{
	"id": "9ace854f-104f-4f6f-83b8-416b7bbe0f8d",
	"created_at": "2026-04-06T00:19:54.07843Z",
	"updated_at": "2026-04-10T03:35:43.34819Z",
	"deleted_at": null,
	"sha1_hash": "dba6379ff47fa7e1265386ded205f1a063d0c41d",
	"title": "Emotet Malware Tests New Delivery Techniques | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 272360,
	"plain_text": "Emotet Malware Tests New Delivery Techniques | Proofpoint US\r\nBy Axel F, April 26, 2022\r\nPublished: 2022-04-25 · Archived: 2026-04-02 12:02:26 UTC\r\nKey Findings\r\nProofpoint identified low-volume Emotet malware activity that differed drastically from typical Emotet threat behaviors.\r\nThe activity occurred while Emotet was on a “spring break,” not conducting its typical high-volume threat campaigns. The threat actor has since resumed its typical activity.\r\nProofpoint assesses that the threat group distributing Emotet is likely testing new tactics, techniques, and procedures (TTPs) on a small scale before adopting them in broader campaigns, or is deploying them in parallel with the broad campaigns.\r\nThe messages contained OneDrive URLs that hosted a zip archive containing XLL files dropping Emotet malware.\r\nThis activity is attributed to TA542.\r\nOverview\r\nEmotet is a prolific botnet and trojan that targets Windows platforms to distribute follow-on malware. It was considered one of the most prolific cybercriminal threats before its disruption by global law enforcement in January 2021.\r\nIn November 2021, 10 months after its disappearance from the threat landscape, Proofpoint observed a reemergence of this notorious botnet, and since then the group associated with Emotet, TA542, has targeted thousands of customers with tens of thousands of messages in multiple geographic regions. In some cases, the message volume reaches over one million per campaign.\r\nHowever, the new activity observed by Proofpoint is a departure from the group's typical behaviors and indicates it is testing new attack techniques on a small scale before adopting them for larger-volume campaigns. Alternatively, these new TTPs may indicate that TA542 is now engaged in more selective and limited attacks in parallel to the typical massive-scale email campaigns.\r\nActivity Details\r\nProofpoint detected a low volume of emails distributing Emotet malware. The sender email accounts appeared to be compromised; the emails were not sent by the Emotet spam module. The subjects were simple and contained one word, such as \"Salary\". The email bodies contained only OneDrive URLs and no other content. The OneDrive URLs hosted zip files containing Microsoft Excel Add-in (XLL) files.\r\nThe zip archives and XLL files used the same lures as the email subjects, such as “Salary_new.zip.” This particular archive contained four copies of the same XLL file with names such as “Salary_and_bonuses-04.01.2022.xll”. The XLL files, when executed, drop and run an Emotet payload belonging to the Epoch 4 botnet.\r\nFigure 1: Example OneDrive URL hosting a zip archive\r\nThe identified activity differs from previously observed Emotet malware campaigns in the following ways:\r\nThe low-volume nature of the activity. Typically, Emotet distributes high-volume email campaigns to many customers globally, with some campaigns in recent weeks hitting one million messages total.\r\nThe use of OneDrive URLs. Typically, Emotet delivers Microsoft Office attachments or URLs (hosted on compromised sites) linking to Office files.\r\nThe use of XLL files. Typically, Emotet uses Microsoft Excel or Word documents containing VBA or XL4 macros. XLLs are a type of dynamic link library (DLL) file for Excel and are designed to extend the functionality of the application.\r\nNevertheless, Proofpoint analysts attribute this activity with high confidence to threat actor TA542 because the actor has closely controlled the Emotet malware since 2014 and has not rented it to other actors.\r\nAdditional Context\r\nProofpoint observed the activity at a time when the widespread Emotet malware campaigns were on pause (a “spring break”) between April 4, 2022, and April 19, 2022. Emotet has since resumed its high-volume campaigns. Proofpoint researchers assess that while on the break, TA542 continued development and testing of new attack vectors, specifically OneDrive URLs and XLL files, in preparation for using them on a wider scale. Alternatively, these new TTPs may indicate that TA542 is now engaged in more selective and limited-scale attacks in parallel to the typical mass-scale email campaigns.\r\nFigure 2: Plot of Emotet email volumes since November 2021\r\nAdditionally, it is notable that TA542 is interested in new techniques that do not rely on macro-enabled documents, as Microsoft is making it increasingly difficult for threat actors to use macros as an infection vector. In February, Microsoft announced it would begin blocking Visual Basic for Applications (VBA) macros obtained from the internet by default in April. This follows Microsoft’s announcement to disable XL4 macros in 2021. 
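Because an XLL is a native DLL rather than a macro document, the controls that catch Emotet's usual Office lures do not apply, and the add-in route needs its own triage. The following Python script is an added example written for this page, not Proofpoint's or TA542's code: it unpacks an archive like Salary_new.zip, flags members that are PE images carrying the add-in entry points Excel calls when it loads an XLL (xlAutoOpen and friends), counts duplicate members (the observed archive held four copies of one file), matches SHA256 values against the IOC table at the end of the post, and applies the message-level heuristic from the Activity Details section (one-word subject, body that is nothing but a OneDrive URL). The sample archive, its fake XLL and the member file names are constructed here; the string match on export names is a heuristic that a packed or obfuscated sample could evade, so treat a miss as inconclusive rather than clean.

```python
# Added example (not Proofpoint's code): triage a downloaded zip for XLL
# add-ins and match members against the IOC hashes published in this post.
# The sample archive, the fake XLL and the file names are constructed here.
import hashlib
import io
import re
import zipfile
from collections import Counter

# SHA256 values taken from the IOC table of the post.
IOC_SHA256 = {
    '2da9fa07fef0855b4144b70639be4355507612181f9889960253f61eddaa47aa',  # Salary_new.zip
    'f83e9f85241d02046504d27a22bfc757ea6ff903e56de0a617c8d32d9f1f8411',  # Salary_and_bonuses-01.01.2022.xll
    '8ee2296a2dc8f15b374e72c21475216e8d20d4e852509beb3cff9e454f4c28d1',  # Emotet payload
}

# Excel calls these exported entry points when it loads an add-in, so their
# names appear in the export table of any unpacked XLL.
XLL_EXPORTS = (b'xlAutoOpen', b'xlAutoClose', b'xlAddInManagerInfo')

# Body-only OneDrive link, as described in the post (no other content).
ONEDRIVE_URL = re.compile(r'^https?://(1drv[.]ms|onedrive[.]live[.]com)/[^ ]+$')


def inspect_member(name, data):
    # Per-file verdict: a PE image (MZ header) that also carries the Excel
    # add-in entry points is treated as an XLL regardless of its extension.
    is_pe = data[:2] == b'MZ'
    exports = [e.decode() for e in XLL_EXPORTS if e in data]
    return {
        'name': name,
        'sha256': hashlib.sha256(data).hexdigest(),
        'is_pe': is_pe,
        'xll_exports': exports,
        'is_xll': is_pe and bool(exports),
        # A PE image hiding behind a non-executable extension is worth a look.
        'ext_mismatch': is_pe and not name.lower().endswith(('.xll', '.dll', '.exe')),
    }


def triage_archive(zip_bytes, ioc_hashes=IOC_SHA256):
    # Returns (archive hash is a known IOC, per-member findings). Duplicate
    # members are each reported and tagged with how often the same bytes occur.
    archive_hash = hashlib.sha256(zip_bytes).hexdigest()
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings.append(inspect_member(info.filename, zf.read(info)))
    copies = Counter(f['sha256'] for f in findings)
    for f in findings:
        f['copies'] = copies[f['sha256']]
        f['ioc_hit'] = f['sha256'] in ioc_hashes
    return archive_hash in ioc_hashes, findings


def looks_like_campaign_message(subject, body):
    # Message-level heuristic from the post: a one-word subject and a body
    # that consists solely of a OneDrive link.
    one_word = len(subject.split()) == 1
    return one_word and ONEDRIVE_URL.match(body.strip()) is not None


def build_sample_archive():
    # Constructed stand-in for Salary_new.zip: four copies of one fake XLL
    # (an MZ header followed by the add-in export names) plus a benign file.
    fake_xll = b'MZ' + bytes(62) + b'xlAutoOpen' + bytes(6) + b'xlAutoClose'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        for i in range(1, 5):
            zf.writestr('Salary_and_bonuses-04.01.2022 (%d).xll' % i, fake_xll)
        zf.writestr('readme.txt', b'see attached')
    return buf.getvalue()


if __name__ == '__main__':
    hit, findings = triage_archive(build_sample_archive())
    print('archive hash is a known IOC:', hit)
    for f in findings:
        kind = 'XLL' if f['is_xll'] else 'other'
        print(f['name'], kind, f['copies'], 'copies', f['xll_exports'], 'ioc' if f['ioc_hit'] else '')
    print('campaign-shaped message:', looks_like_campaign_message('Salary', 'https://1drv.ms/u/s!example'))
```

The constructed archive will not hash to any of the published IOCs, so the IOC flags stay false on the sample; on a real download they are the first thing to check, and the export-name and duplicate-member checks are what catch a re-hashed variant.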
Typically, threat actors including TA542 that use macro-enabled attachments rely on social engineering to convince a recipient that the content is trustworthy and that enabling macros is necessary to view it.\r\nIndicators of Compromise (IOC)\r\nIndicator | Description\r\nhttps[:]//1drv[.]ms/u/s!AnTRAbuGZ8jie3V-jtcrv7-8xx0 | Example URL leading to zipped XLL\r\n2da9fa07fef0855b4144b70639be4355507612181f9889960253f61eddaa47aa | SHA256 of Salary_new.zip\r\nf83e9f85241d02046504d27a22bfc757ea6ff903e56de0a617c8d32d9f1f8411 | SHA256 of Salary_and_bonuses-01.01.2022.xll\r\n8ee2296a2dc8f15b374e72c21475216e8d20d4e852509beb3cff9e454f4c28d1 | SHA256 of Emotet payload (ezesqrmrsbhftab.lft)\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/emotet-tests-new-delivery-techniques",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/emotet-tests-new-delivery-techniques"
	],
	"report_names": [
		"emotet-tests-new-delivery-techniques"
	],
	"threat_actors": [
		{
			"id": "e8e18067-f64b-4e54-9493-6d450b7d40df",
			"created_at": "2022-10-25T16:07:24.515213Z",
			"updated_at": "2026-04-10T02:00:05.018868Z",
			"deleted_at": null,
			"main_name": "Mummy Spider",
			"aliases": [
				"ATK 104",
				"Gold Crestwood",
				"Mummy Spider",
				"TA542"
			],
			"source_name": "ETDA:Mummy Spider",
			"tools": [
				"Emotet",
				"Geodo",
				"Heodo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "506404b2-82fb-4b7e-b40d-57c2e9b59f40",
			"created_at": "2023-01-06T13:46:38.870883Z",
			"updated_at": "2026-04-10T02:00:03.128317Z",
			"deleted_at": null,
			"main_name": "MUMMY SPIDER",
			"aliases": [
				"TA542",
				"GOLD CRESTWOOD"
			],
			"source_name": "MISPGALAXY:MUMMY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ac83159-1d9d-4db4-a176-97be6b7b07c9",
			"created_at": "2024-06-19T02:03:08.024653Z",
			"updated_at": "2026-04-10T02:00:03.672512Z",
			"deleted_at": null,
			"main_name": "GOLD CRESTWOOD",
			"aliases": [
				"Mummy Spider ",
				"TA542 "
			],
			"source_name": "Secureworks:GOLD CRESTWOOD",
			"tools": [
				"Emotet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434794,
	"ts_updated_at": 1775792143,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dba6379ff47fa7e1265386ded205f1a063d0c41d.pdf",
		"text": "https://archive.orkl.eu/dba6379ff47fa7e1265386ded205f1a063d0c41d.txt",
		"img": "https://archive.orkl.eu/dba6379ff47fa7e1265386ded205f1a063d0c41d.jpg"
	}
}