{
	"id": "75ab84a7-48d2-457d-a372-3abe5a67401d",
	"created_at": "2026-04-06T00:08:35.507831Z",
	"updated_at": "2026-04-10T03:20:34.361181Z",
	"deleted_at": null,
	"sha1_hash": "d4e980cdfa10353cec1bc56d303ab7495df7dc37",
	"title": "Rebirth of Emotet: New Features of the Botnet and How to Detect it",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 173912,
	"plain_text": "Rebirth of Emotet: New Features of the Botnet and How to Detect it\r\nBy The Hacker News\r\nPublished: 2022-02-28 · Archived: 2026-04-05 13:24:10 UTC\r\nOne of the most dangerous and infamous threats is back again. In January 2021, global officials took down the botnet. Law enforcement sent a destructive update to Emotet's executables, and it looked like the end of the trojan's story.\r\nBut the malware never ceased to surprise.\r\nIn November 2021, it was reported that TrickBot no longer works alone and delivers Emotet. ANY.RUN and colleagues in the industry were among the first to notice the emergence of Emotet's malicious documents.\r\nhttps://thehackernews.com/2022/02/reborn-of-emotet-new-features-of-botnet.html\r\nPage 1 of 5\r\nFirst Emotet malicious documents\r\nAnd this February, we can see a very active wave, with crooks running numerous attacks and hitting the top of the rankings. If you are interested in this topic or are researching malware, you can make use of ANY.RUN, the interactive sandbox for the detection and analysis of cyber threats.\r\nLet's look at the changes that this disruptive malware brought with its new version.\r\nEmotet history\r\nEmotet is a sophisticated, constantly changing modular botnet. In 2014 the malware was just a trivial banking trojan. Since then it has acquired different features, modules, and campaigns:\r\n2014. Money transfer, mail spam, DDoS, and address book stealing modules.\r\n2015. Evasion functionality.\r\n2016. Mail spam, RIG 4.0 exploit kit, delivery of other trojans.\r\n2017. A spreader and address book stealer module.\r\nIts polymorphic nature and numerous modules allow Emotet to avoid detection. The team behind the malware constantly changes its tactics, techniques, and procedures to make existing detection rules useless. It downloads extra payloads in numerous steps to stay on the infected system. This behavior makes the malware nearly impossible to get rid of. It spreads fast, creates misleading indicators, and adapts to the attackers' needs.\r\nAnd on November 14, 2021, Emotet was reborn with a new version.\r\nWhy was Emotet reborn?\r\nThroughout Emotet's history, it took several breaks. But after the global police operations in January 2021, we were confident it would be gone for good. Joint enforcement arrested several gang members, took over servers, and destroyed backups.\r\nNevertheless, the botnet came back even more robust. It is skillful at evasion techniques and uses several ways to compromise networks, making it as dangerous as it used to be.\r\nIt was tracked that TrickBot tried to download a dynamic link library (DLL) to the system. The DLLs turned out to be Emotet, and researchers later confirmed the fact.\r\nIn 2021, after the comeback, Emotet was in the top 3 of uploads to the ANY.RUN sandbox. Even after such a long break, it is still popular. All statistics on Emotet trends are available in Malware Trends Tracker, and the numbers are based on public submissions.\r\nTop malware uploads for the last week\r\nNo wonder, now that its operations are back on the rails, ANY.RUN's database gets almost 3 thousand malicious samples per week. It is getting clear that you need to be ready for this kind of attack at any time.\r\nWhat new features has Emotet acquired?\r\nThe trojan is already a serious threat to any company. Knowing about all malware updates can help avoid such a threat and stay cautious. Let's investigate what features the new version brings and how it differs from the previous ones.\r\nTemplates\r\nEmotet campaigns begin with a malspam email that contains malicious Office documents (weaponized Microsoft Office documents) or hyperlinks attached to the phishing email, which is widely distributed and lures victims into opening malicious attachments. The weaponized Microsoft Office document has VBA code and an AutoOpen macro for its execution. The Emotet group lures its victims into enabling the macros, and this is the only user interaction required to initiate the attack. This user interaction allows bypassing sandbox tests and verifications.