{
	"id": "d19f4666-204a-4398-b1ae-76a96ab02edf",
	"created_at": "2026-04-06T01:30:44.966617Z",
	"updated_at": "2026-04-10T13:12:26.96572Z",
	"deleted_at": null,
	"sha1_hash": "ac3ab1b4796064b6561182308f4f4c699b448607",
	"title": "Meet the white-hat group fighting Emotet, the world's most dangerous malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1204691,
	"plain_text": "Meet the white-hat group fighting Emotet, the world's most dangerous malware\nBy Catalin Cimpanu\nPublished: 2020-02-29 · Archived: 2026-04-06 01:24:55 UTC\nBackground image via Guido Bohne (CC-BY-SA-2.0)\n\nFor more than a year, a group of security researchers and system administrators have banded together to fight back against Emotet, today's most active and dangerous malware operation.\n\nBy working together, the Cryptolaemus group has seriously hindered Emotet operations. Daily, the group publishes updates on its website and Twitter account. They share so-called indicators of compromise (IOCs). These include IP addresses for Emotet command servers, subject lines used in Emotet spam campaigns, and file hashes for Emotet-infected files.\n\nThe Cryptolaemus members share these details so that system and network administrators around the world can import the IOCs into their cyber-security products and protect against possible Emotet infections, or help with early detection before the malware can do extensive damage.\n\n\"Personally, I just want to help people and stop this threat,\" said Joseph Roosen, one of the Cryptolaemus members.\n\n\"When Emotet infected my network at my day job in November of 2017, it was only stopped by us having a rather robust VLAN scheme, and therefore lateral movement was isolated and easier to clean up,\" Roosen said. \"However, the experience changed my life, though, and pissed me off at the same time.\"\n\nhttps://www.zdnet.com/article/meet-the-white-hat-group-fighting-emotet-the-worlds-most-dangerous-malware/\nPage 1 of 5\n\nEmotet -- from banking trojan to cybercrime empire\n\nThe reason for Roosen's anger was Emotet, a name that describes both a malware strain and the criminal operation behind it.\n\nEmotet appeared online in 2014. It began its operations as a banking trojan. Banking trojans were all the rage in the mid-2010s.\n\nEmotet would infect a victim, lurk on the system until the user accessed their bank account, steal the user's credentials, and then allow the Emotet gang to access the bank account and steal funds.\n\nBut by 2014, banks had already faced banking trojans like Emotet for more than a decade, and they were starting to deploy anti-fraud measures. Multi-factor authentication systems, IP geo-fencing, and transaction alerts made stealing funds from someone's bank account without their knowledge much harder.\n\nThe Emotet gang saw the writing on the wall, and in the spring and summer of 2016, they became one of the first major banking trojan operations to morph into something else.\n\nDuring 2016 and 2017, Emotet slowly replaced most of its codebase and transformed itself from a banking trojan into a malware loader.\n\nA \"loader\" is an incredibly simplistic malware strain. It infects a victim and then downloads (or loads) other malware. Emotet would download its own modules, or it would download someone else's malware.\n\nBasically, Emotet shifted its entire mode of operation in only two years, from a closed group that stole money from people's bank accounts, into an open group that allowed other malware gangs to rent access to infected computers all over the world.\n\nNowadays, Emotet is one of the biggest \"loader\" operations on the market. It's effectively a cybercrime empire. They're so big that other \"loaders\" -- like TrickBot -- rent access to its huge network of infected computers. Ransomware, crypto-miners, info-stealers, and banking trojans have been seen being planted on Emotet-infected hosts.\n\n[Infographic. Image: Sophos]\n\nNowadays, an Emotet infection means much more than many other malware infections. An Emotet infection usually means that Emotet has also expanded its reach from the initial point of entry to your entire network. Emotet now comes with a plethora of modules that allow it to spread inside a network once it gets a foothold inside it. Its lateral movement tools are so advanced it's now pioneering a novel method of spreading via Wi-Fi connections, something not seen in any other malware operation.\n\nEmotet is a litmus test for the infosec (information security) community. If a security researcher is playing down an Emotet infection, then they've most likely lost touch with what's what in the malware world. All good security researchers will tell you that Emotet is one of the most dangerous infections you can get, right next to TrickBot, another similar banking-trojan-turned-downloader operation.\n\nAnybody else depressed by the fact everyone in #threatintel can see that #emotet is coming back online and yet none of us can do anything to stop it? When it does go active it will start compromising systems and inflicting millions of dollars in damages. Maybe it's just me 🤷‍♂️\n— Nick Biasini (@infosec_nick) August 23, 2019\n\nAuthorities in Germany and the Netherlands currently treat Emotet the same way as they do ransomware attacks. When a company gets infected with Emotet, cyber-security authorities in those two countries tell the victim company to shut down its entire network and immediately take it off the internet. Emotet infections left to run wild eventually turn into data breaches and ransomware infections.\n\nGetting together to fight Emotet\n\nIt was in June 2018 when the idea of an anti-Emotet group came to be. In a Twitter group chat, a US-based system administrator named JayTHL asked \"Any interest in a dedicated Emotet working group?\"\n\nAlmost all in the chat said yes.