{
	"id": "40fed79f-d82d-46b5-ac48-e87a49334c74",
	"created_at": "2026-04-06T00:16:45.204707Z",
	"updated_at": "2026-04-10T03:29:58.063511Z",
	"deleted_at": null,
	"sha1_hash": "ac0f7c9690fde56f9a4918ec4eb7d7784b8689d2",
	"title": "Emotet fixes bug in code, resumes spam campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 654298,
	"plain_text": "Emotet fixes bug in code, resumes spam campaign\r\nBy Jovi Umawing\r\nPublished: 2022-04-26 · Archived: 2026-04-05 20:32:54 UTC\r\nEmotet threat actors resumed their email spam campaign on Monday after stopping it late last week to fix a bug. The bug, a flaw in how Emotet installs itself after a victim opens a malicious email attachment, forced the actors to halt their campaign prematurely.\r\nEmotet is spammed out in emails claiming to contain invoices, forms, or payment details. The attachment is a password-protected ZIP file containing a Windows shortcut (.LNK) file disguised as a Word document.\r\nNormally, once a user double-clicks the shortcut, Emotet is loaded into memory, steals email addresses for use in future campaigns, and drops a payload, usually further malware such as ransomware or Cobalt Strike. This time, however, the bug struck as soon as the shortcut was double-clicked.\r\nDouble-clicking the shortcut sets off a chain. The command embedded in the .LNK file searches the .LNK file itself for a hidden marker string that is followed by Visual Basic code, writes that code out to a new VBS file, and then executes that file. But the file name hard-coded into that command does not match the actual name of the attached shortcut, so the command never finds its own file. For example, the command looks for “Password2.doc.lnk”, but the attached file itself is named “INVOICE 2022-04-22_1033, USA.doc”.
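Checking for exactly this mismatch, as an added example that is not part of the original post: the Python below parses the StringData section of a shortcut (the MS-SHLLINK fields that carry the target path and the command-line arguments, in both the Unicode and the ANSI encoding the format allows), pulls out every .lnk name the command refers to, and compares it with the name the file was actually attached under. The sample shortcut bytes, the findstr-based command line, the marker string and the temp-file name are constructed for this example; the page only says that a command searches the .LNK for a hidden string and writes the Visual Basic code it finds to a new VBS file, and the .lnk suffix on the attachment name is assumed to be hidden by Explorer.

```python
import re
import struct

# MS-SHLLINK: a fixed 76-byte ShellLinkHeader, then optional structures selected by LinkFlags.
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex('0114020000000000c000000000000046')
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_FIELDS = ((HAS_NAME, 'name'), (HAS_RELATIVE_PATH, 'relative_path'),
                 (HAS_WORKING_DIR, 'working_dir'), (HAS_ARGUMENTS, 'arguments'),
                 (HAS_ICON_LOCATION, 'icon_location'))

DQ = chr(34)   # the double-quote and backslash characters, built with chr()
SEP = chr(92)  # so that neither appears literally in this listing


def build_lnk(relative_path, arguments, unicode=True):
    '''Construct a minimal shortcut: header, empty IDList, RelativePath and Arguments.
    Sample data for this example only, not a real Emotet artifact.'''
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS | (IS_UNICODE if unicode else 0)
    header = struct.pack('<I16sIIQQQIIIHHII', HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # ShowCommand = SW_SHOWNORMAL
    id_list = struct.pack('<H', 2) + bytes(2)   # IDListSize=2 covers only the TerminalID

    def string_data(s):
        raw = s.encode('utf-16-le') if unicode else s.encode('cp1252')
        return struct.pack('<H', len(s)) + raw   # CountCharacters, then the characters, no terminator
    return header + id_list + string_data(relative_path) + string_data(arguments)


def parse_lnk_strings(data):
    '''Return the StringData fields of a .LNK (the part that carries the command line).'''
    if struct.unpack_from('<I', data, 0)[0] != HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError('not a shell link file')
    flags = struct.unpack_from('<I', data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from('<H', data, pos)[0]   # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from('<I', data, pos)[0]       # LinkInfoSize includes itself
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from('<H', data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        fields[name] = raw.decode('utf-16-le' if width == 2 else 'cp1252', errors='replace')
    return fields


# Quoted or bare tokens ending in .lnk inside a command line.
LNK_REF = re.compile(DQ + '([^' + DQ + ']*[.]lnk)' + DQ + '|([^ ' + DQ + ']+[.]lnk)', re.IGNORECASE)


def referenced_lnk_names(arguments):
    return [m.group(1) or m.group(2) for m in LNK_REF.finditer(arguments)]


def check_chain(attachment_name, lnk_bytes):
    '''Does the hard-coded self-reference match the name the shortcut was attached under?'''
    fields = parse_lnk_strings(lnk_bytes)
    refs = referenced_lnk_names(fields.get('arguments', ''))
    return {
        'target': fields.get('relative_path'),
        'hardcoded_names': refs,
        'chain_works': any(r.lower() == attachment_name.lower() for r in refs),
    }


def q(s):
    return DQ + s + DQ


# Constructed command line modelled on the behaviour described above: search the shortcut
# itself for a marker, write what follows to a .vbs and run it. findstr, the marker string
# and the temp-file name are assumptions for this example.
VBS_PATH = '%TEMP%' + SEP + 'stage.vbs'
BROKEN_ARGS = ('/c findstr ' + q('glXmarker.*') + ' ' + q('Password2.doc.lnk')
               + ' > ' + q(VBS_PATH) + ' & ' + q(VBS_PATH))
TARGET = SEP.join(['..', '..', '..', 'Windows', 'System32', 'cmd.exe'])
ATTACHED_AS = 'INVOICE 2022-04-22_1033, USA.doc.lnk'   # .lnk suffix assumed hidden by Explorer
BROKEN_LNK = build_lnk(TARGET, BROKEN_ARGS)
FIXED_LNK = build_lnk(TARGET, BROKEN_ARGS.replace('Password2.doc.lnk', ATTACHED_AS))

if __name__ == '__main__':
    for label, lnk in (('broken', BROKEN_LNK), ('fixed', FIXED_LNK)):
        print(label, check_chain(ATTACHED_AS, lnk))
```

To triage a real attachment, pass the shortcut file contents and the name it arrived under to check_chain: a self-reference that does not match the attachment name means the chain fails at its first step, which is exactly the defect the campaign shipped with, while a match (or no self-reference at all) means the shortcut is live and should be handled as malicious.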
This error breaks the infection chain.\r\nCryptolaemus (@Cryptolaemus1) has provided a more technical explanation in this Twitter thread:\r\nhttps://blog.malwarebytes.com/cybercrime/malware/2022/04/emotet-fixes-bug-in-code-resumes-spam-campaign/\r\nPage 1 of 3\n\nEmotet’s current use of .LNK files as attachments is a tried-and-tested tactic that can evade antivirus detection and sidestep Mark-of-the-Web (MOTW) protections. Mark of the Web is the Zone.Identifier tag Windows attaches to files downloaded from the Internet; it is what makes Office open such documents in Protected View. A shortcut is run by the Windows shell rather than opened by Office, so that safeguard never comes into play.\r\nOur Threat Intelligence Team has seen APT threat actors use .LNK files in their attack campaigns (the Higaisa APT comes to mind). It’s no surprise that other cybercriminal groups have adopted the technique; the operators of Emotet and IcedID are among them.\r\nEmotet has repeatedly changed how it reaches victims over its years of activity. Historically, it spread via malicious Windows App Installer packages and booby-trapped Word documents. Emotet is a sophisticated and versatile Trojan that other criminal groups have used to drop their own malware, leaving a single system with multiple infections. Payloads it has delivered include QakBot (also known as QBot), TrickBot, and Mimikatz (an open-source tool for dumping Windows credentials).\r\nBleepingComputer shared a list of attachment names the new Emotet email spam campaign is using, courtesy of Cofense, a security company specializing in email security:\r\nACH form.zip\r\nACH payment info.zip\r\nBANK TRANSFER COPY.zip\r\nElectronic form.zip\r\nform.zip\r\nForm.zip\r\nForm – Apr 25, 2022.zip\r\nPayment Status.zip\r\nPO 04252022.zip\r\nTransaction.zip\r\nIf you have received any emails bearing attachments with the above names, it would be wise to delete them immediately so that the attachment cannot be opened by accident.\r\nStay safe out there!\r\nAbout the author\r\nKnows a bit about everything and a lot about several somethings. 
Writes about those somethings, usually in long-form.\r\nSource: https://blog.malwarebytes.com/cybercrime/malware/2022/04/emotet-fixes-bug-in-code-resumes-spam-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.malwarebytes.com/cybercrime/malware/2022/04/emotet-fixes-bug-in-code-resumes-spam-campaign/"
	],
	"report_names": [
		"emotet-fixes-bug-in-code-resumes-spam-campaign"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "873919c0-bc6a-4c19-b18d-c107e4aa3d20",
			"created_at": "2023-01-06T13:46:39.138138Z",
			"updated_at": "2026-04-10T02:00:03.227223Z",
			"deleted_at": null,
			"main_name": "Higaisa",
			"aliases": [],
			"source_name": "MISPGALAXY:Higaisa",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "30c9c492-afc6-4aa1-8fe6-cecffed946e0",
			"created_at": "2022-10-25T15:50:23.400822Z",
			"updated_at": "2026-04-10T02:00:05.350302Z",
			"deleted_at": null,
			"main_name": "Higaisa",
			"aliases": [
				"Higaisa"
			],
			"source_name": "MITRE:Higaisa",
			"tools": [
				"PlugX",
				"certutil",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434605,
	"ts_updated_at": 1775791798,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ac0f7c9690fde56f9a4918ec4eb7d7784b8689d2.pdf",
		"text": "https://archive.orkl.eu/ac0f7c9690fde56f9a4918ec4eb7d7784b8689d2.txt",
		"img": "https://archive.orkl.eu/ac0f7c9690fde56f9a4918ec4eb7d7784b8689d2.jpg"
	}
}