{
	"id": "c841bb4c-da22-4ef8-8b04-1e106f6cb00e",
	"created_at": "2026-04-06T00:18:18.876269Z",
	"updated_at": "2026-04-10T13:12:15.442233Z",
	"deleted_at": null,
	"sha1_hash": "a5d9e90e41a1cf8eaf65cdfe5fd8249eb9a185ab",
	"title": "Emotet Resurgence Continues With New Tactics, Techniques and Procedures",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 65669,
	"plain_text": "Emotet Resurgence Continues With New Tactics, Techniques and\r\nProcedures\r\nBy Lindsey O'Donnell\r\nPublished: 2019-11-06 · Archived: 2026-04-05 13:05:42 UTC\r\nSince Emotet came out of hibernation last month, researchers are seeing the banking trojan’s authors take on a\r\nconsistent trend of new evasion tactics and social engineering techniques.\r\nThe notorious banking trojan Emotet, that mysteriously disappeared over the summer, returned last month\r\ndropping a new collection of malware including information stealers, email harvesters, self-propagation\r\nmechanisms and ransomware.\r\nBut since the malware returned from its hiatus, there was no clear novel post-infection technique or tactic that\r\nresearchers observed. Detection-evasion and obfuscation techniques, for the most part, remained the same,\r\nresearchers believed. That is until security researcher Suweera De Souza, after weeks of analysis, started seeing\r\nnew developments.\r\nDe Souza reports that the malware has taken on new obfuscation and anti-virus detection techniques, as well as\r\nnovel features such as a new export function delivered via Emotet binaries and a new list of words for the\r\ncommand-and-control (C2) servers to generate process names and keep track of installed modules.\r\nIn addition, De Souza warned that Emotet’s authors have been changing their social engineering tactics with\r\ncurrent events, sending out malicious emails purporting to be Edward Snowden’s new memoir when it came out in\r\nSeptember,  as well as more recent Halloween-themed lures. De Souza discusses the new techniques with\r\nThreatpost on this week’s Threatpost Podcast.\r\nListen to the podcast below or download direct here.\r\nBelow is a lightly-edited transcript of the podcast.\r\nLindsey O’Donnell: Hi, everyone, welcome back to the Threatpost podcast. You’ve got Lindsey O’Donnell here\r\ntoday with Threatpost and we’re going to be discussing Emotet. Emotet has been in the news recently because\r\nafter a short lived hibernation over the summer, it had recently reappeared and I’ve actually got Suweera De\r\nSouza, principal security research analyst with Netscout, who today came out with some new research around\r\nsome of the new tactics and techniques that she has observed Emotet using since its reemergence just last month,\r\nso Suweera thank you so much for joining us today.\r\nSuweera De Souza: Thank you, Lindsey. Thank you for having me.\r\nLO: Just to start, let’s take a step back here for a second and talk about Emotet’s history. The banking Trojan is is\r\nbest known for the Mauer has been around since 2014. So, you know, why is this banking Trojans still staying\r\nstrong as a viable threat in the security landscape today?\r\nhttps://threatpost.com/emotet-resurgence-continues-with-new-tactics-techniques-and-procedures/149914/\r\nPage 1 of 5\n\nSD: Yeah, so, that’s true, Emotet has been seen since 2014. In fact, it started out as a banking trojan but right now\r\nover the years, its course of action has changed. In fact, it has become more modular. And what that means is as a\r\nplatform, it has different modules that it can run. So essentially, its most popularly known module is its\r\ndownloader module, and its spam module. So it’s mainly seen downloading and distributing other malware as well\r\nas spreading itself for spam. So to answer the question as to why this is such a viable threat in today’s landscape,\r\nit’s because these authors that create Emotet, they don’t remain quiet. They are constantly evolving, constantly\r\nchanging the techniques that they use to propagate their payload, as well as they use to obfuscate their payload. So\r\nmainly, they’re looking at bypassing current AV [anti-virus] protections and trying to infect as many machines as\r\npossible.\r\nLO: So speaking of the actors, do we know anything about the developers behind Emotet and kind of who their\r\ntargets are? Is that something – in terms of targeting – that has changed as well over the years?\r\nSD: It’s still not so clear about who the actors are. I mean, they do share a lot of similarity with some of the past\r\nbanking Trojan families and that could mainly be that a lot of these malware families tend to copy each other. And\r\nthey copy each other’s code. As to their targets, it can be anyone, because when Emotet spreads, they infect a\r\nmachine, and then they steal all the email credentials that are present on that machine and essentially goes on to\r\nspam those set of email lists. So the targets can be anyone. And if on a particular machine they have email\r\ncredentials of targets based in a foreign country, you will see the malspam reaching out to those places as well.\r\nLO: If I remember correctly, it was June 2019, when Emotet started to kind of disappear, and activity declined. So\r\nwhen did you guys first see it pick up and did you have any kind of indication around why that activity decline\r\noccurred in the first place?