{
	"id": "c18daf0b-6592-40a3-9ccb-f4588043f1ca",
	"created_at": "2026-04-06T00:18:49.733783Z",
	"updated_at": "2026-04-10T03:22:08.867355Z",
	"deleted_at": null,
	"sha1_hash": "a550e392a02c1e88699ff41e4f9023d3fcf809f3",
	"title": "Emotet launches major new spam campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 908175,
	"plain_text": "Emotet launches major new spam campaign\r\nBy ESET Research\r\nArchived: 2026-04-05 18:00:49 UTC\r\nThe recent spike in Emotet activity shows that it remains an active threat\r\n09 Nov 2018, 3 min. read\r\nA week after adding a new email content harvesting module, and following a period of low activity, the malicious actors behind Emotet have launched a new, large-scale spam campaign.\r\nWhat is Emotet?\r\nEmotet is a banking Trojan family notorious for its modular architecture, persistence techniques, and worm-like self-propagation. It is distributed through spam campaigns employing a variety of seemingly legitimate guises for their malicious attachments. The Trojan is often used as a downloader or dropper for potentially more damaging secondary payloads. Due to its high destructive potential, Emotet was the subject of a US-CERT security notice in July 2018.\r\nhttps://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/\r\nPage 1 of 8\n\nThe new campaign\r\nAccording to our telemetry, the latest Emotet activity was launched on November 5, 2018, following a period of low activity. Figure 1 shows a spike in the Emotet detection rate at the beginning of November 2018, as seen in our telemetry data.\r\nFigure 1 - Overview of ESET product detections of Emotet in the past two weeks\r\nBreaking those detections down by country, as seen in Figure 2, this latest Emotet campaign appears to be most active in the Americas, the UK, Turkey and South Africa.\r\nFigure 2 - Distribution of ESET detections of Emotet in November 2018 (including both file and network detections)\r\nIn the November 2018 campaign, Emotet makes use of malicious Word and PDF attachments posing as invoices, payment notifications, bank account alerts, etc., seemingly coming from legitimate organizations. Alternatively, the emails contain malicious links instead of attachments. The email subjects used in the campaign suggest a targeting of English- and German-speaking users. Figure 3 shows Emotet activity in November 2018 from the perspective of document detections. Figures 4, 5 and 6 are example emails and attachments from this campaign.\r\nFigure 3 - Distribution of ESET detections of Emotet-related documents in November 2018\r\nFigure 4 - Example of a spam email used in the latest Emotet campaign\r\nFigure 5 - Example of a malicious Word document used in the latest Emotet campaign\r\nFigure 6 - Example of a malicious PDF used in the latest Emotet campaign\r\nThe compromise scenario in this November 2018 campaign starts with the victim opening a malicious Word or PDF file attached to a spam email seemingly coming from a legitimate and familiar organization. Following the instructions in the document, the victim enables macros in Word or clicks on the link in the PDF. The Emotet payload is subsequently installed and launched, establishes persistence on the computer and reports the successful compromise to its C\u0026C server. In turn, it receives instructions on which attack modules and secondary payloads to download.\r\nThe modules extend the initial payload’s functionality with one or more of credential stealing, network propagation, sensitive information harvesting, port forwarding, and other capabilities. As for the secondary payloads, this campaign has seen Emotet dropping TrickBot and IcedID on compromised machines.\r\nConclusion\r\nThis recent spike in Emotet activity shows that Emotet continues to be an active threat, and an increasingly worrying one due to the recent module updates. ESET systems detect and block all Emotet components under the detection names listed in the IoCs section.\r\nIndicators of Compromise (IoCs)\r\nExample hashes\r\nNote that new builds of Emotet binaries are released approximately every two hours, so these hashes may not be the latest available.\r\nEmotet\r\nSHA-1 ESET detection name\r\n51AAA2F3D967E80F4C0D8A86D39BF16FED626AEF Win32/Kryptik.GMLY trojan\r\nEA51627AF1F08D231D7939DC4BA0963ED4C6025F Win32/Kryptik.GMLY trojan\r\n3438C75C989E83F23AFE6B19EF7BEF0F46A007CF Win32/Kryptik.GJXG trojan\r\n00D5682C1A67DA31929E80F57CA26660FDEEF0AF Win32/Kryptik.GMLC trojan\r\nModules\r\nSHA-1 ESET detection name\r\n0E853B468E6CE173839C76796F140FB42555F46B Win32/Kryptik.GMFS trojan\r\n191DD70BBFF84D600142BA32C511D5B76BF7E351 Win32/Emotet.AW trojan\r\nBACF1A0AD9EA9843105052A87BFA03E0548D2CDD Win32/Kryptik.GMFS trojan\r\nA560E7FF75DC25C853BB6BB286D8353FE575E8ED Win32/Kryptik.GMFS trojan\r\n12150DEE07E7401E0707ABC13DB0E74914699AB4 Win32/Kryptik.GMFS trojan\r\nE711010E087885001B6755FF5E4DF1E4B9B46508 Win32/Agent.TFO trojan\r\nSecondary payloads\r\nTrickBot\r\nSHA-1 ESET detection name\r\nB84BDB8F039B0AD9AE07E1632F72A6A5E86F37A1 Win32/Kryptik.GMKM trojan\r\n9E111A643BACA9E2D654EEF9868D1F5A3F9AF767 Win32/Kryptik.GMKM trojan\r\nIcedID\r\nSHA-1 ESET detection name\r\n0618F522A7F4FE9E7FADCD4FBBECF36E045E22E3 Win32/Kryptik.GMLM trojan\r\nC\u0026C servers (active as of November 9, 2018)\r\n187.163.174[.]149:8080\r\n70.60.50[.]60:8080\r\n207.255.59[.]231:443\r\n50.21.147[.]8:8090\r\n118.69.186[.]155:8080\r\n216.176.21[.]143:80\r\n5.32.65[.]50:8080\r\n96.246.206[.]16:80\r\n187.163.49[.]123:8090\r\n187.207.72[.]201:443\r\n210.2.86[.]72:8080\r\n37.120.175[.]15:80\r\n77.44.98[.]67:8080\r\n49.212.135[.]76:443\r\n216.251.1[.]1:80\r\n189.130.50[.]85:80\r\n159.65.76[.]245:443\r\n192.155.90[.]90:7080\r\n210.2.86[.]94:8080\r\n198.199.185[.]25:443\r\n23.254.203[.]51:8080\r\n67.237.41[.]34:8443\r\n148.69.94[.]166:50000\r\n107.10.139[.]119:443\r\n186.15.60[.]167:443\r\n133.242.208[.]183:8080\r\n181.229.155[.]11:80\r\n69.198.17[.]20:8080\r\n5.9.128[.]163:8080\r\n104.5.49[.]54:8443\r\n139.59.242[.]76:8080\r\n181.27.126[.]228:990\r\n165.227.213[.]173:8080\r\nSource: https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/"
	],
	"report_names": [
		"emotet-launches-major-new-spam-campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1775434729,
	"ts_updated_at": 1775791328,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a550e392a02c1e88699ff41e4f9023d3fcf809f3.pdf",
		"text": "https://archive.orkl.eu/a550e392a02c1e88699ff41e4f9023d3fcf809f3.txt",
		"img": "https://archive.orkl.eu/a550e392a02c1e88699ff41e4f9023d3fcf809f3.jpg"
	}
}