{
	"id": "85fc9137-68ab-4e26-ae22-054e182522d5",
	"created_at": "2026-04-06T00:09:39.110623Z",
	"updated_at": "2026-04-10T03:22:08.757853Z",
	"deleted_at": null,
	"sha1_hash": "e59564dc1b7bf359584748bd3d18c82a07735784",
	"title": "Emotet Revival: Tactics and Mitigations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1576552,
	"plain_text": "Emotet Revival: Tactics and Mitigations\r\nBy Eugene Chua\r\nPublished: 2022-08-22 · Archived: 2026-04-05 16:37:59 UTC\r\nIntroduction\r\nLast year provided further evidence that the cyber threat landscape remains both complex and challenging to\r\npredict. Between uncertain attribution, novel exploits and rapid malware developments, it is becoming harder to\r\nknow where to focus security efforts. One of the largest surprises of 2021 was the re-emergence of the infamous\r\nEmotet botnet. This is an example of a campaign that ignored industry verticals or regions and seemingly targeted\r\ncompanies indiscriminately. Only 10 months after the Emotet takedown by law enforcement agencies in January,\r\nnew Emotet activities in November were discovered by security researchers. These continued into the first quarter\r\nof 2022, a period which this blog will explore through findings from the Darktrace Threat Intel Unit. \r\nDating back to 2019, Emotet was known to deliver Trickbot payloads which ultimately deployed Ryuk\r\nransomware strains on compromised devices. This interconnectivity highlighted the hydra-like nature of threat\r\ngroups wherein eliminating one (even with full-scale law enforcement intervention) would not rule them out as a\r\nthreat nor indicate that the threat landscape would be any more secure. \r\nWhen Emotet resurged, as expected, one of the initial infection vectors involved leveraging existing Trickbot\r\ninfrastructure. However, unlike the original attacks, it featured a brand new phishing campaign.\r\nFigure 1: Distribution of observed Emotet activities across Darktrace deployments\r\nhttps://de.darktrace.com/blog/emotet-resurgence-cross-industry-campaign-analysis\r\nPage 1 of 12\n\nAlthough similar to the original Emotet infections, the new wave of infections has been classified into two\r\ncategories: Epochs 4 and 5. These had several key differences compared to Epochs 1 to 3. Within Darktrace’s\r\nglobal deployments, Emotet compromises associated to Epoch 4 appeared to be the most prevalent. Affected\r\ncustomer environments were seen within a large range of countries (Figure 1) and industry verticals such as\r\nmanufacturing and supply chain, hospitality and travel, public administration, technology and telecoms and\r\nhealthcare. Company demographics and size did not appear to be a targeting factor as affected customers had\r\nvarying employee counts ranging from less than 250, to over 5000.\r\nKey differences between Epochs 1-3 vs 4-5\r\nBased on wider security research into the innerworkings of the Emotet exploits, several key differences were\r\nidentified between Epochs 4/5 and its predecessors. The newer epochs used:\r\n·       A different Microsoft document format (OLE vs XML-based).\r\n·       A different encryption algorithm for communication. The new epochs used Elliptic Curve Cryptograph\r\n(ECC) [1] with public encryption keys contained in the C2 configuration file [2]. This was different from the\r\nprevious Rivest-Shamir-Adleman (RSA) key encryption method.\r\n·       Control Flow Flattening was used as an obfuscation technique to make detection and reverse engineering\r\nmore difficult. This is done by hiding a program’s control flow [3].\r\n·       New C2 infrastructure was observed as C2 communications were directed to over 230 unique IPs all\r\nassociated to the new Epochs 4 and 5.\r\nIn addition to the new Epoch 4 and 5 features, Darktrace detected unsurprising similarities in those deployments\r\naffected by the renewed campaign. This included self-signed SSL connections to Emotet’s new infrastructure as\r\nwell as malware spam activities to multiple rare external endpoints. Preceding these outbound communications,\r\ndevices across multiple deployments were detected downloading Emotet-associated payloads (algorithmically\r\ngenerated DLL files).