\r\nSD: So regarding Emotet’s hiatus, there’s no clear indication as to why they went quiet for that four-month period\r\nsince June. But then again, this is not new with malware campaigns and malware campaigns have been seen doing\r\nsomething similar in the past. And it’s normally around holidays or sometimes they remain quiet in order to update\r\ntheir infrastructure. But since Emotet has, you know, you started seeing the activity in September, at least on\r\nTwitter, you would see a lot of posts being made about the C2 coming live. So everyone was being on top of the\r\nC2 servers. And then towards the end of September, that’s when we started observing payloads being delivered.\r\nBut right off when it started, when it got back from its hiatus, there was no clear novel technique and eventually\r\nthroughout the weeks, we started seeing more and more development.\r\nLO: Yeah. So talk a bit about that. You outlined this really clearly in your report that came out today about some\r\nof the new TTPs and what you’re seeing in terms of these new tactics. So what were kind of the biggest takeaways\r\nfrom your reports?\r\nSD: Sure. So this report came about as I was researching, Emotet and I was also researching TrickBot at the same\r\ntime. So TrickBot for those that may not know it’s a malware campaign that’s mainly a banking trojan. And it’s\r\nalso very modular nature. What I’ve noticed was Emotet and TrickBot were being packed by the same packer. And\r\nso this led me to investigate further as to whether they were the same thing. So the payload was still very different;\r\nhttps://threatpost.com/emotet-resurgence-continues-with-new-tactics-techniques-and-procedures/149914/\r\nPage 2 of 5\n\nEmotet had their own payload and TrickBot had its own payload. But the way that both files were being packed\r\nwas the same. And this could be clear because Emotet is a known distributor of other malware and one of its\r\nbiggest malware is that it distributes is TrickBot. So it gives us an indication that, to keep up to date with the way\r\nthey pack their files to avoid AV detection, so they want to make sure that the malware they distribute are also\r\npacked with the same version of packing so as to bypass AV detections.\r\nLO: Is that relationship with between Emotet and TrickBot something that you guys had seen in the past? Or is\r\nthis more of focusing on those obfuscation techniques around TrickBot and Emotet?\r\nSD: So this was not something that was seen in the past. In the past, we did see Emotet distributing TrickBot, but\r\nyou know, TrickBot had its own sort of code obfuscation, and right now it looks like they share the same packer,\r\nbut up to a certain point. And of course, within the payload, they have similar styles of execution as in when they\r\nresolve for DLL names or Windows API call names, it uses the same technique of looking at different hash values.\r\nAnd this is the same with other banking malware families as well. But you can definitely say that they’re still both\r\nvery different. And also TrickBot is known to spread itself by the malspam, so Emotet it sells itself as a malware\r\nas a service. And TrickBot uses Emotet’s service to help spread itself. And in the time that Emotet was on hiatus\r\nTrickBot was using Ursnif to help distribute its payload.\r\nLO:  You also mentioned too in the report that, you know, Emotet’s authors are using a new list of words to\r\ngenerate process names and to keep track of installed modules. And this definitely would make sense for them,\r\nespecially as they become more modular. So can you kind of break down and go into more detail about this new\r\nlist?\r\nSD: Sure. So yes, Emotet has a list of words – that are actually quite consistent – of the binaries that are compiled\r\nwithin a certain time range. And the set of words remains consistent for up to a certain time point, after which\r\nyou’ll start to see Emotet distributing newer binaries with a different set of words. And this set of words is used to\r\ncreate a predictable process name. So it’s actually a very clever technique that the bot uses to create an identity of\r\nitself on an infected machine. So now say it’s infected a machine and uses a set of words to make a predictable\r\nname. And that that name gets relayed back to its C2 server. So now the C2 server has an identity of the bot,\r\nwhere it’s communicating from, and also has an idea about what version the bot is being run. So then accordingly\r\nit’s able to send an update binary back to the bot. And this update binary has a different set of words. So the list of\r\nwords is nothing other than for the bot to be able to track which version of itself it’s being run and for the C2 to\r\nalso track which updated bot is communicating with it, so it can send the you know, correct version. And each\r\nversion has its own list of C2 servers.\r\nLO: So it’s almost for like organizational purposes between the bots and the C2, that should be interesting to see\r\nhow that plays out for sure. Is that something that you guys have seen with other malware, or is that a new trick\r\nthat you guys are seeing emerging?