{
	"id": "753f0fde-f5cd-417c-a2c3-3996da556eb4",
	"created_at": "2026-04-06T00:06:10.501655Z",
	"updated_at": "2026-04-10T03:35:29.002044Z",
	"deleted_at": null,
	"sha1_hash": "f1082a752b19270554ab75b6c0157bf8e20e0548",
	"title": "Emotet Again! The First Malspam Wave of 2023 | Deep Instinct",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2075150,
	"plain_text": "Emotet Again! The First Malspam Wave of 2023 | Deep Instinct\r\nBy Simon Kenin, Threat Intelligence Researcher, Deep Instinct Threat Lab\r\nPublished: 2023-03-10 · Archived: 2026-04-05 20:00:21 UTC\r\nEarlier this week, on Tuesday, March 7th, Emotet was observed for the first time this year sending new malspam\r\nto infect victims. This is significant because the last time Emotet was seen sending malicious spam was in\r\nNovember of 2022. This current wave is different from the one in November, though, including new evasion\r\ntechniques that we will detail in this blog.\r\nDeep Instinct’s Threat Research team has been tracking Emotet over the last year and has written about its periods\r\nof silence and reemergence with new tactics. We will continue to track the malware and alert the community to\r\nany changes or activity.\r\nNovember 17, 2022: Emotet Vacation Is Over: No Rest For The Wicked\r\nJune 9, 2022: Emotet Malware Returns in 2022\r\nThe first to observe and tweet about Emotet’s return was @ilbaroni_:\r\nFigure 1: First public observation of Emotet’s return\r\nDelivery via Thread Hijacking Emails\r\nThe delivery method that Emotet used is the same as in November; however, this time the attached zip files are not\r\npassword protected.\r\nDeep Instinct’s Threat Research team observed thread-hijacked emails sent to companies around the globe,\r\nincluding in Japan:\r\nhttps://www.deepinstinct.com/blog/emotet-again-the-first-malspam-wave-of-2023\r\nPage 1 of 5\n\nFigure 2: Thread-hijacked mail in Japanese\r\nChanges to Emotet Malspam\r\nIn November, Emotet was sending malicious Excel files in the archives. 
Now Emotet is sending archives with\r\nmalicious Word files.\r\nThe Word files include macros that, if enabled, start the infection chain.\r\nThe first page contains an image that tries to lure the receiver into enabling macros:\r\nFigure 3: Social engineering lure on first page\r\nThe second page is blank, while pages 3-7 are excerpts from the novel “Moby-Dick”, written in white\r\nfont to make the pages appear blank.\r\nThe whole document has 14,801 characters and 2,587 words; the text is added as part of an evasion technique.\r\nMany security tools will classify a Word document with just an image and a macro as malicious, which is true in\r\nmost cases.\r\nSome people still use macros for legitimate reasons, despite there being little reason to do so with the advances we\r\nhave made in technology in the 21st century.\r\nAdding textual context to a file with macros might fool some security tools into thinking that the file is benign:\r\nFigure 4: Changing the font color reveals the hidden text\r\nThe Word document in the example contains several long and obfuscated macros which download and execute a\r\nZIP file containing the Emotet DLL from one of several compromised websites.\r\nIf that’s not enough, the most interesting change made by Emotet is that it now artificially inflates the size of the\r\nWord document to over 500mb:\r\nFigure 5: Zero bytes are added to the end of the document.\r\nThis is done by simply adding zero bytes at the end of the document. 
Deep Instinct researchers have seen this\r\ntechnique previously used to inflate the final payloads, such as executables or DLL files.\r\nThe effect is the same as before: because the files are so big, many security products and sandboxes don’t scan\r\nthem, which breaks the automatic analysis and IOC extraction.\r\nAs mentioned earlier, the macros download a ZIP file from compromised hosts which contains a DLL file, which is\r\nthe Emotet loader. This DLL is also inflated with zero bytes to a file size of over 500mb.\r\nThe combination of both the initial attack vector and the payload being artificially inflated might completely blind\r\nproducts that solely rely on static analysis.\r\nDespite these changes, the behavior of the loader appears the same.\r\nIn the past Emotet used to copy a local version of certutil.exe; this time Emotet drops a specific version of\r\nrenamed certutil into “\u003cAppData\u003e\\Local\\Temp.”\r\nThe hash of the observed version is: 4224312da8c3a37b95dd78236fca5ca316021c5de6e517d0ddc753ee26932e6a\r\nEmotet is still using process injection; therefore, security products that do not rely solely on static detection have a\r\nbetter chance at stopping the current wave.\r\nIOC\r\nDOC: a13b394e4017c0c77faf4fab6c3aea4de3443f11610cc85a1d677249b9b2bc3a\r\nDLL: efcf59f4423df8fdacbfa8c3d23b6a3e4722bab65c31ea8a7f32daadddfa7adc\r\nFor the full list of IOCs (278) visit our GitHub page.\r\nSource: https://www.deepinstinct.com/blog/emotet-again-the-first-malspam-wave-of-2023",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.deepinstinct.com/blog/emotet-again-the-first-malspam-wave-of-2023"
	],
	"report_names": [
		"emotet-again-the-first-malspam-wave-of-2023"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433970,
	"ts_updated_at": 1775792129,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f1082a752b19270554ab75b6c0157bf8e20e0548.pdf",
		"text": "https://archive.orkl.eu/f1082a752b19270554ab75b6c0157bf8e20e0548.txt",
		"img": "https://archive.orkl.eu/f1082a752b19270554ab75b6c0157bf8e20e0548.jpg"
	}
}