\r\nEmotet Resurgence Campaign\r\nhttps://de.darktrace.com/blog/emotet-resurgence-cross-industry-campaign-analysis\r\nPage 2 of 12\n\nFigure 2: Darktrace’s Detection Timeline for Emotet Epoch 4 and 5 compromises\r\n1. Initial Compromise\r\nThe initial point of entry for the resurgence activity was almost certainly via Trickbot infrastructure or a successful\r\nphishing attack (Figure 2). Following the initial intrusion, the malware strain begins to download payloads via\r\nmacro-ladened files which are used to spawn PowerShell for subsequent malware downloads.\r\nFollowing the downloads, malicious communication with Emotet’s C2 infrastructure was observed alongside\r\nactivities from the spam module. Within Darktrace, key techniques were observed and documented below.\r\n2. Establish Foothold: Binary Dynamic-link library (.dll) with algorithmically generated filenames \r\nEmotet payloads are polymorphic and contain algorithmically generated filenames . Within deployments, HTTP\r\nGET requests involving a suspicious hostname, www[.]arkpp[.]com, and Emotet related samples such as those\r\nseen below were observed:\r\n·       hpixQfCoJb0fS1.dll (SHA256 hash:\r\n859a41b911688b00e104e9c474fc7aaf7b1f2d6e885e8d7fbf11347bc2e21eaa)\r\n·       M0uZ6kd8hnzVUt2BNbRzRFjRoz08WFYfPj2.dll (SHA256 hash:\r\n9fbd590cf65cbfb2b842d46d82e886e3acb5bfecfdb82afc22a5f95bda7dd804)\r\n·       TpipJHHy7P.dll (SHA256 hash:\r\n40060259d583b8cf83336bc50cc7a7d9e0a4de22b9a04e62ddc6ca5dedd6754b)\r\nhttps://de.darktrace.com/blog/emotet-resurgence-cross-industry-campaign-analysis\r\nPage 3 of 12\n\nThese DLL files likely represent the distribution of Emotet loaders which depends on windows processes such as\r\nrundll32[.]exe and regsvr32[.]exe to execute. \r\n3. Establish Foothold: Outbound SSL connections to Emotet C2 servers \r\nA clear network indicator of compromise for Emotet’s C2 communication involved self-signed SSL using\r\ncertificate issuers and subjects which matched\r\n‘CN=example[.]com,OU=IT Department,O=Global Security,L=London,ST=London,C=GB’ , and a common JA3\r\nclient fingerprint (72a589da586844d7f0818ce684948eea). The primary C2 communications were seen involving\r\ninfrastructures classified as Epoch 4 rather than 5. Despite encryption in the communication content, network\r\ncontextual connection details were sufficient for the detection of the C2 activities (Figure 3).\r\nFigure 3: UI Model Breach logs on download and outbound SSL activities.\r\nOutbound SSL and SMTP connections on TCP ports 25, 465, 587 \r\nAn anomalous user agent such as, ‘Microsoft Outlook 15.0’, was observed being used for SMTP connections with\r\nsome subject lines of the outbound emails containing Base64-encoded strings. In addition, this JA3 client\r\nfingerprint (37cdab6ff1bd1c195bacb776c5213bf2) was commonly seen from the SSL connections. Based on the\r\nset of malware spam hostnames observed across at least 10 deployments, the majority of the TLDs were .jp, .com,\r\n.net, .mx, with the Japanese TLD being the most common (Figure 4).\r\nhttps://de.darktrace.com/blog/emotet-resurgence-cross-industry-campaign-analysis\r\nPage 4 of 12\n\nFigure 4: Malware Spam TLDs observed in outbound SSL and SMTP\r\n Plaintext spam content generated from the spam module were seen in PCAPs (Figure 5). Examples of clear\r\nphishing or spam indicators included 1) mismatched personal header and email headers, 2) unusual reply chain\r\nand recipient references in the subject line, and 3) suspicious compressed file attachments, e.g. Electronic\r\nform[.]zip.\r\nhttps://de.darktrace.com/blog/emotet-resurgence-cross-industry-campaign-analysis\r\nPage 5 of 12\n\nFigure 5: Example of PCAP associated to SPAM Module\r\n4. Accomplish Mission\r\n The Emotet resurgence also showed through secondary compromises involving anomalous SMB drive writes\r\nrelated to CobaltStrike. This consistently included the following JA3 hash\r\n(72a589da586844d7f0818ce684948eea) seen in SSL activities as well as SMB writes involving the svchost.exe\r\nfile.