{
	"id": "90c989e3-fd3d-49ae-8064-becaead15f18",
	"created_at": "2026-04-06T00:18:19.654787Z",
	"updated_at": "2026-04-10T03:21:10.482166Z",
	"deleted_at": null,
	"sha1_hash": "e320a38742a509ce05c75103bafe5b3fb9cd8de6",
	"title": "THREAT ALERT: Emotet Targeting Japanese Organizations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 294836,
	"plain_text": "THREAT ALERT: Emotet Targeting Japanese Organizations\r\nBy Cybereason Global SOC Team\r\nArchived: 2026-04-05 20:06:59 UTC\r\nThe Cybereason Global Security Operations Center (SOC) issues Cybereason Threat Alerts to inform customers of emerging, impactful threats. The Alerts summarize these threats and provide practical recommendations for protecting against them.\r\nWhat's Happening?\r\nThe Cybereason GSOC is investigating a significant surge of infections with the Emotet malware in Japan. In the last quarter of 2021, for the first time since early 2021, when authorities disrupted the infrastructure of Emotet operators, the Cybereason GSOC observed global attack campaigns that involved a then-new variant of Emotet. The surge of Emotet targeting Japanese organizations in the first quarter of 2022 is a continuation of the earlier Emotet activity, with some changes in the malware deployment process.\r\nKey Observations\r\nThe Emotet malware poses a significant threat to users’ privacy and security. There is a very high rate of infections with the Emotet malware in Japan in the first quarter of 2022.\r\nIn contrast to the Emotet attack scenarios that the Cybereason GSOC observed in the last quarter of 2021, the scenarios that the Cybereason GSOC is observing at the time of writing this article do not involve PowerShell for deploying Emotet on systems.\r\nThe Cybereason XDR Platform detects and prevents the Emotet malware.\r\nAnalysis\r\nMalicious actors distribute Emotet as attachments (Microsoft Excel documents) to phishing emails. The Excel documents store malicious Office macros that distribute Emotet. When the Office macros execute, the macros establish a connection to an attacker-controlled endpoint to download the Emotet malware.\r\nEmotet typically arrives from the attacker-controlled endpoint in the form of a dynamic-link library (DLL) file that the macros store as a file with the filename extension .ocx, such as xxw1.ocx or enu.ocx. The Office macros use the regsvr32 Windows utility to execute Emotet (the DLL file with the extension .ocx) through the DllRegisterServer DLL entry point. Emotet then copies the Emotet DLL file to a file with a random filename that is stored:\r\nIn the user’s %AppData% folder, if Emotet executes with normal user privileges, such as C:\\Users\\user\\AppData\\Local\\Jcvshzvga\\xfofujkytigar.pum.\r\nhttps://www.cybereason.com/blog/threat-alert-emotet-targeting-japanese-organizations\r\nPage 1 of 6\n\nIn the %SystemRoot%\\SYSWOW64 folder, if Emotet executes with administrative privileges, such as C:\\Windows\\SysWOW64\\Fkyrhqgbvmjinn\\nugiehweexgz.liz.\r\nEmotet then executes the copied Emotet DLL file with the regsvr32 Windows utility. We observed that regsvr32 maps the Emotet DLL under the internal name of Y.dll. Users of the Cybereason XDR Platform can view this name as the name of a module that executes in the context of regsvr32:\r\nrundll32 maps an Emotet DLL file under the internal name of Y.dll as seen in the Cybereason XDR Platform\r\nWe emphasize that in contrast to the Emotet attack scenarios that the Cybereason GSOC observed in the last quarter of 2021, the scenarios that the Cybereason GSOC is observing at the time of writing this article (the first quarter of 2022) do not involve PowerShell for deploying Emotet on systems.\r\nWhen Emotet executes on a compromised system, the malware first establishes persistence by creating system services that start at system startup or by creating registry values under the HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run registry key:\r\nEmotet (DLL file: xfofujkytigar.pum) establishes persistence on a compromised system as seen in the Cybereason XDR Platform\r\nEmotet then executes processes that conduct malicious activities, such as reconnaissance (for example, ipconfig.exe or systeminfo.exe) or stealing web and email credentials from client credential databases. For example, as we discussed in previous research, Emotet uses the keyword scomma in the command line to execute WebBrowserPassView, a tool that steals web credentials from browser credential databases.\r\nMost of the processes that Emotet executes have random names and are child processes of the regsvr32 process that executes Emotet:\r\nEmotet executes processes that conduct malicious activities (Emotet executes the WebBrowserPassView tool) as seen in the Cybereason XDR Platform\r\nCybereason Recommendations\r\nThe Cybereason XDR Platform detects and prevents the Emotet malware. Cybereason recommends the following:\r\nSecurely handle email messages and attachments that originate from external sources. This includes investigating email message content to identify phishing attempts.\r\nUse secure passwords, regularly rotate passwords, and use multi-factor authentication where possible.\r\nIn the Cybereason XDR Platform, enable Application Control to block the execution of malicious files.\r\nThreat Hunting with Cybereason: The Cybereason MDR team provides its customers with custom hunting queries for detecting specific threats - to find out more about threat hunting and Managed Detection and Response with the Cybereason Defense Platform, contact a Cybereason Defender here.\r\nFor Cybereason customers: More details are available on the NEST, including custom threat hunting queries for detecting this threat:\r\nThe Cybereason XDR Platform detects the Emotet malware\r\nAbout the Researcher:\r\nAleksandar Milenkoski, Senior Malware and Threat Analyst, Cybereason Global SOC\r\nAleksandar Milenkoski is a Senior Malware and Threat Analyst with the Cybereason Global SOC team. He is involved primarily in reverse engineering and threat research activities. Aleksandar has a PhD in system security. For his research activities, he has been awarded by SPEC (Standard Performance Evaluation Corporation), the Bavarian Foundation for Science, and the University of Würzburg, Germany. Prior to Cybereason, his work focused on research in intrusion detection and reverse engineering security mechanisms of the Windows operating system.\r\nAbout the Author\r\nCybereason Global SOC Team\r\nThe Cybereason Global SOC Team delivers 24/7 Managed Detection and Response services to customers on every continent. Led by cybersecurity experts with experience working for government, the military and multiple industry verticals, the Cybereason Global SOC Team continuously hunts for the most sophisticated and pervasive threats to support our mission to end cyberattacks on the endpoint, across the enterprise, and everywhere the battle moves.\r\nSource: https://www.cybereason.com/blog/threat-alert-emotet-targeting-japanese-organizations",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.cybereason.com/blog/threat-alert-emotet-targeting-japanese-organizations"
	],
	"report_names": [
		"threat-alert-emotet-targeting-japanese-organizations"
	],
	"threat_actors": [],
	"ts_created_at": 1775434699,
	"ts_updated_at": 1775791270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e320a38742a509ce05c75103bafe5b3fb9cd8de6.pdf",
		"text": "https://archive.orkl.eu/e320a38742a509ce05c75103bafe5b3fb9cd8de6.txt",
		"img": "https://archive.orkl.eu/e320a38742a509ce05c75103bafe5b3fb9cd8de6.jpg"
	}
}