{
	"id": "cfed19dc-917b-4945-9327-3954bf4eb7bc",
	"created_at": "2026-04-06T03:37:06.568256Z",
	"updated_at": "2026-04-10T03:35:43.339479Z",
	"deleted_at": null,
	"sha1_hash": "d4f8ca8c15a948ae0aa2cbb858e71c45dc761360",
	"title": "Authorities Ramp Up Efforts to Capture the Mastermind Behind Emotet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 755455,
	"plain_text": "Authorities Ramp Up Efforts to Capture the Mastermind Behind Emotet\r\nBy The Hacker News\r\nPublished: 2024-06-03 · Archived: 2026-04-06 02:11:56 UTC\r\nLaw enforcement authorities behind Operation Endgame are seeking information related to an individual who goes by the name Odd and is allegedly the mastermind behind the Emotet malware.\r\nOdd is also said to have gone by the nicknames Aron, C700, Cbd748, Ivanov Odd, Mors, Morse, and Veron over the past few years, according to a video released by the agencies.\r\n\"Who is he working with? What is his current product?,\" the video continues, suggesting that he is likely not acting alone and may be collaborating with others on malware other than Emotet.\r\nThe threat actor(s) behind Emotet have been tracked by the cybersecurity community under the monikers Gold Crestwood, Mealybug, Mummy Spider, and TA542.\r\nOriginally conceived as a banking trojan, Emotet evolved into a broader-purpose loader capable of delivering other payloads, along the lines of malware such as TrickBot, IcedID, QakBot, and others. It re-emerged in late 2021, albeit as part of low-volume campaigns, following a law enforcement operation that shut down its infrastructure.\r\nAs recently as March 2023, attack chains distributing an updated version of the malware were found to leverage Microsoft OneNote email attachments in an attempt to bypass security restrictions. No new Emotet-related activity has been observed in the wild since the start of April 2023.\r\nThe call follows a sweeping coordination effort that saw four arrests and over 100 servers associated with malware loader operations such as IcedID, SystemBC, PikaBot, SmokeLoader, Bumblebee, and TrickBot taken down in an effort to stamp out the initial access broker (IAB) ecosystem that feeds ransomware attacks.\r\nGermany's Federal Criminal Police Office (aka the Bundeskriminalamt) has also revealed the identities of eight cyber criminals who are believed to have played crucial roles in the SmokeLoader (aka Dofoil and Smoke) and TrickBot malware operations. They have all since been added to the E.U. Most Wanted List.\r\n\"All these malicious services were in the arsenal of such Russian cybercrime organizations as BlackBasta, REvil, Conti and helped them attack dozens of Western companies, including medical institutions,\" the National Police of Ukraine (NPU) said in a statement.\r\nCyber attacks involving these malware families have relied on compromised accounts to target victims and propagate malicious emails, with the botnet operators using stolen credentials, obtained via remote access trojans (RATs) and information stealers, to gain initial access into networks and organizations.\r\nData shared by Swiss cybersecurity firm PRODAFT with The Hacker News in the wake of the operation shows that criminal actors on underground forums like XSS.IS are on alert, with the moderator, codenamed bratva, urging others to be careful and check whether their virtual private servers (VPSes) went down between May 27 and 29, 2024.\r\nBratva has also been found sharing the names of the eight people that the Bundeskriminalamt revealed, while noting that Operation Endgame is one of the \"far-going consequences of leaked Conti [ransomware] logs.\"\r\nOther actors took to the forum to wonder out loud as to who might have leaked the chats and raised the possibility of a \"rat\" who is working with law enforcement. They also claimed that Romania and Switzerland would not share data about criminal actors residing within their borders unless it's an \"extreme threat\" like terrorism.\r\n\"[The] FBI can raid anything under saying its [sic] 'terrorism,\" one user who goes by the alias phant0m said.\r\nSource: https://thehackernews.com/2024/06/authorities-ramp-up-efforts-to-capture.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://thehackernews.com/2024/06/authorities-ramp-up-efforts-to-capture.html"
	],
	"report_names": [
		"authorities-ramp-up-efforts-to-capture.html"
	],
	"threat_actors": [
		{
			"id": "e8e18067-f64b-4e54-9493-6d450b7d40df",
			"created_at": "2022-10-25T16:07:24.515213Z",
			"updated_at": "2026-04-10T02:00:05.018868Z",
			"deleted_at": null,
			"main_name": "Mummy Spider",
			"aliases": [
				"ATK 104",
				"Gold Crestwood",
				"Mummy Spider",
				"TA542"
			],
			"source_name": "ETDA:Mummy Spider",
			"tools": [
				"Emotet",
				"Geodo",
				"Heodo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "506404b2-82fb-4b7e-b40d-57c2e9b59f40",
			"created_at": "2023-01-06T13:46:38.870883Z",
			"updated_at": "2026-04-10T02:00:03.128317Z",
			"deleted_at": null,
			"main_name": "MUMMY SPIDER",
			"aliases": [
				"TA542",
				"GOLD CRESTWOOD"
			],
			"source_name": "MISPGALAXY:MUMMY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ac83159-1d9d-4db4-a176-97be6b7b07c9",
			"created_at": "2024-06-19T02:03:08.024653Z",
			"updated_at": "2026-04-10T02:00:03.672512Z",
			"deleted_at": null,
			"main_name": "GOLD CRESTWOOD",
			"aliases": [
				"Mummy Spider ",
				"TA542 "
			],
			"source_name": "Secureworks:GOLD CRESTWOOD",
			"tools": [
				"Emotet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775446626,
	"ts_updated_at": 1775792143,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d4f8ca8c15a948ae0aa2cbb858e71c45dc761360.pdf",
		"text": "https://archive.orkl.eu/d4f8ca8c15a948ae0aa2cbb858e71c45dc761360.txt",
		"img": "https://archive.orkl.eu/d4f8ca8c15a948ae0aa2cbb858e71c45dc761360.jpg"
	}
}