{
	"id": "8d05a579-d458-41b4-87e2-af69196594a4",
	"created_at": "2026-04-06T00:13:12.612236Z",
	"updated_at": "2026-04-10T13:11:48.858071Z",
	"deleted_at": null,
	"sha1_hash": "c83210fdf31ba8e79539e61206476af3fea4721b",
	"title": "Increase in Emotet Activity and Cobalt Strike Deployment",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61423,
	"plain_text": "Increase in Emotet Activity and Cobalt Strike Deployment\r\nBy eSentire Threat Response Unit (TRU)\r\nArchived: 2026-04-05 13:38:36 UTC\r\nAdversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.\r\nWe have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.\r\nOur Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.\r\nIn TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.\r\nHere’s the latest from our TRU Team…\r\nWhat did we find?\r\nWe found Emotet, a former banking malware, now focused on loading or delivering follow-on malware. Emotet was disrupted in early 2021 but made a comeback in November 2021.\r\nHistorically, Emotet has installed malware such as Trickbot or Qakbot, which in turn have led to hands-on-keyboard adversaries and ransomware deployment.\r\nIn December 2021, researchers closely monitoring Emotet reported instances of the malware deploying the Cobalt Strike intrusion tool.\r\nIn February 2022, other researchers reported Cobalt Strike deployment within 5 hours of an Emotet infection originating from the Epoch 5 botnet.\r\nThe direct deployment of the intrusion tool is a concern considering its use in hands-on intrusions linked to ransomware deployment and extortion attacks. Deploying the tool directly expedites network intrusion actions, requiring defenders to act swiftly to contain patient zero or risk the attacker expanding the scope of their access.\r\neSentire security teams have identified and disrupted multiple Emotet infections across our customers in recent weeks, none of which escalated to Cobalt Strike deployment. These incidents followed the typical Emotet trajectory: macro-laced Office files arriving via email, resulting in code execution through VBScript and PowerShell.\r\nHow did we find it?\r\nRecent activity has been identified through a mix of threat hunting activity and detections from BlueSteel, our machine-learning PowerShell classifier.\r\nhttps://www.esentire.com/blog/increase-in-emotet-activity-and-cobalt-strike-deployment\r\nPage 1 of 5\r\nWhat did we do?\r\nIn instances where Emotet activity was identified, our team of 24/7 SOC Cyber Analysts isolated the host(s) and worked with the customer to remediate the threat. TRU deployed additional detection content based on the analysis of recent incident observations.\r\nWhat can you learn from this TRU positive?\r\nGiven the threat of the direct deployment of Cobalt Strike, rapid identification and containment of hosts infected with Emotet is critical now more than ever. Infected systems should be examined for the presence of Cobalt Strike or other follow-on malware. Emotet stores a copy of itself and Cobalt Strike in C:\\Users\\user\\AppData\\Local\\Temp\\random-directory-name\\.\r\nRecommendations from our Threat Response Unit (TRU) Team:\r\nLoader malware attempts to install other malware, so the first priority should be to identify and investigate the presence of follow-on malware on systems. In addition, we recommend:\r\nEmploy email filtering and protection measures.\r\nBlock or quarantine email attachments such as EXEs, password-protected ZIPs, JavaScript and Visual Basic scripts.\r\nImplement anti-spoofing measures such as DMARC and SPF.\r\nEmploy an MFA solution to reduce the impact of compromised credentials.\r\nTrain users to identify and report suspicious emails and documents, even if already opened.\r\nProtect your endpoints against malware.\r\nEnsure antivirus signatures are up to date.\r\nUse a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) product to detect and contain threats.\r\nLimit or disable macros across the organization. See the UK's National Cyber Centre guidance on Macro Security.\r\nAsk Yourself…\r\nIs your malware identification and remediation process agile enough to disrupt follow-on attacks stemming from loader malware?\r\nIf you’re not currently engaged with a Managed Detection and Response provider, we highly recommend you partner with us for security services in order to disrupt threats before they impact your business.\r\nWant to learn more? Connect with an eSentire Security Specialist.\r\nTo learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next Level MDR, connect with an eSentire Security Specialist now.\r\nABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)\r\nThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.\r\nSource: https://www.esentire.com/blog/increase-in-emotet-activity-and-cobalt-strike-deployment",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.esentire.com/blog/increase-in-emotet-activity-and-cobalt-strike-deployment"
	],
	"report_names": [
		"increase-in-emotet-activity-and-cobalt-strike-deployment"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434392,
	"ts_updated_at": 1775826708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c83210fdf31ba8e79539e61206476af3fea4721b.pdf",
		"text": "https://archive.orkl.eu/c83210fdf31ba8e79539e61206476af3fea4721b.txt",
		"img": "https://archive.orkl.eu/c83210fdf31ba8e79539e61206476af3fea4721b.jpg"
	}
}