\r\nDarktrace Detection\r\n The key DETECT models used to identify Emotet Resurgence activities were focused on determining possible\r\nC2. These included:\r\n·       Suspicious SSL Activity\r\n·       Suspicious Self-Signed SSL\r\n·       Rare External SSL Self-Signed\r\nhttps://de.darktrace.com/blog/emotet-resurgence-cross-industry-campaign-analysis\r\nPage 6 of 12\n\n·       Possible Outbound Spam\r\nFile-focused models were also beneficial and included:\r\n·       Zip or Gzip from Rare External Location\r\n·       EXE from Rare External Location\r\nDarktrace’s detection capabilities can also be shown through a sample of case studies identified during the Threat\r\nResearch team’s investigations.\r\nCase Studies \r\nDarktrace’s detection of Emotet activities was not limited by industry verticals or company sizing. Although there\r\nwere many similar features seen across the new epoch, each incident displayed varying techniques from the\r\ncampaign. This is shown in two client environments below:\r\nWhen investigating a large customer environment within the public administration sector, 16 different devices\r\nwere detected making 52,536 SSL connections with the example[.]com issuer. Devices associated with this issuer\r\nwere mainly seen breaching the same Self-Signed and Spam DETECT models. Although anomalous incoming\r\noctet-streams were observed prior to this SSL, there was no clear relation between the downloads and the Emotet\r\nC2 connections. Despite the total affected devices occupying only a small portion of the total network, Darktrace\r\nanalysts were able to filter against the much larger network ‘noise’ and locate detailed evidence of compromise to\r\nnotify the customer.\r\nDarktrace also identified new Emotet activities in much smaller customer environments. Looking at a company in\r\nthe healthcare and pharmaceutical sector, from mid-March 2022 a single internal device was detected making an\r\nHTTP GET request to the host arkpp[.]com involving the algorithmically-generated DLL, TpipJHHy7P.dll with\r\nthe SHA256 hash: 40060259d583b8cf83336bc50cc7a7d9e0a4de22b9a04e62ddc6ca5dedd6754b (Figure 6). \r\nhttps://de.darktrace.com/blog/emotet-resurgence-cross-industry-campaign-analysis\r\nPage 7 of 12\n\nFigure 6: A screenshot from VirusTotal, showing that the SHA256 hash has been flagged as\r\nmalicious by other security vendors.\r\nAfter the sample was downloaded, the device contacted a large number of endpoints that had never been contacted\r\nby devices on the network. The endpoints were contacted over ports 443, 8080, and 7080 involving Emotet related\r\nIOCs and the same SSL certificate mentioned previously. Malware spam activities were also observed during a\r\nsimilar timeframe.\r\n The Emotet case studies above demonstrate how autonomous detection of an anomalous sequence of activities -\r\nwithout depending on conventional rules and signatures - can reveal significant threat activities. Though possible\r\nstaged payloads were only seen in a proportion of the affected environments, the following outbound C2 and\r\nmalware spam activities involving many endpoints and ports were sufficient for the detection of Emotet.\r\n If present, in both instances Darktrace’s Autonomous Response technology, RESPOND, would recommend or\r\nimplement surgical actions to precisely target activities associated with the staged payload downloads, outgoing\r\nC2 communications, and malware spam activities. Additionally, restriction to the devices’ normal pattern of life\r\nwill prevent simultaneously occurring malicious activities while enabling the continuity of normal business\r\noperations.\r\n Conclusion \r\n·       The technical differences between past and present Emotet strains emphasizes the versatility of malicious\r\nthreat actors and the need for a security solution that is not reliant on signatures.\r\n·       Darktrace’s visibility and unique behavioral detection continues to provide visibility to network activities\r\nrelated to the novel Emotet strain without reliance on rules and signatures. Key examples include the C2\r\nconnections to new Emotet infrastructure.\r\n·       Looking ahead, detection of C2 establishment using suspicious DLLs will prevent further propagation of the\r\nEmotet strains across networks.