{
	"id": "f0acb810-61ca-4e53-af00-7b32d6ec4a4c",
	"created_at": "2026-04-10T03:21:55.229966Z",
	"updated_at": "2026-04-10T13:11:48.126387Z",
	"deleted_at": null,
	"sha1_hash": "a5bb8e92382484cb2df4d738d2516f98317913fb",
	"title": "The Many Faces of Emotet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 595396,
	"plain_text": "The Many Faces of Emotet\r\nBy Posted on\r\nArchived: 2026-04-10 02:37:37 UTC\r\nYou’ve probably heard the recent news of Microsoft’s attempt to take down the Trickbot botnet. An interesting\r\ncorrelation with this event (though perhaps not directly related..) is the sudden uptick of Emotet email spam\r\nshortly after the Microsoft news hit. Emotet has the functionality to drop other strains of malware on machines\r\nthat it compromises, and lately Trickbot has been one of the main ones dropped by Emotet. Perhaps these actors\r\nare flexing that Microsoft’s attempts did nothing; or perhaps they fear this is only the beginning of botnet take\r\ndowns and are increasing their efforts before they are fully taken down.\r\nA recent bleeping computer article mentions a new malicious document template that is pretending to be a\r\n‘Windows Update’. It uses this to try to trick people into essentially ‘enabling macros’, which allows the\r\nsuccessful execution of the Emotet malware.\r\nHowever, it is odd that this is the approach in helping people avoid infection. You should not be getting to the\r\npoint where you download a suspicious attachment, execute it, and see the fake Windows Update document asking\r\nyou to Enable Editing/Enable Content. Although there are many different iterations of Emotet, there does appear\r\nto be a set of characteristics that all Emotet spam share to some degree. This article will be going over the most\r\nrecent email spam templates we’ve seen from Emotet so that you can identify the spam without downloading and\r\nexecuting a malware file.\r\nEmotet Spam Templates\r\nWe’ve broken down the latest Emotet spam campaign into pieces that anyone can understand and identify. A few\r\nmonths back we wrote a similar article on how to spot Emotet; this article will have more relevant information on\r\ncurrent Emotet trends. 
Although Emotet has been shown to consistently change email templates, usually it is only\r\nenough to bypass spam filters and will still retain a familiar Emotet ‘feel’. Emotet spam will not always contain all\r\nthe characteristics which we will describe below, but we can be sure at least a subset will be present.\r\n1. Emotet’s Payload is either an Attachment or Link\r\nhttps://spamauditor.org/2020/10/the-many-faces-of-emotet/\r\nPage 1 of 4\n\nThe redacted sections are mostly going to be the domain of the recipient, or a ‘spoofed’ sender. Emotet\r\nloves to make you think the email is from somebody you know, or that knows you.\r\nFairly straightforward, the two ways the malware file will reach your computer will be via attachment or link. The\r\n.doc attachment is likely to be identified and blocked by common email antivirus scanners. The password-protected\r\nzip file is the actors’ method of evading these antivirus scans. With regards to links, in the current\r\ncampaign we are noticing that the ‘real’ URL when you hover over the link is different than what the link\r\nrepresents. This ‘fake’ link method is commonly used by spammers to trick people into believing they are clicking\r\na familiar link. Always check where the link goes, either by hovering over it or right clicking and copying the\r\nlink’s location to paste somewhere (but not into your browser!).\r\n2. Emotet may Pretend to be part of an Existing Thread\r\nEmotet spam may pretend to be part of an already existing conversation with you. You might recognize the ‘—-Original Message—-’ line of the email, as it is a common method for Emotet to add this section. 
Emotet may also\r\njust copy and paste a real email reply chain that you might have had with someone in the past (third example in\r\nthe above picture).\r\nEmotet also likes to create a fake ‘Reply’ or ‘Forward’ message by adding that to the beginning of the Subject line.\r\nIf you have more expertise with email headers, you’ll be able to see why these are not genuine Reply or Forward\r\nemail chains.\r\nThe Emotet malware has many capabilities, and one of them is data exfiltration. When Emotet compromises a\r\ncomputer, it has been seen to steal data such as your email address and name, your email contact list, and emails in\r\nyour ‘Sent’ folder. With this data, these actors will eventually send spam (using a different compromised machine)\r\nwith your name in the ‘From’, delivering malware to people on your contact list. This leads to our next point…\r\n3. Emotet may send an Email where the From:Name appears to be Someone you know\r\nEmotet will sometimes ‘spoof’ the ‘From name’ (the name of the sender in the From line, not to be confused with\r\nthe ‘domain’ or ‘email address’ portion of the From line). Typically the name that is spoofed will be the name of\r\nsomeone whose machine was previously infected with the Emotet malware. It is likely that you will recognize this\r\nname, or have engaged in email communication with this person some time in the past. The first example of the\r\nabove picture shows that sometimes the whole email address will be in the ‘From name’ (disguised as the address\r\nby putting brackets \u003c\u003e around it). Many mobile applications for email will only show you the ‘From name’\r\nportion, hiding the actual email address. This method can potentially trick people into thinking they have received\r\nan email from someone they know, when in reality the actual sender is a different email address. 
It is a big red flag\r\nif you see two \u003cemail1@address\u003e\u003cemail2@address\u003e in the From line of your email.\r\n4. The latest Trend is that the Subject will contain the Recipient’s Domain\r\nThis particular trend will very likely change if it hasn’t already. We have seen a variety of different subject\r\npatterns such as Coronavirus News or Fake Invoices. The latest wave of Emotet spam has the ‘To name’ portion\r\ncopied into the Subject line.\r\nConcluding Remarks\r\nA typical Emotet spam message will always have either an attachment or link. Afterwards, it will have some\r\ncombination of the characteristics described in this article. However, be warned that there will be some cases with\r\nvery few identifying characteristics, as seen below.\r\nRemain vigilant, and keep up to date with the latest Emotet trends in order to avoid getting compromised!\r\nSource: https://spamauditor.org/2020/10/the-many-faces-of-emotet/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://spamauditor.org/2020/10/the-many-faces-of-emotet/"
	],
	"report_names": [
		"the-many-faces-of-emotet"
	],
	"threat_actors": [],
	"ts_created_at": 1775791315,
	"ts_updated_at": 1775826708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a5bb8e92382484cb2df4d738d2516f98317913fb.pdf",
		"text": "https://archive.orkl.eu/a5bb8e92382484cb2df4d738d2516f98317913fb.txt",
		"img": "https://archive.orkl.eu/a5bb8e92382484cb2df4d738d2516f98317913fb.jpg"
	}
}