{
	"id": "76d4a148-53de-4051-a94b-1be8eacdf294",
	"created_at": "2026-04-06T00:09:15.463787Z",
	"updated_at": "2026-04-10T03:19:56.597588Z",
	"deleted_at": null,
	"sha1_hash": "e380cf9d79304a884154192c91dae93909dfbd3b",
	"title": "Emotet's back and it isn't wasting any time",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45372,
	"plain_text": "Emotet's back and it isn't wasting any time\r\nBy Pieter Arntz\r\nPublished: 2021-12-02 · Archived: 2026-04-05 20:19:27 UTC\r\nEmotet is one of the best known, and most dangerous, malware threats of the past several years.\r\nOn several occasions it appeared to take an early retirement, but it has always came back. In January of this year, a\r\nglobal police operation dismantled Emotet’s botnet. Law enforcement then used their control of this infrastructure\r\nto send a “self-destruct” update to Emotet executables. Infected organizations were given a few months grace to\r\nclean up the the neutered malware before the remaining copies did as they’d been instructed and ate themselves in\r\nApril.\r\nHowever, that wasn’t the end of the story.\r\nLast month we reported on how another notorious bit of malware, TrickBot, was helping Emotet come back from\r\nthe dead. And then yesterday, several security researchers saw another huge spike in Emotet’s activity.\r\nBlinking light\r\nThe presence of Emotet in the threat landscape has had the appearance of a blinking red light for years. Emotet\r\nstarted out in 2014 as an information-stealing banking Trojan that scoured sensitive financial information from\r\ninfected systems (which is why Malwarebytes detects some components as Spyware.Emotet). Over the years, it\r\nevolved into a global-scale distribution infrastructure for other malware.\r\nDuring this time we have seen Emotet disappear and show up again on several occasions. In September 2019,\r\nEmotet emerged from a four month hiatus with a new spam campaign, before going back into hiding early in 2020\r\nand reappearing in July of the same year. 
Its use then declined, with occasional spikes, before it returned just in\r\ntime for Christmas and was then dealt a massive blow by collective law enforcement action in January this year.\r\nRecent spikes\r\nOn December 1, 2021, our Threat Intelligence team noted a huge spike in Emotet C2 activity.\r\nOther researchers also noted spikes in the number of URLs being used to distribute the malware, and in the number\r\nof malware samples.\r\nFrom all the reports and alerts by researchers and analysts we can see a few interesting trends.\r\nFirst of all, our own research shows the global distribution of Emotet has a clear focus on the US.\r\nLooking at the malware URLs that URLhaus has associated with the latest Emotet campaigns, we see a lot\r\nof compromised WordPress sites.\r\nOnly yesterday we talked about how Emotet was being spread via malicious Windows App Installer\r\npackages. While this was not an entirely new method, it is not something we see every day.\r\nThe spam campaign used to distribute the emails linking to the App Installer packages relied on hijacking\r\nexisting conversations, using stolen reply-chain emails.\r\nResearchers are seeing an uptick in the number of Emotet C2 servers.\r\nSpeculation\r\nFrom this point on the content of this post is speculation, so feel free to skip it if you have developed your own\r\ntheories. Or feel free to compare notes and leave your remarks in the comments.\r\nEmotet is growing a lot faster than any newcomer to the scene could. This seems to indicate that old\r\nrelationships have been renewed, which usually means that the people who tied these knots in the past are still\r\nworking on the project and bringing “old friends” back in.\r\nGiven the global distribution and the different campaigns that are ongoing, it’s likely there are several different\r\naffiliates at work. 
And looking at their methods we can tell that these are not some “fresh out of their mother’s\r\nbasement script kiddies” either. They are using sophisticated methods and abusing vulnerabilities that haven’t\r\nbeen patched yet by quite a lot of organizations. For example, some Microsoft Exchange vulnerabilities will allow\r\nthem to hijack existing email threads, which gives the spam messages more credibility.\r\nI checked the hosting companies for the WordPress sites, expecting to find a lot of GoDaddy domains that might\r\nhave been compromised while their credentials were for sale. But I found a lot of different hosting companies,\r\nwhich makes WordPress the common denominator. It’s likely therefore that the attackers are exploiting vulnerable\r\nversions of WordPress plugins like OptinMonster, WP Fastest Cache, and WooCommerce Dynamic Pricing and\r\nDiscounts, all of which were recently patched. (There are probably others that we do not know about yet,\r\ntoo.)\r\nHard fact\r\nEmotet is back! For how long is hard to predict, but they don’t behave as if they have any plans to retire again\r\nsoon.\r\nStay safe, everyone!\r\nAbout the author\r\nWas a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich\r\nmahogany and leather-bound books.\r\nSource: https://blog.malwarebytes.com/trojans/2021/12/emotets-back-and-it-isnt-wasting-any-time/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.malwarebytes.com/trojans/2021/12/emotets-back-and-it-isnt-wasting-any-time/"
	],
	"report_names": [
		"emotets-back-and-it-isnt-wasting-any-time"
	],
	"threat_actors": [],
	"ts_created_at": 1775434155,
	"ts_updated_at": 1775791196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e380cf9d79304a884154192c91dae93909dfbd3b.pdf",
		"text": "https://archive.orkl.eu/e380cf9d79304a884154192c91dae93909dfbd3b.txt",
		"img": "https://archive.orkl.eu/e380cf9d79304a884154192c91dae93909dfbd3b.jpg"
	}
}