{
	"id": "a5120764-34f4-490c-a614-6a916555370a",
	"created_at": "2026-04-06T00:08:48.523531Z",
	"updated_at": "2026-04-10T03:21:43.802758Z",
	"deleted_at": null,
	"sha1_hash": "a7210e3fefb290a9b9bbd841906d11cd444fdace",
	"title": "Microsoft, Italy, and the Netherlands warn of increased Emotet activity",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 360482,
	"plain_text": "Microsoft, Italy, and the Netherlands warn of increased Emotet\r\nactivity\r\nBy Catalin Cimpanu, Contributor, Sept. 23, 2020 at 1:31 p.m. PT\r\nArchived: 2026-04-05 17:08:25 UTC\r\nTwo weeks after cyber-security agencies from France, Japan, and New Zealand published warnings about an\r\nuptick in Emotet activity, new alerts have been published this past week by agencies in Italy and the Netherlands,\r\nas well as by Microsoft.\r\nThese new warnings come as Emotet activity has continued to increase, dwarfing any other malware operation\r\nactive today.\r\n\"It has been very heavy for [Emotet] spam lately,\" Joseph Roosen, a member of Cryptolaemus, a group of security\r\nresearchers who track Emotet malware campaigns, told ZDNet during an interview today.\r\n\"I received about 400 emails at my [dayjob] Monday when it is normally only about a dozen or less than 100 on a\r\ngood day,\" Roosen said, putting the recent spike in perspective.\r\n\"This has been the case the last two weeks.\"\r\nEmotet returned in July but is now spamming at full capacity\r\nEmotet, by far today's largest malware botnet, had been dormant for most of this year, from February until\r\nJuly, when it made its comeback.\r\nThe Emotet crew was hoping for a quick return to full capacity, but its comeback was spoiled and delayed for\r\nalmost a month by a vigilante who kept hacking into Emotet's infrastructure and replacing its malware with\r\nanimated GIFs.\r\nhttps://www.zdnet.com/article/microsoft-italy-and-the-netherlands-warn-of-increased-emotet-activity/\r\nUnfortunately, that didn't last long: Emotet's operators eventually found a way to lock the hacker out and are now\r\nback in full control of their botnet, which they are using to churn out more and more spam every day.\r\nThese spam emails come with malicious files attached, which infect the host with the Emotet malware. 
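The hijacked-thread lure that this article goes on to describe (a reply injected into a stolen email chain under a spoofed identity, carrying a document attachment) can be triaged at the mail gateway by looking for that combination of traits rather than for any one of them. The Python block below is an added example written for this edit, not code from ZDNet, Cryptolaemus or Palo Alto Networks. The sample messages are constructed inline; the domains, message IDs, attachment name, the From-versus-Return-Path comparison and the suffix list are assumptions chosen for the demo, not indicators taken from the article.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment types the article associates with Emotet lures: Office documents and,
# since the recent change, ZIP archives. Assumed list; extend as local policy requires.
RISKY_SUFFIXES = ('.doc', '.docm', '.xls', '.xlsm', '.zip')


def build_reply(header_from, envelope_from, in_reply_to=None, attachment=None):
    # Constructed sample mail for the demo; not a real Emotet sample.
    msg = EmailMessage()
    msg['From'] = header_from
    msg['To'] = 'bob@partner.example'
    msg['Subject'] = 'RE: Q3 invoice'
    # Return-Path is what the receiving MTA records from the SMTP envelope;
    # for a genuine reply it normally matches the domain in the From header.
    msg['Return-Path'] = '<' + envelope_from + '>'
    if in_reply_to:
        msg['In-Reply-To'] = in_reply_to
        msg['References'] = in_reply_to
    msg.set_content('Hi Bob, please see the attached file.')
    if attachment:
        name, payload = attachment
        msg.add_attachment(payload, maintype='application',
                           subtype='octet-stream', filename=name)
    return msg.as_bytes()


def _domain(addr_header):
    # Lower-cased domain part of an address header, '' when absent or unparseable.
    _, addr = parseaddr(str(addr_header or ''))
    return addr.rpartition('@')[2].lower()


def triage(raw):
    # Score one message for the thread-hijack shape; returns the indicators and a verdict.
    msg = email.message_from_bytes(raw, policy=policy.default)
    indicators = []
    is_reply = bool(msg['In-Reply-To'] or msg['References'])
    if is_reply:
        indicators.append('reply-into-existing-thread')
    hdr_dom, env_dom = _domain(msg['From']), _domain(msg['Return-Path'])
    mismatch = bool(hdr_dom and env_dom and hdr_dom != env_dom)
    if mismatch:
        indicators.append('from-domain-mismatch:' + hdr_dom + '!=' + env_dom)
    risky = [p.get_filename() for p in msg.iter_attachments()
             if (p.get_filename() or '').lower().endswith(RISKY_SUFFIXES)]
    for name in risky:
        indicators.append('risky-attachment:' + name)
    # Only the combination is the hijacked-thread shape; each trait alone is common in benign mail.
    verdict = 'thread-hijack-suspect' if (is_reply and mismatch and risky) else 'ok'
    return {'verdict': verdict, 'indicators': indicators}


# Constructed samples: a reply whose envelope sender does not match the claimed author and
# which carries a document, and a legitimate reply from the same author without one.
SUSPECT = build_reply('Alice Example <alice@victim.example>', 'bounce@elsewhere.example',
                      in_reply_to='<20200901.1@victim.example>',
                      attachment=('Invoice_8732.doc', b'constructed placeholder bytes'))
BENIGN = build_reply('Alice Example <alice@victim.example>', 'alice@victim.example',
                     in_reply_to='<20200901.1@victim.example>')

if __name__ == '__main__':
    for label, raw in (('suspect', SUSPECT), ('benign', BENIGN)):
        print(label, triage(raw))
```

The envelope check is deliberately narrow: a reply sent from a compromised mailbox inside the victim's own domain would pass it, so in practice the domain comparison is one signal alongside authentication results and attachment inspection, not a verdict on its own.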
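For the password-protected ZIP trick the article turns to afterwards, the point a gateway has to act on is that an encrypted entry cannot be content-scanned without the password, while the fact that it is encrypted is visible in the archive metadata. The Python block below is an added example for this edit, not code from Microsoft, the Italian authorities or ZDNet: it builds a ZipCrypto-encrypted archive by hand (the standard library reads that format but does not write it) and then runs the gateway-side check that flags the encrypted entry and can only look inside when a candidate password works. The entry name, payload, password and fixed salt are constructed assumptions for the demo.

```python
import io
import struct
import zipfile
import zlib

# ZipCrypto (traditional PKWARE encryption) as specified in the PKWARE APPNOTE.
# Python's zipfile decrypts it (pwd=...) but cannot produce it, so a minimal writer
# is implemented here purely to build the sample attachment offline.
_CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def _crc_step(crc, byte):
    return (crc >> 8) ^ _CRC_TABLE[(crc ^ byte) & 0xFF]


class ZipCryptoEncrypter:
    def __init__(self, password):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self._update(b)

    def _update(self, b):
        k = self.k
        k[0] = _crc_step(k[0], b)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _crc_step(k[2], k[1] >> 24)

    def encrypt(self, plaintext):
        out = bytearray()
        for p in plaintext:
            t = (self.k[2] | 2) & 0xFFFF
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)   # the key schedule advances on the plaintext byte
        return bytes(out)


def make_encrypted_zip(name, data, password, salt=bytes(11)):
    # One STORED entry, ZipCrypto-encrypted. salt is the 11-byte random prefix of the
    # encryption header; it is fixed here so the demo is reproducible (use os.urandom in real use).
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header: salt + high byte of the CRC, which readers use as a password check.
    body = ZipCryptoEncrypter(password).encrypt(salt + bytes([crc >> 24]) + data)
    fname = name.encode('utf-8')
    flags, method, dos_time, dos_date = 0x0001, 0, 0, 0x0021   # flag bit 0 = entry encrypted
    local = struct.pack('<IHHHHHIIIHH', 0x04034B50, 20, flags, method, dos_time, dos_date,
                        crc, len(body), len(data), len(fname), 0) + fname
    central = struct.pack('<IHHHHHHIIIHHHHHII', 0x02014B50, 20, 20, flags, method, dos_time,
                          dos_date, crc, len(body), len(data), len(fname), 0, 0, 0, 0, 0, 0) + fname
    cd_offset = len(local) + len(body)
    eocd = struct.pack('<IHHHHIIH', 0x06054B50, 0, 0, 1, 1, len(central), cd_offset, 0)
    return local + body + central + eocd


def scan_archive(blob, candidate_passwords=()):
    # Gateway-side check: list encrypted entries and report whether their content can be inspected.
    zf = zipfile.ZipFile(io.BytesIO(blob))
    encrypted, opened = [], {}
    for info in zf.infolist():
        if not info.flag_bits & 0x1:          # general-purpose bit 0: entry is encrypted
            continue
        encrypted.append(info.filename)
        for pwd in candidate_passwords:       # e.g. strings harvested from the mail body
            try:
                opened[info.filename] = zf.read(info, pwd=pwd)
                break
            except (RuntimeError, zipfile.BadZipFile):   # wrong password: check byte or CRC fails
                continue
    if not encrypted:
        verdict = 'scannable'
    elif len(opened) == len(encrypted):
        verdict = 'decrypted-for-scan'
    else:
        verdict = 'unscannable-quarantine'
    return {'verdict': verdict, 'encrypted': encrypted, 'opened': opened}


# Constructed sample attachment: the payload is placeholder text, not a document.
SAMPLE_DOC = b'constructed sample content standing in for a macro document'
SAMPLE_ZIP = make_encrypted_zip('Invoice_8732.doc', SAMPLE_DOC, b'invoice2020')

if __name__ == '__main__':
    print(scan_archive(SAMPLE_ZIP)['verdict'])
    print(scan_archive(SAMPLE_ZIP, [b'wrong', b'invoice2020'])['verdict'])
```

Without the password the gateway can still see the entry name and that it is encrypted, which is enough to route the message to quarantine or to a policy that blocks encrypted archives from untrusted senders. Note that the standard library only handles ZipCrypto; archives using AES (WinZip-style, method 99) or other container formats need separate tooling.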
The\r\nEmotet gang then sells access to these infected hosts to other cybercrime gangs, including ransomware operators.\r\nOften, and especially in large corporate environments, an Emotet infection can turn into a ransomware\r\nattack within hours.\r\nThat's why cyber-security agencies and CERT teams in France, Japan, New Zealand, Italy, and the Netherlands are\r\ntreating Emotet spam campaigns with so much fear and respect, and why they're releasing alerts to the companies\r\nin their respective countries to bolster defenses against Emotet's spam trickery.\r\nAnd Emotet has a large bag of tricks when it comes to its spam operations.\r\nRoosen, who's been tracking the botnet for years now, says that Emotet is currently favoring the use of a technique\r\ncalled \"email chains\" or \"hijacked threads.\"\r\nThe technique relies on the Emotet gang first stealing an existing email chain from an infected host and then\r\nreplying to that chain under a spoofed identity, with a malicious document attached, in the hope of tricking the\r\nchain's existing participants into opening the file and infecting themselves. Because the reply carries the real\r\nsubject line and quoted history, it passes the casual plausibility check most recipients apply.\r\nEmotet has used this technique since October 2018 and has returned to it many times since.\r\nThe technique is quite clever and effective and has also been detailed in a report published today by Palo Alto\r\nNetworks.\r\n[Figure: Emotet email chains. Image: Palo Alto Networks]\r\nBut the alerts from Microsoft and the Italian authorities also warn of another recent change in Emotet spam\r\ncampaigns, which are now also leveraging password-protected ZIP files instead of plain Office documents.\r\nThe idea is that an email security gateway, which does not know the password, cannot open the archive to scan its\r\ncontents, and so sees no trace of the Emotet malware inside.\r\nRoosen told ZDNet that Emotet has been using this technique sparingly since mid-2019, but recently they started\r\nto increase its prevalence among the Emotet 
spam campaigns, which is why Microsoft and others are now reacting to\r\nits sudden rise in prevalence.\r\nEmotet joined the password-protected attachment bandwagon with a campaign starting\r\nFriday. The campaign slowed down over the weekend (typical of Emotet) but was back\r\ntoday in even larger volumes of emails in English, as well as in some European\r\nlanguages. pic.twitter.com/POppQ51uMX\r\n— Microsoft Security Intelligence (@MsftSecIntel) September 22, 2020",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.zdnet.com/article/microsoft-italy-and-the-netherlands-warn-of-increased-emotet-activity/"
	],
	"report_names": [
		"microsoft-italy-and-the-netherlands-warn-of-increased-emotet-activity"
	],
	"threat_actors": [],
	"ts_created_at": 1775434128,
	"ts_updated_at": 1775791303,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a7210e3fefb290a9b9bbd841906d11cd444fdace.pdf",
		"text": "https://archive.orkl.eu/a7210e3fefb290a9b9bbd841906d11cd444fdace.txt",
		"img": "https://archive.orkl.eu/a7210e3fefb290a9b9bbd841906d11cd444fdace.jpg"
	}
}