{
	"id": "973f1138-3a15-484e-9832-aab9b1ed322b",
	"created_at": "2026-05-05T02:45:40.84141Z",
	"updated_at": "2026-05-05T02:46:36.800583Z",
	"deleted_at": null,
	"sha1_hash": "f2e450b04718986a1d9f6817384f1563bc0b6780",
	"title": "Detecting a MUMMY SPIDER campaign and Emotet infection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7893734,
	"plain_text": "Detecting a MUMMY SPIDER campaign and Emotet infection\r\nArchived: 2026-05-05 02:14:48 UTC\r\nKey findings:\r\nAt the start of the Eid Al-Fitr (Islamic holiday) weekend in early May 2022, IronNet Threat Research\r\ndetected a thread hijacking attack carrying Emotet malware against an organization located in the Asia\r\nPacific region.\r\nThis cyber attack is likely part of a new campaign by the MUMMY SPIDER threat group, designed to test\r\na new bypass for Microsoft disabling macros by default for use in future large-scale campaigns.\r\nThis finding supports recent open-source reporting that MUMMY SPIDER has begun to conduct more\r\ntargeted operations, and it is likely the threat actors will continue to use their access to enterprise emails to\r\nconduct further phishing attacks.\r\nIronNet’s Network Detection and Response (NDR)\r\nplatform, in combination with our cybersecurity experts, detected an Emotet infection in the network of a\r\ncustomer located in the Asia Pacific region at the start of the Eid Al-Fitr (Islamic holiday) weekend in early May\r\n2022. 
We were able to detect the aftermath of a successful phishing attack against an employee at the company,\r\nwhich resulted in an infection of a host in the client enterprise by Emotet malware. While we are still working\r\nwith our partner to assist in triage and remediation, we wanted to share our findings to increase the community’s\r\nability to collectively defend against these types of attacks. We posit that this attack is part of a new campaign by\r\nthe MUMMY SPIDER threat group, designed to test updated techniques, tactics, and procedures (TTP) for future\r\ncampaigns.\r\nThis article discusses the threat group behind the attack and breaks down the post-compromise activity that\r\noccurred within the client enterprise. This attack bypassed the client enterprise’s anti-virus protection and security\r\nproducts; however, IronNet’s behavioral analytics were able to detect the post-compromise activity and quickly\r\nalert the customer to the infection.\r\nMUMMY SPIDER returns\r\nMUMMY SPIDER (also known as TA54) is a threat group that utilizes various malicious spam (malspam) email\r\ncampaigns to deploy Emotet malware. First detected in 2014, Emotet is a modular, polymorphic trojan that is\r\ncapable of evading signature-based detection and spreading throughout a victim network to compromise\r\nadditional systems. Emotet often serves as a first- or second-stage malware that can drop and download further\r\npayloads, which could ultimately lead to data theft, remote control of systems, financial losses, and operational\r\ndisruptions. An international law enforcement effort succeeded in taking down the Emotet botnet in 2021, but it\r\nhas since resurfaced with a new focus on targeted attacks rather than the previous “spray and pray” tactics it was\r\nonce known for. 
We cannot claim with absolute certainty that the group is linked to Russia; however, on April\r\n20th 2022, a joint alert issued by cybersecurity agencies from Australia, Canada, New Zealand, the U.S., and the\r\nU.K. mentioned the MUMMY SPIDER threat group when warning organizations of the threat of Russian cyber\r\nattacks on critical infrastructure.\r\nUnlike most threat groups, MUMMY SPIDER hibernates for months at a time and then\r\nconducts operations in short bursts over a several-month period. Additionally, recent reports attributed to this group\r\nhave coincided with holiday seasons. Historically, when the group resumed operations, they utilized new variants\r\nof Emotet in an attempt to bypass security efforts. In the case of the compromise detailed in this article, we believe\r\nthat the MUMMY SPIDER threat group may have been testing a new bypass for Microsoft disabling macros by\r\ndefault. This capability involves using OneDrive URLs or XLL files instead of traditional macro-enabled\r\ndocuments. ProofPoint believes that the reason for the lower-than-normal target volume is that MUMMY\r\nSPIDER is testing the success of this new technique before adopting it on a larger scale.\r\nBehavioral detection and incident analysis\r\nOn April 29th, 2022, at 0100 UTC, an enterprise user received a phishing email with a zip file attached. The\r\narchive contained an XLL file that the victim accidentally executed on the host computer. This triggered a series\r\nof requests to multiple external domains, which hosted the new Emotet malware. While a majority of these\r\noutbound requests were blocked by enterprise security products, an outbound session succeeded to\r\ngla[.]ge:80/old/PuVaff/ at 0151 UTC and a DLL (Emotet) was downloaded. The sample was not flagged as\r\nmalicious by VirusTotal at the time of detection. 
