{
	"id": "7cce92cd-3d67-486a-a928-e5b6aeec7a81",
	"created_at": "2026-04-06T00:15:17.768399Z",
	"updated_at": "2026-04-10T13:12:11.891832Z",
	"deleted_at": null,
	"sha1_hash": "9b9a21d73fc8413d8a4e7bdccf77089a02e516de",
	"title": "Return of Emotet malware | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54734,
	"plain_text": "Return of Emotet malware | Zscaler\r\nBy Deepen Desai\r\nPublished: 2021-11-16 · Archived: 2026-04-05 13:31:58 UTC\r\nKey Points\r\nEmotet is one of the most dangerous, prolific, and long-lasting malware Trojans that has ever existed.\r\nIn January 2021, a law enforcement action disrupted the Emotet malware and its infrastructure. It also led to the arrest of some of the threat actors involved with the malware.\r\nAfter almost a year-long hiatus, Emotet has returned to the threat landscape as of Nov 14, 2021.\r\nDistribution of the malware was via the TrickBot malware and email campaigns.\r\nAfter an almost year-long hiatus, the prolific malware Emotet has returned to the threat landscape. An early report indicated it returned on Sunday November 14, 2021 and it was being distributed via the TrickBot botnet. A later report indicated that it was also being distributed via email campaigns.\r\nThe Emotet malware was first detected back in 2014 and it focused on banking fraud. In recent years, Emotet pivoted and it became an initial access broker providing victim access for several ransomware groups.\r\nIn January 2021, law enforcement disrupted the Emotet malware and its infrastructure. It also arrested some of the threat actors behind it. This led to the disappearance of the malware for almost a year. Some security researchers thought it was gone for good...\r\nWhile the ThreatLabz team's technical analysis for the payloads involved is ongoing, the new version of the Emotet malware is similar to its past variants in many aspects. In our quick analysis, we've observed some changes in the command and control data and encryption used. It also appears to be using HTTPS instead of plain HTTP for command and control communication. It looks like most of the functionality is the same as earlier variants, and it will likely pick up where it left off, providing initial access to the ransomware operators.\r\nSpam Campaigns\r\nAs we can see from the below screenshot of spam email, Emotet starts by leveraging a 'reply chain' email strategy in their spam campaigns. It has been using MS Word document “.docm”, MS Excel “.xlsm” and password protected “.zip” files as attachments.\r\nImage 1: Reply chain email screenshots\r\nCloud Sandbox Detection\r\nImage 2: Zscaler Cloud sandbox detection\r\nhttps://www.zscaler.com/blogs/security-research/return-emotet-malware\r\nPage 1 of 6\r\nMITRE ATT\u0026CK TTP Mapping\r\nTechnique ID Technique\r\nT1010 Application Window Discovery\r\nT1012 Query Registry\r\nT1018 Remote System Discovery\r\nT1055 Process Injection\r\nT1036 Masquerading\r\nT1057 Process Discovery\r\nT1082 System Information Discovery\r\nT1083 File and Directory Discovery\r\nT1518 Security Software Discovery\r\nT1547 LSASS Driver\r\nT1218 