{
	"id": "79c25060-ff11-458e-ae46-c13984804265",
	"created_at": "2026-04-06T00:11:12.856794Z",
	"updated_at": "2026-04-10T13:12:22.17268Z",
	"deleted_at": null,
	"sha1_hash": "e7b872a8d417270afd5cfd69bef191628ad0b516",
	"title": "Microsoft: Emotet Took Down a Network by Overheating All Computers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2350922,
	"plain_text": "Microsoft: Emotet Took Down a Network by Overheating All Computers\r\nBy Sergiu Gatlan\r\nPublished: 2020-04-03 · Archived: 2026-04-05 14:10:26 UTC\r\nMicrosoft says that an Emotet infection was able to take down an organization's entire network by maxing out CPUs on Windows devices and bringing its Internet connection down to a crawl after one employee was tricked into opening a phishing email attachment.\r\n\"After a phishing email delivered Emotet, a polymorphic virus that propagates via network shares and legacy protocols, the virus shut down the organization’s core services,\" DART said.\r\n\"The virus avoided detection by antivirus solutions through regular updates from an attacker-controlled command-and-control (C2) infrastructure, and spread through the company’s systems, causing network outages and shutting down essential services for nearly a week.\"\r\nhttps://www.bleepingcomputer.com/news/security/microsoft-emotet-took-down-a-network-by-overheating-all-computers/\r\nPage 1 of 5\r\nAll systems down within a week\r\nThe Emotet payload was delivered and executed on the systems of Fabrikam — a fake name Microsoft gave the victim in their case study — five days after the employee's user credentials were exfiltrated to the attacker's command and control (C\u0026C) server.\r\nBefore this, the attackers used the stolen credentials to send phishing emails to other Fabrikam employees and to their external contacts, infecting more and more systems, which in turn downloaded additional malware payloads.\r\nThe malware then spread further through the network without raising any red flags: it stole admin account credentials, used them to authenticate to new systems, and used those systems as stepping stones to compromise other devices.\r\nWithin eight days of that first booby-trapped attachment being opened, Fabrikam's entire network was brought to its knees despite the IT department's efforts: PCs overheated, froze, and rebooted after blue screens, and Internet connections slowed to a crawl as Emotet devoured all the available bandwidth.\r\nEmotet attack flow (Microsoft DART)\r\n\"When the last of their machines overheated, Fabrikam knew the problem had officially spun out of control. 'We want to stop this hemorrhaging,' an official would later say,\" DART's case study report reads.\r\n\"He’d been told the organization had an extensive system to prevent cyberattacks, but this new virus evaded all their firewalls and antivirus software. Now, as they watched their computers blue-screen one by one, they didn’t have any idea what to do next.\"\r\nAlthough not officially confirmed, the attack described by Microsoft's Detection and Response Team (DART) matches a malware attack that hit the city of Allentown, Pennsylvania, in February 2018, as ZDNet first noticed, based on statements an official made after that incident.\r\nAt the time, Mayor Ed Pawlowski said that the city had to pay nearly $1 million to Microsoft to clean out its systems, with an initial $185,000 emergency-response fee to contain the malware and up to $900,000 in additional recovery costs, as first reported by The Morning Call.\r\nEmotet infection aftermath and containment procedures\r\n\"Officials announced that the virus threatened all of Fabrikam’s systems, even its 185-surveillance camera network,\" DART's report says.\r\n\"Its finance department couldn’t complete any external banking transactions, and partner organizations couldn’t access any databases controlled by Fabrikam. It was chaos.\r\n\"They couldn’t tell whether an external cyberattack from a hacker caused the shutdown or if they were dealing with an internal virus. It would have helped if they could have even accessed their network accounts.\r\n\"Emotet consumed the network’s bandwidth until using it for anything became practically impossible. Even emails couldn’t wriggle through.\"\r\nMicrosoft's DART, which worked both remotely and on site, was called in eight days after the first device on Fabrikam's network was compromised.\r\nDART contained the infection using asset controls and buffer zones designed to isolate assets with admin privileges. The team eventually eradicated Emotet completely after uploading new antivirus signatures and deploying Microsoft Defender ATP and Azure ATP trials to detect and remove the malware.\r\nMicrosoft recommends email filtering tools that automatically detect and block the phishing emails that spread Emotet, as well as multi-factor authentication (MFA) to stop attackers from using stolen credentials.\r\nEmotet infection chain (CISA)\r\nEmotet infections can lead to severe outcomes\r\nEmotet, first spotted as a banking Trojan in 2014, has evolved into a malware loader that threat actors use to install other malware families, including the Trickbot banking Trojan (a known vector for delivering Ryuk ransomware payloads).\r\nEmotet was recently upgraded with a Wi-Fi worm module designed to help it spread to new victims via nearby insecure wireless networks.\r\nIn January 2020, the Cybersecurity and Infrastructure Security Agency (CISA) warned government and private organizations, as well as home users, of increased targeted Emotet activity.\r\nIn November 2019, the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) also warned of the dangers behind Emotet attacks, saying at the time that the malware \"provides an attacker with a foothold in a network from which additional attacks can be performed, often leading to further compromise through the deployment of ransomware.\"\r\nEmotet ranked first in a 'Top 10 most prevalent threats' ranking published by interactive malware analysis platform Any.Run at the end of December 2019, with triple the number of samples submitted for analysis compared to the runner-up, the Agent Tesla info-stealer.\r\nCISA provides general best practices for limiting the impact of Emotet attacks and containing network infections in an Emotet Malware alert published two years ago and updated earlier this year.\r\nSource: https://www.bleepingcomputer.com/news/security/microsoft-emotet-took-down-a-network-by-overheating-all-computers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/microsoft-emotet-took-down-a-network-by-overheating-all-computers/"
	],
	"report_names": [
		"microsoft-emotet-took-down-a-network-by-overheating-all-computers"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434272,
	"ts_updated_at": 1775826742,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e7b872a8d417270afd5cfd69bef191628ad0b516.pdf",
		"text": "https://archive.orkl.eu/e7b872a8d417270afd5cfd69bef191628ad0b516.txt",
		"img": "https://archive.orkl.eu/e7b872a8d417270afd5cfd69bef191628ad0b516.jpg"
	}
}