{
	"id": "c9f6da13-69f9-4b7b-a452-a709124257c9",
	"created_at": "2026-04-06T00:15:28.883003Z",
	"updated_at": "2026-04-10T03:24:23.968162Z",
	"deleted_at": null,
	"sha1_hash": "ec7536fb344dc0ccc72c78c85fde5e4a79ca5b57",
	"title": "All You Need to Know About Emotet in 2022",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 815546,
	"plain_text": "All You Need to Know About Emotet in 2022\r\nBy The Hacker News\r\nPublished: 2022-11-26 · Archived: 2026-04-05 18:17:41 UTC\r\nFor 6 months, the infamous Emotet botnet has shown almost no activity, and now it's distributing malicious spam. Let's dive into the details and discuss all you need to know about the notorious malware to combat it.\r\nWhy is everyone scared of Emotet?\r\nEmotet is by far one of the most dangerous trojans ever created. The malware became a very destructive program as it grew in scale and sophistication. The victim can be anyone from corporate to private users exposed to spam email campaigns.\r\nThe botnet is distributed through phishing emails containing malicious Excel or Word documents. When users open these documents and enable macros, the Emotet DLL is downloaded and then loaded into memory.\r\nIt searches for email addresses and steals them for spam campaigns. Moreover, the botnet drops additional payloads, such as Cobalt Strike, or other attacks that lead to ransomware.\r\nThe polymorphic nature of Emotet, along with the many modules it includes, makes the malware challenging to identify. The Emotet team constantly changes its tactics, techniques, and procedures to ensure that existing detection rules cannot be applied. As part of its strategy to stay invisible on the infected system, the malicious software downloads extra payloads in multiple steps.\r\nhttps://thehackernews.com/2022/11/all-you-need-to-know-about-emotet-in.html\r\nPage 1 of 4\n\nAnd the results of Emotet's behavior are devastating for cybersecurity specialists: the malware is nearly impossible to remove. It spreads quickly, generates faulty indicators, and adapts according to the attackers' needs.\r\nHow has Emotet upgraded over the years?\r\nEmotet is an advanced and constantly changing modular botnet. The malware started its journey as a simple banking trojan in 2014. 
But since then, it has acquired a range of different features, modules, and campaigns:\r\n2014. Money transfer, mail spam, DDoS, and address book stealing modules.\r\n2015. Evasion functionality.\r\n2016. Mail spam, RIG 4.0 exploit kit, delivery of other trojans.\r\n2017. A spreader and address book stealer module.\r\n2021. Malicious XLS templates, uses MSHTA, dropped by Cobalt Strike.\r\n2022. Some features remained the same, but this year also brought several updates.\r\nThis tendency proves that Emotet isn't going anywhere despite frequent \"vacations\" and even the official shutdown. The malware evolves fast and adapts to everything.\r\nWhat features has the new Emotet 2022 version acquired?\r\nAfter almost half a year of a break, the Emotet botnet returned even stronger. Here is what you need to know about the new 2022 version:\r\nIt drops IcedID, a modular banking trojan.\r\nThe malware loads XMRig, a miner that steals wallet data.\r\nThe trojan has binary changes.\r\nEmotet bypasses detection using a 64-bit code base.\r\nThe new version uses new commands:\r\nInvoke rundll32.exe with a randomly named DLL and the export PluginInit\r\nEmotet's goal is to get credentials from Google Chrome and other browsers.\r\nIt is also designed to make use of the SMB protocol to collect company data.\r\nLike six months ago, the botnet uses malicious XLS lures, but it adopted a new one this time:\r\nThe Emotet's Excel lure\r\nHow to detect Emotet?\r\nThe main Emotet challenge is to detect it in the system quickly and accurately. Besides that, a malware analyst should understand the botnet's behavior to prevent future attacks and avoid possible losses.\r\nWith its long history of development, Emotet has stepped up its anti-evasion strategy. 
Through the evolution of the process execution chain and changes in the malware's activity inside the infected system, the malware has forced detection techniques to change drastically.\r\nFor example, in 2018, it was possible to detect this banker by looking at the name of the process – it was one of these:\r\neventswrap, implrandom, turnedavatar, soundser, archivesymbol, wabmetagen, msrasteps, secmsi, crsdcard, narrowpurchase, smxsel, watchvsgd, mfidlisvc, searchatsd, lpiograd, noticesman, appxmware, sansidaho\r\nLater, in the first quarter of 2020, Emotet started to create a specific key in the registry: it writes into the key HKEY_CURRENT_USER\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER a value with a length of 8 symbols (letters and characters).\r\nOf course, Suricata rules always identify this malware, but detection systems often lag behind after the first wave because the rules need to be updated.\r\nAnother way to detect this banker was its malicious documents: crooks use specific templates and lures, even with grammatical errors in them. One of the most reliable ways to detect Emotet is by YARA rules.\r\nTo overcome the malware's anti-evasion techniques and capture the botnet, use a malware sandbox as the most convenient tool for this goal. In ANY.RUN, you can not only detect, monitor, and analyze malicious objects but also get configurations already extracted from the sample.\r\nThere are some features that you can use specifically for Emotet analysis:\r\nreveal C2 links of a malicious sample with FakeNet\r\nuse Suricata and YARA rulesets to successfully identify the botnet\r\nget data about C2 servers, keys, and strings extracted from the sample's memory dump\r\ngather fresh malware IOCs\r\nThe tool helps to perform successful investigations quickly and precisely, so malware analysts can save valuable time. 
\r\nANY.RUN sandbox has prepared incredible deals for Black Friday 2022! Now is the best time to boost your malware analysis and save some money! Check out the special offers for their premium plans, available for a limited time only – from 22-29 November, 2022.\r\nEmotet has not yet demonstrated full functionality and consistent follow-on payload delivery. Use modern tools like the ANY.RUN online malware sandbox to improve your cybersecurity and detect this botnet effectively. Stay safe and good threat hunting!\r\nThis article is a contributed piece from one of our valued partners.\r\nSource: https://thehackernews.com/2022/11/all-you-need-to-know-about-emotet-in.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://thehackernews.com/2022/11/all-you-need-to-know-about-emotet-in.html"
	],
	"report_names": [
		"all-you-need-to-know-about-emotet-in.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434528,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ec7536fb344dc0ccc72c78c85fde5e4a79ca5b57.pdf",
		"text": "https://archive.orkl.eu/ec7536fb344dc0ccc72c78c85fde5e4a79ca5b57.txt",
		"img": "https://archive.orkl.eu/ec7536fb344dc0ccc72c78c85fde5e4a79ca5b57.jpg"
	}
}