{
	"id": "3fe22f4a-f7ba-4098-8157-34e9a104b9a0",
	"created_at": "2026-04-06T00:11:12.267596Z",
	"updated_at": "2026-04-10T03:21:40.52071Z",
	"deleted_at": null,
	"sha1_hash": "b17bb10e1edc1c2c1c8dd6e870c926207b5cba09",
	"title": "Emotet SMB Spreader is Back",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 584118,
	"plain_text": "Emotet SMB Spreader is Back\r\nArchived: 2026-04-05 15:47:43 UTC\r\nEmotet is back in business, and Bitsight's Threat Research team is continuously monitoring the evolution of this\r\ndangerous malware.\r\nNot too long ago, on June 6, our team observed the botnet Epoch4 delivering a new module to the infected\r\nsystems that turned out to be a credit card stealer targeting Google Chrome. A few days later, on June 13, the\r\nbotnet Epoch4 re-introduced the SMB spreader module. This module was used before the law enforcement\r\ntakedown in January 2021, but not since Emotet's return in November 2021.\r\nCurrently, all Emotet botnets (Epoch4 and Epoch5) are using these two modules giving the malware the capability\r\nof stealing credit card data and moving laterally upon infecting a system.\r\nGiven the dangerous nature of the SMB spreader module, we decided to share some details on how it works.\r\nHardcoded username and password lists\r\nThe spreader contains an encrypted list of usernames and an encrypted list of passwords. These two lists are\r\nencrypted using a XOR cipher with 4-byte sized keys. After decrypting the lists, the contents are parsed and\r\nplaced in two linked lists:\r\nFigure 1. Decrypting and parsing the username and password lists\r\nThe token from the logged-on user gets duplicated by calling DuplicateToken with the SecurityImpersonation\r\nlevel. Then the spreader calls ImpersonateLoggedOnUser to complete the impersonation of the logged-on user:\r\nhttps://www.bitsight.com/blog/emotet-smb-spreader-back\r\nPage 1 of 4\n\nFigure 2. Logged-on user impersonation\r\nThe spreader calls WnetOpenEnumW and WnetEnumResourceW to enumerate network resources. If the network\r\nresource is a server, its name gets saved into a list:\r\nFigure 3. Finding remote servers\r\nThe spreader iterates over the list of servers and try to connect to the IPC$ share using the hardcoded usernames\r\nand passwords:\r\nhttps://www.bitsight.com/blog/emotet-smb-spreader-back\r\nPage 2 of 4\n\nFigure 4. Bruteforcing the IPC$ share\r\nIf none of the credentials worked, the spreader tries to enumerate usernames from the target server by calling\r\nNetUserEnum. All usernames that are not present in the hardcoded username list will be added to a linked list so\r\nthat they can be bruteforced later:\r\nFigure 5. Enumerating usernames from remote servers\r\nIf the spreader finds valid credentials, it tries to connect to C$ and ADMIN$ shares. In case of successful\r\nauthentication, Emotet's loader is copied to the remote share with a random filename (derived from the machine\r\nCPU counter) and launched as a service.\r\nPaths to where loader can be copied:\r\nShare Path\r\nC$ C:\\\u003crandom\u003e.dll\r\nhttps://www.bitsight.com/blog/emotet-smb-spreader-back\r\nPage 3 of 4\n\nADMIN$ %SystemRoot%\\\u003crandom\u003e.dll\r\nThe newly created service will execute one of the following commands:\r\nShare Command\r\nC$ regsvr32.exe \"C:\\\u003crandom\u003e.dll\"\r\nADMIN$ regsvr32.exe \"%SystemRoot%\\\u003crandom\u003e.dll\"\r\nEmotet's ability to extend functionality through the usage of modules makes it easier to add new capabilities to the\r\nmalware. A module capable of stealing credit card data shows that the operators are looking for new ways to\r\nmonetize their botnet operations. The re-introduction of the SMB spreader shows the willingness of the operators\r\nto raise infections at the cost of increasing Emotet's network fingerprint.\r\nDefenders should look for suspicious authentication attempts to network shares and be sure that no users are using\r\nany of the passwords in the hardcoded password list.\r\nSHA256 spreader module:\r\n3D8F8F406A04A740B8ABB1D92490AFEF2A9ADCD9BEECB13AECF91F53AAC736B4\r\nList of usernames:\r\nhttps://raw.githubusercontent.com/bitsight-research/threat_research/main/emotet/smb_spreader/users.txt\r\nList of passwords:\r\nhttps://raw.githubusercontent.com/bitsight-research/threat_research/main/emotet/smb_spreader/passwords.txt\r\nSource: https://www.bitsight.com/blog/emotet-smb-spreader-back\r\nhttps://www.bitsight.com/blog/emotet-smb-spreader-back\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bitsight.com/blog/emotet-smb-spreader-back"
	],
	"report_names": [
		"emotet-smb-spreader-back"
	],
	"threat_actors": [],
	"ts_created_at": 1775434272,
	"ts_updated_at": 1775791300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b17bb10e1edc1c2c1c8dd6e870c926207b5cba09.pdf",
		"text": "https://archive.orkl.eu/b17bb10e1edc1c2c1c8dd6e870c926207b5cba09.txt",
		"img": "https://archive.orkl.eu/b17bb10e1edc1c2c1c8dd6e870c926207b5cba09.jpg"
	}
}