IronNet observed the host making a large volume of outbound\r\nrequests to various remote servers in an attempt to establish command and control (C2) communications. Similar\r\nto the domain requests, a majority of these attempts were blocked, but a small number were successful.\r\nIronDefense was able to generate alerts based on the anomalous nature of the domains, two instances of C2\r\nbeaconing activity, and numerous threat-intelligence-based alerts.\r\nAfter reporting this activity to the customer, we were informed that the attack occurred on the Friday before a\r\nmajor holiday weekend; this suggests a potential attack of opportunity, which corroborates the new TTP that\r\nMUMMY SPIDER is assumed to be operating under. IronNet was able to alert the customer shortly after their\r\nworkday ended Friday, enabling isolation of the infected host and mitigation during the long weekend. There is no\r\nevidence of lateral movement attempts from the infected host, supporting the assessment that this was isolated and\r\nthus part of MUMMY SPIDER’s new test campaign model.\r\nThread Hijacking\r\nAfter initial triage, IronNet’s threat hunters and intel analysts requested a copy of the phishing email used and\r\nwere able to categorize this as a thread hijacking attack. Thread hijacking is a process in which a threat actor\r\ncompromises an existing email thread and injects themselves into it in an effort to increase legitimacy and trust. In this\r\ninstance, the actors leveraged an email chain that involved updating a spreadsheet of delivery information,\r\nproviding a legitimate use case for the phishing target to open the attached file. While the sender's address was not\r\nfrom a legitimate enterprise domain, the email was able to avoid suspicion from the user. 
\r\nWhen we categorized this as a thread hijacking attack, we uncovered additional concerns that we began to\r\ninvestigate. Palo Alto released an article in 2020 detailing this type of attack, which indicates the post-infection\r\ngoal is exfiltrating host data via C2. This discovery suggests the enterprise user was likely targeted, evidenced by\r\nthe email being sent specifically to the user. We were able to use this information to inform the customer that there\r\nwere likely additional infections of one or more personnel from the original email chain, making them aware of\r\nadditional thread hijacking attacks that would likely use emails from the victim user.\r\nIronNet conducted a review of indicators of compromise (IOC) associated with recent MUMMY SPIDER\r\ncampaigns and identified external scanning attempts against several enterprise customers. While most of these\r\nappeared to be generic scanning, one instance involved a large volume of scanning against customer Simple Mail\r\nTransfer Protocol (SMTP) servers. We conclude this was likely an attempt to identify more malspam targets.\r\nIronNet has since deployed Threat Intelligence Rules (TIR) and propagated the incident alerts throughout the\r\nIronDome, enabling other IronNet customers to have increased detection capability and reduced response time\r\nthrough collective defense.\r\nConclusion\r\nRecent reporting indicates that MUMMY SPIDER and other actors that use Emotet have begun to conduct more\r\ntargeted operations, increasing the likelihood of spear-phishing against enterprise employees. While preventing all\r\nenterprise users from being the victim of a phishing attack would be ideal, it is statistically unlikely. Awareness\r\ntraining is recommended and effective, but having additional layers of security in the event of compromise is\r\ncritical. 
