{
	"id": "7f33206e-59e6-43b2-9137-6d5a803f5dad",
	"created_at": "2026-04-06T00:18:31.988854Z",
	"updated_at": "2026-04-10T13:11:56.405702Z",
	"deleted_at": null,
	"sha1_hash": "bda966802ce63c0835a3d5bc42564b9e0da10401",
	"title": "New Wave of Emotet - When Project X Turns Into Y",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3115182,
	"plain_text": "New Wave of Emotet - When Project X Turns Into Y\r\nArchived: 2026-04-05 21:37:23 UTC\r\nBy: Max Malyutin – Orion Threat Research and Intelligence Team Leader\r\nPrologue\r\nEmotet first appeared in June 2014 as a banking trojan and has mainly been used since then to target the financial sector. In 2021, Emotet was classified as the most widely seen malware by law enforcement and judicial authorities. In January 2021, law enforcement and judicial authorities took down the Emotet botnet. On November 15, 2021, Emotet returned, as reported by the Cryptolaemus team.\r\nThe Cynet Orion Threat Research and Intelligence Team tracks Emotet TTPs (tactics, techniques, and procedures) on a daily basis and has seen rapid and drastic changes since its return. On February 21, 2022, we observed a new Emotet campaign that uses new attack methods and TTPs. We detected mass malicious email distribution and a high volume of traffic on the two main botnets, Epoch 4 and Epoch 5.\r\nWhile investigating, we found a new artifact that did not exist in previous campaigns, “Y.dll”. In the previous Emotet campaign, which started on November 15, the malware was branded “Project X” – an alias given due to the internal use of the name X.dll. Likewise, we decided to name the new Emotet variant “Project Y”.\r\nEmotet campaigns start with a malspam email, and in most cases they use thread hijacking to deceive users into trusting the email. Thread hijacking means the email poses as a reply in an existing conversation: its subject begins with “RE:” and its quoted content is taken from mailboxes stolen during previous Emotet infections, so the message looks like a continuation of a real exchange. In some cases, Emotet malspam campaigns carry attachments in the form of Word or Excel documents. 
We have also observed password-protected zip archives being sent as attachments in such malspam emails.\r\nA Brief History of Emotet\r\nEmotet threat group members collaborated in the past with Trickbot’s operators, each deploying the other’s payloads during infections. Before the takedown, the Emotet kill chain consisted of dropping Trickbot’s payload, which in turn led to ransomware infection by Ryuk (CONTI). The first indication of the return of Emotet, on November 15, 2021, came from security researchers who noticed that Trickbot payloads were dropping Emotet’s loader. A month later, on December 15, we discovered that Emotet had started deploying Cobalt Strike beacons on compromised hosts. This new Emotet behavior might indicate that additional new capabilities and strategies will be used as well.\r\nSummary\r\nSince its return, Emotet has struck with a diverse arsenal of TTPs, such as malicious documents, in both Word and Excel formats, that contain either VBA or XLM macros. We have also observed different LOLBins abused by Emotet, such as mshta, PowerShell, wscript, rundll32, and more. We will cover the changes (TTPs) Emotet underwent since its return on November 15 in a separate article. In the current article, we review the recent (February 21, 2022) Emotet campaign’s infection activity, which consists of new TTPs and the new Y.dll payload.\r\nhttps://www.cynet.com/attack-techniques-hands-on/new-wave-of-emotet-when-project-x-turns-into-y/\r\nPage 1 of 12\r\nInitial Access and Execution Flow:\r\nInitial access was delivered via a malspam email carrying a password-protected zip attachment that contains a malicious Excel document. We have observed two types of Excel document: one with a protected VBA macro project and one with Excel 4.0 (XLM) macros. 
In both cases, the user needs to enable macros to start the infection, as shown in figures 1 and 2.\r\nThe document with the XLM macros\r\nFigure 1: Shows the Emotet malicious document XLM macro, hidden sheets and AutoOpen function\r\nFigure 1.1: Shows XLM macro code that utilizes native API functions to download and execute the Emotet payload\r\nThe document with the VBA macros\r\nFigure 2: Shows the Emotet malicious document with a new fake message that deceives the user into enabling the VBA macros\r\nFigure 2.1: Shows the protected malicious VBA macro code\r\nFigure 2.2: Shows obfuscated VBA macro code from the Workbook_Open function\r\nAfter the user enables the macros (User Execution: Malicious File, T1204.002), the infection continues by abusing LOLBins. 
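The regsvr32, wscript and cmd command-line patterns that this section goes on to list, together with the Run-key and service persistence described later under Persistence and Privilege Escalation, can be turned directly into hunting logic. The following Python is an added example written for this page, not code from the Cynet article or its authors: it runs those patterns over a handful of constructed Sysmon-style process-creation and registry events. The user name, directory and file names in the events, the event layout, and the assumption that the service's ImagePath carries the regsvr32 command line are all made up for the example.

```python
import re

# Constructed Sysmon-style events (not real telemetry). Names such as
# "alice", "Yxqtrfm", "pqsnlff.qzw", "Kwvzd" and "rqhvw" are made up to stand in
# for the {user_name}, {random_directory} and {random_payload_name}.{random_extension}
# placeholders used in the article's command-line patterns.
PROCESS_EVENTS = [
    {'id': 1, 'cmdline': 'regsvr32.exe /s ..\\pqsnlff.ocx'},
    {'id': 2, 'cmdline': 'regsvr32.exe /s "C:\\Users\\alice\\AppData\\Local\\Yxqtrfm\\pqsnlff.qzw"'},
    {'id': 3, 'cmdline': 'regsvr32.exe /s "C:\\Windows\\SysWOW64\\Kwvzd\\pqsnlff.abc"'},
    {'id': 4, 'cmdline': 'wscript c:\\programdata\\rqhvw.vbs'},
    {'id': 5, 'cmdline': 'cmd.exe /c start /B c:\\windows\\syswow64\\regsvr32.exe /s c:\\programdata\\rqhvw.dll'},
    {'id': 6, 'cmdline': 'regsvr32.exe /s "C:\\Program Files\\Vendor\\vendor.dll"'},  # benign installer
]
REGISTRY_EVENTS = [
    # Assumption: the Run value and the service ImagePath hold the regsvr32 command line.
    {'id': 7, 'key': 'HKU\\S-1-5-21-1000-2000-3000-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Yxqtrfm',
     'data': 'C:\\Windows\\SysWOW64\\regsvr32.exe /s "C:\\Users\\alice\\AppData\\Local\\Yxqtrfm\\pqsnlff.qzw"'},
    {'id': 8, 'key': 'HKLM\\System\\CurrentControlSet\\Services\\Kwvzd\\ImagePath',
     'data': 'C:\\Windows\\SysWOW64\\regsvr32.exe /s "C:\\Windows\\SysWOW64\\Kwvzd\\pqsnlff.abc"'},
    {'id': 9, 'key': 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth',
     'data': '%windir%\\system32\\SecurityHealthSystray.exe'},  # benign autostart
]

# The argument regsvr32 was given after /s, with surrounding quotes removed.
REGSVR32_PAYLOAD = re.compile(r'regsvr32(?:\.exe)?\s+/s\s+"?([^"]+?)"?\s*$', re.I)
# Shapes of the payload path seen in the article's patterns.
RELATIVE_OCX = re.compile(r'^\.\.\\[^\\]+\.ocx$', re.I)
LOCALAPPDATA_SUBDIR = re.compile(r'^[a-z]:\\users\\[^\\]+\\appdata\\local\\[^\\]+\\[^\\]+$', re.I)
SYSWOW64_SUBDIR = re.compile(r'^[a-z]:\\windows\\syswow64\\[^\\]+\\[^\\]+$', re.I)
PROGRAMDATA_DLL = re.compile(r'^[a-z]:\\programdata\\[^\\]+\.dll$', re.I)
# Other LOLBin stages of the VBA-document flow.
WSCRIPT_PROGRAMDATA_VBS = re.compile(r'^wscript(?:\.exe)?\s+"?[a-z]:\\programdata\\[^\\]+\.vbs"?\s*$', re.I)
CMD_START_B = re.compile(r'^cmd(?:\.exe)?\s+/c\s+start\s+/b\s+', re.I)
# Persistence locations: Run key (T1547.001) and service ImagePath (T1543.003).
RUN_KEY = re.compile(r'\\software\\microsoft\\windows\\currentversion\\run\\[^\\]+$', re.I)
SERVICE_IMAGEPATH = re.compile(r'\\currentcontrolset\\services\\[^\\]+\\imagepath$', re.I)


def regsvr32_payload(text):
    """Return the path regsvr32 /s was asked to load, or None if there is none."""
    m = REGSVR32_PAYLOAD.search(text)
    return m.group(1).strip() if m else None


def classify_process(event):
    """Names of the Emotet command-line patterns a process-creation event matches."""
    cmd = event['cmdline']
    hits = []
    if WSCRIPT_PROGRAMDATA_VBS.match(cmd):
        hits.append('wscript_programdata_vbs')
    path = regsvr32_payload(cmd)
    if path is None:
        return hits
    if RELATIVE_OCX.match(path):
        hits.append('regsvr32_relative_ocx')            # first stage, both privilege levels
    if LOCALAPPDATA_SUBDIR.match(path):
        hits.append('regsvr32_localappdata_subdir')     # unprivileged second stage
    if SYSWOW64_SUBDIR.match(path):
        hits.append('regsvr32_syswow64_subdir')         # Administrator second stage
    if CMD_START_B.match(cmd) and PROGRAMDATA_DLL.match(path):
        hits.append('cmd_start_b_regsvr32_programdata')  # VBA flow hand-off to regsvr32
    return hits


def classify_registry(event):
    """Names of the persistence patterns a registry-value-set event matches."""
    path = regsvr32_payload(event['data'])
    hits = []
    if path is None:
        return hits
    if RUN_KEY.search(event['key']) and LOCALAPPDATA_SUBDIR.match(path):
        hits.append('run_key_regsvr32_localappdata')
    if SERVICE_IMAGEPATH.search(event['key']) and SYSWOW64_SUBDIR.match(path):
        hits.append('service_imagepath_regsvr32_syswow64')
    return hits


def scan(process_events, registry_events):
    """Map event id -> matched pattern names, omitting events that matched nothing."""
    findings = {}
    for ev in process_events:
        hits = classify_process(ev)
        if hits:
            findings[ev['id']] = hits
    for ev in registry_events:
        hits = classify_registry(ev)
        if hits:
            findings[ev['id']] = hits
    return findings


if __name__ == '__main__':
    for event_id, hits in sorted(scan(PROCESS_EVENTS, REGISTRY_EVENTS).items()):
        print(event_id, ', '.join(hits))
```

Running the script flags events 1 to 5, 7 and 8 and leaves the two benign entries alone. The relative “..\” path, the cmd.exe start /B hand-off and the randomly named SysWOW64 subdirectory are the high-confidence signals; the %LOCALAPPDATA% rule needs a baseline of the environment's own per-user software before it is promoted from a hunting query to an alert.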
As before, each document type has its own flow, as explained below:\r\nThe document with the XLM macros\r\nAs shown in figure 3, the execution continues with the abuse of the LOLBin (Living Off the Land Binary) regsvr32:\r\nFigure 3: Execution flow of the XLM macros document\r\nWe observed a repeated pattern in the regsvr32 command lines in all the samples that we analyzed.\r\nIf the document is not opened with Administrator privileges, the payload is copied to and executed from the %LOCALAPPDATA% directory:\r\nregsvr32.exe /s ..\\{random_payload_name}.ocx\r\n└── regsvr32.exe /s “C:\\Users\\{user_name}\\AppData\\Local\\{random_directory}\\{random_payload_name}.{random_extension}”\r\nIf the document is opened with Administrator privileges, the payload is copied to and executed from a subdirectory of SysWOW64 in %WINDIR%:\r\nregsvr32.exe /s ..\\{random_payload_name}.ocx\r\n└── regsvr32.exe /s “C:\\Windows\\SysWOW64\\{random_directory}\\{random_payload_name}.{random_extension}”\r\nAll the patterns above can be used for both threat hunting and detection purposes: regsvr32 /s with a relative “..\\” path, or with a payload under a randomly named directory in %LOCALAPPDATA% or %WINDIR%\\SysWOW64 and a non-DLL extension, is not what legitimate COM registration looks like.\r\nThe document with the VBA macros\r\nAs shown in figure 4, the execution continues with the abuse of several LOLBins:\r\nFigure 4: Execution flow of the VBA macros document\r\nHere too, we observed a repeated pattern in the command lines of the LOLBins that take part in the execution flow.\r\nwscript c:\\programdata\\{random_payload_name}.vbs\r\n├── powershell.exe -command …\r\n└── cmd.exe /c start /B c:\\windows\\syswow64\\regsvr32.exe /s c:\\programdata\\{random_payload_name}.dll\r\n    └── regsvr32.exe /s c:\\programdata\\{random_payload_name}.dll\r\n        └── regsvr32.exe /s “C:\\Users\\{user_name}\\AppData\\Local\\{random_directory}\\{random_payload_name}.{random_extension}”\r\nThe 
VBScript code, which is executed by wscript, and the PowerShell command are shown in figures 5 and 6:\r\nFigure 5: Shows the VBS (Visual Basic Script) file contents, which are obfuscated by the Replace method and string concatenation. This is the code that eventually executes the PowerShell command\r\nFigure 6: Shows the PowerShell command that is executed as a one-liner via the PowerShell process\r\nThe above PowerShell command is responsible for downloading the Emotet payload from a list of compromised URLs. The execution of the downloaded payload is performed by the cmd.exe process, which starts regsvr32.exe with the /s switch on the DLL in c:\\programdata.\r\nPersistence and Privilege Escalation\r\nAfter the Emotet payload is copied to its new location (%WINDIR%\\SysWOW64 or %LOCALAPPDATA%), it attempts to create persistence on the compromised host. The payload uses different persistence techniques, and the choice between them depends on the privilege of the user who opened the document.\r\nIn the unprivileged case, the payload achieves persistence by creating a Run key in the Registry (Boot or Logon Autostart Execution: Registry Run Keys, T1547.001), as shown in figures 7.1 and 7.2:\r\nFigure 7.1: Shows the Registry Run key with the payload execution command\r\nFigure 7.2: Shows the Emotet payload in the %LOCALAPPDATA% path\r\nIn the Administrator-privileged case, the payload achieves persistence by creating a service (Create or Modify System Process: Windows Service, T1543.003), as shown in figures 8.1 and 8.2:\r\nFigure 8.1: Shows the service’s key in the Registry, which contains the payload execution command\r\nFigure 8.2: Shows the Emotet payload in the SysWOW64 path\r\nDifferences between Project X and 
Project Y\r\nIn the previous campaign, Emotet’s core module was named X.dll. In the new campaign (February 21, 2022) we observed a different name for the core module, Y.dll. The core module comes with the export function DllRegisterServer. This naming convention could be an indicator for new Emotet variants; we are still investigating this assumption.\r\nBoth the X.dll and Y.dll core modules are unpacked inside regsvr32 memory and can be extracted from it, as shown in the figure below:\r\nFigure 9: Shows the unpacked Emotet payload inside the memory\r\nWe compared both core modules, X.dll and Y.dll, and found some differences, as shown in figures 10-11:\r\nFigure 10: Shows X.dll with the time stamp 31.01.2022\r\nFigure 11: Shows Y.dll with the time stamp 21.02.2022\r\nAs can be seen in figures 12-13, both core modules export the DllRegisterServer function, which is executed by regsvr32 as part of the execution flow. DllRegisterServer is the standard entry point regsvr32 calls on any DLL it registers, so the export itself is expected for a regsvr32-loaded module; the internal module name (X.dll, Y.dll) is the distinguishing artifact.\r\nFigure 12: Shows the DllRegisterServer export function inside X.dll\r\nFigure 13: Shows the DllRegisterServer export function inside Y.dll\r\nMITRE Techniques\r\nSpearphishing Attachment – T1566.001\r\nWindows Command Shell – T1059.003\r\nPowerShell – T1059.001\r\nVisual Basic – T1059.005\r\nDynamic Data Exchange – T1559.002\r\nNative API – T1106\r\nMalicious File – T1204.002\r\nRegistry Run Keys / Startup Folder – T1547.001\r\nWindows Service – T1543.003\r\nService Execution – T1569.002\r\nRegsvr32 – T1218.010\r\nIndicators of Compromise\r\nMD5 hash 
Type\r\n57595f82e73bed372c669e907d4db642  DLL\r\n4af61ef4287eb683eb2869e1fba61fd9  DLL\r\nf5e7d2c7e4568efb55d999bfd3e5e0ac  DLL\r\n3a3bfc5e4f8573b0ef10ac5693d76d78  DLL\r\na7f7aef892b99248f072d55802e657a5  DLL\r\n464618b1bb56d13bd7d4c703ec9d3c1f  DLL\r\n4014333649b5c8a189ec8308cfdb54d9  DLL\r\n492ebe377b5974b4a9f47e9831cc6555  XLS\r\n824f883a79f90cc31272bed6f56f2c7d  XLS\r\n8ba05c5653ab14ae48058c70e401fbd3  XLS\r\ne397e14490f1d0d71aa7d6c9f2b5331b  XLS\r\n45e49c0baa32799b15259b3367e58770  XLS\r\ncf99fabd8a930ede37f007139d4370f2  XLS\r\n6df575e25cc88a6e3a9306dbf2efe39c  XLS\r\n7baad56cc483132b8b9cb7a14722c3b1  VBS\r\nDistribution URLs\r\nhttp://explorationit[.]com/screwing/AxLm/\r\nhttp://www[.]beholdpublications[.]com/home/BABxyyWZx8Vu/\r\nhttp://myclassroomtime[.]com/mongery/ZlPsROtQiXIujmJmAA/\r\nhttp://www[.]ajaxmatters[.]com/c7g8t/zbBYgukXYxzAF2hZc/\r\nhttp://animalsandusfujairah[.]com/wp-admin/JWO58zeUOwSI/\r\nhttp://vipwatchpay[.]com/Isoetales/5wy8L0TQ1xCZEr/\r\nhttps://duvarkagitlarimodelleri[.]com/42hhp/gZXakh7/\r\nhttps://havuzkaydiraklari[.]com/wp-includes/YqYdLFA/\r\nhttps://dalgahavuzu[.]com/pwkfky/LF0WU/\r\nhttps://kinetekturk[.]com/e2ea69p/9U52O7jTobF8J/\r\nEmotet C2 servers\r\n150.95.20[.]209\r\n213.190.4[.]223\r\n135.148.121[.]246\r\n103.96.220[.]147\r\n134.209.156[.]68\r\n79.143.181[.]160\r\n50.30.40[.]196\r\n156.67.219[.]84\r\n175.107.196[.]192\r\n103.134.85[.]85\r\n207.38.84[.]195\r\n46.41.130[.]218\r\nSource: https://www.cynet.com/attack-techniques-hands-on/new-wave-of-emotet-when-project-x-turns-into-y/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cynet.com/attack-techniques-hands-on/new-wave-of-emotet-when-project-x-turns-into-y/"
	],
	"report_names": [
		"new-wave-of-emotet-when-project-x-turns-into-y"
	],
	"threat_actors": [],
	"ts_created_at": 1775434711,
	"ts_updated_at": 1775826716,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bda966802ce63c0835a3d5bc42564b9e0da10401.pdf",
		"text": "https://archive.orkl.eu/bda966802ce63c0835a3d5bc42564b9e0da10401.txt",
		"img": "https://archive.orkl.eu/bda966802ce63c0835a3d5bc42564b9e0da10401.jpg"
	}
}