{
	"id": "aa1e2304-8173-417b-8ce7-cc000a0e161b",
	"created_at": "2026-04-06T00:13:22.471339Z",
	"updated_at": "2026-04-10T03:21:52.887964Z",
	"deleted_at": null,
	"sha1_hash": "eb1fe39299ff8f1dded715909c01059bed2c5bb7",
	"title": "Emotet Wi-Fi Spreader Upgraded",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 390453,
	"plain_text": "Emotet Wi-Fi Spreader Upgraded\r\nBy Binary Defense\r\nArchived: 2026-04-05 19:15:30 UTC\r\nThis is an update to an earlier article regarding the emerging cyberthreat of the Emotet Wi-Fi spreader.\r\nExecutive Summary\r\nBinary Defense analysts previously discovered a stand-alone program for spreading Emotet infections over Wi-Fi networks.\r\nAlthough the spreader had been recently delivered by Emotet command and control (C2) servers, the program itself had not\r\nbeen changed for at least two years. In the last week, an updated version of the Wi-Fi spreader was observed being delivered\r\nto multiple bots. The new version changed the spreader from a stand-alone program into a full-fledged module of Emotet\r\nwith some other functionality improvements. Instead of bundling the Emotet loader with the spreader, it now downloads the\r\nloader from a server.\r\nProtocol Changes\r\nWhile the changes to the Wi-Fi spreader do not affect the key functionality of the malware, the changes are still notable as\r\nthey increase the logging capability of the spreader, allowing Emotet’s authors to get step-by-step debugging logs from\r\ninfected machines through the use of a new communication protocol.\r\nThis communication protocol uses two PHP POST arguments to provide Emotet’s authors with crucial debugging outputs.\r\nThe first argument, “id”, is set to the victim’s MachineGUID, while the second argument, “data”, is set to any debug strings\r\nthat the malware generates during runtime, encoded with base64.\r\nSome of the debug strings include:\r\nWe succ connected to ipc share\r\nWNetEnumResource failed with error %d\r\nfile downloaded ok\r\nworm started\r\nFigure 1 – Example request\r\nThese requests are sent to a single gate.php file with the path hardcoded in the spreader.\r\nSpreader Changes\r\nAs stated above, the overall spreader functionality has not changed much. Instead, the authors have added in more verbose\r\ndebugging, while also making the spreader more versatile in the payloads that it downloads. Additionally, the service name\r\nhas changed in the newly updated spreader.\r\nThe only notable change to the spreader functionality is that if the spreader fails to brute-force the C$ share, the spreader\r\nwill then attempt to brute-force the ADMIN$ share.\r\nhttps://www.binarydefense.com/emotet-wi-fi-spreader-upgraded/\r\nPage 1 of 4\n\nFigure 2 – Spreader bruteforcing code\r\nAdditionally, before the spreader attempts to brute-force C$/ADMIN$, it attempts to download, from a hardcoded IP, the\r\nservice binary that it installs remotely. If this download fails, it sends the debug string “error downloading file” before\r\nquitting.\r\nService.exe Changes\r\nPulled down from a hardcoded URL, Service.exe is the executable used to install Emotet onto infected machines.\r\nThis binary, like the old Service.exe, will only detonate if first launched as a service. Unlike the old Service.exe, however,\r\nthe updated Service.exe downloads an Emotet binary from the C2 instead of containing a binary packaged inside of it.\r\nUpon startup of Service.exe, the malware connects out to the same gate.php used by the spreader and sends the debug string\r\n“remote service runned Downloading payload...”. Next, it attempts to connect to a hardcoded C2 where it pulls down the\r\nEmotet binary, saving the downloaded file as “firefox.exe.”