{
	"id": "6a561baf-4616-45c3-98de-1e84098ddcde",
	"created_at": "2026-04-06T00:08:52.444228Z",
	"updated_at": "2026-04-10T13:11:52.914523Z",
	"deleted_at": null,
	"sha1_hash": "a7cedb195d2e9aac6b9d66dcf4f0e0f24975b60c",
	"title": "Conti and Emotet: A constantly destructive duo",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 34379,
	"plain_text": "Conti and Emotet: A constantly destructive duo\r\nBy Intel 471\r\nPublished: 2026-04-01 · Archived: 2026-04-05 17:26:04 UTC\r\nThe relationship between Trickbot, Emotet and Conti has been well documented, with many security researchers\r\nshowing how threat actors have used the malware combination to launch a plethora of schemes. This relationship\r\nhas come into greater focus in recent weeks, as the Conti Leaks show just how dependent Conti affiliates are\r\non Emotet. Through a combination of information pulled from those leaks and Intel 471’s technical monitoring of\r\nEmotet campaigns, we now have a clearer understanding of how criminals are using Emotet in concert with\r\nConti.\r\nIntel 471 assesses with high confidence that Emotet malware operators’ spam targets will enter a pool of potential\r\nConti victims. Intel 471 analyzed Conti ransomware incidents from Dec. 25, 2021, to March 25, 2022, and\r\ndiscovered over a dozen targets that were recipients of Emotet malspam. While what Intel 471 measured was\r\nbased on known attacks, the true degree of correlation between Emotet spam recipients and Conti ransomware\r\nbreach victims may be greater, since not all Conti victims are publicly listed on the name-and-shame blog for a\r\nvariety of reasons, including victims opting to pay ransoms to remain anonymous. Intel 471 believes it’s likely\r\nthat Conti ransomware operators rely heavily on Emotet to find their current victims.\r\nThe chart below shows the dates on which Emotet appeared on systems, followed by a ransomware attack in which Conti\r\nwas used.\r\n[Image: Conti Chart Data black Bkgrd 14 Apr2022]\r\nThe negative numbers in the chart above indicate that some victims were still receiving Emotet malspam after a\r\nransomware incident was already listed on Conti’s blog. This is an important point to highlight, as it gives great\r\ninsight into the overall operation of the Conti ransomware group and the Emotet operators.\r\nWhile Emotet has been used in concert with Trickbot and Conti, Emotet does not operate under the same\r\nleadership umbrella as the other two forms of malware (unlike Trickbot, which Conti “acquired” earlier this year).\r\nThe Emotet malspam operation is independent and massive, with some parts running in an automated manner.\r\nWhat’s likely occurring is that most Emotet spam recipients are not strictly targeted by a ransomware affiliate\r\nusing Conti. Instead, Emotet is used by Conti affiliates to gain initial access. Once access is obtained, the\r\norganization is placed into a pool of potential ransomware targets, from which ransomware operators can select their\r\nnext victim based on the system information extracted by Emotet.\r\nEven though Emotet operates outside the boundaries of Conti’s leadership, the ransomware group has made it a\r\nkey part of its attack chain, specifically as part of the relaunched Emotet we observed in November 2021.\r\nThe previous Emotet operation consistently launched malspam campaigns that dropped several malware families,\r\nincluding IcedID aka Bokbot, Qbot and Trickbot. However, the updated Emotet malspam operation has been\r\nobserved dropping only Cobalt Strike payloads or intermediary payloads, such as SystemBC, to drop Cobalt\r\nStrike. We know from the Conti Leaks that the group leveraged Cobalt Strike: independent journalist Brian\r\nKrebs reported that Conti invested US $60,000 in acquiring a valid Cobalt Strike license in 2021.\r\nThe leaks further revealed evidence that certain members of the Conti team were responsible for handling Trickbot\r\nand Emotet development. The leak revealed that the actor “veron” aka “mors,” who directs the Emotet malware spam\r\noperation, reports to a senior manager in the Conti organization who uses the “stern” handle. This information\r\naligns with our own observations and long-term monitoring of Emotet and TrickBot malware campaigns. In past\r\ncampaigns, only bots with the Trickbot group tag (gtag) “mors” received commands to download and execute\r\nEmotet. This suggests “mors” added the gtag to Trickbot.\r\nWhen any organization finds a successful operational process, it leans on it as much as possible. The Conti Leaks\r\nhave shown how this group conducts itself like a legitimate business, adopting well-worn practices that allow it to\r\nfulfill its goals. These leaks show just how crucial Emotet has been to Conti’s ransomware schemes. While not\r\nevery instance of Emotet means that a ransomware attack is imminent, our research shows that there is a\r\nheightened chance of an attack if Emotet is spotted on an organization’s systems. By being proactive against Emotet,\r\ndefenders can save their organizations from further issues that could cause substantial damage to their operations.\r\nSource: https://intel471.com/blog/conti-emotet-ransomware-conti-leaks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://intel471.com/blog/conti-emotet-ransomware-conti-leaks"
	],
	"report_names": [
		"conti-emotet-ransomware-conti-leaks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434132,
	"ts_updated_at": 1775826712,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a7cedb195d2e9aac6b9d66dcf4f0e0f24975b60c.pdf",
		"text": "https://archive.orkl.eu/a7cedb195d2e9aac6b9d66dcf4f0e0f24975b60c.txt",
		"img": "https://archive.orkl.eu/a7cedb195d2e9aac6b9d66dcf4f0e0f24975b60c.jpg"
	}
}