{
	"id": "46c8bcd8-5e9c-41dc-94fe-c016a77d9c51",
	"created_at": "2026-04-06T00:16:13.881745Z",
	"updated_at": "2026-04-10T13:12:24.295855Z",
	"deleted_at": null,
	"sha1_hash": "f086102eb5546d5e02c0895c1988d9208c5c5f8e",
	"title": "Inside Look at Emotet's Global Victims and Malspam Qakbot Payloads",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58354,
	"plain_text": "Inside Look at Emotet's Global Victims and Malspam Qakbot Payloads\r\nPublished: 2018-08-01 · Archived: 2026-04-05 14:03:30 UTC\r\nThe Emotet botnet's reputation precedes it; historically aggressive and malicious, today it has evolved and incorporated a number of advancements to create a more resilient botnet delivery system, nearly immune from takedown. Recently, US CERT reported that Emotet incidents (and its subsequent payload droppers) are affecting state, local, tribal, and territorial (SLTT) governments at up to 1 million dollars per incident.\r\nWe have captured a global view of many of the active infections within the latest Emotet botnet. At the time of this writing, we believe this to be the only publicly available coverage of actively infected Emotet peers.\r\nIn an earlier post, we announced Telltale and provided the WannaCry data set for organizations to determine if they are still affected by residual ransomware risks. Today, we will further enrich this data set by adding Emotet data promoted from the Vantage Breach Intelligence Service to our free version of the offering, Telltale. Organizations looking to reduce their risk exposure to Emotet and/or WannaCry should consider signing up for either of these breach notification offerings.\r\nThe remainder of this post will:\r\nProvide a high-level view of the Emotet botnet distribution and some of its metrics;\r\nExamine the latest botnet trends and deep dive into a recent Qbot sample.\r\nEmotet by the Numbers\r\nMost telemetry available today on Emotet has likely been sourced from vendor-specific AV or spam infection attempts (e.g. blocked infections). 
However, to be clear, the following visibility is sourced from the Emotet peers which are actively infected and participating in the botnet, that is, those which have not been blocked.\r\nOverall we can compute a partial view of at least one of the botnets:\r\n70,000+ unique IPs identified\r\n4000+ unique ASNs communicated\r\n5000+ unique organizations and telecoms affected\r\n170 countries affected\r\nIt would be fair to estimate that the botnet is, at any given point, between 50,000 and 150,000 infected nodes. Looking at the aggregate of the information we can see how that breaks down by country.\r\nTotal Hits by count.\r\nhttps://blog.kryptoslogic.com/malware/2018/08/01/emotet.html\r\nPage 1 of 4\n\nWhile the science of evaluating the total infection hits for any given malware strain is out of scope for this post, what we can interpret from our source data and the traffic patterns against any particular IP address is that many organizations infected by Emotet have more than one infection, which was likely triggered by a pivoting component like EternalBlue (yes, the same EternalBlue from NotPetya and WannaCry). We have observed several organizations (hospitals, research centers, etc.) exhibit signs of dangerously high levels of Emotet infection volume. Clearly, the United States and South Korea show signs of high-frequency activity from certain organizations, which inflates their numbers. While this is certainly concerning, it is more prudent to examine the unique IP addresses graph below to get a different perspective, one not skewed by the noise of certain heavily infected organizations.\r\nTop 12 countries seen by Unique IP.\r\nAgain we see a high level of United States coverage in the Unique IPs visualization. 
India deserves a special note: it typically has high DHCP churn, resulting in a higher than normal number of unique IPs for any given period.\r\nFinally, the full global map distribution shows no real surprises other than that Emotet is widespread.\r\nA global map of Emotet's reach, distributed by Source IP.\r\nMalspam Payloads Show Signs of Evolving Botnet Trends\r\nWhile Qakbot is just one of many things that can be dropped, we learn very quickly why the Emotet network introduces a significant level of risk to organizations. The latest Emotet design utilizes a new blueprint in the evolution of modern malware and botnets. Because Emotet’s Command and Control (C\u0026C) systems work through a complex decentralized network of infected hosts and proxy peers, it could prove a difficult takedown task for law enforcement, considering there are few single points of failure and a takedown would require multiple levels of cooperation in near-perfect harmony.\r\nTraditional botnets heavily depended on peer-to-peer for C2 communication and fallback; this allowed researchers to peek into the activity of the botnet and observe victim machines. Newer, more resilient botnets seem to be moving away from this approach. Another way researchers observed victim machines was to reverse engineer the domain generation algorithm (DGA) and register their own “sinkholes”. As botnets move away from DGA this becomes infeasible. Emotet and other botnets such as TrickBot pose a unique challenge to researchers and companies in the field.\r\nHowever, our research demonstrates that it is not impossible to gain insight into these evolved botnets. IPs tend to be harder to blacklist than domain C2s, so the traditional “IOC” approach is becoming less and less effective. On the other hand, you have various payloads, all with their own techniques. 