\r\n·       Darktrace’s AI detection and response will outpace conventional post compromise research involving the\r\nanalysis of Emotet strains through static and dynamic code analysis, followed by the implementation of rules and\r\nsignatures.\r\nThanks to Paul Jennings and Hanah Darley for their contributions to this blog.\r\nAppendices\r\nModel breaches\r\n·       Anomalous Connection / Anomalous SSL without SNI to New External \r\n·       Anomalous Connection / Application Protocol on Uncommon Port \r\n·       Anomalous Connection / Multiple Connections to New External TCP Port \r\nhttps://de.darktrace.com/blog/emotet-resurgence-cross-industry-campaign-analysis\r\nPage 8 of 12\n\n·       Anomalous Connection / Multiple Failed Connections to Rare Endpoint \r\n·       Anomalous Connection / Multiple HTTP POSTs to Rare Hostname \r\n·       Anomalous Connection / Possible Outbound Spam \r\n·       Anomalous Connection / Rare External SSL Self-Signed \r\n·       Anomalous Connection / Repeated Rare External SSL Self-Signed      \r\n·       Anomalous Connection / Suspicious Expired SSL \r\n·       Anomalous Connection / Suspicious Self-Signed SSL\r\n·       Anomalous File / Anomalous Octet Stream (No User Agent) \r\n·       Anomalous File / Zip or Gzip from Rare External Location \r\n·       Anomalous File / EXE from Rare External Location\r\n·       Compromise / Agent Beacon to New Endpoint \r\n·       Compromise / Beacon to Young Endpoint \r\n·       Compromise / Beaconing Activity To External Rare \r\n·       Compromise / New or Repeated to Unusual SSL Port \r\n·       Compromise / Repeating Connections Over 4 Days \r\n·       Compromise / Slow Beaconing Activity To External Rare \r\n·       Compromise / SSL Beaconing to Rare Destination \r\n·       Compromise / Suspicious Beaconing Behaviour \r\n·       Compromise / Suspicious Spam Activity \r\n·       Compromise / Suspicious SSL Activity \r\n·       Compromise / Sustained SSL or HTTP Increase \r\n·       Device / Initial Breach Chain Compromise \r\n·       Device / Large Number of Connections to New Endpoints \r\n·       Device / Long Agent Connection to New Endpoint \r\n·       Device / New User Agent \r\n·       Device / New User Agent and New IP \r\nhttps://de.darktrace.com/blog/emotet-resurgence-cross-industry-campaign-analysis\r\nPage 9 of 12\n\n·       Device / SMB Session Bruteforce \r\n·       Device / Suspicious Domain \r\n·       Device / Suspicious SMB Scanning Activity \r\nhttps://de.darktrace.com/blog/emotet-resurgence-cross-industry-campaign-analysis\r\nPage 10 of 12\n\nhttps://de.darktrace.com/blog/emotet-resurgence-cross-industry-campaign-analysis\r\nPage 11 of 12\n\nFor Darktrace customers who want to know more about using Darktrace to triage Emotet, refer here for an\r\nexclusive supplement to this blog.\r\nReferences\r\n[1] https://blog.lumen.com/emotet-redux/\r\n[2] https://blogs.vmware.com/security/2022/03/emotet-c2-configuration-extraction-and-analysis.html\r\n[3] https://news.sophos.com/en-us/2022/05/04/attacking-emotets-control-flow-flattening/\r\nSource: https://de.darktrace.com/blog/emotet-resurgence-cross-industry-campaign-analysis\r\nhttps://de.darktrace.com/blog/emotet-resurgence-cross-industry-campaign-analysis\r\nPage 12 of 12\n\nthe healthcare HTTP GET and pharmaceutical request to the sector, host arkpp[.]com from mid-March involving 2022 a single the algorithmically-generated internal device DLL, was detected TpipJHHy7P.dll making an with\nthe SHA256 hash: 40060259d583b8cf83336bc50cc7a7d9e0a4de22b9a04e62ddc6ca5dedd6754b   (Figure 6).\n  Page 7 of 12",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://de.darktrace.com/blog/emotet-resurgence-cross-industry-campaign-analysis"
	],
	"report_names": [
		"emotet-resurgence-cross-industry-campaign-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775434179,
	"ts_updated_at": 1775791328,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e59564dc1b7bf359584748bd3d18c82a07735784.pdf",
		"text": "https://archive.orkl.eu/e59564dc1b7bf359584748bd3d18c82a07735784.txt",
		"img": "https://archive.orkl.eu/e59564dc1b7bf359584748bd3d18c82a07735784.jpg"
	}
}