{
	"id": "2b46c21c-dab0-4eda-bf7c-ccd8e0106423",
	"created_at": "2026-04-06T00:19:54.614323Z",
	"updated_at": "2026-04-10T03:21:26.848731Z",
	"deleted_at": null,
	"sha1_hash": "f70037486e33de5fbbfd366969c04f120fd640af",
	"title": "Emotet malware now steals your email attachments to attack contacts",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1475043,
	"plain_text": "Emotet malware now steals your email attachments to attack contacts\r\nBy Sergiu Gatlan\r\nPublished: 2020-07-28 · Archived: 2026-04-05 19:15:17 UTC\r\nThe Emotet malware botnet is now also using stolen attachments to increase the authenticity of spam emails used for\r\ninfecting targets' systems.\r\nThis is the first time the botnet is using stolen attachments to add credibility to emails as Binary Defense threat researcher\r\nJames Quinn told BleepingComputer.\r\nThe attachment stealer module code — that also steals email content and contact lists — was added around June 13th\r\naccording to Marcus 'MalwareTech' Hutchins.\r\nhttps://www.bleepingcomputer.com/news/security/emotet-malware-now-steals-your-email-attachments-to-attack-contacts/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/emotet-malware-now-steals-your-email-attachments-to-attack-contacts/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nBased on research from the Emotet tracking group Cryptolaemus, the malware now steals 131072 byte or smaller\r\nattachments with email contents, later to be used as part of reply chains.\r\nThis new tactic adds to the Emotet gang's leveraging of hijacked email conversation threads where a malicious URL or\r\nattachment would be included in new emails attached to existing conversations as a concealment measure (as first spotted by\r\nMinerva Labs in March 2019).\r\nEmotet, originally a banking Trojan when first spotted in 2014, has now evolved into a malware botnet used by threat actors\r\nto download other malware families including the Trickbot (a known vector used in the delivery of Ryuk and Conti\r\nransomware payloads) and QakBot trojans.\r\nEmotet phishing email with stolen attachments (Cofense)\r\n\"Emotet seems to be using not only stolen email bodies, but is now including stolen attachments as well,\" email security\r\nfirm Cofense said today.\r\n\"This lends to even more authenticity in their phishing emails. 
In one example we found 5 benign attachments and a dropper\r\nlink within the templated portion of the email.\"\r\nThe botnet has been delivering massive amounts of malicious spam emails — camouflaged as payment reports, invoices,\r\nemployment opportunities, and shipping information — through all its server clusters starting with July 17, after more than\r\nfive months of inactivity.\r\n\"Since reemerging on July 17, Emotet has sustained its activities with daily spam runs spewing more than 500K emails\r\nevery day (except weekends) starting at around 2:00 AM Pacific Time (UTC -7),\" Microsoft said.\r\nAfter returning back to life, Emotet first started installing the TrickBot trojan on compromised Windows computers, later to\r\nswitch to once again heavily spreading QakBot malware, fully replacing the TrickBot payloads.\r\nAt the moment, there is no exact info on QakBot's final payloads but reports say that it will deploy ProLock ransomware on\r\nsome of the systems initially infected with Emotet.\r\nEmotet's attachment stealer module (James Quinn)\r\nMost prevalent malware of the week\r\nIn a warning issued by the Australian Cyber Security Centre (ACSC) about the dangers posed by Emotet attacks, the\r\nmalware is described as providing attackers \"with a foothold in a network from which additional attacks can be performed,\r\noften leading to further compromise through the deployment of ransomware.\"\r\nThe Cybersecurity and Infrastructure Security Agency (CISA) also issued a warning on targeted Emotet attacks earlier this\r\nyear, advising admins and users to review its Emotet Malware alert for guidance.\r\nEmotet spreads using spam emails containing malicious URLs and attachments (Word or Excel documents designed to use\r\nmacros) for downloading and installing the Emotet Trojan on victims' computers, which will then download 
other malware\r\nover time and will also use the infected device to send more spam emails.\r\nSince the botnet was revived on July 17th, it started delivering massive amounts of Emotet malware payloads as part of\r\na campaign of malicious emails targeting users worldwide.\r\nThis huge spike of activity was behind Emotet being ranked first in a list of top 10 malware strains analyzed on the\r\ninteractive malware analysis platform Any.Run during the last week, head and shoulders above the next malware in the top\r\n(the njRAT Remote Access Trojan), with more than double the number of sample uploads submitted for analysis.\r\nIf you want to find out more information about active Emotet campaigns you should follow the Cryptolaemus group on\r\nTwitter, a collective of security researchers who are keeping an eye on this malware's activity.\r\nUpdate July 29, 17:59 EDT: Added more info on Emotet's attachment stealer module and the number of spam emails sent\r\neach day.\r\nSource: https://www.bleepingcomputer.com/news/security/emotet-malware-now-steals-your-email-attachments-to-attack-contacts/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/emotet-malware-now-steals-your-email-attachments-to-attack-contacts/"
	],
	"report_names": [
		"emotet-malware-now-steals-your-email-attachments-to-attack-contacts"
	],
	"threat_actors": [],
	"ts_created_at": 1775434794,
	"ts_updated_at": 1775791286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f70037486e33de5fbbfd366969c04f120fd640af.pdf",
		"text": "https://archive.orkl.eu/f70037486e33de5fbbfd366969c04f120fd640af.txt",
		"img": "https://archive.orkl.eu/f70037486e33de5fbbfd366969c04f120fd640af.jpg"
	}
}