So while a good Predict, Prevent, and Detect agent like Tactics (or perhaps EDRs) can help, it still requires analysts to steer.\r\nConsequently, this also makes it difficult for most organizations to block and track, as IP addresses are constantly shifting and changing. This makes detecting the traffic a bit of a long-term game of whack-a-mole.\r\nIronically, Emotet drops a variety of payloads (like Qakbot) which are in fact separate botnets. Looking at a quite recent malspam campaign, we picked up an interesting Qakbot sample; Qakbot is itself another botnet sharing much of the same design resilience as Emotet, e.g., proxy peers and no DGA.\r\nQakbot graph.\r\nA thorough review of Qakbot, ranging from protocol version 10 to 12, was written up by Intel Security in Virus Bulletin. Current Qakbot samples (version 322.368) are at version 15 of the protocol and behave similarly to version 12, with some exceptions:\r\nThe DGA mechanism appears to be completely gone\r\nThe 1024-bit RSA key used for encrypting keys and verifying signatures was removed, with only the same 2048-bit key remaining\r\nThere are 31 possible C\u0026C commands, up from the 25 described before\r\nWe found signs of Qakbot disabling HTTP2 in Firefox by modifying the profile.js configuration file, where we used to see banking malware disabling SPDY. HTTP2 is the successor to SPDY, so disabling both leaves only HTTP1, which is much easier to intercept. Typically this is done so that the malware can hook a specific function in the browser: in the case of Firefox they normally hook nspr4!PR_Read.\r\nLike Emotet, Qakbot contains signs of a UPnP library, removal of the DGA function, and reliance on decentralized peers through a proxy. 
To this end we see malware which has:\r\nBanking web injects;\r\nIts own botnet communication system outside of Emotet;\r\nStolen certificates and heavy use of PowerShell and other defense evasion techniques.\r\nConclusion\r\nEmotet introduces significant challenges to the cybersecurity threat landscape which are very concerning. In the past, botnets which may have been too large or introduced significant risks could be taken down. If they were not taken down, at minimum defenders could coordinate on specific protocols and IP addresses or certain security controls to counteract the effectiveness and potential exposure of the botnet. However, the resiliency introduced in the latest generation of botnets such as Emotet, Dridex, and Qakbot suggests that takedowns will be far more difficult or infeasible, and consequently security operators will have quite a bit of difficulty counteracting a perpetual high-frequency game of IP address blacklisting whack-a-mole.\r\nThe reality is that as Emotet continues to grow, it will increase public and private risk exposure to digital attacks which can be staged on top of these difficult-to-stop botnets. Whether it is ransomware, a critical infrastructure attack, or the next EternalBlue, there is not much that can currently slow these attacks down in most organizational threat models. These types of new resilient botnets are a paradigm shift for attackers and have shown us the dangers of attack platforms which can undermine and circumvent security controls at scale.\r\nWe’re pleased to be able to share the breach intelligence data we have gathered for free via our Victim Notification service, Telltale. You can sign up and check for any observed activity coming from your network for free. 
In the future we’ll be adding more and more malware families to Telltale.\r\nIOCs:\r\nA list of binaries signed by the above detailed malicious code signing certificate is available here, a list of webinject URLs is available here and finally a list of webinject paths is available here.\r\nSource: https://blog.kryptoslogic.com/malware/2018/08/01/emotet.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.kryptoslogic.com/malware/2018/08/01/emotet.html"
	],
	"report_names": [
		"emotet.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434573,
	"ts_updated_at": 1775826744,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f086102eb5546d5e02c0895c1988d9208c5c5f8e.pdf",
		"text": "https://archive.orkl.eu/f086102eb5546d5e02c0895c1988d9208c5c5f8e.txt",
		"img": "https://archive.orkl.eu/f086102eb5546d5e02c0895c1988d9208c5c5f8e.jpg"
	}
}