\r\nAfter updating the C2 with the download status, if Emotet was successfully downloaded, Service.exe sends “payload\r\ndownloaded ok” to the C2 before executing the dropped file.\r\nFigure 3 – Download and execute code\r\nBy downloading the Emotet loader directly from the C2, Service.exe can ensure that it has the most recent loader, without\r\nneeding to package it inside itself. Additionally, this method helps to avoid detections that may trigger on the Emotet loader\r\nbut not on the service executable.\r\nNotable Artifacts\r\nWhile analyzing the spreader/Service.exe combo, Binary Defense analysts uncovered some interesting and notable artifacts\r\nthat lend some insight into the development process for the spreader. While looking at strings for the spreader executable,\r\nBinary Defense noticed that the hardcoded URL used by Service.exe to pull down the Emotet loader was also present in the\r\nspreader executable. Additionally, the drop name for the Emotet loader (firefox.exe) was also present. However, both were\r\nunused. This hints that the spreader and service combo may once have been a single file.\r\nFigure 4 – Strings\r\nIOCs\r\nDisplay Name: AsusService\r\nService Name: ASUS system Service\r\n8a4239737f41b7f1730e6b6fdd2ecc3f1a4862bb6ab17f8a3d5eeba59423a8a0\r\n69[.]43[.]168[.]245\r\n/UUUU030G182K9N73VR35HW/service.exe\r\n/UUUU030G182K9N73VR35HW/gate.php\r\nC:A\r\n%T\r\n3c72f2fe57a0a6f1566bcc809b1039fafb483d5cb15efe8a03c3d68d5db2589f\r\n69[.]43[.]168[.]245\r\n/OWP3940LD8UWMAZ26XCSQWV182K9/service.exe\r\n/OWP3940LD8UWMAZ26XCSQWV182K9/gate.php\r\nC:m\r\n%T\r\nYARA rule\r\nrule Emotet_WiFi_Spreader {\r\n  meta:\r\n    title = \"Emotet Wi-Fi Spreader identification\"\r\n    author = \"\u003cjames.quinn@binarydefense.com\u003e\"\r\n  strings:\r\n    // 00401174 83 c4 0c    ADD    ESP,0xc\r\n    // 00401177 89 5d e4    MOV    dword ptr [EBP + local_20],EBX\r\n    // 0040117a 8d 85 e0    LEA    EAX=\u003elocal_824,[EBP + 0xfffff7e0]\r\n    //          f7 ff ff\r\n    // 00401180 89 5d f0    MOV    dword ptr [EBP + local_14],EBX\r\n    // 00401183 89 45 f4    MOV    dword ptr [EBP + local_10],EAX\r\n    // 00401186 8d 45 e0    LEA    EAX=\u003elocal_24,[EBP + -0x20]\r\n    // 00401189 6a 01       PUSH   0x1\r\n    // 0040118b ff 75 08    PUSH   dword ptr [EBP + param_3]\r\n    // 0040118e ff 75 0c    PUSH   dword ptr [EBP + param_4]\r\n    // 00401191 50          PUSH   EAX\r\n    // 00401192 ff 15 64    CALL   dword ptr [\u003eMPR.DLL::WNetAddConnection2W]\r\n    //          01 41 00\r\n    // 00401198 83 f8 35    CMP    EAX,0x35\r\n    // 0040119b 75 0e       JNZ    LAB_004011ab\r\n    $WNetAddConnection2W = { 83 c4 0c 89 5d e4 8d 85 e0 f7 ff ff 89 5d f0 89 45 f4 8d 45 e0 6a 01 ff 75 08 ff 75 0c 50 ff 15 ?? ?? ?? ?? 83 f8 35 75 }\r\n    $s1 = \"We succ connected to ipc share\"\r\n  condition:\r\n    all of them\r\n}\r\nSURICATA rule:\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET [80,443,8080,7080,21,50000,995] (msg:\"BDS MALICIOUS Emotet Worming Traffic Likely\"; content:\"d29ybSBzdGFydGVk\"; content:\"POST\"; http_method; classtype:spreader; sid:7; rev:1;)\r\nSource: https://www.binarydefense.com/emotet-wi-fi-spreader-upgraded/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.binarydefense.com/emotet-wi-fi-spreader-upgraded/"
	],
	"report_names": [
		"emotet-wi-fi-spreader-upgraded"
	],
	"threat_actors": [],
	"ts_created_at": 1775434402,
	"ts_updated_at": 1775791312,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eb1fe39299ff8f1dded715909c01059bed2c5bb7.pdf",
		"text": "https://archive.orkl.eu/eb1fe39299ff8f1dded715909c01059bed2c5bb7.txt",
		"img": "https://archive.orkl.eu/eb1fe39299ff8f1dded715909c01059bed2c5bb7.jpg"
	}
}