome cyber intelligence law enforcement agency worldwide and just had all that access, I think I’d probably go\r\nafter Ursnif next.\r\nLW: Absolutely. Yeah. 
Well, Sherrod, thank you so much for coming on today to the Threatpost podcast to talk a\r\nlittle bit about Emotet and what other malware families we should be on the lookout for.\r\nSD: Thanks for having me, Lindsey. It’s always great to talk to you.\r\nLW: You too. And to all of our listeners, once again, this is Lindsey Welch talking with Sherrod DeGrippo with\r\nProofpoint. Thank you for tuning in. And be sure to catch us next week on the Threatpost podcast.\r\nWant more in-depth security interviews and infosec insights? Check out our podcast microsite, where we go\r\nbeyond the headlines on the latest news.\r\nSource: https://threatpost.com/emotets-takedown-have-we-seen-the-last-of-the-malware/163636/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://threatpost.com/emotets-takedown-have-we-seen-the-last-of-the-malware/163636/"
	],
	"report_names": [
		"163636"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "02e5c3b8-54b4-4170-b200-7f1fd361b5a9",
			"created_at": "2022-10-25T16:07:24.557505Z",
			"updated_at": "2026-04-10T02:00:05.032451Z",
			"deleted_at": null,
			"main_name": "Scully Spider",
			"aliases": [
				"Scully Spider",
				"TA547"
			],
			"source_name": "ETDA:Scully Spider",
			"tools": [
				"DanaBot",
				"Lumma Stealer",
				"LummaC2",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"Rhadamanthys",
				"Rhadamanthys Stealer",
				"Stealc"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "72bc3519-a265-4136-b85a-d5e331f085b1",
			"created_at": "2023-01-06T13:46:39.313045Z",
			"updated_at": "2026-04-10T02:00:03.28438Z",
			"deleted_at": null,
			"main_name": "TA547",
			"aliases": [],
			"source_name": "MISPGALAXY:TA547",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434305,
	"ts_updated_at": 1775792152,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/93e4ce0d8a68200769cb07c054f532f5ab7a7688.pdf",
		"text": "https://archive.orkl.eu/93e4ce0d8a68200769cb07c054f532f5ab7a7688.txt",
		"img": "https://archive.orkl.eu/93e4ce0d8a68200769cb07c054f532f5ab7a7688.jpg"
	}
}