Rundll32\r\nT1562 Disable or Modify Tools\r\nT1564 Hidden Files and Directories\r\nIndicators of Compromise\r\nReference sample:\r\nc7574aac7583a5bdc446f813b8e347a768a9f4af858404371eae82ad2d136a01\r\nConfigured C2s:\r\n81.0.236[.]93:443\r\n94.177.248[.]64:443\r\n66.42.55[.]5:7080\r\n103.8.26[.]103:8080\r\n185.184.25[.]237:8080\r\n45.76.176[.]10:8080\r\n188.93.125[.]116:8080\r\n103.8.26[.]102:8080\r\n178.79.147[.]66:8080\r\n58.227.42[.]236:80\r\n45.118.135[.]203:7080\r\n103.75.201[.]2:443\r\n195.154.133[.]20:443\r\n45.142.114[.]231:8080\r\n212.237.5[.]209:443\r\n207.38.84[.]195:8080\r\n104.251.214[.]46:8080\r\n138.185.72[.]26:8080\r\n51.68.175[.]8:8080\r\n210.57.217[.]132:8080\r\n51.178.61[.]60:443\r\n168.197.250[.]14:80\r\n45.79.33[.]48:8080\r\n196.44.98[.]190:8080\r\n177.72.80[.]14:7080\r\n51.210.242[.]234:8080\r\n185.148.169[.]10:8080\r\n142.4.219[.]173:8080\r\n78.47.204[.]80:443\r\n78.46.73[.]125:443\r\n37.44.244[.]177:8080\r\n37.59.209[.]141:8080\r\n191.252.103[.]16:80\r\n54.38.242[.]185:443\r\n85.214.67[.]203:8080\r\n54.37.228[.]122:443\r\n207.148.81[.]119:8080\r\n195.77.239[.]39:8080\r\n66.42.57[.]149:443\r\n195.154.146[.]35:443\r\nECDH \u0026 ECDSA key:\r\n-----BEGIN PUBLIC KEY-----\r\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQF90tsTY3Aw9HwZ6N9y5+be9Xoov\r\npqHyD6F5DRTl9THosAoePIs/e5AdJiYxhmV8Gq3Zw1ysSPBghxjZdDxY+Q==\r\n-----END PUBLIC KEY-----\r\n-----BEGIN PUBLIC KEY-----\r\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE86M1tQ4uK/Q1Vs0KTCk+fPEQ3cuw\r\nTyCz+gIgzky2DB5Elr60DubJW5q9Tr2dj8/gEFs0TIIEJgLTuqzx+58sdg==\r\n-----END PUBLIC KEY-----\r\nECDH \u0026 ECDSA key:\r\n-----BEGIN PUBLIC KEY-----\r\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2DWT12OLUMXfzeFp+bE2AJubVDsW\r\nNqJdRC6yODDYRzYuuNL0i2rI2Ex6RUQaBvqPOL7a+wCWnIQszh42gCRQlg==\r\n-----END PUBLIC KEY-----\r\n-----BEGIN PUBLIC KEY-----\r\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9C8agzYaJ1GMJPLKqOyFrlJZUXVI\r\nlAZwAnOq6JrEKHtWCQ+8CHuAIXqmKH6WRbnDw1wmdM/YvqKFH36nqC2VNA==\r\n-----END PUBLIC KEY-----\r\nSpam attachment:\r\n015a96c0567c86af8c15b3fe4e19098ae9d0ea583e6bc0bb71c344fc993a26cf\r\nMalicious URLs used in spam campaign, embedded inside “.docm” or “.xlsm” files:\r\nhttps://evgeniys[.]ru/sap-logs/D6/\r\nhttp://crownadvertising[.]ca/wp-includes/OxiAACCoic/\r\nhttps://cars-taxonomy.mywebartist[.]eu/-/BPCahsAFjwF/\r\nhttp://immoinvest.com[.]br/blog_old/wp-admin/luoT/\r\nhttps://yoho[.]love/wp-content/e4laFBDXIvYT6O/\r\nhttps://www.168801[.]xyz/wp-content/6J3CV4meLxvZP/\r\nhttps://www.pasionportufuturo[.]pe/wp-content/XUBS/\r\nSource: https://www.zscaler.com/blogs/security-research/return-emotet-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/return-emotet-malware"
	],
	"report_names": [
		"return-emotet-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434517,
	"ts_updated_at": 1775826731,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9b9a21d73fc8413d8a4e7bdccf77089a02e516de.pdf",
		"text": "https://archive.orkl.eu/9b9a21d73fc8413d8a4e7bdccf77089a02e516de.txt",
		"img": "https://archive.orkl.eu/9b9a21d73fc8413d8a4e7bdccf77089a02e516de.jpg"
	}
}