{
	"id": "38453887-621d-427d-b1f4-6edd7f7c76d2",
	"created_at": "2026-04-06T00:12:34.973116Z",
	"updated_at": "2026-04-10T13:12:01.15877Z",
	"deleted_at": null,
	"sha1_hash": "ec2f590a4b14c60ead7d932c2fc41553f47f1008",
	"title": "Emotet Returns: New TTPs and .lnk File Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 678298,
	"plain_text": "Emotet Returns: New TTPs and .lnk File Attacks\r\nBy cybleinc\r\nPublished: 2022-04-27 · Archived: 2026-04-05 23:34:00 UTC\r\nOn 2024-04-22, @malware_traffic posted on their Twitter handle that the epoch4 Emotet server had started spamming and delivering zipped .lnk files to its victims through spam email, as shown in Figure 1. The .lnk file then executes a VBScript or PowerShell script to download the Emotet payload onto the victim’s machine. The use of a .lnk file together with PowerShell or VBScript is a new combination that Emotet has not used before.\r\nFigure 1 – Spam Email\r\nhttps://blog.cyble.com/2022/04/27/emotet-returns-with-new-ttps-and-delivers-lnk-files-to-its-victims/\r\nPage 1 of 6\r\nCyble Research Labs already published a blog about Emotet TTPs in February 2022. At that time, Emotet was delivered to users via a spam email containing an MS Excel attachment.\r\nTechnical Analysis\r\nInfection Chain-1\r\nSHA256: 115d7891a2abbe038c12ccc9ed3cfeedfdd1242e51bcc67bfa22c7cc2567fb10\r\nThe initial infection starts when the user extracts the password-protected zip file and executes the link file on the machine. Upon execution, the .lnk file runs commands that drop a malicious VB script file in the Temp location of the target machine, as shown in the figure below.\r\nFigure 2 – Command to Drop VBScript\r\nThe dropped VB script is executed by WScript.exe, downloads the Emotet payload from the remote server, and executes it using regsvr32.exe. The payload URLs are base64-encoded and are decoded at runtime before the Emotet payload is downloaded. The figure below shows the VBS file.\r\nFigure 3 – Downloads and Executes Payload\r\nThe figure below depicts the execution flow of Emotet malware through WScript.\r\nFigure 4 – Execution Flow Through WScript\r\nInfection Chain-2\r\nSHA256: 09f44c33ba0a5f1e22cd5b8b0d40c9808e2668ee9050ac855a6ae0744bc9e924\r\nOn 2024-04-26, the Emotet campaigns started using the .lnk and PowerShell combination to deliver the payloads. In this campaign, the .lnk file drops a PowerShell file in the Temp folder, which then downloads the Emotet payload from the remote server and executes it using regsvr32.exe. The figure below shows the PowerShell command used by the malware.\r\nFigure 5 – Downloads and Executes Emotet Payload\r\nThe figure below depicts the execution flow of Emotet malware through PowerShell.\r\nFigure 6 – Execution Flow Through PowerShell\r\nConclusion\r\nEmotet is a sophisticated and long-lasting malware that has impacted users globally. Threat Actors are constantly adapting their techniques to stay one step ahead of cybersecurity entities – Emotet is one such example. Cyble Research Labs is continuously monitoring the activity of Emotet and other malware and will keep our readers updated.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:\r\nDon’t keep important files in common locations such as the Desktop, My Documents, etc.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nTurn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.\r\nUse a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.\r\nRefrain from opening untrusted links and email attachments without verifying their authenticity.\r\nConduct regular backup practices and keep those backups offline or in a separate network.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic  Technique ID – Technique Name\r\nInitial Access  T1566 – Phishing\r\nInitial Access  T1566.001 – Phishing: Spearphishing Attachment\r\nExecution  T1059 – Command and Scripting Interpreter\r\nCredential Access  T1573 – Encrypted Channel\r\nCredential Access  T1571 – Non-Standard Port\r\nCredential Access  T1110.001 – Brute Force: Password Guessing\r\nDiscovery  T1087 – Account Discovery\r\nCollection  T1560 – Archive Collected Data\r\nPrivilege Escalation  T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nIndicators of Compromise (IOCs)\r\nIndicators  Indicator Type  Description\r\n95e0286c6c38320d9673b6492f9e2284 MD5 Datos-2504.lnk\r\n7ae2cf1d20de3a965b1c5f41368aa29e12eba450 SHA1 Datos-2504.lnk\r\n115d7891a2abbe038c12ccc9ed3cfeedfdd1242e51bcc67bfa22c7cc2567fb10 SHA256 Datos-2504.lnk\r\n3952caf999263773be599357388159e0 MD5 SRW735125373WM.lnk\r\n76c39a3a4823beab79e497bfcdbc2367188d95c4 SHA1 SRW735125373WM.lnk\r\n09f44c33ba0a5f1e22cd5b8b0d40c9808e2668ee9050ac855a6ae0744bc9e924 SHA256 SRW735125373WM.lnk\r\nhxxps://creemo.pl/wp-admin/ZKS1DcdquUT4Bb8Kb/ URL Emotet Dropper URL\r\nhxxp://filmmogzivota.rs/SpryAssets/gDR/ URL Emotet Dropper URL\r\nhxxp://demo34.ckg.hk/service/hhMZrfC7Mnm9JD/ URL Emotet Dropper URL\r\nhxxp://focusmedica.in/fmlib/IxBABMh0I2cLM3qq1GVv/ URL Emotet Dropper URL\r\nhxxp://cipro.mx/prensa/siZP69rBFmibDvuTP1L/ URL Emotet Dropper URL\r\nhxxp://colegiounamuno.es/cgi-bin/E/ URL Emotet Dropper URL\r\nSource: https://blog.cyble.com/2022/04/27/emotet-returns-with-new-ttps-and-delivers-lnk-files-to-its-victims/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.cyble.com/2022/04/27/emotet-returns-with-new-ttps-and-delivers-lnk-files-to-its-victims/"
	],
	"report_names": [
		"emotet-returns-with-new-ttps-and-delivers-lnk-files-to-its-victims"
	],
	"threat_actors": [],
	"ts_created_at": 1775434354,
	"ts_updated_at": 1775826721,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ec2f590a4b14c60ead7d932c2fc41553f47f1008.pdf",
		"text": "https://archive.orkl.eu/ec2f590a4b14c60ead7d932c2fc41553f47f1008.txt",
		"img": "https://archive.orkl.eu/ec2f590a4b14c60ead7d932c2fc41553f47f1008.jpg"
	}
}