This incident highlights the importance of behavioral detections as threat actors work to evade traditional\r\nsecurity tools and signature-based detections. IronNet’s ability to detect the behavioral aspects of this attack\r\nprevented the threat group from having extended access to the customer’s enterprise over a long weekend and\r\npotentially causing further damage.\r\nIOCs\r\nURLs:\r\ngakudou[.]com:80/photo06/hEu/\r\ngiasotti[.]com:80/js/Khc6mb0zx4KoWX/\r\nplresende[.]com:80/pcinfor/cq/\r\nthomasmanton[.]com:80/wp-includes/owZnpWmH4D8j/\r\ngla[.]ge:80/old/PuVaff/\r\ngccon[.]in/UploadedFiles/UYtJNrT2llxy1/\r\nExtract from C2 Config via Tria.ge\r\n176.31.73.90:443\r\n45.76.159.214:8080\r\n138.197.147.101:443\r\n104.168.154.79:8080\r\n149.56.131.28:8080\r\n5.9.116.246:8080\r\n77.81.247.144:8080\r\n172.104.251.154:8080\r\n50.30.40.196:8080\r\n173.212.193.249:8080\r\n51.91.76.89:8080\r\n197.242.150.244:8080\r\n103.75.201.2:443\r\n51.254.140.238:7080\r\n79.137.35.198:8080\r\n72.15.201.15:8080\r\n27.54.89.58:8080\r\n189.126.111.200:7080\r\n196.218.30.83:443\r\n82.165.152.127:8080\r\n164.68.99.3:8080\r\n183.111.227.137:8080\r\n167.172.253.162:8080\r\n153.126.146.25:7080\r\n129.232.188.93:443\r\n151.106.112.196:8080\r\n188.44.20.25:443\r\n167.99.115.35:8080\r\n134.122.66.193:8080\r\n185.4.135.165:8080\r\n212.24.98.99:8080\r\n51.91.7.5:8080\r\n146.59.226.45:443\r\n131.100.24.231:80\r\n212.237.17.99:8080\r\n201.94.166.162:443\r\n45.176.232.124:443\r\n159.65.88.10:8080\r\n160.16.142.56:8080\r\n216.158.226.206:443\r\n203.114.109.124:443\r\n103.43.46.182:443\r\n46.55.222.11:443\r\n209.126.98.206:8080\r\n91.207.28.33:8080\r\n1.234.2.232:8080\r\n45.118.115.99:8080\r\n206.189.28.199:8080\r\n94.23.45.86:4143\r\n158.69.222.101:443\r\n103.70.28.102:8080\r\n101.50.0.91:8080\r\n58.227.42.236:80\r\n119.193.124.41:7080\r\n107.182.225.142:8080\r\n185.157.82.211:8080\r\n45.235.8.30:8080\r\n103.132.242.26:8080\r\n1.234.21.73:7080\r\n110.232.117.186:8080\r\n209.97.163.214:443\r\n185.8.212.130:7080\r\n209.250.246.206:443\r\nTria.ge:\r\nhttps://tria.ge/220428-23e5saffg3/behavioral1#report\r\nIronNet Analytics Mapped to MITRE TTPs\r\nIronNet Analytic | MITRE ATT&CK Tactic | MITRE ATT&CK Technique\r\nConsistent Beaconing HTTP/TLS | Command and Control | Application Layer Protocol\r\nDomain Analysis HTTP/TLS | Command and Control | Application Layer Protocol\r\nSource: https://www.ironnet.com/blog/detecting-a-mummyspider-campaign-and-emotet-infection",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.ironnet.com/blog/detecting-a-mummyspider-campaign-and-emotet-infection"
	],
	"report_names": [
		"detecting-a-mummyspider-campaign-and-emotet-infection"
	],
	"threat_actors": [],
	"ts_created_at": 1777949140,
	"ts_updated_at": 1777949196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f2e450b04718986a1d9f6817384f1563bc0b6780.pdf",
		"text": "https://archive.orkl.eu/f2e450b04718986a1d9f6817384f1563bc0b6780.txt",
		"img": "https://archive.orkl.eu/f2e450b04718986a1d9f6817384f1563bc0b6780.jpg"
	}
}