{
	"id": "a981391d-12a1-44df-b88c-f1a204f4b814",
	"created_at": "2026-04-06T00:22:26.795499Z",
	"updated_at": "2026-04-10T03:20:21.894682Z",
	"deleted_at": null,
	"sha1_hash": "d502393bf956055bc335f0b5b8295e7ce51fccff",
	"title": "Emotet Awakens With New Campaign of Mass Email Exfiltration",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 247506,
	"plain_text": "Emotet Awakens With New Campaign of Mass Email Exfiltration\r\nPublished: 2018-10-31 · Archived: 2026-04-05 17:14:34 UTC\r\nThe Emotet malware family just raised the stakes by adding email exfiltration to its arsenal, thereby escalating its capabilities to cyber espionage. While it has recently made headlines for delivering ransomware payloads to United States infrastructure such as water utilities, Emotet has lain mostly dormant for the past month. In the past days, however, the mummy has returned just in time for Halloween, as we observed a new module capable of exfiltrating email content back to the botnet’s operators.\r\nThis new capability effectively turns every existing Emotet infection that has access to email into a collection point, sending mail going back 180 days in history back to the attacker.\r\nThis post will examine the new threat payload enabling Emotet mass email capture, examine the exfiltration process, and observe its global distribution.\r\nEven protected systems can be infected by this advanced malware. Be sure to check out Telltale, our free victim notification service, if you wish to check whether your organization has been infected.\r\nA Brief Overview of Emotet’s Email Harvesting Module\r\nPrevious Emotet modules already used the Outlook Messaging API (MAPI) to steal contact lists. This API is, essentially, an interface that allows an application to become email-ready. The most common cases of MAPI usage are Simple MAPI, included in Windows as part of the default Windows Live email client, or the full MAPI as used by Outlook and Exchange. In other words, this API gives an application access to email, if Windows is adequately configured.\r\nThis configuration is the first thing checked by this module. In particular, the registry key HKLM\\Software\\Clients\\Mail\\Microsoft Outlook is accessed, and the value DllPathEx (the path to the mapi32.dll module) is expected to be defined. If it is not, the module does not proceed. Note that the registry key is pretty specific: there are other plausible keys, such as HKLM\\Software\\Clients\\Mail\\Windows Mail, that this module simply does not care about.\r\nMore specifically, for each email, the previous module queried:\r\n- Sender name and email;\r\n- Destination name and email.\r\nThe new module (6cd44f2d00b43d80c08922d99d51cce804a59a54), however, is more thorough, and also includes email subjects and bodies. It will crawl every email of every subfolder in the interpersonal message (IPM) root folder, and:\r\n- Verify whether the email has been sent/received (PR_MESSAGE_DELIVERY_TIME) in the last 100e-9 * 15552000000 * 10000 / 3600 / 24 = 180 days;\r\nhttps://www.kryptoslogic.com/blog/2018/10/emotet-awakens-with-new-campaign-of-mass-email-exfiltration/\r\nPage 1 of 4\r\n- If so, obtain its sender (PR_SENDER_NAME_W, PR_SENDER_EMAIL_ADDRESS_W), destination (PR_RECEIVED_BY_NAME_W, PR_RECEIVED_BY_EMAIL_ADDRESS_W), subject (PR_SUBJECT_W) and body (PR_BODY_W);\r\n- If the body is longer than 16384 characters, truncate it to this size and append the string \"...\".\r\nA structure containing the above email information is then added to a global linked list which, upon termination, is written in Base64 encoding to a temporary file.\r\nHow Emotet Actors Are Harvesting Your Emails\r\n[Figure: Steps]\r\nIt is important to emphasize that this module can be deployed on any existing Emotet-infected system (see Telltale global threat tracking below) and begin to harvest emails and send them back to the actor. In other words, Emotet will likely, over the next few days, harvest countless emails across tens of thousands of actively infected systems.\r\nHere is how the process works (see also picture above):\r\n1. An infected Emotet loads the module DLL from the command and control (C2) server, and this DLL injects the payload binary into a new Emotet process;\r\n2. As described above, the new process scans all the emails, and saves the results to a temporary file;\r\n3. The original module DLL waits for this payload to finish (or kills it after 300 seconds), then reads the temporary file in its entirety;\r\n4. The original DLL issues an HTTP request using the WinINet API, which sends the temporary file, if it is bigger than 116 bytes, to the C2 server.\r\n[Figure: Telltale global threat tracking of Emotet] Tracking of Emotet Infections Worldwide. Even the whales appear infected.\r\nConclusion\r\nEmotet was already a serious threat, incurring costs of up to 1 million dollars for a single incident, and recently unleashing ransomware on Onslow Water and Sewer Authority and other U.S. cities. The United States is by a wide margin the most affected country, which is consistent with our earlier report on Emotet. While Emotet’s operators may have simply moved to server-side extraction, harvesting data in mass provides a weaponized data-driven analytical capability which should not be underestimated, given how effective surgical email leaks have been in the recent past.\r\nProtecting against this actor is non-trivial. Emotet is arguably one of the most advanced botnets ever created. These actors appear to be attentive to designing and maintaining very resilient and efficient distribution systems. Enterprises should be thinking about how to immediately reduce their risk exposure and act on this actionable intelligence. We’d like to thank our information sharing friends and intelligence partners, including Tim Davies.\r\nSource: https://www.kryptoslogic.com/blog/2018/10/emotet-awakens-with-new-campaign-of-mass-email-exfiltration/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.kryptoslogic.com/blog/2018/10/emotet-awakens-with-new-campaign-of-mass-email-exfiltration/"
	],
	"report_names": [
		"emotet-awakens-with-new-campaign-of-mass-email-exfiltration"
	],
	"threat_actors": [],
	"ts_created_at": 1775434946,
	"ts_updated_at": 1775791221,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d502393bf956055bc335f0b5b8295e7ce51fccff.pdf",
		"text": "https://archive.orkl.eu/d502393bf956055bc335f0b5b8295e7ce51fccff.txt",
		"img": "https://archive.orkl.eu/d502393bf956055bc335f0b5b8295e7ce51fccff.jpg"
	}
}