\n\n\"Before you know it, we are chatting daily about Emotet TTPs (Tactics, Techniques, and Procedures) and sharing intel,\" Roosen told ZDNet in an interview.\n\n\"Eventually, after things got going, we started to add more members and made a joint effort to publish our IoCs instead of doing it as individual piecemeal stuff,\" Roosen added.\n\nThat's how a formal group came to be.\n\nWhen it came to naming it, they had the perfect title.\n\n\"This name -- Cryptolaemus -- is based on the genus of beetles that are known as 'Mealybug destroyers',\" Roosen said.\n\n\"Back in the summer of 2018, Symantec had published a threat intel blog claiming that the name for the Emotet actors was 'Mealybug',\" Roosen said.\n\n\"None of us had heard of this before and scratched our heads as to where this came from. It quickly became somewhat of a joke to us that we were the destroyers of Mealybug(s), and thus, the Cryptolaemus name was born.\"\n\nThe Cryptolaemus name idea came from a security researcher who goes by @ps66uk on Twitter, a trained biologist, showing how diverse the group was becoming.\n\nNow, the Cryptolaemus team lists over 20 members on its website, but their ranks are far larger. Many can't disclose their affiliation with the group due to non-disclosure agreements they've signed. Some work as IT administrators for big corporations while others work at cyber-security firms. Most work on contracts that don't allow them to share threat intel freely on the internet.\n\nHowever, many are doing it anyway.\n\nTaking down Emotet one water drop at a time\n\nThey're doing it because they want to see Emotet shut down and its mastermind -- an individual known only as Ivan -- arrested and behind bars.\n\nBut bringing down Emotet is not an easy feat. Emotet is one of the most sophisticated malware operations known to date. It operates from three distinct botnets, not just one, created for this very reason -- to make takedowns harder.\n\nFurthermore, Ivan is believed to reside in Russia, a country that hasn't been too forthcoming in helping take down local cybercrime operations.\n\n\"I'd love it if they were arrested, but if they just give up, I'll be happy too,\" said James Quinn, a malware analyst at Binary Defense and a Cryptolaemus member.\n\nMaking Emotet and Ivan give up, or tap out, is what Cryptolaemus members have in mind. Most know that an arrest or a takedown is far away.\n\nInstead, they hope that by sharing daily Emotet IOCs they can cut into Emotet's infection rate and into Ivan's profits.\n\nRight now, Cryptolaemus members have regular meetings in Slack and Telegram channels, where they discuss new ways to hinder Emotet. Some spend their time reverse-engineering Emotet malware payloads, others track the botnet's command and control servers, while others crack encryption and other Emotet-related protocols.\n\nTheir efforts have not gone unnoticed. Today, the group's work is often closely followed by law enforcement and cyber-security firms alike. But Cryptolaemus' biggest fan is the Emotet gang itself.\n\n\"I am quite sure they are aware and reading our daily reports,\" Roosen said.\n\n\"We have seen them change tactics minutes after our posts, often enough that it is more than simple coincidence. I am quite sure they are part of the many reading our posts as soon as they go live,\" the researcher added.\n\n\"We have even joked that they are now calling the three botnets Epoch 1, Epoch 2, and Epoch 3 internally [based on the names we assigned them].\"\n\nA stalemate\n\nRight now, the fight between Cryptolaemus and Emotet appears to be a stalemate; however, the group's efforts are widely appreciated and respected in the infosec community, where, slowly but surely, the group's members have become de-facto Emotet experts, whose opinions are always highly valued.\n\nBut while the Cryptolaemus group may never get their wish to see Ivan in handcuffs, the group is still pretty happy at how things turned out.\n\n\"Honestly, seeing the amount of cooperation in the group is really cool, because some of us literally work for direct competitors of each other, but we're still able to work together and push out IOCs, which is rare to see in the industry,\" Quinn said.\n\n\"I learn something new every day it seems, and I am helping the world,\" Roosen said. \"To me, this is a win-win! I am truly touched by people reaching out to us explaining how we have helped them in their battles with Emotet.\n\n\"I think we have had some minor victories in this fight with the Emotet actors, but our greatest single accomplishment is the open collaboration and sharing amongst different entities in the industry,\" Roosen added. \"Because we are viewed as a neutral party, people will work together with us more freely, and through that collaboration, we have accomplished great things together.\"\n\nSource: https://www.zdnet.com/article/meet-the-white-hat-group-fighting-emotet-the-worlds-most-dangerous-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zdnet.com/article/meet-the-white-hat-group-fighting-emotet-the-worlds-most-dangerous-malware/"
	],
	"report_names": [
		"meet-the-white-hat-group-fighting-emotet-the-worlds-most-dangerous-malware"
	],
	"threat_actors": [
		{
			"id": "dcba8e2b-93e0-4d6e-a15f-5c44faebc3b1",
			"created_at": "2022-10-25T16:07:23.816991Z",
			"updated_at": "2026-04-10T02:00:04.758143Z",
			"deleted_at": null,
			"main_name": "Lurk",
			"aliases": [],
			"source_name": "ETDA:Lurk",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439044,
	"ts_updated_at": 1775826746,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ac3ab1b4796064b6561182308f4f4c699b448607.pdf",
		"text": "https://archive.orkl.eu/ac3ab1b4796064b6561182308f4f4c699b448607.txt",
		"img": "https://archive.orkl.eu/ac3ab1b4796064b6561182308f4f4c699b448607.jpg"
	}
}