\r\nSD: This is not that typical with other malware is especially using a predictable file name. Emotet has been using\r\nthis for a while, but it hasn’t been talked about as often. And it’s one thing that I thought about mentioning in this\r\npaper, because it brought to my attention that there is a reason why it’s being made predictable. And, and it’s also\r\na great way to be able to detect if such a file is present on your machine, especially if you have this list of words in\r\nyour analysis. But yes, it’s not something that’s seen done by other malware.\r\nhttps://threatpost.com/emotet-resurgence-continues-with-new-tactics-techniques-and-procedures/149914/\r\nPage 3 of 5\n\nLO:  Right. Yeah. And then you guys had also outlined how there was a new export function on Emotet binaries –\r\nwhat’s that all about?\r\nSD: This was a style in which the packer was created. So the export function was nothing other than we saw these\r\nexecutable is having an export function call. And typically an executable file having export functions is not as\r\ncommon, though it is normal for them to have it, and is usually seen in DLLs. So that was one abnormality. And\r\nalso what was unique with this packer was the similar packer was seen with Emotet as well as with TrickBot.\r\nYeah, and I think the reason they changed the style in which they packed their files is mostly to evade antivirus\r\ndetection or any other security detections. Oftentimes you have a lot of signatures that will try to emulate a file\r\nfrom the entry point of the malware binary rather than from its export function, for example. Or you have\r\nsignatures that detect on the static properties at the entry point or file. So it’s pretty easy to evade detection.\r\nLO: In terms of delivery mechanisms or targeting are you guys seeing any changes there since Emotet came back\r\nout of sleep, anything new there?\r\nSD: So in its delivery mechanisms it hasn’t changed drastically, it still uses updated spam templates. And these are\r\ntemplates that it obtains based on its being able to steal messages from an infected machine. So after using the\r\nstolen messages it’s able to create different spam templates. And what was commonly heard about before was,\r\nwhere these templates had an ongoing conversation. So it looked like a response to an existing email thread, but\r\nwhat we noticed was that the Emotet authors, they adapt to the current times, let’s say. And so they try to make\r\nsure that, to increase the chance for a user to click on the attachments, it adapts to the current times. So recently\r\nwhat we saw was the Halloween theme. So you saw attachments having documents with the Halloween theme,\r\nthere was a “trick or treat” message in it. And earlier in September when it first came out from its hiatus, a week\r\nafter it came out with a document lure claiming to be Edward Snowden’s new book, so they’re definitely not\r\nbeing quiet. They’re using different social engineering definitely. So anything that could get a user to download it.\r\nLO: Right definitely sounds like they’re keeping up with the times of any holidays around or new books in the\r\ncase of Snowden. So how can potential victims protect themselves from the Emotet threat moving forward?\r\nSD: Yes. I mean, that’s something we have to always keep in mind. And so Emotet, you know, these authors,\r\nthey’re always looking at the news. So they know the vulnerabilities out there, what’s the newest vulnerability and\r\nhow they can try and take advantage of it. And this is clear in some of the modules that they propagate. And so\r\nwhen we analyze these modules we see like, especially in their worm module, where its able to propagate itself\r\nthrough the network and try to infect as many hosts. So as a user, I think having an updated system is really\r\nimportant. So as for these vulnerabilities to not take effect. And then for the social engineering part, you know, it’s\r\nreally hard. They’re getting more and more clever in their tactics and how they lure people to click on\r\nattachments. I think what would help is just staying on top of trends and following advisories. And just I think\r\nbeing more vigilant about emails in general, since it is still such a primary mode of communication.\r\nLO: Right, for sure. Well, we will be tracking the Emotet threat as it continues over the next few months. Suweera\r\nthank you so much for coming on to the Threatpost podcast.\r\nSD: Thank you. Thank you for having me.\r\nhttps://threatpost.com/emotet-resurgence-continues-with-new-tactics-techniques-and-procedures/149914/\r\nPage 4 of 5\n\nLO: And once again, this is Lindsey O’Donnell here with Suweera De Souza, principal security research analyst,\r\ncatch us next week on the Threatpost podcast.\r\nSource: https://threatpost.com/emotet-resurgence-continues-with-new-tactics-techniques-and-procedures/149914/\r\nhttps://threatpost.com/emotet-resurgence-continues-with-new-tactics-techniques-and-procedures/149914/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://threatpost.com/emotet-resurgence-continues-with-new-tactics-techniques-and-procedures/149914/"
	],
	"report_names": [
		"149914"
	],
	"threat_actors": [],
	"ts_created_at": 1775434698,
	"ts_updated_at": 1775826735,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a5d9e90e41a1cf8eaf65cdfe5fd8249eb9a185ab.pdf",
		"text": "https://archive.orkl.eu/a5d9e90e41a1cf8eaf65cdfe5fd8249eb9a185ab.txt",
		"img": "https://archive.orkl.eu/a5d9e90e41a1cf8eaf65cdfe5fd8249eb9a185ab.jpg"
	}
}