{
	"id": "271d740a-d513-4ac5-a26c-78137b2acb78",
	"created_at": "2026-04-06T00:16:12.976439Z",
	"updated_at": "2026-04-10T03:24:23.559399Z",
	"deleted_at": null,
	"sha1_hash": "a9bda686b01f9c53b3a9d6a239a29ee778872e99",
	"title": "Emotet starts dropping Cobalt Strike again for faster attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2244466,
	"plain_text": "Emotet starts dropping Cobalt Strike again for faster attacks\r\nBy Lawrence Abrams\r\nPublished: 2021-12-15 · Archived: 2026-04-05 13:35:36 UTC\r\nRight in time for the holidays, the notorious Emotet malware is once again directly installing Cobalt Strike beacons for rapid cyberattacks.\r\nFor those not familiar with Emotet, it is considered one of the most widespread malware infections and is distributed through phishing emails that include malicious attachments.\r\nHistorically, once a device becomes infected, Emotet will steal a victim's email to use in future campaigns and then drop malware payloads, such as TrickBot and Qbot.\r\nhttps://www.bleepingcomputer.com/news/security/emotet-starts-dropping-cobalt-strike-again-for-faster-attacks/\r\nPage 1 of 4\r\nHowever, earlier this month, Emotet began to test installing Cobalt Strike beacons on infected devices instead of their regular payloads.\r\nCobalt Strike is a legitimate pentesting tool that threat actors commonly use to spread laterally through an organization and ultimately deploy ransomware on a network.\r\nThis test was brief, and the threat actors soon went back to distributing their typical payloads.\r\nEmotet resumes Cobalt Strike installs\r\nLast week, the Emotet threat actors suspended their phishing campaigns, and since then, researchers have not seen any further activity from the group.\r\n\"Spamming stopped last week on Thursday, and since then, they have been quiet with very little of ANYTHING going on until today,\" Joseph Roosen of the Cryptolaemus Emotet group told BleepingComputer.\r\nHowever, Cryptolaemus is now warning that starting today, the threat actors have once again begun installing Cobalt Strike beacons on devices already infected by Emotet.\r\nRoosen told BleepingComputer that Emotet is now downloading the Cobalt Strike modules directly from its command and control server and then executing them on the infected device.\r\nWith Cobalt Strike beacons directly installed by Emotet, threat actors who use them to spread laterally through a network, steal files, and deploy malware will have immediate access to compromised networks.\r\nThis access will speed up the delivery of attacks, and with it being right before the holidays, it could lead to numerous breaches since enterprises now have limited staff to monitor for and respond to attacks.\r\nC2 communications disguised as jQuery\r\nIn a sample of the Cobalt Strike beacon shared with BleepingComputer, the malware communicates with the attacker's command and control servers through a fake 'jquery-3.3.1.min.js' file.\r\nEach time the malware communicates with the C2, it will attempt to download the jQuery file, which will have a variable changed with new instructions each time, as shown by the highlighted text in the image below.\r\nCobalt Strike C2 traffic disguised as a jQuery JavaScript file\r\nAs most of the file is legitimate jQuery source code, and only some content is changed, it blends into legitimate traffic and makes it easier to bypass security software.\r\nThe rapid deployment of Cobalt Strike through Emotet is a significant development that should be on the radars of all Windows and network admins and security professionals.\r\nWith this increased distribution of beacons to already infected devices, it is anticipated that we will see an increased number of corporate breaches and ultimately ransomware attacks right before or during the holidays.\r\nSource: https://www.bleepingcomputer.com/news/security/emotet-starts-dropping-cobalt-strike-again-for-faster-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/emotet-starts-dropping-cobalt-strike-again-for-faster-attacks/"
	],
	"report_names": [
		"emotet-starts-dropping-cobalt-strike-again-for-faster-attacks"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434572,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a9bda686b01f9c53b3a9d6a239a29ee778872e99.pdf",
		"text": "https://archive.orkl.eu/a9bda686b01f9c53b3a9d6a239a29ee778872e99.txt",
		"img": "https://archive.orkl.eu/a9bda686b01f9c53b3a9d6a239a29ee778872e99.jpg"
	}
}