\r\nEmotet distributes itself through malicious email campaigns that usually consist of Office documents, and the malware gets very creative with the templates of its maldocs. The botnet constantly changes them: it imitates program updates, messages, and files. The content embeds the obfuscated VBA macro and builds different execution chains. The authors behind the malware trick users into enabling macros to start the attack.\r\nThe new version also has a twist. In summer 2020, Emotet used a doc with an Office 365 message. The image remains unchanged, but it switched to the XLS format. Also, this new version was the first to use hexadecimal and octal formats to represent the IP address from which the second stage was downloaded. The technique was later changed again, and the crooks no longer use the hex-encoded IP to download the payload.\r\nEmotet templates in February\r\nNew techniques\r\nEmotet keeps raising the bar as a polymorphic creature by acquiring new techniques. The latest malware version has come up with some minor changes in tactics: it leverages MSHTA again. In general, Macro 4.0 leverages Excel to run either CMD, Wscript, or PowerShell, which starts another process such as MSHTA or one of those mentioned above that downloads the main payload and runs it via rundll32.\r\nThe botnet is keen on masking malicious strings and content like URLs, IPs, commands, or even shellcode. But sometimes you can grab the list of URLs and IPs from the file's script. You can definitely find it yourself in ANY.RUN's Static Discovering – just give it a try!\r\nURLs list from the Emotet's fake PNG file\r\nCompanions\r\nWe know that Emotet usually drops other malware to worsen the infection. In November, it was identified that the botnet delivered the TrickBot banking trojan to the compromised hosts.\r\nCurrently, we can see that Emotet works with Cobalt Strike. It is a C2 framework used by penetration testers and criminals alike. Having Cobalt Strike in the scenario means that the time between the initial infection and a ransomware attack shortens significantly.\r\nA list of Cobalt Strike IOCs from Emotet infection\r\nProcess tree\r\nThe chain of execution also got some modifications. In most cases, we can see a CMD child process, PowerShell, and Rundll32, and various samples prove that the authors prefer to mix processes, constantly changing their order. The main goal behind it is to avoid detection by rulesets that identify a threat by the child processes of an application.\r\nEmotet process tree\r\nCommand-line\r\nEmotet switched from EXE files to DLLs a long time ago, so the main payload runs under Rundll32. The abundant use of PowerShell and CMD remains unchanged:\r\nEmotet command-line\r\nHow to detect and protect against Emotet?\r\nIf you need a fast and convenient way to get complete information on an Emotet sample, use modern tools. The ANY.RUN interactive sandbox allows monitoring processes in real time and receiving all necessary data immediately.\r\nSuricata rulesets successfully identify different malicious programs, including Emotet. Moreover, the Fake net feature reveals the C2 links of a malicious sample. This functionality also helps gather the malware's IOCs.\r\nEmotet samples come and go, and it is hard to keep up with them. So we advise you to check out fresh samples that are updated daily in our public submissions.\r\nEmotet proves to be a beast among the most dangerous cyber threats in the wild. The malware improves its functionality and works on evading detection. That is why it is essential to rely on effective tools like ANY.RUN.\r\nEnjoy malware hunting!\r\nThis article is a contributed piece from one of our valued partners.\r\nSource: https://thehackernews.com/2022/02/reborn-of-emotet-new-features-of-botnet.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://thehackernews.com/2022/02/reborn-of-emotet-new-features-of-botnet.html"
	],
	"report_names": [
		"reborn-of-emotet-new-features-of-botnet.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434115,
	"ts_updated_at": 1775791234,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d4e980cdfa10353cec1bc56d303ab7495df7dc37.pdf",
		"text": "https://archive.orkl.eu/d4e980cdfa10353cec1bc56d303ab7495df7dc37.txt",
		"img": "https://archive.orkl.eu/d4e980cdfa10353cec1bc56d303ab7495df7dc37.jpg"
	}
}